Restrict direct access to files and folders

Except if called directly from a specific webpage


RandomHero

9:01 pm on Sep 30, 2006 (gmt 0)




Hi

I have a server, let's pretend it is www.myserver.com . I need to have a directory called /downloads that will contain a bunch of subdirectories, loaded with mp3s in it. I want to deny direct access to /downloads and everything in it (files and folders) except if it is called directly from one of the webpages hosted on www.myserver.com

Ex.: www.myserver.com/myBestSong.mp3 isn't accessible by typing the address directly in the browser, MediaPlayer or other download software but

<a href="www.myserver.com/downloads/myBestSong.mp3">Listen to my song</a> is accessible only if the link is included in files on my www.myserver.com server.

Is there a way to do this? Maybe the solution I'm searching for concerns a combination of CHMOD w/ .htaccess ... I'm lost here...

Thanks a lot!

pixeltierra

7:14 am on Oct 4, 2006 (gmt 0)




Look up the 'deny' directive in .htaccess files

jdMorgan

4:57 pm on Oct 4, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Be aware that most "players" provide no HTTP_REFERER header, and therefore, referrer-based access control will not work. A more sophisticated approach using cookies and server-side scripting is usually required.

Jim

pixeltierra

6:43 pm on Oct 4, 2006 (gmt 0)




But since RandomHero isn't trying to deny specific referers or ips, he is essentially trying to only permit certain ips or referers. This means that the requester has to provide the ip or have proper referer info to get access, which is more secure. This also might be easy to spoof I don't really know. Essentially to bust in they would have to provide certain info, instead of simply providing no info (no http referer info etc...).

So it seems perhaps that:

deny from all
allow from [certain condition]
allow from [certain condition]
allow from [certain condition]

...is better than blocking specific users.

jdMorgan

8:00 pm on Oct 4, 2006 (gmt 0)




Right, and since an mp3 media player, such as Windows Media Player, won't provide a referrer, any attempt to block access to certain referrers will result in the files being completely inaccessible via HTTP to any media player -- Essentially the same as simply deleting all those files from the server.

The key is in the wording in the first post, "called directly from one of the webpages hosted on www.myserver.com"; This implies referrer-based access control. And referrer-based access control doesn't work if no referrer is provided, and media players do not generally provide any HTTP_REFERER header...

If you deny access unless the referrer is your own server, it fails because no referrer is provided, and therefore the blank value won't match your own hostname.

If you try to allow blank referrers to correct that problem, then since almost all referrers will be blank due to the fact that few media players send that header, the result is that almost everyone is allowed access, and the code doesn't accomplish anything.

There are various alternative approaches: One is to dynamically rename the published URLs (say based on day-of-week/time-of-day), and then use mod_rewrite to dynamically re-connect the dynamic URLs with the actual server filepaths.

Another is to use a script to read and send the mp3 files to the client. Before doing this, the script can check for a short-expiry-time cookie that is set by the visitor actually viewing one of your own pages. If the request is made based on a hotlink on a third-party site, then the cookie won't be set so the cookie check will fail, and you can then provide alternative content, such as a voice message that says, "The site you are visiting has effectively taken our content, and is representing it as their own. To hear this tune, please visit our site at www.example.com. Again that's www.example.com. Thank you."

Jim
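The short-expiry cookie check Jim describes, as an added example that is not part of the original thread: the page that links to the mp3 issues an HMAC-signed token with an expiry, and the download script verifies it before streaming the file (the secret, the five-minute TTL and the helper names are assumptions for this illustration).

```python
import hashlib
import hmac
import time

# Assumption: a random secret known only to the server (never sent to the client).
SECRET = b"replace-with-a-random-server-secret"
TTL_SECONDS = 300  # short expiry: the cookie is good for five minutes after the page view


def issue_token(now=None, secret=SECRET):
    """Called by the page that links to the mp3; returns the cookie value 'expiry.signature'."""
    expiry = int(now if now is not None else time.time()) + TTL_SECONDS
    sig = hmac.new(secret, str(expiry).encode(), hashlib.sha256).hexdigest()
    return f"{expiry}.{sig}"


def token_is_valid(token, now=None, secret=SECRET):
    """Called by the download script before it reads and sends the file."""
    if not token or "." not in token:
        return False  # hotlink from a third-party page: the cookie was never set
    expiry_str, sig = token.rsplit(".", 1)
    if not expiry_str.isdigit():
        return False
    expected = hmac.new(secret, expiry_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False  # forged or tampered cookie (constant-time comparison)
    current = now if now is not None else time.time()
    return int(expiry_str) > current  # expired cookies fail the check too


def serve_download(cookie_value, now=None):
    """What the download script returns: the mp3, or the alternative content."""
    if token_is_valid(cookie_value, now):
        return "mp3"
    return "alternative"  # e.g. the voice message pointing visitors to your own site


if __name__ == "__main__":
    cookie = issue_token()
    print(serve_download(cookie))  # mp3
    print(serve_download(None))    # alternative
```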

pixeltierra

8:50 am on Oct 13, 2006 (gmt 0)




I might be missing something, but I take RandomHero to mean that he DOESN'T want media players to access his material.

So forcing the user agent to provide specific referer=mysite.com headers will block all media players (and browsers that don't control their referer headers properly), and all traffic coming from outside mysite.com, which is what I think RH is trying to do. Or am I really lost?

jdMorgan

1:03 pm on Oct 13, 2006 (gmt 0)




I took the link in the first post to indicate otherwise: <a href="www.myserver.com/downloads/myBestSong.mp3">Listen to my song</a>

That would presumably invoke a media player on the client side...

I dunno, we'll have to see what the OP says.

Jim