Forum Moderators: phranque
I run an image hosting site and I have 1 directory and 1 subdirectory.
The structure is img/thumbnails
I would like to block hotlinking from the img directory but allow it from the thumbnail directory using .htaccess.
I did a search through the forums but everything I tried did not work.
I'm very new to apache so please don't rip me on this one. (I'm a windows guy and I'm used to IIS so this is all very different for me).
Anyway, what i tried doing is putting
# Require images to be linked to or embedded from my site
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://([-a-z0-9]+\.)?domain\.com [NC]
RewriteRule \.(gif¦jpe?g¦png)$ - [F,NC,L]
in my img .htaccess
and
# disable hotlink protection
RewriteEngine on
RewriteRule ^.*$ -
in the thumbnails folder, but all that does is fully disable hotlinking.
Can anyone please point me in the right direction?
Basically, I have to allow hotlinking from the thumbnail directory so the thumbnails show up when images are embedded on the pages.
<snip>
[edited by: jdMorgan at 10:12 pm (utc) on June 30, 2008]
[edit reason] No URLs, please. [/edit]
No, you don't need to allow hotlinking to images in the subdirectory -- The referral will still contain your domain name, no matter what directory the request is to or from...
Hotlinking is the inclusion of an object (e.g. an image) on a page which is not in your own domain.
However, the following would allow images in /image-subdirectory to be hot-linked.
# Require images to be linked to or embedded from my site, except in /image-subdirectory
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://([^.]+\.)?domain\.com [NC]
RewriteCond %{REQUEST_URI} !^/image-subdirectory/
RewriteRule \.(gif¦jpe?g¦png)$ - [NC,F]
It is likely you were having problems because you did not completely flush your browser cache between testing allowed/disallowed referrers and disallowed/allowed referers. The server response is cached along with the image, so once your browser caches an image and the server response that came with it, it will continue to use that image/response until you clear your cache or it expires.
For users, this is only generally a problem if they visit a page which hotlinks your image, and then visit your site. Their browser would use the cached "forbidden" response, and they would see a broken image on your site as well. You can avoid problem that by marking your custom 403 error document as non-cacheable.
Having done that, the only remaining problem is that if a user visits your site and successfully loads the image, and then subsequently visits a hotlinking site, they will still see the image because their browser will have cached it. If the goal is to avoid excess server bandwidth consumed by hotlinkers, you can just ignore this 'problem.' If it is a matter of copyright, then you'll need to use stronger anti-hotlinking methods not based on the http referrer, such as a script that checks for a cookie set only by pages on your own site.
Jim
I really appreciate your reply.
I don't think I'm fully understanding this though...
Let me give you an example of the situation I am dealing with...
Let's say a user uploads an image to my server. It will return the following code. So the img src still does have my URL in the referral path and that link points to a thumb directory.
<a href="http://domain.com/img/image.php?image=frh_220089_images_3066_301658_loc.jpg" target="_blank"><img src="http://domain.com/img/thumbnails/frh_220089_images_3066_301658_loc.jpg" alt="image hosted by domain.com"></a>
The point of the site is to allow people to go there, host their photos and allow them to hotlink the thumbnails and that in turn will link to the full size image.
So let's say now, a blogger takes that code and pops it onto their site to host a photo, wouldn't the referring url be the blog url and not my domain?
So you want to put thumbnails and full-size photos into separate directories, and then hotlink-protect only the full-size photos. That is, use "/thumbnails/" as the image-subdirectory in my second RewriteCond above, bypassing the rule.
Jim
Thanks for your reply.
I just realized something that is a big issue..I realized that within my img folder, I have alot of subdirectories named thumbnails that are 3 or 4 folders down.
Is there a way to allow hotlinking from any folder named thumbnails? Basically, if it sees a folder named thumbnails it should allow the image to be hotlinked - otherwise it should stop it.
Is that even possible? It's probably wishful thinking on my part, but I've gotta ask!
RewriteCond %{REQUEST_URI} [b]!^/t[/b]humbnails/ RewriteCond %{REQUEST_URI} !/thumbnails/ That is, in regular-expressions speak, change "URL-path does not start with "/thumbnails/" to "URL-path does not contain "/thumbnails/".
Jim
I really cannot thank you enough for your help! You rock!
Jim
Basically what is happening is when a user clicks a thumbnail, they are supposed to see the large image in the img folder, however this is only working with Firefox, but not IE. For IE users, nothing is displayed.
Any ideas?
Flush your browser caches before testing any new code.
Be aware that if a browser is set up to *not* send a referrer, or if an intervening ISP or corporate caching proxy drops the referrer, then image access will be denied. For this reason, you may wish to consider allowing blank referrers.
This can be done by adding
RewriteCond %{HTTP_REFERER} . Allowing blank referrers constitutes a 'hole' in the hotlinking prevention, but in most cases is needed for the reasons described.
Jim
Adding that to the top my my stack causes an Internal Server 500 Error
Once again, thanks so much for your help!
