htaccess to block access to directory (inc subs)

or any other method

         

ctrlaltdel

5:34 pm on May 6, 2011 (gmt 0)

10+ Year Member



Hello all, my first post. Hopefully will get it right first time :)

My website has images that are viewable via gallery software.
www.mysite.com/gallery
Inside the /gallery dir are various other folders containing the images
/gallery/flowers
/gallery/trees
/gallery/birds
etc.

I have managed to disable right click (I know it's not great), but those with more savvy could read the source code and grab the URL to the image,
www.mysite.com/gallery/birds/blackbird.jpg, then paste it into a new window and download.

Is there a way that I could put a .htaccess file in the /gallery directory that would deny anyone access to these jpgs, BUT would allow my gallery software to still show them? It would have to protect all sub folders of /gallery.

Thanks for any help or advice

lucy24

5:49 pm on May 6, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



There is little-to-nothing you can do to prevent people from downloading images once they're looking at them. In effect, they've already been downloaded. (But if you do have a foolproof method, I want to hear about it :))

On the overall question: do you mean that you don't want the general public (as opposed to selected individuals) to see the images at all, or do you mean that you want everyone to get there via the overall gallery page?

Both are doable-- in several ways each-- but you have to start by saying exactly what you want to do. You also need to figure out what happens if users try something they're not allowed to do. Redirect/rewrite,* error page, something else?


* Yes, yes, I know, but the user doesn't care ;)

ctrlaltdel

6:48 pm on May 6, 2011 (gmt 0)

10+ Year Member



Hello Lucy24, thanks for such a quick response.
I have error pages for 404 & not allowed etc. for the main part of my site and they work fine.
At the moment I have no protection in my gallery folder at all.

What I should have said was ...
I want the general public to see the images only via my gallery script. If they try to access them by going directly into any sub folder (by grabbing the image URL from the source code), then I want them blocked from doing so. (I have an index.html page in each folder so they cannot see the contents.)
Please let me know if I have made this clearer.
Thanks :)

lucy24

9:09 pm on May 6, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



For starters, your /gallery folder is definitely going to want its own .htaccess. Anything you put here will apply to /gallery and to any folders inside of it, but will have no effect on your sitewide .htaccess.

I have an index.html page in each folder so they cannot see the contents

You can save yourself some trouble by letting that go in your new, local .htaccess

Options -Indexes

This line has no effect on user access to files that are actually named "index dot something" (details and variant names are at your server's whim). You've simply turned off auto-indexing. This in turn means you should make a nice friendly 403 page specific to this area, and add the appropriate "ErrorDocument" line to the same .htaccess. Or bounce your 403's back to the page you wanted them to be on. (As a user, I hate sites that do this. But that's me.)

Next you need to do some rewriting. Someone else will tell you whether this bit should be in the local .htaccess or the top-level one. They will also fix the grammar.* Something like

RewriteCond %{HTTP_REFERER} !/gallery\.html?$ [NC]
RewriteRule \.(jpe?g|JPE?G|gif|GIF|png|PNG)$ /gallery.html [L]

The ! means "if the referrer is anything other than the main gallery.html page". The ? means "I don't know whether you use htm or html so let's cover our bases". The word "referer" [Apache's misspelling, not mine] means "who asked for the file?" In your case, you want it to be a specific page and nothing else. If you use this wording, you have also locked out search engines that index images. This may or may not be what you want.

[NC] means "nuh-uh, you're not going to sneak past me by sitting on the CAPS LOCK". [L] means "once you've done this, stop here and skip any other rewrite rules you may find".

The RewriteRule says "neener-neener, I'm sending you back to gallery.html and there's not a thing you can do about it".

All of this is assuming there's a single master page that shows all the pictures. If what you've got is a master page that links to sub-pages, and they link to the images, you'll need something like

RewriteMatch %{HTTP_REFERER} !/gallery/.*html?$ [NC]

instead of RewriteCond. Wording doesn't need to be exact, if all you're trying to weed out is people who try to land directly on the picture rather than coming in via a page.


* I do not speak Apache, nor yet any other Athabaskan language. But I'm good at swiping other people's code.

ctrlaltdel

8:29 am on May 7, 2011 (gmt 0)

10+ Year Member



Hello again
I have tried your suggestion as below but get a 500 error.
RewriteMatch %{HTTP_REFERER} !/digitalimages/gallery/.*php?$ [NC]
RewriteRule \.(jpe?g|JPE?G|gif|GIF|png|PNG)$ /digitalimages/gallery.php [L]


I tried it as you had written and also added a new directory, as I had forgotten that the /gallery folder was actually inside the root/digitalimages folder, therefore
root/digitalimages/gallery

My main landing page is called index.php, so I also tried to replace the "html" with "php" in the code you had written, but that didn't work either.

I will try and explain much better how it all works.

I will find an image in my gallery called bluebell.jpg. It is part of a collection of images called flowers in a category called spring.
So...
from my gallery landing page
.co.uk/digitalimages/gallery/index.php

I choose the "Spring" collection (there are others called Summer & Winter)
.co.uk/digitalimages/gallery/index.php?level=collection&id=4

then choose the "Flowers" album (as there are also ones called "Trees" & "Animals")
.co.uk/digitalimages/gallery/index.php?level=album&id=7

This then gives me all the flowers images I have taken. I scroll down a little and click on the small thumbnail of the bluebell
.co.uk/digitalimages/gallery/index.php?level=picture&id=96

This now shows me the full size image of the bluebell.

If I now look at the source code I can see the URL to the image is
.co.uk/digitalimages/gallery/content/thumbs/spring/flowers/large/96-plt11-0012.jpg


P.S. I have just noticed there is already a .htaccess file in the co.uk/digitalimages/gallery/content directory with this in it:
deny from all
Could that be affecting something?

lucy24

4:34 pm on May 7, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



OK, here's the part where I grovel apologetically as I tally up the things I said that were wrong. But first:

If "deny from all" is the only thing the .htaccess file says, then yes, it could be affecting quite a few things-- but you would be getting a 403 ("Forbidden") error message, not a 500. (I verified with one of my own image directories. The user gets an empty "I can't show this picture" box; the logs show a 403.)

If it contains the line "deny from all" it should also contain the lines "Order Deny,Allow" and then one or more lines beginning "Allow from..." But that's pretty extreme. "deny" and "allow" both refer to all access of any kind-- including the internal access that lets your invited guests see the pictures-- not just direct visits from humans.

The 500 error, on the other hand, means that there is a mistake in the .htaccess file itself, so your server is taking the safest route by not letting anyone in. It can mean other things too, but this seems the likeliest explanation. (Voice of experience.) I believe 500-class errors "hit" before 400-class errors, so if a page potentially has both, you'll only see the 500.

Booboo #1

Make sure your .htaccess contains this line:
RewriteEngine On
It has to go before any rewrites.

Booboo #2

Ain't no such thing as RewriteMatch. I was thinking of redirects. The word is RewriteCond.

So your "referer" is
{blahblah} gallery/index\.php\?level=picture&id=96
or, generically,
gallery/index\.php\?level=\w+&id=\d+

The . and ? in the address have to be "escaped" so the RegEx knows you mean the literal . and ? characters. \w+ means "buncha text" and \d+ means, more narrowly, "buncha numbers". Exact form isn't important; you could just as well say .+ meaning "some stuff here". You just need to ensure that "level" and "id" are included.

Booboo #3
If your server works the same as mine, the site "thinks" you're in the requested location when you're really in the new one, so if you have any relative links-- such as to stylesheets or thumbnails-- it can't find them. (Again, I tested this on an analogous page of my own.) So for the last part of the rewrite you have to give the full address of the new page.

Try this:

RewriteCond %{HTTP_REFERER} !gallery/index\.php\?level=\w+&id=\d+$ [NC]
RewriteRule \.(jpe?g|JPE?G|gif|GIF|png|PNG)$ http://example.co.uk/digitalimages/gallery/index.php [L]

If you know for a fact that all your big pictures have the same extension, you can simplify the middle part to

RewriteRule \.jpg$ etc.

This version has to go in the directory that your full-size pictures live in, so it doesn't block the thumbnails at the higher level. Alternatively, you can split the first part:

RewriteRule /large/.+\.jpg$ http://example.co.uk/digitalimages/gallery/index.php [L]

meaning that the requested image has to be somewhere inside a directory called "large". (I tested this too.)

Try that.

:: mopping brow ::

ctrlaltdel

6:28 pm on May 7, 2011 (gmt 0)

10+ Year Member



Thank you so very much lucy24 for all the trouble you have gone to to help me with this.

I ended up with this, which I placed in the content folder
(which has both thumbs and large image folders for all the different categories of my images).
It worked just fine.
At first it didn't show the thumbs, so I changed to your later suggestion of adding /large/ and that solved it.

RewriteEngine On
RewriteCond %{HTTP_REFERER} !gallery/index\.php\?level=\w+&id=\d+$ [NC]
RewriteRule /large/.+\.jpg$ http://example.co.uk/index.html [L]


Now anytime anyone types the URL in a new window, it boots them to my homepage :) :) :)
If they can find a way around the right click disable and the .htaccess file that's been set up, they are welcome to the image :)

Again thanks so very much :)

P.S. I deleted the .htaccess with deny all in it; it didn't seem to affect anything.
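
The rule set from the last post, modelled in Python to show which requests it redirects and which it serves (an added example, not code from the thread). The sample requests, the `other.example` host, the thumbnail path and the anchored variant of the condition are constructed assumptions.

```python
import re

# Patterns copied from the thread's final .htaccess (placed in .../gallery/content/).
RULE = re.compile(r"/large/.+\.jpg$")  # RewriteRule pattern, no [NC]
COND = re.compile(r"gallery/index\.php\?level=\w+&id=\d+$", re.I)  # RewriteCond, [NC]
# Assumed stricter variant: the same pattern anchored to the site's own origin.
COND_ANCHORED = re.compile(
    r"^https?://(www\.)?example\.co\.uk/digitalimages/gallery/"
    r"index\.php\?level=\w+&id=\d+$", re.I)

def decide(rel_path, referer, cond=COND):
    """Return 'redirect' or 'serve' for a request seen by that .htaccess.

    rel_path is the URL path relative to the content/ directory, which is
    what a per-directory RewriteRule matches against. A missing Referer
    header expands to an empty string in %{HTTP_REFERER}.
    """
    if not RULE.search(rel_path):
        return "serve"      # rule does not apply (e.g. thumbnails)
    if cond.search(referer or ""):
        return "serve"      # negated condition is false, so the rule is skipped
    return "redirect"

# Constructed sample requests: (relative path, Referer header or None).
BASE = "http://example.co.uk/digitalimages/gallery/index.php"
LARGE = "thumbs/spring/flowers/large/96-plt11-0012.jpg"
SAMPLES = [
    (LARGE, BASE + "?level=picture&id=96"),  # normal gallery view
    (LARGE, None),                           # typed URL, or Referer stripped
    (LARGE, BASE),                           # landing page, no query string
    ("thumbs/spring/flowers/96-plt11-0012.jpg", None),  # thumbnail (assumed path)
    (LARGE, "http://other.example/gallery/index.php?level=x&id=1"),  # other host
]

def run(cond=COND):
    """Evaluate every sample request against the rule with the given condition."""
    return [decide(path, ref, cond) for path, ref in SAMPLES]

if __name__ == "__main__":
    print("as-posted anchored referer / path")
    for (path, ref), a, b in zip(SAMPLES, run(), run(COND_ANCHORED)):
        print(f"{a:9} {b:8} {ref!s} {path}")
```

The second sample also covers visitors whose browser or proxy strips the Referer header: they are redirected even when they arrive through the gallery.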