
htaccess deny referrer ip HELP

How to deny by referrer IP address


schmel

5:06 pm on Sep 20, 2013 (gmt 0)



Hello all. I'm new to this forum so I hope nothing I post is in the wrong area.
I'm having some problems with a website I am trying to stop hotlinking from via the referrer. I am able to successfully stop them by the domain for example:

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?worxdpress\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?example\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?example\.com/ [NC]
RewriteRule .*\.(jpe?g|gif|bmp|png)$ http://example.com/getlost.jpg [L]

The above works great. The problem I am having is some of the hotlinks from the same referrer are being done via the referrer's IP only.

Can anyone advise me or suggest how to add an IP to the above to block a referrer's IP as well?

[edited by: phranque at 10:45 pm (utc) on Sep 20, 2013]
[edit reason] exemplified domain [/edit]

lucy24

9:22 pm on Sep 20, 2013 (gmt 0)




While waiting for a full reply, go upstairs and read the Forums charter about using only "example.com". Or example dot something-else if you need to name more than one domain.

Do you mean the referring IP or the requesting IP? If the referer itself comes through as IP numbers, you can put that in the {HTTP_REFERER} line just like anything else. Also note that you don't always need an opening anchor in referers.

If you're talking about the source of the request, that becomes {REMOTE_ADDR}. But at that point you're probably looking at a simple Deny from... directive instead.

The specific IP you named-- which may get snipped in the process of Forums cleanup-- is listed as "Private customer" routed via wowrack. Sure sounds like someone you'd block out unconditionally in any case; the full range seems to be
216.176.176.0/20

:: wandering off to add range to my own Deny list ::

schmel

9:56 pm on Sep 20, 2013 (gmt 0)



Thanks for replying. It shows in the log as a http referer from the IP I mentioned earlier that I now refer to with 000.

What I did was add the following:

RewriteCond %{HTTP_REFERER} ^http://(.+\.)?example\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?000\.000\.000\.000/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?example\.com/ [NC]
RewriteRule .*\.(jpe?g|gif|bmp|png)$ http://example.com/example.jpg [L]

I tested it by the domain which works great. But I have no way of testing whether the addition of the ip works or not. Everything else does.

phranque

10:55 pm on Sep 20, 2013 (gmt 0)




welcome to WebmasterWorld, schmel!


you could test it by navigating to the IP address <http://123.45.67.89/> and finding and clicking the link to your domain.

lucy24

12:38 am on Sep 21, 2013 (gmt 0)




you could test it by navigating to the IP address <http://123.45.67.89/> and finding and clicking the link to your domain.

Assuming for the sake of discussion that it's really a link, rather than referer spam :) OK, I guess that's more common with page requests.

Could the form
http:/ /blahblah.123.34.67.89
ever occur as a viable URL? I'd expect numbers alone.

Now, unless you have a very odd site, you could probably get by with a global referer block on

\d+\.\d+\.\d+\.\d+

(substitute [0-9] if server is crotchety) because when would you ever get a legitimate image referer from a numerical IP address?

RewriteRule .*\.(jpe?g|gif|bmp|png)$


The leading .* is unnecessary and may slow things down. Since you're not capturing, all you need is the end-anchored extension.

You might also consider that most anti-hotlink routines are expressed with negative conditions:

Referer IS NOT blank (this is for search engines)
Referer IS NOT my own site (specifying with/without www form to exclude forged referers)
Referer IS NOT {short list of sites that you've personally approved for hotlinking}

schmel

12:39 am on Sep 21, 2013 (gmt 0)



Tried that. The referrer from the link that I found comes back from the domain and it works fine. That block works. I can't find the link they are using that comes back as the IP address.

schmel

12:45 am on Sep 21, 2013 (gmt 0)



I do have a good script for blocking hotlinking. Only problem I have with it is it blocks all links including those legitimate ones.

The server itself is a fairly strong server running CentOS. We use it as a VOD site running the Wowza media server. It's a Storm server through LiquidWeb.

JD_Toims

2:16 am on Sep 21, 2013 (gmt 0)




I can't find the link they are using that comes back as the IP address.

It's not likely it would be a link, in-my-opinion. The most likely place I think you would find it is in an <img> request -- [img requests send referrer headers in all modern browsers I've looked into ;)] -- Check your server logs to see if you visited a page with the image request on it and got blocked then let us know.

schmel

2:57 am on Sep 21, 2013 (gmt 0)



Log:

---.---.---.--- - - [20/Sep/2013:11:01:17 -0400] "GET /image-x/new_age/new_age%20(3).jpg HTTP/1.1" 302 226 "http://000.000.000.000/forum/viewtopic.php?f=44&t=4185&sid=401aa2c6814039e0b4f38907dfae3ba3" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"

Looks like a direct request from their phpBB script. The 000.000.000.000 is the culprit.
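Added example, not code from the thread or any of its posters: a small Python script that applies the negative-condition checklist lucy24 described (referer blank, referer is my own site, referer is on an approved list; everything else blocked) plus a dotted-quad referer test to combined-format log lines like the one above, and reports which image requests the rules would block. The own-site hostnames, the approved-referer list and the extra sample log lines are constructed assumptions; the first sample line is the one posted above with its placeholder addresses kept. Comments show the equivalent mod_rewrite conditions for each check.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" log format:
# host ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed site configuration (not from the thread).
MY_HOSTS = {"example.com", "www.example.com"}          # with and without www
APPROVED_REFERER_HOSTS = {"friend.example.net"}         # sites allowed to hotlink

# End-anchored extension test only; no leading .* (as lucy24 notes, it is unnecessary).
# mod_rewrite equivalent: RewriteRule \.(jpe?g|gif|bmp|png)$ - [F]
IMAGE_RE = re.compile(r'\.(jpe?g|gif|bmp|png)$', re.IGNORECASE)

# A referer whose host is a bare IPv4 address, i.e. lucy24's \d+\.\d+\.\d+\.\d+ pattern.
NUMERIC_HOST_RE = re.compile(r'^\d+\.\d+\.\d+\.\d+$')


def parse_log_line(line):
    """Split one combined-format log line into its named fields."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unrecognised log line: %r" % line)
    return m.groupdict()


def referer_host(referer):
    """Lower-cased host part of the Referer URL; '' when the header was absent ('-') or empty."""
    if referer in ("", "-"):
        return ""
    return (urlsplit(referer).hostname or "").lower()


def classify(entry):
    """Return (decision, reason) for a parsed entry using the negative-condition scheme."""
    path = entry["path"].split("?", 1)[0]          # ignore any query string
    if not IMAGE_RE.search(path):
        return ("allow", "not an image request")    # rule only targets image files
    host = referer_host(entry["referer"])
    if host == "":
        # mod_rewrite: RewriteCond %{HTTP_REFERER} !^$
        return ("allow", "blank referer")
    if host in MY_HOSTS:
        # mod_rewrite: RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
        return ("allow", "own site")
    if host in APPROVED_REFERER_HOSTS:
        # mod_rewrite: one more negated RewriteCond per approved host
        return ("allow", "approved hotlinker")
    if NUMERIC_HOST_RE.match(host):
        return ("block", "numeric IP referer")
    return ("block", "foreign referer %s" % host)


def audit(lines):
    """Classify every log line; returns a list of (client host, decision, reason)."""
    results = []
    for line in lines:
        entry = parse_log_line(line)
        decision, reason = classify(entry)
        results.append((entry["host"], decision, reason))
    return results


# Sample input. Line 1 is the log line from the thread (placeholders kept); the rest are constructed.
SAMPLE_LOG = [
    '---.---.---.--- - - [20/Sep/2013:11:01:17 -0400] "GET /image-x/new_age/new_age%20(3).jpg HTTP/1.1" 302 226 '
    '"http://000.000.000.000/forum/viewtopic.php?f=44&t=4185&sid=401aa2c6814039e0b4f38907dfae3ba3" '
    '"Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"',
    '192.0.2.10 - - [20/Sep/2013:11:02:00 -0400] "GET /img/logo.png HTTP/1.1" 200 5120 '
    '"http://www.example.com/gallery.html" "Mozilla/5.0"',                      # own page
    '192.0.2.11 - - [20/Sep/2013:11:03:00 -0400] "GET /img/logo.png HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0"',                                                         # no referer
    '192.0.2.12 - - [20/Sep/2013:11:04:00 -0400] "GET /img/photo.jpg?x=1 HTTP/1.1" 200 9000 '
    '"http://forum.example.org/thread/7" "Mozilla/5.0"',                        # foreign domain
    '192.0.2.13 - - [20/Sep/2013:11:05:00 -0400] "GET /index.html HTTP/1.1" 200 1200 '
    '"http://203.0.113.5/" "Mozilla/5.0"',                                       # page, not image
]

if __name__ == "__main__":
    for host, decision, reason in audit(SAMPLE_LOG):
        print("%-16s %-5s %s" % (host, decision, reason))
```

Running it over the sample lines blocks the forum's numeric-IP referer and the foreign-domain hotlink, and leaves the own-site, blank-referer and non-image requests alone; a referer such as `blahblah.123.34.67.89`, which lucy24 wonders about, would fail the dotted-quad test but still be blocked as a foreign referer, because under the negative-condition scheme anything not explicitly allowed is refused.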

lucy24

3:28 am on Sep 21, 2013 (gmt 0)




img requests send referrer headers in all modern browsers I've looked into

They'd darn well better, since that's what your ordinary hotlink protection is based on. You'll meet the rare isolated browser that doesn't send a referer, and ugh are they annoying.

looks like a direct request from their phpbbs script.

Yes, from someone posting the direct URL of your image in a forum like this one ;) Well, not exactly like this one, since we don't allow images. But why isn't this already blocked by your existing anti-hotlinking routine? The referer isn't blank, isn't your own site and-- I assume-- isn't on the short list of approved hotlinkers.

Do you really have a literal space in your filename? And equally literal parentheses? I sure hope you've got very good reasons for both.

What's the 302? I mean, duh, it's a temporary redirect, but what did they get redirected to, and why?

If you plug the IP into the link, you get to a php/bb Forums login page. Grr.