
htaccess deny referrer ip HELP

How to deny by referrer IP address

     
5:06 pm on Sep 20, 2013 (gmt 0)

New User

joined:Sept 20, 2013
posts: 6
votes: 0


Hello all. I'm new to this forum so I hope nothing I post is in the wrong area.
I'm having some problems with a website I am trying to stop hotlinking from via the referrer. I am able to successfully stop them by the domain, for example:

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?worxdpress\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?example\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?example\.com/ [NC]
RewriteRule .*\.(jpe?g|gif|bmp|png)$ http://example.com/getlost.jpg [L]

The above works great. The problem I am having is some of the hotlinks from the same referrer are being done via the referrer's IP only.

Can anyone advise me or suggest how to add an IP to the above to block a referrer's IP as well?

[edited by: phranque at 10:45 pm (utc) on Sep 20, 2013]
[edit reason] exemplified domain [/edit]

9:22 pm on Sept 20, 2013 (gmt 0)

Senior Member from US 

lucy24

joined:Apr 9, 2011
posts:13268
votes: 363


While waiting for a full reply, go upstairs and read the Forums charter about using only "example.com". Or example dot something-else if you need to name more than one domain.

Do you mean the referring IP or the requesting IP? If the referer itself comes through as IP numbers, you can put that in the {HTTP_REFERER} line just like anything else. Also note that you don't always need an opening anchor in referers.

If you're talking about the source of the request, that becomes {REMOTE_ADDR}. But at that point you're probably looking at a simple Deny from... directive instead.

The specific IP you named-- which may get snipped in the process of Forums cleanup-- is listed as "Private customer" routed via wowrack. Sure sounds like someone you'd block out unconditionally in any case; the full range seems to be
216.176.176.0/20

:: wandering off to add range to my own Deny list ::
9:56 pm on Sept 20, 2013 (gmt 0)

New User

joined:Sept 20, 2013
posts: 6
votes: 0


Thanks for replying. It shows in the log as an HTTP referer from the IP I mentioned earlier that I now refer to with 000.

What I did was add the following:

RewriteCond %{HTTP_REFERER} ^http://(.+\.)?example\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?000\.000\.000\.000/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?example\.com/ [NC]
RewriteRule .*\.(jpe?g|gif|bmp|png)$ http://example.com/example.jpg [L]

I tested it by the domain which works great. But I have no way of testing whether the addition of the IP works or not. Everything else does.
10:55 pm on Sept 20, 2013 (gmt 0)

Administrator

phranque

joined:Aug 10, 2004
posts:10596
votes: 22


welcome to WebmasterWorld, schmel!


you could test it by navigating to the IP address <http://123.45.67.89/> and finding and clicking the link to your domain.
12:38 am on Sept 21, 2013 (gmt 0)

Senior Member from US 

lucy24

joined:Apr 9, 2011
posts:13268
votes: 363


you could test it by navigating to the IP address <http://123.45.67.89/> and finding and clicking the link to your domain.

Assuming for the sake of discussion that it's really a link, rather than referer spam :) OK, I guess that's more common with page requests.

Could the form
http:/ /blahblah.123.34.67.89
ever occur as a viable URL? I'd expect numbers alone.

Now, unless you have a very odd site, you could probably get by with a global referer block on

\d+\.\d+\.\d+\.\d+

(substitute [0-9] if server is crotchety) because when would you ever get a legitimate image referer from a numerical IP address?

RewriteRule .*\.(jpe?g|gif|bmp|png)$


The leading .* is unnecessary and may slow things down. Since you're not capturing, all you need is the end-anchored extension.

You might also consider that most anti-hotlink routines are expressed with negative conditions:

Referer IS NOT blank (this is for search engines)
Referer IS NOT my own site (specifying with/without www form to exclude forged referers)
Referer IS NOT {short list of sites that you've personally approved for hotlinking}
12:39 am on Sept 21, 2013 (gmt 0)

New User

joined:Sept 20, 2013
posts: 6
votes: 0


Tried that. The referrer from the link that I found comes back from the domain and it works fine. That block works. I can't find the link they are using that comes back as the IP address.
12:45 am on Sept 21, 2013 (gmt 0)

New User

joined:Sept 20, 2013
posts: 6
votes: 0


I do have a good script for blocking hotlinking. Only problem I have with it is it blocks all links including those legitimate ones.

The server itself is a fairly strong server running CentOS. We use it as a VOD site running the wowzamedia server. It's a storm server through liquidweb.
2:16 am on Sept 21, 2013 (gmt 0)

Senior Member


joined:July 19, 2013
posts:1097
votes: 0


I can't find the link they are using that comes back as the IP address.

It's not likely it would be a link, in-my-opinion. The most likely place I think you would find it is in an <img> request -- [img requests send referrer headers in all modern browsers I've looked into ;)] -- Check your server logs to see if you visited a page with the image request on it and got blocked then let us know.
2:57 am on Sept 21, 2013 (gmt 0)

New User

joined:Sept 20, 2013
posts: 6
votes: 0


Log:

---.---.---.--- - - [20/Sep/2013:11:01:17 -0400] "GET /image-x/new_age/new_age%20(3).jpg HTTP/1.1" 302 226 "http://000.000.000.000/forum/viewtopic.php?f=44&t=4185&sid=401aa2c6814039e0b4f38907dfae3ba3" "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"

Looks like a direct request from their phpbbs script. The 000.000.000.000 is the culprit.
3:28 am on Sept 21, 2013 (gmt 0)

Senior Member from US 

lucy24

joined:Apr 9, 2011
posts:13268
votes: 363


img requests send referrer headers in all modern browsers I've looked into

They'd darn well better, since that's what your ordinary hotlink protection is based on. You'll meet the rare isolated browser that doesn't send a referer, and ugh are they annoying.

looks like a direct request from their phpbbs script.

Yes, from someone posting the direct URL of your image in a forum like this one ;) Well, not exactly like this one, since we don't allow images. But why isn't this already blocked by your existing anti-hotlinking routine? The referer isn't blank, isn't your own site and-- I assume-- isn't on the short list of approved hotlinkers.

Do you really have a literal space in your filename? And equally literal parentheses? I sure hope you've got very good reasons for both.

What's the 302? I mean, duh, it's a temporary redirect, but what did they get redirected to, and why?

If you plug the IP into the link, you get to a php/bb Forums login page. Grr.
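
An added example, not part of any post in this thread: a Python check that runs the thread's referer patterns over access-log lines, so the posted IP condition and the negative-condition policy (not blank, not own site, not approved) can be tested offline without finding the hotlinking page. The hostnames in OWN_HOSTS and APPROVED_HOSTS and all sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Combined log format: request, status, size, then quoted Referer and User-Agent.
LOG_RE = re.compile(r'"[A-Z]+ (?P<path>\S+) [^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$')
IMAGE_RE = re.compile(r'\.(jpe?g|gif|bmp|png)$', re.I)   # end-anchored, no leading .*
NUMERIC_HOST_RE = re.compile(r'^\d+\.\d+\.\d+\.\d+$')    # referer host is a bare IP
# The IP condition posted in the thread, with re.I standing in for [NC].
POSTED_RE = re.compile(r'^http://(.+\.)?000\.000\.000\.000/', re.I)

OWN_HOSTS = {"example.com", "www.example.com"}  # assumption: the site's own hostnames
APPROVED_HOSTS = {"example.org"}                # assumption: approved hotlinkers

def classify(referer):
    """Apply the three negative conditions, in order, to one Referer value."""
    if referer in ("", "-"):
        return "allow: blank"
    host = (urlsplit(referer).hostname or "").lower()
    if host in OWN_HOSTS:          # exact host match rejects look-alike hosts
        return "allow: own site"
    if host in APPROVED_HOSTS:
        return "allow: approved"
    if NUMERIC_HOST_RE.match(host):
        return "block: numeric IP referer"
    return "block: not approved"

def audit(lines):
    """Return (path, referer, verdict) for each image request in the log."""
    results = []
    for line in lines:
        m = LOG_RE.search(line.strip())
        if m and IMAGE_RE.search(urlsplit(m["path"]).path):
            results.append((m["path"], m["referer"], classify(m["referer"])))
    return results

# Constructed sample lines; client addresses are from documentation ranges.
UA = '"Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"'
SAMPLE = [
    '203.0.113.7 - - [20/Sep/2013:11:01:17 -0400] "GET /image-x/new_age/new_age%20(3).jpg HTTP/1.1" 302 226 "http://000.000.000.000/forum/viewtopic.php?f=44&t=4185" ' + UA,
    '203.0.113.8 - - [20/Sep/2013:11:02:00 -0400] "GET /img/a.png HTTP/1.1" 200 5120 "http://www.example.com/gallery.html" ' + UA,
    '203.0.113.9 - - [20/Sep/2013:11:03:00 -0400] "GET /img/a.png HTTP/1.1" 200 5120 "-" ' + UA,
    '203.0.113.10 - - [20/Sep/2013:11:04:00 -0400] "GET /img/b.gif HTTP/1.1" 200 900 "http://example.com.example.net/page" ' + UA,
    '203.0.113.11 - - [20/Sep/2013:11:05:00 -0400] "GET /index.html HTTP/1.1" 200 7000 "http://000.000.000.000/forum/" ' + UA,
]

if __name__ == "__main__":
    for path, referer, verdict in audit(SAMPLE):
        print(f"{verdict:28} {referer or '-'}  ->  {path}")
```

The numeric-IP referer is rejected by the allow-list policy before the numeric check is even needed for enforcement; the separate verdict only labels it for log review.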
 
