hotlink of index.php page?

     
5:42 pm on Apr 12, 2018 (gmt 0)

Junior Member

joined:Nov 29, 2015
posts:88
votes: 20


Hi all,

I'm trying to stop people from directly accessing my index.php pages in the /games/ folder on my site - except when loaded through an iframe. (I know it's not 100% secure - but it'll work for most of my users)
e.g. (games/game1/index.php | games/game2/index.php | etc)

I've put this in my games folder - and it basically works how I want:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?example.com
RewriteRule \.(php)$ https://www.example.com/ [R,L,QSD]


But it only works if someone accesses this page:

example.com/games/game1/index.php

So if they go to...

example.com/games/game1/

The index loads - but the htaccess doesn't catch this.

The rule RewriteRule \.(php)$ doesn't catch it because it's not got php on the end - even though the server has loaded the index.php page.

I need the rule to ignore the loading of all the other js files, sound files, etc. -- it only needs to block users from accessing the index.php file, and when it loads without the "index.php" being mentioned.


Thanks so much for any help!
8:32 pm on Apr 12, 2018 (gmt 0)

Senior Member from US 

lucy24

joined:Apr 9, 2011
posts:15256
votes: 691


Before we begin...
#1 This rule is located within the /games/ folder? Why? Even in Apache 2.4, you don’t want to rely on RewriteRules being inherited exactly like other mods’ rules, and surely you've got RewriteRules in the root directory already. Put this one in the main htaccess, too, with the pattern expressed as
^games/\w+/index\.php
(replace \w+ with something else if your game names contain hyphens or other punctuation)

#2 The HTTP_REFERER condition has a lot of extraneous guff. The site is either https or it isn't, and a legitimate referer will be either with or without www because at this point you have already redirected to your preferred form. You can bypass the whole thing by just saying "example\.com" without opening anchor if you're not concerned with robots sending fake referers.

#3 In the body of the rule \.(php)$ what are the parentheses for? Nothing is being captured. (The same applies to (s) in the RewriteCond: You don't need parentheses around a single character.)

But it only works if someone access this page:
example.com/games/game1/index.php

So if they go to...
example.com/games/game1/

The index loads - but the htaccess doesn't catch this.
Do you mean that this does happen, or that this is what you want to have happen? Is "index.php" in fact the directory-index page for the assorted games? If so, you have to let it load internally, or nobody could ever play the games at all.

It seems as if what you want is a RewriteCond looking at %{THE_REQUEST} : users can get index.php if mod_dir served it up internally, but not if they ask for it by name.

Or did you mean that you don't want people walking in off the street to request /games/gamename/ with or without “index.php” because they need to come in through /games/ first?

I think we've talked about your site before, and that there are weird complications which you need to explain over again each time.
10:05 pm on Apr 12, 2018 (gmt 0)

Administrator from US 

not2easy

joined:Dec 27, 2006
posts:4055
votes: 249


I'd also mention that "[R,L,QSD]" is not a 301, just in case that matters.
4:09 pm on Apr 13, 2018 (gmt 0)

Junior Member

joined:Nov 29, 2015
posts:88
votes: 20


Hi,

I didn't want to edit my site root htaccess - as it's already complicated - and I don't like to touch it - as I don't know what I'm doing in there ;)

Basically - I ONLY want the index.php pages in the "games" directory to be accessed through an iframe on the other pages on my site.

So the only way to load example.com/games/game1/index.php is through an iframe on example.com/seo-name-of-game/

The problem is - people are by-passing my pages - and just playing the games in the /games/ folder - so not seeing my ads.

My site root htaccess file is this:

Options -Indexes
ServerSignature Off

RewriteEngine On

SetOutputFilter DEFLATE
#SetEnvIfNoCase Request_URI \.mp4$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|swf|mp4|exe|zip|wav|)$ no-gzip dont-vary

RewriteRule ^(games|index\.php) - [L]
RewriteRule ^.*\.(css|txt)$ - [L]

RewriteRule ^(([a-z0-9\-]+/)*[a-z0-9\-]+)$ https://www.example-example.com/$1/ [R=301,L]

RewriteCond %{HTTP_HOST} !^(www\.example-example\.com)?$ [NC]
RewriteRule (.*) https://www.example-example.com/$1 [R=301,L]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php?t=$1 [L,QSA]



Thanks for any help! :)
8:54 pm on Apr 13, 2018 (gmt 0)

Senior Member from US 

lucy24

joined:Apr 9, 2011
posts:15256
votes: 691


It still seems as if the "index.php" part is a red herring, and you simply don't want people requesting /games/game1/ with or without following "index.php". In that case, I think the best approach is a RewriteCond looking at THE_REQUEST. Now, since you've gone to the length of giving this directory its own htaccess with its own RewriteRules, one approach is
ErrorDocument 418 /games/noname.html

RewriteCond %{THE_REQUEST} /games/\w+/
RewriteRule ^gamename/(index\.php)?$ - [R=418]
Instead of redirecting, make a special page that says something like “I’m awfully sorry, but you can’t get there from here” with a pretty link to the page you want people to use. (It doesn't have to be a 418 error. Make something up.) Or redirect R=301 to this page. The idea is that you're doing this for humans, and you should explain to them what's happening and why. Well, part of the why. You don't have to tell them that it's because you want them to see your ads first ;)

In addition, make sure you've got a “RewriteOptions Inherit” line. In Apache 2.4 (which I assume you're using, because of the QSD flag) there are several different inheritance settings. Look them up, and pick the one that seems most appropriate. Probably you can stick with the tried-and-true, vanilla “Inherit” alone.

Link including fragment (which gets eaten by Forums software):
http://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewriteoptions

Up above, I said "\w+" in one place and "gamename" in another. You should say the same thing in both places--but what, exactly, you use will depend on how many gamenames you've got, and what other directories are in the /games/ directory. But if the body of the rule is constrained to (a) /gamename/ and (b) /gamename/index.php then it doesn't matter if /games/ contains other subdirectories, containing files with names other than "index.php", because the RewriteCond will never be evaluated on those. In fact, if you want to be sure the wrong thing doesn't get intercepted, you could have a preliminary RewriteRule in this same directory's htaccess saying something along the lines of
RewriteRule \.(css|js|png|jpg) - [L]
and-that's-all, listing any supporting-file extensions that actually occur in the /games/ directory.

Finally: It is possible that you'll have to omit the ^ opening anchor if you want the rule to apply both with and without index.php. I haven't tested, but I've got a vague idea that once mod_dir has kicked in, requests will be in the form of full filepaths, rather than directory-relative. Try it both ways.
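
Added example, not part of any post in this thread: one way to combine the Referer condition from the first post with a pattern constrained to the game directory and its index.php, as the replies suggest. It assumes the site is served only as https://www.example.com and that game folder names contain only letters, digits, underscores and hyphens.

```apache
# /games/.htaccess
# Added example. www.example.com and the [\w-]+ game-name pattern are
# assumptions based on the snippets posted in the thread.
RewriteEngine On

# Before (from the first post): the pattern only matches URLs ending in
# ".php", so, as that post reports, a request for /games/game1/ is not caught.
#   RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?example.com
#   RewriteRule \.(php)$ https://www.example.com/ [R,L,QSD]

# After: in per-directory context the pattern is matched against the path
# relative to /games/, so it is written to match both "game1/" and
# "game1/index.php". Scripts, sounds and images inside the game folders do
# not match the pattern, so the condition is never evaluated for them.
#
# The Referer test is anchored, uses the one canonical scheme and host, and
# escapes the dots, so "https://www.example.com.evil.test/" does not pass.
RewriteCond %{HTTP_REFERER} !^https://www\.example\.com/
RewriteRule ^[\w-]+/(?:index\.php)?$ https://www.example.com/ [R,L,QSD]
```

A request that carries no Referer header at all fails the condition and is redirected, so a Referrer-Policy of no-referrer on the embedding pages would stop the iframes from loading too. The header is supplied by the client, so this is a deterrent for ordinary visitors rather than an access control.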
 
