Hotlinking .htaccess and Frontpage

Forum Moderators: phranque

Message Too Old, No Replies

Hotlinking .htaccess and Frontpage

vipermk2

1:10 pm on Nov 18, 2005 (gmt 0)

I would have use the search function but it doesnt work because I'm sure this has come up before.

Basically i want to prevent image hotlinking from my site so in .htaccess I have added.

RewriteEngine on
RewriteCond %{HTTP_REFERER}!^http://(www\.)?example.com(/)?.*$ [NC]
RewriteCond %{HTTP_REFERER}!^http://(www\.)?66.xx. xx.xx(/)?.*$ [NC]
RewriteRule .*\.(gif¦jpg¦jpeg¦bmp)$ - [F,NC]

This does indeed prevent hotlinking however it does not allow access or to publish through Microsoft FrontPage without me rewriting it.

If I add 'RewriteEngine off' as the last line, it allows me access but does not block hotlinking.

jdMorgan

9:45 pm on Nov 18, 2005 (gmt 0)

vipermk2,

Welcome to WebmasterWorld!

Frontpage extensions and .htaccess do not play nicely with each other. However, there is a fix. See
[webmasterworld.com...] message #43 for more information (read back up that thread for background).

In addition, you code will need one change and could use some cleaning-up:


RewriteEngine on
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com [NC]
RewriteCond %{HTTP_REFERER} !^http://192\.168\.6\.10 [NC]
RewriteRule \.(gif¦jpe?g¦bmp)$ - [F,NC]

The main change is the first line, which effectively allows blank referrers to access your site. Without it, you will have major problems with users behind corporate or ISP caching proxies -- All of AOL, for example. The other changes prevent problems if a port number is appended to the domain name, and fix incorrect or unnecessary regular expressions.

Change all broken pipe "¦" characters above to solid pipe characters before use. Posting on this forum modifies them.

Jim

vipermk2

11:10 pm on Nov 18, 2005 (gmt 0)

Thank you, after weeks of looking I now have access without having to rewrite the htaccess everytime i was to publish.

One problem though

RewriteCond %{HTTP_REFERER} .

seems to allow hotlinking, if it is removed then no hotlinking

try this image with the above line in
[<snip>...]

[edited by: jdMorgan at 11:40 pm (utc) on Nov. 18, 2005]
[edit reason] No URLs, please. See TOS. [/edit]

jdMorgan

11:44 pm on Nov 18, 2005 (gmt 0)

Yes, it does to an extent. It's the best you can do with referrer-based access control, though. Since it is up to the client to send (or not send) a referrer, this method of access control is not 100% effective. However, it is effective enough to stop webmasters from linking to your stuff, because it blocks *most* accesses and makes *their* site look broken. Again, if you don't allow blank referrers, then *your* site will look broken to anyone behind a corporate or ISP proxy that blocks referrers. Your choice...

[added] Flush your browser cache before and during tests of new access-control code. If your browser caches an image, then it won't ask the server for the image, and your code will have no effect. [/added]

Jim

vipermk2

12:05 am on Nov 19, 2005 (gmt 0)

Ah great stuff, i have a little more understanding of the workings now thanks.

one thing, I assume the numbers in the following line should be substituted with the ip of my site

RewriteCond %{HTTP_REFERER}!^http://192\.168\.6\.10 [NC]

jdMorgan

12:10 am on Nov 19, 2005 (gmt 0)

Yes, with the literal periods escaped as shown.

Jim