FilesMatch contradiction

eliminate hotlinking .png except for apple-touch-icon

         

idiotgirl

12:41 am on Jun 12, 2022 (gmt 0)


I finally converted all my old .htaccess files to the updated Apache 2+ version, but it's making me re-examine this apple-touch-icon stuff again. I have something like (I abbreviated this):


<FilesMatch "\.(au|avi|avif|bmp|doc|gif|jpg|jpeg|mp3|mp4|mov|mpeg|mpg|pdf|png|tif|wav|webp|zip)$">
Require env local_referal
</FilesMatch>


But that conflicts with

<FilesMatch "apple-touch-icon[^.]">
Require all granted
</FilesMatch>


How do I enable just the one (or more) .png files to be available to anybody? I'm unsure about nesting rules in FilesMatch.

lucy24

2:29 am on Jun 12, 2022 (gmt 0)


General guideline for Apache: two of the same thing will be taken in the order the server sees them. (There are exceptions, but it's a good general principle.) That might be Rule 1 in a containing directory, followed by Rule 2 in a deeper directory; or it might be Rule 1 followed by Rule 2 in the same directory. So your two rules, if presented in the order shown, will do what you want.

How do you handle things like search engine crawlers, which generally don't send a referer with image requests?

Edit: And what have you got against the basic “apple-touch-icon.png”?

idiotgirl

10:27 pm on Jun 12, 2022 (gmt 0)


Yes! I tested this yesterday and it appears to be working as is. Thanks for the confirmation. I was making this way too complicated in my own head.

I only allow certain crawlers that identify themselves and are reverse DNS checked from a good bots list. If they aren't on the good guys list, they get no juice. Many of the sites have their images stolen and used elsewhere, in scammy catalogs, even animal p*rn sites, etc.

Some of the bots from shady neighborhoods come in and ask for every version of apple-touch-icon, over and over again, even though .htaccess serves all apple-touch-icon-* requests simply as a single apple-touch-icon.png (152x152). It's just tiresome seeing every conceivable version of apple-touch-icon requested, is all.

lucy24

4:55 am on Jun 13, 2022 (gmt 0)


Huh. It looked as if the rule was meant to do the opposite: only grant access to the ones that request apple-touch-icon-blahblah-more-stuff. [^.] = anything other than literal period. (And then there's the vexed question of when <Files> refers to the actual physical file being served, and when it refers to the request. Eeuw.)

After posting yesterday, it occurred to me that there is an Option B: In the same place where you set the local_referal environmental variable, you could add a line like

SetEnvIf Request_URI apple-touch-icon\.png local_referal
and then it will fall under the existing Require rule.

But yes, it is exasperating that they couldn't stick with a distinctive extension like .ico that isn't used for anything else.
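
An added example, not part of the thread or anyone's posted configuration: a small Python model of how the two `<FilesMatch>` sections from the first post combine, to check the points above about section order and `[^.]`. It assumes Apache's default `AuthMerging Off` (the last matching section's `Require` replaces earlier ones) and that the regex is tested, unanchored, against the file's basename; the sample filenames and the `ALTERNATIVE` pattern are constructed for illustration.

```python
import re

# The two sections from the first post, in the order shown there,
# as (FilesMatch regex, Require argument) pairs.
POSTED = [
    (r"\.(au|avi|avif|bmp|doc|gif|jpg|jpeg|mp3|mp4|mov|mpeg|mpg|pdf|png|tif|wav|webp|zip)$",
     "env local_referal"),
    (r"apple-touch-icon[^.]", "all granted"),
]

# Hypothetical pattern (an assumption, not from the thread) that also
# covers the plain apple-touch-icon.png.
ALTERNATIVE = [POSTED[0], (r"^apple-touch-icon.*\.png$", "all granted")]

# Constructed sample basenames.
SAMPLES = [
    "apple-touch-icon.png",
    "apple-touch-icon-152x152.png",
    "apple-touch-icon-precomposed.png",
    "photo.png",
    "index.html",
]


def effective_require(sections, basename):
    """Return the Require rule that ends up applying to basename, or None.

    Model: every matching section is merged in configuration order and,
    with AuthMerging Off, the last one that matches wins.
    """
    rule = None
    for pattern, require in sections:
        if re.search(pattern, basename):  # unanchored, like FilesMatch
            rule = require
    return rule


def report(sections):
    """Map each sample basename to its effective Require rule."""
    return {name: effective_require(sections, name) for name in SAMPLES}


if __name__ == "__main__":
    for label, sections in (("posted order", POSTED),
                            ("reversed order", list(reversed(POSTED))),
                            ("alternative pattern", ALTERNATIVE)):
        print(label)
        for name, rule in report(sections).items():
            print(f"  {name:34} -> Require {rule}")
```

In this model the posted pattern leaves the plain `apple-touch-icon.png` under the referer rule, and reversing the two sections puts every icon variant back under it.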