hotlink protection: allowing a range of IPs through

I'd like to allow SE caches, but w/o constant updates

         

stapel

9:48 pm on Feb 16, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I have hotlink protection in place on my site, and it's working fine. I like to allow users to view the images within the search engines' cached versions of my pages, and this requires that exceptions be added to the exceptions listing. This listing is getting rather long, and the constant updating of my .htaccess file is a tad annoying.

The syntax I'm currently using is as follows:

    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://64.233.161.104/.*$ [NC]
    ... various other IPs ...
    ... certain approved domains, including my own ...
    RewriteRule .*\.(jpg|gif)$ http:// mydomain /hotlink.png [R,NC]

What would be the syntax for allowing a range of IPs? For instance, Google has 64.233.160.0 - 64.233.191.255. How would I allow all of these to display my images? I've noticed that the Google-cache IPs seem regularly to end with the same sets of digits, namely .100, .104, and .120. What would be the syntax for "all of the IPs within this range that terminate with one of these three endings"?

Thank you.

Eliz.

jdMorgan

12:21 am on Feb 17, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> 64.233.160.0 - 64.233.191.255:

Try:


    RewriteCond %{HTTP_REFERER} !^http://64\.233\.1([6-8][0-9]|9[01])\.

(no end anchor)

> the Google-cache IPs seem regularly to end with the same sets of digits, namely .100, .104, and .120.

Something like:

    RewriteCond %{HTTP_REFERER} !^http://64\.233\.[0-9]{1,3}\.(10[04]|120)/

Jim

stapel

3:43 am on Feb 17, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You escaped (used a backslash in front of) the "dots" in the IPs in your examples. I've noticed that this is often how the syntax is displayed. But my .htaccess file has been working just fine without that.

Have I just been lucky? Or am I not understanding something about the syntax in the .htaccess file?

Thank you.

Eliz.

jdMorgan

4:53 am on Feb 17, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



An unescaped period means "match any single character" in regular expressions. So leaving them unescaped can lead to ambiguity, the result of which would be to allow (or deny) more than the intended address. This is particularly the case with unanchored IP addresses (ranges) where single-digit octets occur. For example, the pattern in

    RewriteCond %{REMOTE_ADDR} ^1.2.21.

is obviously intended to match the IP address range 1.2.21.0 - 1.2.21.255

but it also matches the IP address ranges:

102.21.0.0 - 102.21.255.255
112.21.0.0 - 112.21.255.255
122.21.0.0 - 122.21.255.255
...
182.21.0.0 - 182.21.255.255
192.21.0.0 - 192.21.255.255

because the unescaped period will happily match the digits 0 through 9.

So, in fact, where it was the intent to allow (or block, depending on the RewriteRule) 256 IP addresses, this actually allows (or blocks) 65536x10 + 256 addresses, or 655,616 addresses.

That's one example, and others exist. Rather than spending the time to figure out if I might have a problem, I just code them to be formally correct. Having developed that habit, I stick with it most of the time.

Jim
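
The following check is an added example, not part of either poster's messages: it runs the thread's patterns through Python's `re` module to show which addresses the unescaped form lets through and to confirm that the range pattern accepts exactly third octets 160 through 191. It assumes Python's regex semantics match mod_rewrite's for these constructs; the function names and sample addresses are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Patterns taken from the thread above.
UNESCAPED = re.compile(r"^1.2.21.")        # dots match any character
ESCAPED = re.compile(r"^1\.2\.21\.")       # dots match only a literal "."
GOOGLE_RANGE = re.compile(r"^http://64\.233\.1([6-8][0-9]|9[01])\.")

# Constructed sample client addresses (not real traffic).
SAMPLES = ["1.2.21.7", "102.21.0.1", "192.21.255.255", "10.2.21.1", "1.2.3.4"]


def overmatched(pattern, intended_cidr, addresses):
    """Return addresses the pattern accepts that lie outside the intended network."""
    net = ip_network(intended_cidr)
    return [a for a in addresses
            if pattern.search(a) and ip_address(a) not in net]


def third_octets_accepted(pattern,
                          prefix="http://64.233.",
                          suffix=".104/search?q=cache:x"):
    """Return the third-octet values (0-255) whose constructed referer matches."""
    return {o for o in range(256) if pattern.search(f"{prefix}{o}{suffix}")}


if __name__ == "__main__":
    print("unescaped over-matches:", overmatched(UNESCAPED, "1.2.21.0/24", SAMPLES))
    print("escaped over-matches:  ", overmatched(ESCAPED, "1.2.21.0/24", SAMPLES))
    octets = sorted(third_octets_accepted(GOOGLE_RANGE))
    print("range pattern accepts third octets", octets[0], "to", octets[-1])
```

Running the same kind of check against any new exception pattern before it goes into .htaccess shows whether it covers more or less than the intended range.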