I'm completely lost here...
You could say that a few lines in the htaccess is easy to prevent hotlinking, but I was surprised to see that none of the codes I found here in the forum work...
I'm getting very frustrated..
I tried about 6 samples..
And yes, I do have mod_rewrite.
Yes, I took care of any spaces and broken pipes...etc..
Every time I check the testsite of lycos.co.uk and it still shows the hotlinked image..
Yes, every time with cleared browser..
How the heck is that possible...
Any help..
RewriteCond %{REQUEST_FILENAME} .*jpg$|.*gif$|.*mp3$|.*js$|.*swf$| [NC]
RewriteCond %{HTTP_REFERER} ^[http].*$
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yoursite.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?otherallowedsite.com/.*$ [NC]
RewriteRule \.(gif|jpg|mp3|js|swf|)$ - [F]
However, do you have other *working* rewriterules -- Ones that you can see working?
If so, then the problem is likely down to the code allowing blank referrers. This is necessary so that your site won't appear broken to those using internet security software or connecting through their corporate or ISP proxies; these often block the HTTP Referer header.
For example, in the (sorry, "non-optimal") code posted above, the regex !^$ is used to allow blank referrers.
You could delete that line temporarily for testing purposes, but if you delete it permanently, then your site will look broken to many legitimate visitors.
So, by allowing blank referrers, you prevent that, but you also leave an exploitable hole in the anti-hotlinking. Unfortunately, this is as good as it gets with referrer-based methods; Good enough to stop most hotlinking, but not 100%. If you need better security, then use a cookies-and-script based method, so that images are only served to visitors who have visited a page on your site that sets the cookie.
Jim
Thanks....
Yes, I have an htaccess of nearly 100kb by now, covering a whole lot of mod_rewrite rules and banned ranges..
My htaccess starts with..
php_flag output_buffering on
AddType application/x-rar-compressed .rar
AddType application/x-tar .tar
AddType application/x-gzip .gz .tgz
AddType application/x-tar .tgz
ErrorDocument 404 /error_404.php
ErrorDocument 403 /error_403.html
Options +FollowSymlinks
RewriteEngine On
From here the code..
So what do you suggest I do?
To make sure .htaccess itself is working, have your very first command be something like:
Redirect /foo http://example.com/booboo.html
If you're still stuck after that, start deconstructing your code and rebuilding it one line/piece at a time. If you throw in a bunch of code and it doesn't work you could spend forever trying to find the problem. It's easier to start from scratch, and keep adding in bits until you see what breaks.
[edited by: jdMorgan at 9:40 pm (utc) on June 25, 2006]
[edit reason] Example.com, formatting [/edit]
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain.com(/)?.*$ [NC]
RewriteRule .*\.(gif|jpe?g|png|bmp)$ [F,NC]
That doesn't work....
Nor this...
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC]
RewriteRule \.(gif|jpg)$ - [F]
Nothing seems to work...
If it doesn't, then the only thing I can think of is that there is a network cache somewhere in your path to lycos, and it is returning cached results instead of passing the requests through to your server. If that is the case, then you might try hotlinking to 'http://example.com/image.gif?1' for example, where the "?1" query string is meaningless, but incremented by one for each test, it would keep caching issues from influencing the test outcome.
Also, I assume you are aware that posting on this board does two things, neither of them particularly good. First, the required space between "}" and "!" is stripped. And second, the solid pipe character is replaced by a broken pipe "¦" character. Both of these must be corrected before using code found posted here.
Jim
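As an added illustration (not code posted by anyone in this thread), here is a small Python model of the referrer-based ruleset discussed above. It shows which requests the rules would answer with 403, why a rule pasted with the board's "¦" never fires, and what the blank-referrer exception lets through. The domain names, sample requests and function names are constructed for the example, and Python's re module stands in for Apache's regex engine.

```python
import re

# Referrer patterns modelled on the thread's placeholder domains (dots escaped here).
ALLOWED_REFERERS = [
    r"^http://(www\.)?yoursite\.com/.*$",
    r"^http://(www\.)?otherallowedsite\.com/.*$",
]
GOOD_RULE = r"\.(gif|jpe?g|png|bmp)$"   # solid pipes: real alternation
BOARD_RULE = r"\.(gif¦jpe?g¦png¦bmp)$"  # as pasted from the board: "¦" is a literal

def is_forbidden(path, referer, rule=GOOD_RULE, allow_blank=True):
    """Model of this ruleset (returns True when the request would get 403):
         RewriteCond %{HTTP_REFERER} !^$            (only if allow_blank)
         RewriteCond %{HTTP_REFERER} !<each allowed pattern> [NC]
         RewriteRule <rule> - [F,NC]
    """
    # mod_rewrite tests the RewriteRule pattern first, then the conditions.
    if not re.search(rule, path, re.IGNORECASE):
        return False
    if allow_blank and referer == "":
        return False  # blank referrer passes: the hole described in the thread
    return not any(re.search(p, referer, re.IGNORECASE) for p in ALLOWED_REFERERS)

def cache_busted(url, attempt):
    """Append a meaningless, incrementing query string so a cache cannot answer."""
    return f"{url}?{attempt}"

# Constructed test requests: (label, path, referer)
CASES = [
    ("own page", "images/photo.gif", "http://www.yoursite.com/gallery.html"),
    ("foreign page", "images/photo.gif", "http://hotlinker.example/page.html"),
    ("blank referrer", "images/photo.gif", ""),
    ("not an image", "index.html", "http://hotlinker.example/page.html"),
]

def decision_table(rule=GOOD_RULE, allow_blank=True):
    return {label: is_forbidden(path, ref, rule, allow_blank)
            for label, path, ref in CASES}

if __name__ == "__main__":
    print("correct rule:      ", decision_table())
    print("broken-pipe rule:  ", decision_table(BOARD_RULE))
    print("no blank referrers:", decision_table(allow_blank=False))
    print("next test URL:     ", cache_busted("http://example.com/image.gif", 2))
```

The query string added by cache_busted is not part of the path a RewriteRule pattern is matched against, so it changes what a cache sees without changing the rule's decision.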