Antileeching: can redirect to a gif, but not to an html...

         

Lou_Boumian

5:50 am on Oct 14, 2004 (gmt 0)

10+ Year Member



To prevent leeching of images from my site, I can redirect to a gif using the following code (posted elsewhere in this forum):
----------------------------
RewriteEngine On
RewriteCond %{HTTP_REFERER} .
RewriteCond %{REQUEST_URI} !^/errormessagespages/stolen.gif
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomaine.net [NC]
RewriteRule \.(gif|jpg|mpg|avi|mov|rm|wav|png|mp3|html?|php|bmp|js|zip|exe)$ /errormessagespages/stolen.gif [NC,L]
-----------------------------

That works using a test file from another Web trying to steal an image, but the stolen.gif image appears too small on the browser, so I am trying to redirect instead to an html file that will properly display the gif:

-----------------------------
RewriteEngine On
RewriteCond %{HTTP_REFERER} .
RewriteCond %{REQUEST_URI} !^/errormessagespages/leeching.html
RewriteCond %{REQUEST_URI} !^/errormessagespages/stolen.gif
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomaine.net [NC]
RewriteRule \.(gif|jpg|mpg|avi|mov|rm|wav|png|mp3|html?|php|bmp|js|zip|exe)$ /errormessagespages/leeching.html [NC,L]
-----------------------------

except... it does not work. I don't even get the text part of the html. Just a white frame with a red cross in the corner.

I can call the errormessagespages/leeching.html file directly from mydomain.net though. So, this file is fine when called up directly.

Does somebody have any idea what's wrong with the second script?

jdMorgan

12:57 pm on Oct 14, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Yes, you simply cannot redirect from an image format to a non-image format -- The browser cannot understand what to do with the html file.

Essentially, what this redirect is trying to do is identical to trying to do this on your page:

<img src="http://www.example.com/stolen.html" border="1" height="100" width="200">

If you run that through a validator, it's obvious it won't work.

I suggest you simply return a 403-Forbidden response to all unwelcome accesses. It is a better use of your time, and keeps things simple. Otherwise, you will need to create a carefully-scaled replacement image that looks good over a wide range of aspect ratios and sizes, and redirect only still-image formats (jpg,gif,png,bmp) to that replacement image. Each other file type will need to be redirected to an appropriate replacement file of the same type as that which was requested.

A 403-Forbidden response will work for all of them.

Jim

Lou_Boumian

3:22 pm on Oct 14, 2004 (gmt 0)

10+ Year Member



Ok, that makes sense. Thanks Jim.

But if I go with the [F] option, on the rewrite, can I still use a custom 403 html page :

----------------
RewriteEngine On
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.net [NC]
RewriteRule \.(gif|jpg|mpg|avi|mov|rm|wav|png|mp3|html?|php|bmp|js|zip|exe)$ - [F]

ErrorDocument 403 /error403.html

<Files ~ "^error(401|403|404|500)\.html$">
order allow,deny
allow from all
</Files>
----------------
It does not seem so. I hit the same problem: the client's browser is not going to display any html if it is expecting an image. Right... So, there is no way to send a generic message when an attempt is made to leech out any type of formats?

jdMorgan

4:43 pm on Oct 14, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Generally, the following approach will work. Make "stolen.gif" a simple graphic with the words "Stolen Image!" in a square image frame, so that it can be read if stretched vertically or horizontally. Make it really ugly, with bright, clashing colors if you like.

Requests for still-image-format files will be served the replacement graphic, while requests for other file formats will simply receive a 403-Forbidden response:


ErrorDocument 403 /error403.html
#
RewriteEngine On
#
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.net
RewriteCond %{REQUEST_URI} !^/stolen\.gif$
RewriteRule \.(gif|jpg|png|bmp)$ /stolen.gif [L]
#
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.net
RewriteCond %{REQUEST_URI} !^/error(401|403|404|500)\.html$
RewriteRule \.(mpg|avi|mov|rm|wav|mp3|html?|php|js|zip|exe)$ - [F]

If you want to really do this effectively, then create a "stolen file" in each of these formats -- An mpg movie that shows you yelling, "Don't steal my movies!", a wav file of the audio from that movie, a JavaScript that writes a page with that message on it using document.write, an exe file that produces an alert box with that message, etc. Then you can successfully redirect each hotlinked file type to its "stolen" replacement. It should only take a day or two to do this...

Then the code becomes:


RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.net
RewriteCond %{REQUEST_URI} !/stolen\.
RewriteRule \.(gif|jpg|mpg|avi|mov|rm|wav|png|mp3|html?|php|bmp|js|zip|exe)$ /stolen.$1 [L]

Again, I feel that it is a waste of time to do this and by doing so, to tell the hotlinkers *why* the request is failing. I'd rather save my time and energy, keep the code simple, keep my server bandwidth low, and simply respond with a 403-Forbidden response to any hotlinked request. It makes *their* site look broken. This makes *them* waste time trying to figure out what is wrong with their Web page. I devote my time to improving my content to make my site better for *my* users, and forget about the punks that try to steal my stuff. If they hotlink, they get a 403, and that is all they are worth, IMO.

Jim
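
Added example, not part of the original posts and not Apache itself: a small Python model of the two-rule policy above (replacement graphic for still images, 403 for the other listed types), run over constructed requests. It shows which requests the Referer test lets through: a blank Referer, a Referer whose host name merely begins with the site's name, and a file suffix in upper case (the rules carry no [NC]). `STRICT_REFERER`, the function names and the sample host names are assumptions of this example.

```python
import re

# Referer test from the post, and a variant (an assumption of this example)
# that requires the host name to end at "/" or at the end of the string.
PAGE_REFERER = re.compile(r"^http://(www\.)?mydomain\.net")
STRICT_REFERER = re.compile(r"^http://(www\.)?mydomain\.net(/|$)")

STILL_IMAGES = re.compile(r"\.(gif|jpg|png|bmp)$")  # no [NC]: case-sensitive
OTHER_TYPES = re.compile(r"\.(mpg|avi|mov|rm|wav|mp3|html?|php|js|zip|exe)$")
ERROR_DOCS = re.compile(r"^/error(401|403|404|500)\.html$")


def decide(uri, referer, own_site=PAGE_REFERER):
    """Return 'serve', 'rewrite:/stolen.gif' or '403' for one request."""
    # RewriteCond %{HTTP_REFERER} .          -> a blank Referer is let through
    # RewriteCond %{HTTP_REFERER} !^http://  -> and so is the site itself
    if not referer or own_site.search(referer):
        return "serve"
    # Rule 1: still images get the replacement graphic; the REQUEST_URI
    # condition keeps /stolen.gif itself from being rewritten again.
    if STILL_IMAGES.search(uri) and uri != "/stolen.gif":
        return "rewrite:/stolen.gif"
    # Rule 2: the other listed types are refused, except the error pages.
    if OTHER_TYPES.search(uri) and not ERROR_DOCS.search(uri):
        return "403"
    return "serve"


# Constructed sample requests (URI, Referer); the host names are made up.
SAMPLES = [
    ("/DSCN3718.jpg", ""),                                    # no Referer sent
    ("/DSCN3718.jpg", "http://www.mydomain.net/album.html"),  # own page
    ("/DSCN3718.jpg", "http://other.example/page.html"),      # hotlinked image
    ("/clip.mpg", "http://other.example/page.html"),          # hotlinked movie
    ("/stolen.gif", "http://other.example/page.html"),        # replacement file
    ("/DSCN3718.jpg", "http://mydomain.net.other.example/"),  # look-alike host
    ("/DSCN3718.JPG", "http://other.example/page.html"),      # upper-case suffix
]


def run(own_site=PAGE_REFERER):
    return [decide(uri, ref, own_site) for uri, ref in SAMPLES]


if __name__ == "__main__":
    for (uri, ref), a, b in zip(SAMPLES, run(), run(STRICT_REFERER)):
        print(f"{uri:14} {ref or '-':36} page={a:20} strict={b}")
```

With the pattern as posted, the look-alike Referer is served the real file; with the terminated pattern it gets the replacement graphic.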

Lou_Boumian

7:13 pm on Oct 14, 2004 (gmt 0)

10+ Year Member



Got you, and agreed. So, I am opting for the first solution: One gif for still images leeching. 403 for everything else:

--------------------
RewriteEngine On
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomaine\.net
RewriteCond %(REQUEST_URI) !^/stolen.gif$
RewriteRule \.(gif|jpg|png|bmp)$ /stolen.gif [L]

RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomaine.net [NC]
RewriteRule \.(mpg|avi|mov|rm|wav|mp3|html?|php|js|zip|exe)$ - [F]
--------------------

The problem is that when I try to leech out from another Web with my test html file :

--------------------
<body>
<img src="http://www.mydomaine.net/DSCN3718.jpg" border="0" width="100" height="75" alt="">
</body>
--------------------

it does not work. I get the red cross in the corner of the frame. I tried with IE and Netscape. Netscape does not display a red cross, just an empty frame with image icon in the corner.

(My stolen.gif image is 200x200 pixels and I can call it directly from my site. So the image file is not corrupted. I have replaced the broken vertical bar by continuous ones...)

So there is still something wrong going on here I guess but I have no idea what...

jdMorgan

10:27 pm on Oct 14, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Flush your cache after any change to access restrictions. You've probably got a cached copy of the 403 response.
In addition, you might want to mark your "stolen" files as non-cacheable if you want to avoid this while testing.

Jim

Lou_Boumian

5:35 am on Nov 4, 2004 (gmt 0)

10+ Year Member



Thanks Jim!

I have tried all the flushing I could do to no avail.

But incidentally, what do you mean by marking files as non-cacheable? What is involved exactly?
That may be something I could try next.

jdMorgan

3:52 pm on Nov 4, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



> I get the red cross in the corner of the frame. I tried with IE and Netscape. Netscape does not display a red cross, just an empty frame with image icon in the corner.

OK, a few things to check... The way the code is written now:

1) /stolen.gif must be in the Web root directory at mydomaine.net/stolen.gif
2) No external site can link to any of your htm, html, or php pages. (And neither can search engines!)
3) That's it. There is nothing wrong with your code, except that #2 above needs to be fixed.

If you have any other code in your .htaccess file that controls access, such as "Deny from 123.456.789.0" then that may be interfering with this code. Rather than trying to test a large block of code all at once, it is often helpful to test one small piece at a time...

Cache-control:


<FilesMatch "^stolen\.gif$">
ExpiresDefault A1
Header unset Cache-Control:
Header append Cache-Control: "no-cache, must-revalidate"
</FilesMatch>

Jim

gergoe

5:23 pm on Nov 4, 2004 (gmt 0)

10+ Year Member



The problem might be that you sent the content of a gif file for a jpeg request?

The request is made for a jpeg file:

<img src="http://www.mydomaine.net/DSCN3718.jpg" border="0" width="100" height="75" alt="">

...but you substitute it with the content of a gif file:
RewriteRule \.(gif|jpg|png|bmp)$ /stolen.gif [L]

If you really want to go on this way, make four formats of the same image, and replace the

RewriteRule \.(gif|jpg|png|bmp)$ /stolen.gif [L]
rule with this one (as it was mentioned by jdMorgan previously):

RewriteRule \.(gif|jpg|png|bmp)$ /stolen.$1 [L]

Lou_Boumian

1:12 am on Nov 15, 2004 (gmt 0)

10+ Year Member



Thanks Jim and gergoe for your suggestions.

I have added the cache control module suggested by Jim but haven't been able to make the whole thing work.

Regarding your notes Jim:
1) /stolen2.gif (and stolen2.jpg) is indeed in the Web root
2) No external site can link to any of my htm, html, or php pages and that's intended, it is a personal site not indexed in search engines.

gergoe:
I did make a stolen2.jpg file because my test file indeed requests a jpg file. But that did not help.

I have given up on this problem for now. The main reason is that I have temporarily password protected my whole site and this takes care of any leeching attempt as well for now.

Thanks again for your suggestions. I have learnt a lot!