Forum Moderators: phranque
I'm new at this, and I'm not sure I'm posting in the correct place... But here it goes.
I'm having some problems with .htaccess...
Here's my .htaccess file:
RewriteEngine on
RewriteRule ^/images/allowed/(.+) - [PT,L]
RewriteCond %{HTTP_REFERER}!^http://www\.mysite\.com.*$ [NC]
RewriteCond %{HTTP_REFERER}!^http://mysite\.com.*$ [NC]
RewriteCond %{HTTP_REFERER}!^http://forum\.mysite\.com.*[/url]$ [NC]
RewriteRule .*\.(jpg¦jpeg¦gif¦png¦bmp¦mp3¦pdf)$ http://www.mysite.com/images/hotlink.jpg [R,NC]
So, I want to block hotlinking from every host exept: www.mysite.com, mysite.com and forum.mysite.com.
This works like a charm... However, I want other sites to be able to hotlink the images in /images/allowed and this doesn't work... Also, I want the image 'hotlink.jpg' to be displayed if someone tries to hotlink, and this doesn't work either...
Thanks in advance / jek
I would suggest rewriting that as follows:
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/images/allowed/.+
RewriteCond %{HTTP_REFERER} !^http://(www\.¦forum\.)?mysite\.com [NC]
RewriteRule \.(jpe?g¦gif¦png¦bmp¦mp3¦pdf)$ /images/hotlink.jpg [NC]
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/images/allowed/.+
RewriteCond %{HTTP_REFERER} !^http://(www\.¦forum\.)?mysite\.com [NC]
RewriteRule \.(jpe?g¦gif¦png¦bmp¦mp3¦pdf)$ /images/hotlink.$1 [NC]
If this is too much work, then just use:
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/images/allowed/.+
RewriteCond %{HTTP_REFERER} !^http://(www\.¦forum\.)?mysite\.com [NC]
RewriteRule \.(jpe?g¦gif¦png¦bmp¦mp3¦pdf)$ - [NC,F]
Be advised that this forum modifies the solid vertical pipe character to a broken vertical pipe "¦" character. You will need to replace the "¦" characters above with the solid ones from your keyboard.
HTH,
Jim
I have been looking for a solution for this problem for a couple of days now, and I never thought I'd solve it. Thanks.
When I put this code in the .htaccess some images appear on my website and others show the hotlink image. When I test the hotlinking from another site the hotlink image appears as it should, so the problem is that some of the pictures on my own site show the hotlink image instead of the actual image (if it makes any difference I was testing it in a sub directory so not the main .htaccess of the site).
I should point out that all images on my sites pages are linked to with a full url - http;//www.mydomain.com
Options +FollowSymlinks
RewriteEngine on
RewriteCond %{REQUEST_URI}!^/images/permit/.+
RewriteCond %{HTTP_REFERER}!^http://(www\.)?mydomain.com/ [NC]
RewriteRule \.(jpg¦jpeg?¦gif¦bmp)$ /images/hotlink.$1 [NC]
so I then changed it slightly to :
Options +FollowSymlinks
RewriteEngine on
RewriteCond %{HTTP_REFERER}!^$
RewriteCond %{HTTP_REFERER}!^http://(www\.)?mydomain.com/ [NC]
RewriteRule \.(jpg¦jpeg?¦gif¦bmp)$ /images/hotlink.$1 [NC]
with this hotlinking from another site still works and all my images on my site show up as they should.
Any idea why this could be?
Your second version allows access by users with blank referrers - A practice I do recommend. This supports users who are behind certain firewalls, proxies, and internet security applications which block the referrer.
When testing anti-hotlinking implementations, you must flush your browser cache (Temporary Internet Files) before each and every test. Your code should work fine if you do this, however, I suggest adding the [L] flag to the final rule, and deleting the trailing slash from your domain (to allow for port numbers), as shown.
Options +FollowSymlinks
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com [NC]
RewriteRule \.(jpg¦jpeg?¦gif¦bmp)$ /images/hotlink.$1 [NC,L]
Thank you Jim. Made the changes you suggested and altered the double pipes etc. After clearing cache etc it does not seem to work. Am testing it using htmlbasix and pimpcafe's tester. All the images show up on the website as they should but they also show up in above testers. Any ideas why this could be?
No, your code is correct and is probably working fine. As I said, the only thing that will bypass this code is if the user-agent or an intervening proxy/firwewall hides the referer string. There is not much we can do about that.
Jim
I read somewhere that sometimes a loop can be caused because the code states that .jpg are not allowed to be hotlinked to so when it tries and grabs a picture such as a jpg the code then goes to fetch the hotlink.jpg but as .jpg's are banned it causes a loop.
Where I read this suggested renaming the hotlink.jpg to hotlink.jpe and using just the one image for hotlinking rather than a collection.
What do you think?
All the images on my site are .jpg or .gif so I could even rename the hotlink .jpeg.
Do you see any problems with that though Jim?
Options +FollowSymlinks
RewriteEngine on
RewriteCond %{HTTP_REFERER}!^$
RewriteCond %{HTTP_REFERER}!^http://(www\.)?mydomain\.com [NC]
RewriteRule \.(jpg¦gif¦bmp)$ /images/hotlink.jpeg [NC,L]
I basically removed the jpeg selection from the code, changed the name of the hotlink image to jpeg and made the code select that image instead of a respective counterpart.
Because jpeg is not part of the banned image types it allows the other site to download it.
Thanks for all you help.
Hah! You're may be right... I forgot to mention something...
Note that the code above will always loop forever if the RewriteRule specifies an external redirect, as in [R=301,L]
Or it may be that some other module is being invoked that is interfering, and causing the rules to be reprocessed during the request.
Try this:
Options +FollowSymlinks
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com [NC]
RewriteCond %{REQUEST_URI} !^/images\.hotlink\.
RewriteRule \.(jpg¦jpeg?¦gif¦bmp)$ /images/hotlink.$1 [NC,L]
couldn't you handle the looping on the hotlink.jpg in the same manner you've show the handling of robots.txt file?
ie: !/robots.txt
and that would let them get the hotlink.jpg while still redirecting for all the others?
I'm not sure I understand that question. You can't have a RewriteRule that looks to match both .jpg and NOT .jpg, so you have to use either a different filetype or a different directory (or both, as above) to make the exclusion that allows the alternate image to be displayed without itself being redirected.
Note that this is usually a non-problem, because the original code uses an internal redirect - One that does not communicate with the browser, but simply substitutes one file for another, and serves it.
In the robots.txt case, we are talking an external redirect of sorts - a 403-Forbidden response. With an external redirect, the browser is going to come back with a new request, your server will run through your rewriterules again, and that can cause looping, because the server has no memory whatsoever of the previous request.
I'm not quite sure why Visit_Thailand is having a problem - I run the code I posted myself on several hosts, and it works. But there are many, many, ways to set up a server, and some of them cause weird problems with .htaccess directives.
Jim
ahhh... i see what you are saying, now... the reason that!/robots.txt works is because it is specifically allowed in those other examples and not blocked further in the conditions by *.txt... i was thinking that you may have been able to allow that one request thru by naming it specifically and blocking others based on their extensions...
in studying your last example further...
==== quote ====
Options +FollowSymlinks
RewriteEngine on
RewriteCond %{HTTP_REFERER}!^$
RewriteCond %{HTTP_REFERER}!^http://(www\.)?mydomain\.com [NC]
RewriteCond %{REQUEST_URI}!^/images\.hotlink\.
RewriteRule \.(jpg¦jpeg?¦gif¦bmp)$ /images/hotlink.$1 [NC,L]
==== quote ====
i see that that is exactly what you did with!^images/hotlink\.
OK, I see what you were asking.
The strange thing is that adding that RewriteCond should not be necessary, but if something on VT's server is causing .htaccess to be processed again, it might help. Normally, .htaccess is only processed once per HTTP request. If a RewriteRule is processed which then causes an external redirect, that ends the current request, sends a response to the client browser, and the client then issues a new request, which will cause the server to re-process .htaccess.
But the above code does an internal redirect, simply substituting one file for another, and so .htaccess should no be re-invoked (causing a loop). But as I said, there are often "invisible" issues outside of .htaccess itself that can cause trouble.
Jim
Options +FollowSymlinks
RewriteEngine on
RewriteCond %{HTTP_REFERER}!^$
RewriteCond %{HTTP_REFERER}!^http://(www\.)?mydomain\.com [NC]
RewriteRule \.(jpg¦gif¦bmp)$ /images/hotlink.jpeg [NC,L]
Would this be OK?
Options +FollowSymlinks
RewriteEngine on
RewriteCond %{HTTP_REFERER}!^$
RewriteCond %{HTTP_REFERER}!^http://(www\.)?mydomain\.com [NC]
RewriteCond %{HTTP_REFERER}!^http://(www\.)?THEOTHERDOMAIN\.com [NC]
RewriteRule \.(jpg¦gif¦bmp)$ /images/hotlink.jpeg [NC,L]
and what if it is specifically a subdomain I want to allow. So instead of allowing al X.com I only want to allow sub.X.com?
Your modified rule looks good. To limit access based on a specific subdomain of the referrer, just stick the subdomain name on the end, like so:
RewriteCond %{HTTP_REFERER} !^http://(www\.)?THEOTHERDOMAIN\.com/subdomain [NC]
My hotlink code in .htaccess is :
RewriteCond %{HTTP_REFERER}!^$
RewriteCond %{HTTP_REFERER}!^http://(www\.)?mydomain\.com [NC]
RewriteCond %{HTTP_REFERER}!^http://(www\.)?adomain\.net/subdomainname [NC]
RewriteCond %{HTTP_REFERER}!^http://(www\.)?adomain\.com [NC]
RewriteCond %{HTTP_REFERER}!^http://(www\.)?adomain\.com [NC]
RewriteRule \.(jpg¦gif¦bmp)$ /images/hotlink.jpeg [NC,L]
Now this works great from what I can see, but I want to for one image (re RSS Feeds) to be allowed to be hotlinked so I changed the above to:
RewriteCond %{HTTP_REFERER}!^$
RewriteCond %{HTTP_REFERER}!^http://(www\.)?mydomain\.com [NC]
RewriteCond %{HTTP_REFERER}!^http://(www\.)?adomain\.net/subdomainname [NC]
RewriteCond %{HTTP_REFERER}!^http://(www\.)?adomain\.com [NC]
RewriteCond %{HTTP_REFERER}!^http://(www\.)?adomain\.com [NC]
RewriteCond %{REQUEST_URI}!ALLOWTHISPICTUREINMYROOT \.jpg$ [NC]
RewriteRule \.(jpg¦gif¦bmp)$ /images/hotlink.jpeg [NC,L]
Did I put this line RewriteCond %{REQUEST_URI}!ALLOWTHISPICTUREINMYROOT \.jpg$ [NC] in the right place above? and does it need a [NC]?
[edited by: DaveAtIFG at 4:38 am (utc) on Aug. 5, 2003]
> Did I put this line RewriteCond %{REQUEST_URI}!ALLOWTHISPICTUREINMYROOT \.jpg$ [NC] in the right place above? and does it need a [NC]?
Other than the extra space in the URI, it looks OK to me... You could use
RewriteCond %{REQUEST_URI} !^/ALLOWTHISPICTUREINMYROOT\.jpg$ [NC]
I use [NC] mostly where it is possible that someone may type-in uppercase URL parts. When I design a site, I make sure that all pathnames in links are lowercase-only, so there is no need for me to allow for case variations in most of my rewriterules. However, there is always the possibility that someone may manually type a page request into their browser, so I tend to make page URLs case-insensitive by adding [NC] to the rules.
So, for my own sites, I don't use [NC] for images, CSS files, scripts etc., - I only use it for html page URLs. It's a personal style thing, though; Using [NC] doesn't slow down the server very much, so it's up to you to make that decision based on your page design habits, and whether your users are likely to be directly typing in requests for anything but pages.
Jim
I am not sure whether I am right in saying the root directory, it is in the main www directory, so the image I want to allow hotlinking to can be linked with mydomain.com/ThisPicture.jpg
Is that the root? and if not should I still use the modified line you put in your last post namely:
RewriteCond %{REQUEST_URI}!^/ALLOWTHISPICTUREINMYROOT\.jpg$ [NC]
Also you bring up an interesting point re case sensitive urls. This site I am working on has case sensitive urls with pages SuchasThis.shtml etc
I get a lot of 404's for people looking for thispage.shtml when it should be ThisPage.shtml
Is there anyway I can add code to .htaccess to ensure that when someone types in thispage.shtml they are redirected to ThisPage.shtml?
Of course I could do 301's but there are hundreds if not thousands of such pages and my .htaccess is already very large with hundreds of 301's already.
mydomain.com/ThisPicture.jpgIs that the root?
If you have access to httpd.conf, I believe you can use a RewriteMap to standardize to all-lowercase or all-uppercase pathnames. Otherwise you can use a script to do it - for example, process all 404s through a script that converts existing URLs to all-lowercase, and tries again (beware of loops). See the RewriteCond -U and -f flags in this regard.
Best advice on mixed-case URLs, IMHO... Don't do it! Using all-lowercase greatly simplifies URL redirection, internal and external linking, and moving from one type of server to another (case-sensitive to case-insensitive, or vice-versa). Simple is good.
Jim
I have been looking into the options you mentioned above and with regards to the CaseSensitive urls I found this module which may seem to help fix the problem.
If I have understood it correctly all I need to do is add the below to the .htaccess file:
Checkspelling on
Has anyone used CheckSpelling directive? Any major problems? or other advice?
