whats wrong with this .htaccess?

could anybody please tell me?

         

supernuke

8:00 am on Feb 27, 2005 (gmt 0)

10+ Year Member



Hello, I'm using the code below to prevent hotlinking on my site

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://myalloweddomain.net/site/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://myalloweddomain.net/site$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mydomain.com/desc/images/epig/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mydomain.com/desc/images/epig$ [NC]
RewriteRule .*\.(gif|htm)$ [myalloweddomain.net...] [R,NC]

It prevents linking, but from everywhere; it doesn't respect my set referers and I can't link the files from my own domain either.

Could anybody please tell me what's wrong with this?

thanks

Marino

9:22 am on Feb 27, 2005 (gmt 0)

10+ Year Member



Hello,

Seems to me that the last line is faulty

RewriteRule ^http://.*/([a-zA-Z0-9]+\.(gif|htm))$ [myalloweddomain.net...] [R,NC]

%1 catches the first subpattern in the regexp, i.e. the name of the resource and its extension.

Tell us if it works.

jdMorgan

3:48 pm on Feb 27, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



supernuke,

It's not entirely clear what you're trying to achieve, but I would suggest the following changes:


RewriteEngine on
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://myalloweddomain.net/site [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mydomain.com/desc/images/epig [NC]
RewriteRule \.gif$ - [F]

1) Allow blank referrers, unless you want to reject all users behind ISP and corporate caching proxies, like AOL.
2) Do not end-anchor the referrer for the allowed domains. This is the likely reason your allowed referrers failed.
3) Return a simple 403-Forbidden response to hotlinkers instead of trying to redirect. Otherwise you can end up trying to redirect an image request to an html page, and that won't work as expected. Your original code could also cause massive problems with search engine spiders and cause them to drop your site.

There are a lot of threads here with details on allowing blank referrers and the various hotlink responses you can use. Try searching [google.com] through the forums for more background on these subjects.

Jim

supernuke

6:39 pm on Feb 27, 2005 (gmt 0)

10+ Year Member



Thanks both for your replies. Unfortunately none of the modified codes worked. I forgot to mention I'm trying to block direct requests, in order to make my visitors access those protected files only by clicking on the links placed on my site. Is this possible?

thanks

jdMorgan

7:38 pm on Feb 27, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'd recommend a cookies-based scripted solution. Your requirements exceed the capabilities of an HTTP_REFERER-based solution. Have a look through the recent hotlinking threads here for more information.

A scripted approach can also permit search engine spiders to 'log in' to your site, so that you don't get dropped from the search engines.

Jim
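One way a "cookies-based scripted solution" could look, as an added example that is not part of the original thread and not jdMorgan's code: the index page issues a signed, expiring cookie, and the script that serves the protected files returns 403 unless that cookie verifies. The names `SECRET`, `TTL`, `site_pass` and all function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients
TTL = 1800                        # assumption: cookie stays valid for 30 minutes


def _sign(expires_s):
    """HMAC-SHA256 over the expiry timestamp, hex-encoded."""
    return hmac.new(SECRET, expires_s.encode(), hashlib.sha256).hexdigest()


def issue_cookie(now=None):
    """Cookie value to set when the visitor loads the index page."""
    issued = int(time.time() if now is None else now)
    expires_s = str(issued + TTL)
    return expires_s + "." + _sign(expires_s)


def cookie_is_valid(value, now=None):
    """True only for an unexpired cookie whose signature verifies."""
    now = int(time.time() if now is None else now)
    try:
        expires_s, sig = value.split(".", 1)
        expires = int(expires_s)
    except (AttributeError, ValueError):
        return False  # missing or malformed cookie
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    same = hmac.compare_digest(sig.encode(), _sign(expires_s).encode())
    return same and expires > now


def serve_file(cookies, now=None):
    """HTTP status for a protected-file request: 200 with a valid cookie, else 403."""
    return 200 if cookie_is_valid(cookies.get("site_pass"), now) else 403
```

Unlike the Referer checks above, a request with no Referer header is still served as long as the visitor loaded the index page first.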

supernuke

11:47 pm on Feb 27, 2005 (gmt 0)

10+ Year Member



I really didn't understand what you mean by cookies-based script, but in any case, I'm being obligated by my server to use a htaccess file in order to be able to access my files, so if this htaccess doesn't work, my server becomes useless. As far as I know, what I'm trying to do is not impossible at all. If you have cPanel on your server, try going to the anti-hotlinking protection option; there you have a few features, like establishing allowed referers and enabling or disabling the direct requests option. This automatically sets up a htaccess file in your root directory. What I did is copy that code and post it here as it is. As it was generated by such a popular and effective script as cPanel, I assumed it was going to be right, but it simply doesn't work. Weird, huh?

Caterham

2:28 pm on Feb 28, 2005 (gmt 0)

10+ Year Member



>> enabling or disabling direct requests option

Do you really know the consequences of this? You are not disabling only direct requests, but you are blocking an empty referer. Take a look again at 1) of Jim's post on the consequences of it.

Is this a new disease like blocking the right mouse click a few years ago? Now we block requests with a blank referer?

If sthg. is "top secret", the internet might be the wrong place for it.

Since the syntax is correct, make sure that mod_rewrite is working in per-dir context

supernuke

4:13 am on Mar 1, 2005 (gmt 0)

10+ Year Member



> Since the syntax is correct, make sure that mod_rewrite is working in per-dir context

Sorry about my ignorance, but how am I supposed to do that? I'm not so used to those terms, so I would thank you for a simpler reply, please.

I'm trying to block direct requests because if people can view files without viewing my index then there is no sense in setting an anti-hotlinking protection.

Caterham

5:07 pm on Mar 1, 2005 (gmt 0)

10+ Year Member



Place a 'bar.html' and this code in a folder and call, i.e., test.com/folder/foo.html. You should see bar.html

/folder/.htaccess:

RewriteEngine On
RewriteRule ^foo\.html bar.html [L]

But anyway it doesn't make much sense if some config program places rules in a folder if mod_rewrite is not allowed to be used there.

Remember that people viewing your index are also blocked if the referer is empty. If someone links to you, you'll usually have a referer present.

supernuke

12:04 pm on Mar 2, 2005 (gmt 0)

10+ Year Member



Hi

Thank you for your replies, but I don't know if I'm being clear enough in my explanations about my purpose. I have the following feature menu in my cPanel:

<snip>

The main point in this is as follows:

HotLink protection prevents other websites from directly linking to files (as specified below) on your website.

and

You should ensure that all sites that you wish to allow direct links from are in the list below. This system attempts add all sites it knows you own to the list, however you may need to add others.

And that's what I did: I set the allowed sites by writing them into that space as you can see. I'm not checking the "allow direct requests" box because I don't want to allow them; the only way to access those files should be by clicking on a link on my allowed site.

When I enable this, a .htaccess file is automatically created, and it's something like this:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://myowndomain.net/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://myowndomain.net/site$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.somewherelse.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.somewherelse$ [NC]
RewriteRule .*\.(gif|htm)$ [myalloweddomain.net...] [R,NC]

Well, this code prevents hotlinking but from EVERYWHERE, even my allowed sites, so my files can't be accessed in any way. It makes as much sense as if I hadn't uploaded anything in the first place. What I would like to know is how to set these allowed referers properly.

Thanks.

[edited by: jdMorgan at 2:14 pm (utc) on Mar. 2, 2005]
[edit reason] Removed specifics per TOS. [/edit]

jdMorgan

2:29 pm on Mar 2, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Here is an optimized version of the code. This is the best you'll be able to do with a simple referrer-based method (see msg5 above). In order to avoid making your site look broken to users behind ISP and corporate caching proxies (all AOL users, for example), it allows "direct requests." Again, this is the best you can do with simple referrer-based access control. If you need more "security," you'll need a cookies-based solution.

RewriteEngine on
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://(www\.)?myowndomain\.net [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?somewhereelse\.com [NC]
RewriteRule \.(gif|htm)$ http://www.myalloweddomain.net/site/ [R=302,NC]

This allows access from www.myowndomain.net, myowndomain.net, www.somewhereelse.com and somewhereelse.com. It's shorter and more efficient than the auto-generated code you posted, and corrects several errors in that code as well.

Important: In order to test access-control code like this, you must flush your browser cache (Temporary Internet Files) before testing any change in the code or in the location you are testing from. Otherwise, your browser cache will interfere with the test results.

Jim
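How the two rule sets in this thread treat a request's Referer header, modelled in Python as an added example that is not part of any post. The patterns are copied from the posts above; `rule_fires`, `compare` and the sample Referer values are constructed for illustration.

```python
import re

# Auto-generated conditions as posted in the thread: (pattern, negated).
GENERATED = [
    (r"^http://myowndomain.net/.*$", True),
    (r"^http://myowndomain.net/site$", True),
    (r"^http://www.somewherelse.com/.*$", True),
    (r"^http://www.somewherelse$", True),
]
# jdMorgan's version: the first condition requires a non-empty Referer.
OPTIMIZED = [
    (r".", False),
    (r"^http://(www\.)?myowndomain\.net", True),
    (r"^http://(www\.)?somewhereelse\.com", True),
]

# Constructed sample Referer values ("" models a request with no Referer).
SAMPLES = [
    "",
    "http://myowndomain.net/index.html",
    "http://www.myowndomain.net/index.html",
    "http://test.com/1.html",
]


def rule_fires(conds, referer):
    """Consecutive RewriteCond lines are ANDed: the RewriteRule is applied
    only if every condition holds. negated=True models the leading '!',
    re.IGNORECASE models [NC]."""
    for pattern, negated in conds:
        matched = re.search(pattern, referer, re.IGNORECASE) is not None
        if matched == negated:  # this condition is false, so the rule is skipped
            return False
    return True


def compare(referers=SAMPLES):
    """Map each Referer to (generated_blocks, optimized_blocks)."""
    return {r: (rule_fires(GENERATED, r), rule_fires(OPTIMIZED, r))
            for r in referers}


if __name__ == "__main__":
    for ref, (gen, opt) in compare().items():
        print(f"{ref!r:45} generated={'block' if gen else 'allow'} "
              f"optimized={'block' if opt else 'allow'}")
```

In this model the generated rules block both the empty Referer and the `www.` form of the owner's domain, while the optimized rules block only the third-party Referer.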

supernuke

6:33 am on Mar 4, 2005 (gmt 0)

10+ Year Member



Thanks for the new code, but it's just useless if it allows direct requests. Stealers can still use a direct address to some file of mine without making their visitors see the original page/index; that's why I also want to prevent direct requests.

Thanks.

Caterham

1:08 pm on Mar 4, 2005 (gmt 0)

10+ Year Member



> stealers still can using a direct address to some file

No, because if they are linking to your file in some way, the referer has the value of the site from which the user followed the link.

I.e., the site test.com/1.html puts a link to your file. The referer would contain the value of test.com/1.html if the user clicks on that link. This would end up in an external redirect to [myalloweddomain.net...]