
Http_referer

control bandwidth with REFERER

   
7:24 pm on Mar 16, 2006 (gmt 0)

5+ Year Member



on my site, users can download files with the following link:
http://www.example.co.uk/files/<type>/<id>/download/

this page then checks if they are users on my website, updates the download counter and redirects them to the file.

// update counter
query("UPDATE `files` SET `counter`=`counter`+1 WHERE `id`='$id'");
// redirect to file
header('location:http://www.example.co.uk/uploads/'.$filename);

taking this into account, the HTTP_REFERER for the file would be http://www.example.co.uk/files/<type>/<id>/download/

so people can't use up my bandwidth without me knowing, I want to stop people from downloading anything if the referer isn't this link.
I have tried:

RewriteCond %{HTTP_REFERER} files/[a-z]+/[0-9]+/download/$
RewriteRule uploads/.{1,}\..{3,4} - [L]

this allows all referers to download

RewriteCond %{HTTP_REFERER} ^.*/[a-z]+/[0-9]+/download/$
RewriteRule uploads/.{1,}\..{3,4} - [L]

this doesn't allow any referers through

RewriteCond %{HTTP_REFERER} ^http://%{HTTP_HOST}/[a-z]+/[0-9]+/download/$
RewriteRule uploads/.{1,}\..{3,4} - [L]

this also doesn't allow any referers through

does anyone know what I'm doing wrong?
thanks for any help in advance

Will

[edited by: jdMorgan at 2:28 am (utc) on Mar. 17, 2006]
[edit reason] examplified. [/edit]

6:43 pm on Mar 17, 2006 (gmt 0)

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member



The most obvious problem I see is the use of a server variable in the 'fixed comparison string' on the right side of this RewriteCond:

RewriteCond %{HTTP_REFERER} ^http://%{HTTP_HOST}/[a-z]+/[0-9]+/download/$

There is no 'native' support in Apache for comparing two variables, although some operating systems support 'atomic back-references' which can be used to emulate a compare. This depends on the regex library bundled with the OS. Specifically, POSIX 1003.2 atomic back-references can be used to do a compare by using the fact that if A+A = A+B, then A=B.

RewriteCond %{HTTP_REFERER} ^(http://[^/]+)
RewriteCond %{HTTP_HOST}<>%1 ^([^<]+)<>\1$ [NC]
RewriteRule ^uploads/[^.]+\..{3,4}$ - [L]

Note that the "<>" string is entirely arbitrary and has no special meaning to regular-expressions; It is used here only to demarcate the boundary between the two concatenated variables. The actual 'compare' is done in the second RewriteCond, using the atomic back-reference "\1" to 'copy' the value of the string matching the parenthesized pattern directly to its left.

Therefore
if %{HTTP_HOST}<>%{HTTP_REFERER}(partial) == %{HTTP_HOST}<>%{HTTP_HOST},
then %{HTTP_REFERER}(partial) == %{HTTP_HOST}

This may need some tweaking to fit your actual referrers, since the match between hostname and the partial referrer substring saved in %1 must be exact. And as noted, it will only work on servers which support POSIX 1003.2 regular expressions (FreeBSD is one, and there are others.) I know of no way to support variable-to-variable compares in mod_rewrite without this POSIX 1003.2 trick.

Also, be aware that if you block blank referrers, visitors using "Internet security" software, those behind corporate or ISP caching proxies, and those who type in your URL directly will not be able to use your site.

Jim
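
The two-condition compare from the reply above, emulated in Python as an added example (not part of the original post and not Apache's own code). Python's `re` stands in for the server's regex library, the Host/Referer pairs are constructed, and `CAPTURE_HOST_ONLY` is an assumed tweak that keeps `http://` outside the captured group so that %1 holds only the host name.

```python
import re

# First RewriteCond: capture part of the Referer into %1.
CAPTURE_AS_POSTED = r'^(http://[^/]+)'   # %1 = "http://host"
CAPTURE_HOST_ONLY = r'^http://([^/]+)'   # assumed tweak: %1 = "host"

# Second RewriteCond: "A<>B" only matches when B repeats A exactly.
# re.IGNORECASE plays the role of the [NC] flag.
COMPARE = re.compile(r'^([^<]+)<>\1$', re.IGNORECASE)


def referer_matches_host(host, referer, capture=CAPTURE_HOST_ONLY):
    """Return True when the captured part of the Referer equals the Host."""
    m = re.match(capture, referer or '')
    if not m:
        # Blank or non-http Referer: the first condition already fails.
        return False
    test_string = f'{host}<>{m.group(1)}'   # %{HTTP_HOST}<>%1
    return COMPARE.match(test_string) is not None


# Constructed sample requests: (Host header, Referer header).
SAMPLES = [
    ('www.example.co.uk', 'http://www.example.co.uk/files/zip/42/download/'),
    ('www.example.co.uk', 'http://WWW.Example.co.uk/files/zip/42/download/'),
    ('www.example.co.uk', 'http://other.example.net/files/zip/42/download/'),
    # Host name that merely starts with the site's name: "$" rejects it.
    ('www.example.co.uk', 'http://www.example.co.uk.other.example.net/x'),
    ('www.example.co.uk', ''),   # no Referer sent at all
]


def evaluate(capture=CAPTURE_HOST_ONLY):
    """Run the compare over every sample and return the list of results."""
    return [referer_matches_host(h, r, capture) for h, r in SAMPLES]


if __name__ == '__main__':
    for (host, referer), ok in zip(SAMPLES, evaluate()):
        print(f'{"pass" if ok else "deny"}  Host={host}  Referer={referer!r}')
```

With the capture as posted, %1 still carries the `http://` prefix and so never equals %{HTTP_HOST}, which is one instance of the exact-match tweaking the reply mentions. The Referer header is supplied by the client, so this check limits casual hotlinking rather than authenticating the request.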

10:45 am on Mar 18, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Well, this would block users who aren't sending referer info.
Not uncommon.
12:13 pm on Mar 18, 2006 (gmt 0)

5+ Year Member



Thanks for all your help

Also, be aware that if you block blank referrers, visitors using "Internet security" software, those behind corporate or ISP caching proxies, and those who type in your URL directly will not be able to use your site.

I want to block users who type in the URL directly, however, I don't want to be blocking off users with internet security. Do you know of any other answer to my problem?
2:03 pm on Mar 18, 2006 (gmt 0)

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member



If you cannot use the POSIX trick I detailed above to fix your code, then you will have to test each referrer against each host name individually.

Jim

 
