Have you tested your code without the trailing slash?
(and without that asterisk)

RewriteCond %{HTTP_REFERER}!^$ 
RewriteCond %{HTTP_REFERER}!^http://mydomain\.com
RewriteCond %{HTTP_REFERER}!^http://www.mydomain\.com
RewriteRule \.(jpg¦jpeg¦gif¦png¦bmp¦mp3¦mov¦wmv¦rm¦ram¦wma)$ http://www.mydomain.com/ [NC,L]

When I do that, I get the following message:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, webmaster@********xx.com and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.

Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

--------------------------------------------------------------------------------

Apache/1.3.29 Server at www.****xxxxx.com Port 80

This is the exact code that I used (the x's in place of my domain, of course):

Options -Indexes

RewriteEngine on
RewriteCond %{HTTP_REFERER}!^$
RewriteCond %{HTTP_REFERER}!^http://xxxxxxxx\.com
RewriteCond %{HTTP_REFERER}!^http://www.xxxxxxxx\.com
RewriteRule \.(jpg¦jpeg¦gif¦png¦bmp¦mp3¦mov¦wmv¦rm¦ram¦wma)$ [xxxxxxxx.com...] [NC,L]

And also, you said no asterisk, but what about the rest of the code (e.g. the "$ [NC]" after two of the lines, and you changed the [R,NC] to [NC,L] after the last line)?

And should the "\" be after the ".com"?

e.g.

RewriteCond %{HTTP_REFERER}!^http://xxxxxx.com\

The code should work in .htaccess.

The backslash (\) is used to escape the dot (.) which has another meaning in RegEx.

Also, if you cut 'n pasted the code, there are a couple things you will need to correct because this forum changes them. Replace all the vertical pipes (¦) with the solid one from your keyboard. Also, there should be a space preceeding those exclamation points (!)

[edited by: keyplyr at 8:39 am (utc) on Dec. 6, 2003]

Here is the "HP Classic" code:

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com [NC]
RewriteRule \.(jpe?g¦gif¦png¦bmp¦mp3¦mov¦wmv¦rm¦ram¦wma)$ - [NC,F]

Notes:

Leave everything after ".com" off the pattern in the RewriteCond to avoid problems

There must be a space between the "}" and the "!"

You must replace all "¦" characters above with solid vertical pipe characters from your keyboard

The "(www\.)?" allows combining two RewriteConds into one -- the "?" makes the contents of the parenthesized group optional

Add [NC] flag to RewriteCond #2 to make domain name case-insensitive

Add [NC] flag to RewriteRule to make filetypes case-insensitive

You cannot redirect an image, audio, or video file to an html (or script-generated html) page - the browser cannot handle it. Best bet is to simply return 403-Forbidden response as shown.

Alternatively, separate these filetypes and return blank or modified versions of those same filetypes instead. The classic one is to add a text overlay to images saying, "This image taken from www.example.com -- Visit www.example.com to see the original image!" But if the browser asks for an image, you can't return an html page. You *can* often substitute a .gif for a .jpg or vice-versa, but this may not work in some browsers. Other file types, such as the video and audio, are best not substituted - use the same type replacement files, or simply return 403-Forbidden.

Jim

<cross-posted> LOL

Yeah, noticed that too... :)

Not real impressed with cPanel - they should know that this:

RewriteCond %{HTTP_REFERER} !^$

can be shortened to this:

RewriteCond %{HTTP_REFERER} .

Jim

Brilliant! Thanks, guys!

This worked perfectly:

Options -Indexes

ReWriteEngine on
RewriteCond %{HTTP_REFERER}!^$
RewriteCond %{HTTP_REFERER}!^http://(www\.)?mydomain\.com [NC]
RewriteRule \.(jpe?g¦gif¦png¦bmp¦mp3¦mov¦wmv¦rm¦ram¦wma)$ - [NC,F]

You guys were right. I had copied and pasted it, so the lack of verticle pipes and spaces were creating problems.

Not sure how to do this:

Alternatively, separate these filetypes and return blank or modified versions of those same filetypes instead. The classic one is to add a text overlay to images saying, "This image taken from www.example.com -- Visit www.example.com to see the original image!" But if the browser asks for an image, you can't return an html page. You *can* often substitute a .gif for a .jpg or vice-versa, but this may not work in some browsers. Other file types, such as the video and audio, are best not substituted - use the same type replacement files, or simply return 403-Forbidden.

What would be the coding for that?

Also, is it possible to stop people from viewing files via a URL like [example.com...]

LABachlr,

The first block of code below redirects any out-of-domain-referrer requests to each specified filetype to a substitute file named "thief" of the same filetype as that requested -- the "$1" in the substitution back-references the requested filetype.

Since you may not have alternate versions for the mp3, mov, wmv, rm, ram, and wma files, the second block of code simply returns a 403-Forbidden for out-of-domain-referrer requests for these filetypes. You can re-arrange the filetypes between the two rules to suit your needs.

RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com [NC]
RewriteRule \.(jpe?g¦gif¦png¦bmp)$ /thief.$1 [NC,L]
#
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com [NC]
RewriteRule \.(mp3¦mov¦ra?m¦wm[av])$ - [NC,F]

Also, is it possible to stop people from viewing files via a URL like [example.com...]

Not sure I understand the question here. The rules above will operate in any directory in which they are placed, and in any subdirectory of that directory. So, the short answer is, "Yes, stick "swf" into the list of filetypes, and they won't be accessible for requests with referrers from outside your domain."

If there is more to the question than that, please state how you *do* want to allow access to your swf files as well as how you don't. Are we still talking about a hotlinking issue, or is this something else?

Jim

jdMorgan,

Great! Thanks for the code.

With respect to my second question, I didn't explain myself correctly. What I meant was can you block a person from seeing a flash file (for example) by just typing in their browser www.example.com/flash/file.swf? I have an entertainment site that has flash files, and in my logs, I see a lot of hits that are directly to the flash files, which means all they are seeing in their browser is the flash file, and not the rest of the page on my site. This costs my money as they do not see the things that I sell when they do this. Same thing with other multimedia files (wmv, mpg, etc.).

But, I suppose if you blocked them from doing that, then you would also block your own site from showing those files since you would be blocking them from being viewed within your own domain, unless there is a way around that.

Yes, the problem is that they'll access the swf without a referrer - and blocking blank referers leads to trouble, because some of your visitor's accesses won't provide one, and they don't necessarily control that.

For the sake of keeping things simple, let's say you have only one swf file on your site, called my_flash.swf. Let's also assume that the page that links to the swf file is an html page, just for reference. Conceptually, this makes no difference, and the solution is not restricted to one swf file linked-to by an html file, but it simplifies the description below.

One approach I can think of is to rename either the swf file or the directory occasionally, and then change the links on your pages which reference them. You could do this by hand or using a cron job. This will break the direct type-ins.

You can also use mod_rewrite to 'alias' the actual file (or directory) name (on the server) so that you don't have to change it, but this does not get around having to change the links on the page. However, you could use PHP or SSI in the html page to do that. One common way of doing it is to use the current date as part of the URL. However, you will need to take care of the case where someone has a cached copy of your page (the one that INCludes the swf files). You need to make sure that the cache header on the html file that links to the flash file expires at least twice as fast as the links are changed, and that the time increment you use can still be matched by the time for the previous cached copy. This is a bit complex, so here's an example:

html file expires header: twelve hours
html file cache-control: must-revalidate
links changed: once per day
mod_rewrite code allows either today's or yesterday's links to point to the real swf file, now called my_real_flash.swf.

In this way, you won't block anyone who has a cached copy of your page from accessing the swf linked-to by that page.

Some details: Using days of the year 001-365, you could have a link to my_flash001.swf on January 1st, and that link changes to my_flash002.swf at midnight.
If a user caches the page at exactly 12:59:59.99PM on January 1st, views the flash, and then clicks on the link to view it again, the would normally now be invalid, because all links have just been changed to my_flash_002.swf. However, since mod_rewrite is set up to cover *two* days worth of links, he's still OK. Also, due to the action of the cache-control headers, the html page he's viewing will expire at 12:59:59.99pm on January 2nd, forcing an update if he reloads the page.

Now, the only remaining problem is what to do if he opens the page and leaves it open for 24 hours. Here, I guess you could include a meta-refresh to force the page to reload every 24 hours. Don't do this with JavaScript, though, because not all users will have it enabled -- just use a plain-old html <meta name="refresh">.

The RewriteRule for this example would be something like:

 RewriteRule ^my_flash(001¦002)\.swf$ /my_real_flash.swf [L] 

On the first day (only) you use this, you'd also need:

 RewriteRule ^my_flash\.swf$ /my_real_flash.swf [L] 

to cover those users who have cached an old copy of the page (before you changed everything).

As I said, there are also various JavaScript solutions, but they would not work if the user had JS disabled. There are also ways of implementing this using server-side scripts, but we have other forums for that. :)

Anyway, something to think about...

Jim

Wow. I'm blown away by your knowledge and thoroughness, Jim. Very impressive.

Thanks for all of the info. I will definitely keep that as an option.

I was thinking about it, and was wondering if this would work:

Put all of the multimedia files in a folder that is above the root folder, and then have the HTML file link to it.

For example:

On the HTML page that would be linked to the flash file, the link itself would be the following:

../folder/flash/file.swf

Wouldn't that work since a visitor is not able to directly view any file that is above the root folder via a URL that points directly to the file?

No, it won't work, because the user is not allowed to access anything above the root folder using HTTP in any way.

You could, however, use a script to "go get it for him". Have the link call the script, and have the script access the files in the filespace -- That's an important concept... URL-space versus filespace. In URL-space, nothing above the site root folder exists.

Jim

OK. Thanks for clearing that up. I guess I'll just have to weigh my options. Which do you think would be the best to implement?

I don't know your sites, your workload, your project "commitment level," or your skill-set, so... In my considered opinion:

It's all up to you.

By all means look around for some other solutions, too - this is not my area of expertise!

Jim

OK. Will do. Thanks.