Forum Moderators: phranque
Dear Webmasterworld
Here's the .htaccess file I'm trying to use in order to stop sites linking to my ZIP, EXE, RAR... files. I'm trying to set up an anti-leech system in order to publish downloads for soccer games.
Thanks in advance for your great support
Regards
Xavier
[edited by: jdMorgan at 6:31 am (utc) on Dec. 16, 2003]
[edit reason] No personal Urls or sigs, please [/edit]
Welcome to WebmasterWorld!
Please check out our Terms of Service [webmasterworld.com] and the Apache forum charter [webmasterworld.com].
You didn't say what went wrong when you tried your code, but several things to be aware of:
The simplest solution is simply to return a 403-Forbidden server response for hotlink-related requests that have a non-local referrer:
RewriteEngine On
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://.*example\.net [NC]
RewriteCond %{HTTP_REFERER} !^http://64\.***\.24\.58
RewriteRule \.(zip|exe|rar)$ - [NC,F]
Note that you must replace the "¦" character with the solid vertical pipe character from your keyboard.
For a lot more info on this subject, try searching WebmasterWorld [google.com] for "hotlinking" and related phrases.
Jim
I got this .htaccess working at
www.example.com
It works perfectly fine
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^$ [OR]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com/.*$ [NC]
RewriteRule .*\.([zip|rar|exe|gif|jpg|jpe?g]+)$ - [NC,F]
Here are URLs where you can see the .htaccess working:
www.example.com/testing/testing.php (image and download working)
www.example.net/testing/testing.php (image and download not working)
However, when I insert that .htaccess at example.net, it doesn't work
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^$ [OR]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.net/.*$ [NC]
RewriteRule .*\.([zip|rar|exe|gif|jpg|jpe?g]+)$ - [NC,F]
Here are some URLs where you can preview it:
www.example.com/testing/testing.php (image and download not working)
www.example.net/testing/testing.php (image and download not working EITHER)
mod_rewrite is installed at example.net
I have Apache 2.0.40 at example.net, and I think I have Apache 1.3 at example.com
I am the webmaster of example.net; it's a plain RedHat 9 Linux server. However, example.com is located at Imhoted, and all I have is a cPanel.
My questions are:
1) Is the .htaccess I provided right?
2) Why do you think the .htaccess works at example.com and not at example.net?
I even tried entering the .htaccess code directly into the Apache configuration, like this:
<Directory>
/home/***/public_html/testing/files
</Directory>
Thanks for the support!
[edited by: jdMorgan at 5:17 am (utc) on Dec. 17, 2003]
[edit reason] No personal URLs, please. [/edit]
The problem is most likely due to a configuration difference between the two servers.
In order for the code to work, you must have AllowOverride All or AllowOverride FileInfo, plus Options FollowSymLinks set in httpd.conf.
Alternatively, you must have AllowOverride All or AllowOverride FileInfo Options set in httpd.conf, and Options +FollowSymLinks set in .htaccess.
Be careful to preserve any pre-existing settings when adding these overrides and options.
In addition, mod_rewrite must be installed and enabled on your server.
If the above conditions are not met, then mod_rewrite will not be activated.
Note that a leading "^.*" or ".*" and a trailing ".*$" are redundant, and can be omitted from your regular-expression patterns.
The first RewriteCond, which you have modified to block blank referrers, now serves no purpose and can be omitted without changing the behaviour. I strongly suggest that you do not block blank referrers. However, you can block them as long as you are aware that this will cause a large number of your legitimate visitors who are behind their ISP's caching proxies or firewalls to be blocked, costing you visitors, customers, and/or members, and increasing your "customer service" calls dramatically. Referrers are simply not reliable enough to allow most sites to block blank referrers unless specific exceptions are made based on %{REMOTE_ADDR} and/or %{REMOTE_HOST}. You must assess the economics of this problem for your own sites, but in most cases, it will cost you more than it is worth to block blank referrers either completely or selectively.
"jpe?g" matches either "jpeg" or "jpg", and the square brackets and "+" serve no purpose.
Further, I suggest that you eliminate the trailing slash on the regular-expression hostname pattern, and you can also write the pattern so that it will work on both top-level domains without change to ease maintenance. Example:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.(net|com) [NC]
RewriteRule \.(zip|rar|exe|gif|jpe?g)$ - [NC,F]
Here is a small part of my httpd.conf file:
# Dynamic Shared Object (DSO) Support
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
# there are a bunch of other modules here
<Directory />
Options FollowSymLinks
AllowOverride None
Order Deny,Allow
Deny from all
</Directory>
<Directory /www/example/>
# Options Includes
# Options ExecCGI
</Directory>
# This is the directory I'm using to test the anti-leech. I want only this directory to have anti-leech,
# and to oblige my users to go through www.example.com in order to download ZIP, RAR, EXE.... files
<Directory /www/example/public_html/testing/files>
Options FollowSymLinks
AllowOverride All
</Directory>
<Directory /www/example/public_html/cgi-bin/>
Options ExecCGI
SetHandler cgi-script
</Directory>
# this directory is where the index.php file is located
<Directory "/www/example/public_html">
Options Indexes FollowSymLinks
Options Includes
AllowOverride All
Order allow,deny
Allow from all
</Directory>
Additionally, this is the .htaccess file, it has been uploaded into the following directory:
/www/example/public_html/testing/files
RewriteEngine On
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.(net|com) [NC]
RewriteRule \.(zip|rar|exe|gif|jpe?g)$ - [NC,F]
Please note that there is a space between } and !; however, this forum deletes it
According to me, everything should be working. My partner says it's working on his computer; however, it doesn't work here. That may be because my ISP uses a proxy to have a "cache" so that their bills will be lower.
Do I have to remove the following line?:
RewriteCond %{HTTP_REFERER} .
Will people be able to directly type the ZIP, EXE, RAR... URL in their browser if I remove this line?
I am ALMOST done with this, thanks for your excellent support!
Xavier
FINAL
------
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^$ [OR]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.net/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com/.*$ [NC]
RewriteRule .*\.([zip|rar|exe|gif|jpe?g]+)$ - [NC,F]
Well with BETA we have
(1) Direct Links working
(2) Not working links from webpages in example.com. example.net and foo.com
With RECOMMENDED AND FINAL
(1) Direct Links not working
(2) Not working links from webpages in example.net and foo.com
(3) Working from example.com
With WORKING
(1) Direct Links not working
(2) Not working links from webpages in example.com and foo.com
(3) Working from example.net
The file that's working now is WORKING
We would like to know if this will work for people who use dial-up, or for those whose ISP uses proxies or whose computers have a firewall. The idea is that this finally works from example.com and example.net (not from other websites) and not from direct links.
Thanks
Xavier
[edited by: jdMorgan at 7:12 pm (utc) on Dec. 17, 2003]
[edit reason] No personal URLs per Terms of Service [/edit]
Do I have to remove the following line?:
RewriteCond %{HTTP_REFERER} .
I suggest that you do not remove that line.
Will people be able to directly type the ZIP, EXE, RAR... URL in their browser if I remove this line?
No. And users behind firewalls or caching proxies will not be able to access the content.
The file that's working now is WORKING
We would like to know if this will work for people who use Dial Up, or for those whose ISP use proxies or whose computers have Firewall.
No, it will not work for users with caching proxies or firewalls. The connection technology (dial-up, cable, ISDN, T1, or DSL) does not matter.
The idea is that this finally work from example.com and example.net (not from other website) and not from direct links.
The problem is that HTTP_REFERER is not reliable. If you block direct type-ins, you also block users behind firewalls and caching proxies. If you allow users behind firewalls and caching proxies, then you also allow direct type-ins. Therefore, this is an imperfect solution. Mod_rewrite cannot provide a perfect solution based on HTTP_REFERER. Using cookies, sessions, or password-protection to protect your files would be a much better solution.
I strongly suggest that you accept a partial mod_rewrite solution that allows type-ins and users behind firewalls and caching proxies, and then fix the direct type-in problem using cookies, sessions, or password protection. If you do not allow firewall and caching-proxy users to access your files, then you will have many complaints. Many of these people will not know that their firewall or caching proxy is blocking them from sending a referrer to your site; They will think your site is broken and go elsewhere.
You must choose between accepting some hot-linking using mod_rewrite, blocking all hotlinking using mod_rewrite and losing 25% of your visitors, or implementing a partial solution with mod_rewrite and completing the protection using other methods.
The following code is identical in function to your "Final" code, except that it allows type-ins, firewall, and proxy users. All unnecessary code and regular-expression errors have been removed or corrected. Please review message #4 above.
RewriteEngine On
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.(net|com) [NC]
RewriteRule \.(zip|rar|exe|gif|jpe?g)$ - [NC,F]
When testing, be sure to flush your browser and proxy caches before each test access. Try pressing the Ctrl key while clicking "reload", or manually empty your Temporary Internet Files.
Jim
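The trade-off Jim describes can be made concrete by replaying the thread's rule set against a handful of requests. The Python below is an added example, not code from the thread: it rebuilds the two RewriteCond variants (blank referrer allowed versus blocked) and the recommended host pattern as regexes, and adds a stricter host pattern of its own. The sample requests are constructed, not captured traffic. It shows two things the rules themselves do not: a client can put any value in the Referer header, so the "forged header" request is indistinguishable from a local one under every variant; and because the recommended pattern is anchored only at the start, a referring host such as example.com.leech.example.org passes it unless the pattern also requires the host name to end there.

```python
import re

# Referrer patterns from the thread, rebuilt as Python regexes.
# Equivalent of: RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.(net|com) [NC]
LOOSE_REFERER_RE = re.compile(r"^http://(www\.)?example\.(net|com)", re.IGNORECASE)
# Tighter variant (an addition, not from the thread): the host name must end after the
# TLD, optionally followed by a port, so "example.com.leech.example.org" no longer matches.
STRICT_REFERER_RE = re.compile(r"^https?://(www\.)?example\.(net|com)(:\d+)?(/|$)", re.IGNORECASE)
# Equivalent of: RewriteRule \.(zip|rar|exe|gif|jpe?g)$ - [NC,F]
PROTECTED_RE = re.compile(r"\.(zip|rar|exe|gif|jpe?g)$", re.IGNORECASE)


def decide(path, referer, block_blank=False, pattern=LOOSE_REFERER_RE):
    """Mirror the .htaccess decision for one request.

    block_blank=False corresponds to "RewriteCond %{HTTP_REFERER} ." (blank referrers pass),
    block_blank=True to "RewriteCond %{HTTP_REFERER} ^$ [OR]" (blank referrers get 403).
    Returns the HTTP status the rule set would produce: 200 (served) or 403 (Forbidden).
    """
    if not PROTECTED_RE.search(path):
        return 200                       # RewriteRule pattern does not match: no rule applies
    if referer == "":
        return 403 if block_blank else 200
    return 200 if pattern.match(referer) else 403


# Constructed sample requests, not captured traffic: (label, path, Referer header).
SAMPLE_REQUESTS = [
    ("local page",        "/testing/files/game.zip", "http://www.example.com/testing/testing.php"),
    ("local, upper-case", "/testing/files/game.zip", "HTTP://WWW.EXAMPLE.NET/x.php"),
    ("foreign page",      "/testing/files/game.zip", "http://leech.example.org/page.html"),
    ("type-in or proxy",  "/testing/files/game.zip", ""),
    ("look-alike host",   "/testing/files/game.zip", "http://example.com.leech.example.org/"),
    ("forged header",     "/testing/files/game.zip", "http://www.example.com/"),
    ("not protected",     "/testing/testing.php",    "http://leech.example.org/page.html"),
]


def decision_table(block_blank=False, pattern=LOOSE_REFERER_RE):
    """Run every sample request through decide() and return {label: status}."""
    return {label: decide(path, ref, block_blank, pattern) for label, path, ref in SAMPLE_REQUESTS}


if __name__ == "__main__":
    variants = [("loose pattern, blank allowed", False, LOOSE_REFERER_RE),
                ("loose pattern, blank blocked", True, LOOSE_REFERER_RE),
                ("strict pattern, blank allowed", False, STRICT_REFERER_RE)]
    for name, blank, pat in variants:
        print(name)
        for label, status in decision_table(blank, pat).items():
            print(f"  {label:18} -> {status}")
```

The strict pattern uses only constructs PCRE supports, so the same expression can be dropped into a RewriteCond as `!^https?://(www\.)?example\.(net|com)(:[0-9]+)?(/|$)`. Note that the "forged header" row returns 200 in every table: nothing in mod_rewrite can tell a copied Referer from a real one, which is why the thread ends up recommending a token or session check for the files that matter.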
I want my visitors to go to
firstpage.php
secondpage.php
download.zip
Therefore, I included a code like this:
detailed.php
-------------
(this code goes into the first page, I'm using Links 2.0 at my site)
<% Mirror_4%>
$mirror4
<%EndIf%>
<?php
/* these are just examples, somebody please tell me how to generate random encrypted words, for example= AD192nADl10ADMF */
$user = md5(uniqid(mt_rand(), true));
$pass = md5(uniqid(mt_rand(), true));
if (isset($user) && isset($pass) && $user != "" && $pass != "") {
    # I'll make these cookies valid for only 5 minutes
    $var = setcookie("myuser", $user, time() + 300);
    $var = setcookie("mypass", $pass, time() + 300);
}
?>
<!-- the following codes may not be complete HTML codes, but you get the idea -->
<form action="prevdown.php" method="post">
<input type="hidden" name="pass" value="<?php echo $pass; ?>">
<input type="hidden" name="user" value="<?php echo $user; ?>">
<!-- this will make the user go to prevdown.php with four variables: $user, $pass, $mypass and $myuser -->
</form>
prevdown.php
-------------
<?php
/* relies on register_globals: $myuser/$mypass arrive from the cookies, $user/$pass from the form */
if (isset($myuser) && isset($mypass) && $myuser != "" && $mypass != "" && $myuser == $user && $mypass == $pass) { ?>
<!-- this is the first option -->
<form action="download.php" method="post">
<input type="hidden" name="pass" value="<?php echo $pass; ?>">
<input type="hidden" name="user" value="<?php echo $user; ?>">
<input type="hidden" name="file" value="<?php echo $mirror4; ?>">
<!-- this will make the user go to download.php with four variables: $user, $pass, $mypass and $myuser -->
</form>
<!-- this one is the second option
The bad thing about this is that the users will know the value of the user and pass variables; however, they don't know the name of those variables at their local PCs (cookies) -->
<a href="http://www.example.com/download.php?file=file.zip&user=<?php echo $user; ?>&pass=<?php echo $pass; ?>">Download the file</a>
<?php } else { ?>
Message to leechers
Go back to <a href="http://www.example.com/Download_Info/detailed<?php echo $ID; ?>">this site</a> in order to download your file.
<?php } ?>
download.php
------------
<!-- users never see this page. If successful, the download starts, as if it were a normal link to a ZIP file; if not, the page loads with a message to leechers -->
<?php if (isset($myuser) && isset($mypass) && $myuser != "" && $mypass != "" && $myuser == $user && $mypass == $pass) { ?>
Start download
<?php } else { ?>
Please visit <a href="http://www.example.com">www.example.com</a> in order to authenticate yourself as a valid visitor and download files from our site. Thank you.
<?php } ?>
My questions are.
1) Is this safe enough? (it's currently working at my site and it works fine; this version is improved)
2) At the page "prevdown.php", should I use a form again so that users will not be able to see the file? (this will be really confusing because we want kits to be downloaded with kits.php, stadiums with stadium.php... and then I want the script to be automatic)
3) If at prevdown.php I use the second option (linking to download.php displaying the user and pass), will that be unsafe?
4) Could I edit the ifs at download.php and make it search for $myuser and $mypass, as long as they are different from ""? Would that be safe?
5) Finally, could someone tell me how to make the variables $user, $pass, $myuser, $mypass... and their values... random, encrypted values, each time the user visits our site (detailed.php)?
Thanks for your support! :)
I'm not using Apache anti-leech at all and it works fine at the moment
Xavier
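A download gate of the kind Jim recommends (cookies, sessions or tokens instead of the Referer header) and Xavier sketches above, written as an added example rather than code from the thread. It is in Python; the same primitives exist in PHP as hash_hmac() and hash_equals(). The page the visitor reaches legitimately issues a token carrying the file name, an expiry and an HMAC computed under a key that only the server knows; download.php recomputes the HMAC and serves the file only if the token is unexpired, unaltered and names a file in the catalogue. The key, the file catalogue and the five-minute lifetime are assumptions for the illustration. The essential property is that the token is something the client cannot produce on its own: the secret never leaves the server, so neither a cookie nor a hidden form field has to be trusted.

```python
import hmac
import hashlib
import time
from urllib.parse import urlencode, parse_qs, urlparse

# Assumptions for this illustration: the key lives only on the server (never in a cookie or
# form field), and the catalogue of downloadable files is known in advance.
SECRET_KEY = b"replace-with-a-long-random-secret-kept-on-the-server"
TOKEN_TTL = 300                                           # seconds; the post mentions a five-minute window
ALLOWED_FILES = {"game.zip", "stadium.rar", "kit.exe"}   # constructed sample catalogue


def _signature(file_name, expires):
    """HMAC-SHA256 over the file name and expiry; PHP's hash_hmac() does the same job."""
    message = f"{file_name}:{expires}".encode()
    return hmac.new(SECRET_KEY, message, hashlib.sha256).hexdigest()


def issue_token(file_name, now=None):
    """Called by the page a visitor reaches legitimately (detailed.php in the post)."""
    if file_name not in ALLOWED_FILES:
        raise ValueError(f"unknown file: {file_name!r}")
    now = int(time.time() if now is None else now)
    expires = now + TOKEN_TTL
    return f"{file_name}:{expires}:{_signature(file_name, expires)}"


def download_url(file_name, now=None):
    """Build the link to put on the page; the token travels in the query string."""
    return "/download.php?" + urlencode({"token": issue_token(file_name, now)})


def verify_token(token, now=None):
    """Called by download.php. Returns the file name to serve, or None to refuse."""
    now = int(time.time() if now is None else now)
    parts = token.rsplit(":", 2)         # the file name may contain ':'; expiry and signature cannot
    if len(parts) != 3:
        return None
    file_name, expires_s, sig = parts
    if file_name not in ALLOWED_FILES or not expires_s.isdigit():
        return None                      # refuse anything outside the catalogue (no ../ tricks)
    expires = int(expires_s)
    if now > expires:
        return None                      # token expired
    if not hmac.compare_digest(sig, _signature(file_name, expires)):
        return None                      # tampered file name, expiry or signature
    return file_name


def file_for_request(url, now=None):
    """Convenience for download.php: pull the token out of a request URL and verify it."""
    token = parse_qs(urlparse(url).query).get("token", [""])[0]
    return verify_token(token, now)


if __name__ == "__main__":
    link = download_url("game.zip")
    print("link placed on detailed.php:", link)
    print("download.php would serve:", file_for_request(link))
    print("after the window closes:", file_for_request(link, now=time.time() + TOKEN_TTL + 1))
```

The comparison uses hmac.compare_digest (hash_equals() in PHP) so that a wrong signature is rejected in constant time. If passing a still-valid link to a friend within the window matters, add the session id or the visitor's address to the HMAC input and the URL; the verification logic is otherwise unchanged.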