
Forum Moderators: Ocean10000 & phranque


.htaccess

Anti-leech not working

     
3:46 am on Dec 16, 2003 (gmt 0)

New User

10+ Year Member

joined:Nov 29, 2003
posts:23
votes: 0


RewriteEngine On
RewriteCond %{HTTP_REFERER}!^http://([a-z0-9-]+\.)*example.net/ [NC]
RewriteCond %{HTTP_REFERER}!^http://([a-z0-9-]+\.)*64.***.24.58/ [NC]
RewriteRule ^.*$ http://www.example.net/ [L,R]

Dear Webmasterworld

Here's the .htaccess file I'm trying to use in order to stop sites linking to my ZIP, EXE, RAR... files. I'm trying to setup an anti-leech system in order to publish downloads for soccer games.

Thanks in advance for your great support

Regards

Xavier

[edited by: jdMorgan at 6:31 am (utc) on Dec. 16, 2003]
[edit reason] No personal Urls or sigs, please [/edit]

6:49 am on Dec 16, 2003 (gmt 0)

Senior Member

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 31, 2002
posts:25430
votes: 0


Socceraccess,

Welcome to WebmasterWorld!

Please check out our Terms of Service [webmasterworld.com] and the Apache forum charter [webmasterworld.com].

You didn't say what went wrong when you try your code, but several things to be aware of:

  • You must have a space between "}" and "!" in the RewriteConds - Unfortunately, this forum deletes the space unless you type two spaces in there.
  • You cannot redirect to a fundamentally different file type (MIME type). That is, you can generally redirect from a .gif image to a .jpg image (for example), but you cannot redirect from an image to an html page - most browsers can't handle that.
  • If you block blank referrers, many of your legitimate visitors will be blocked. If they are surfing from behind their ISP's caching proxy or have Internet Security software or a firewall installed, their referrer may be suppressed without their knowledge. This can lead to a "customer support" nightmare for you. It is a sad fact that referrers are simply not reliable.

    The simplest solution is simply to return a 403-Forbidden server response for hotlink-related requests that have a non-local referrer:

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} .
    RewriteCond %{HTTP_REFERER} !^http://.*example\.net [NC]
    RewriteCond %{HTTP_REFERER} !^http://64\.***\.24\.58
    RewriteRule \.(zip¦exe¦rar)$ - [NC,F]

    Note that you must replace the "¦" character with the solid vertical pipe character from your keyboard.

    For a lot more info on this subject, try searching WebmasterWorld [google.com] for "hotlinking" and related phrases.

    Jim

    10:30 pm on Dec 16, 2003 (gmt 0)

    New User

    10+ Year Member

    joined:Nov 29, 2003
    posts:23
    votes: 0


    Dear WebmasterWorld

    I got this .htaccess working at
    www.example.com
    It works perfectly fine

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} ^$ [OR]
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com/.*$ [NC]
    RewriteRule .*\.([zip¦rar¦exe¦gif¦jpg¦jpe?g]+)$ - [NC,F]

    Here are URLs where you can see the .htaccess working:
    www.example.com/testing/testing.php (image and download working)
    www.example.net/testing/testing.php (image and download not working)

    However, when I insert that .htaccess to example.net, it doesn't work:
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} ^$ [OR]
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.net/.*$ [NC]
    RewriteRule .*\.([zip¦rar¦exe¦gif¦jpg¦jpe?g]+)$ - [NC,F]

    Here are some URLs where you can preview it:
    www.example.com/testing/testing.php (image and download not working)
    www.example.net/testing/testing.php (image and download not working NEITHER)

    mod_rewrite is installed at example.net
    I have Apache 2.0.40 at example.net, and I think I have Apache 1.3 at example.com

    I am the webmaster of example.net, it's a plain RedHat 9 Linux server. However, example.com is located at Imhoted, and all I have is a Cpanel.

    My questions are:
    1) Is the .htaccess I provided right?
    2) Why do you think .htaccess works at example.com and not at example.net?

    I even tried entering the .htaccess code directly at Apache, like this:

    <Directory>
    /home/***/public_html/testing/files
    </Directory>

    Thanks for the support!

    [edited by: jdMorgan at 5:17 am (utc) on Dec. 17, 2003]
    [edit reason] No personal URLs, please. [/edit]

    5:54 am on Dec 17, 2003 (gmt 0)

    Senior Member

    WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

    joined:Mar 31, 2002
    posts:25430
    votes: 0


    Xavier,

    The problem is most likely due to a configuration difference between the two servers.

    In order for the code to work, you must have AllowOverrides All or AllowOverrides FileInfo, plus Options FollowSymLinks set in httpd.conf.

    Alternatively, you must have AllowOverrides All or AllowOverrides FileInfo Options set in httpd.conf, and Options +FollowSymLinks set in .htaccess.

    Be careful to preserve any pre-existing settings when adding these overrides and options.

    In addition, mod_rewrite must be installed and enabled on your server.

    If the above conditions are not met, then mod_rewrite will not be activated.

    Note that a leading "^.*" or ".*" and a trailing ".*$" is redundant, and can be omitted from your regular expressions patterns.

    The first RewriteCond, which you have modified to block blank referers, now serves no purpose and can be omitted without changing the behaviour. I strongly suggest that you do not block blank referrers. However, you can block them as long as you are aware that this will cause a large number of your legitimate visitors who are behind their ISP's caching proxies or firewalls to be blocked, costing you visitors, customers, and/or members, and increasing your "customer service" calls dramatically. Referrers are simply not reliable enough to allow most sites to block blank referers unless specific exceptions are made based on {REMOTE_ADDRESS} and/or {REMOTE_HOST}. You must assess the economics of this problem for your own sites, but in most cases, it will cost you more than it is worth to block blank referrers either completely or selectively.

    "jpe?g" matches either "jpeg" or "jpg", and the square brackets and "+" serve no purpose.

    Further, I suggest that you eliminate the trailing slash on the regular expressions hostname pattern, and you can also write the pattern so that it will work on both top-level domains without change to ease maintenance. Example:


    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.(net¦com) [NC]
    RewriteRule \.(zip¦rar¦exe¦gif¦jpe?g)$ - [NC,F]

    Jim

    3:02 pm on Dec 17, 2003 (gmt 0)

    New User

    10+ Year Member

    joined:Nov 29, 2003
    posts:23
    votes: 0


    Dear jdMorgan

    Here is a small part of my httpd.conf file:

    # Dynamic Shared Object (DSO) Support

    LoadModule alias_module modules/mod_alias.so
    LoadModule rewrite_module modules/mod_rewrite.so
    # there are a bunch of other modules here

    <Directory />
    Options FollowSymLinks
    AllowOverride None
    Order Deny,Allow
    Deny from all
    </Directory>

    <Directory /www/example/>
    # Options Includes
    # Options ExecCGI
    </Directory>

    # This is the directory I'm using to test the anti-leech. I want only this directory to have anti-leech, and to obligate my users to go through www.example.com in order to
    # download ZIP, RAR, EXE.... files

    <Directory /www/example/public_html/testing/files>
    Options FollowSymLinks
    AllowOverride All
    </Directory>

    <Directory /www/example/public_html/cgi-bin/>
    Options ExecCGI
    SetHandler cgi-script
    </Directory>

    # this directory is where the index.php file is located
    <Directory "/www/example/public_html">
    Options Indexes FollowSymLinks
    Options Includes
    AllowOverride All
    Order allow,deny
    Allow from all
    </Directory>

    Additionally, this is the .htaccess file, it has been uploaded into the following directory:

    /www/example/public_html/testing/files

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} .
    RewriteCond %{HTTP_REFERER}!^http://(www\.)?example\.(net¦com) [NC]
    RewriteRule \.(zip¦rar¦exe¦gif¦jpe?g)$ - [NC,F]

    Please note that there is a space between } and !, however this forum deletes it

    According to me, everything should be working. My partner says it's working at his computer, however, it doesn't work here. That may be because my ISP uses a proxy to have a "cache" so that their bills will be lower.

    Do I have to remove the following line?:

    RewriteCond %{HTTP_REFERER} .

    Will people be able to directly type the ZIP, EXE, RAR... URL in their browser if I remove this line?

    I am ALMOST done with this, thanks for your excellent support!

    Xavier

    4:39 pm on Dec 17, 2003 (gmt 0)

    New User

    10+ Year Member

    joined:Nov 29, 2003
    posts:23
    votes: 0


    WORKING
    ---------
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} ^$ [OR]
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.net/.*$ [NC]
    RewriteRule .*\.([zip¦rar¦exe¦gif¦jpg¦jpe?g]+)$ - [NC,F]

    FINAL
    ------
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} ^$ [OR]
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.net/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com/.*$ [NC]
    RewriteRule .*\.([zip¦rar¦exe¦gif¦jpe?g]+)$ - [NC,F]

    Well with BETA we have
    (1) Direct Links working
    (2) Not working links from webpages in example.com. example.net and foo.com

    With RECOMMENDED AND FINAL
    (1) Direct Links not working
    (2) Not working links from webpages in example.net and foo.com
    (3) Working from example.com

    With WORKING
    (1) Direct Links not working
    (2) Not working links from webpages in example.com and foo.com
    (3) Working from example.net

    The file that it's working now is WORKING
    We would like to know if this will work for people who use Dial Up, or for those whose ISP use proxies or whose computers have Firewall. The idea is that this finally work from example.com and example.net (not from other website) and not from direct links.

    Thanks
    Xavier

    [edited by: jdMorgan at 7:12 pm (utc) on Dec. 17, 2003]
    [edit reason] No personal URLs per Terms of Service [/edit]

    7:42 pm on Dec 17, 2003 (gmt 0)

    Senior Member

    WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

    joined:Mar 31, 2002
    posts:25430
    votes: 0


    Xavier,

    Do I have to remove the following line?:

    RewriteCond %{HTTP_REFERER} .

    I suggest that you do not remove that line.

    Will people be able to directly type the ZIP, EXE, RAR... URL in their browser if I remove this line?

    No. And users behind firewalls or caching proxies will not be able to access the content.

    The file that it's working now is WORKING
    We would like to know if this will work for people who use Dial Up, or for those whose ISP use proxies or whose computers have Firewall.

    No, it will not work for users with caching proxies or firewalls. The connection technology (dial-up, cable, ISDN, T1, or DSL) does not matter.

    The idea is that this finally work from example.com and example.net (not from other website) and not from direct links.

    The problem is that HTTP_REFERER is not reliable. If you block direct type-ins, you also block users behind firewalls and caching proxies. If you allow users behind firewalls and caching proxies, then you also allow direct type-ins. Therefore, this is an imperfect solution. Mod_rewrite cannot provide a perfect solution based on HTTP_REFERER. Using cookies, sessions, or password-protection to protect your files would be a much better solution.

    I strongly suggest that you accept a partial mod_rewrite solution that allows type-ins and users behind firewalls and caching proxies, and then fix the direct type-in problem using cookies, sessions, or password protection. If you do not allow firewall and caching-proxy users to access your files, then you will have many complaints. Many of these people will not know that their firewall or caching proxy is blocking them from sending a referrer to your site; They will think your site is broken and go elsewhere.

    You must choose between accepting some hot-linking using mod_rewrite, blocking all hotlinking using mod_rewrite and losing 25% of your visitors, or implementing a partial solution with mod_rewrite and completing the protection using other methods.

    The following code is identical in function to your "Final" code, except that it allows type-ins, firewall, and proxy users. All unnecessary code and regular-expressions errors have been removed or corrected. Please review message #4 above.


    RewriteEngine On
    RewriteCond %{HTTP_REFERER} .
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.(net¦com) [NC]
    RewriteRule \.(zip¦rar¦exe¦gif¦jpe?g)$ - [NC,F]

    Replace the "¦" characters with the solid vertical pipe character from your keyboard.

    When testing, be sure to flush your browser and proxy caches before each test access. Try pressing the CTL key while clicking "reload", or manually empty your Temporary Internet Files.

    Jim
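
How the rule sets in this thread decide, as an added Python simulation (not code from the thread, and not Apache itself): it evaluates the "FINAL" conditions and Jim's recommended conditions over constructed Referer values, and compares the `[...]+` extension class with the plain alternation. The file names and the `example.net.foo.com` host are made-up test inputs.

```python
import re

# Patterns from the thread, with the forum's "¦" replaced by a real "|".
NET = re.compile(r"^http://(www\.)?example\.net/.*$", re.I)
COM = re.compile(r"^http://(www\.)?example\.com/.*$", re.I)
OWN = re.compile(r"^http://(www\.)?example\.(net|com)", re.I)
EXT_CLASS = re.compile(r".*\.([zip|rar|exe|gif|jpe?g]+)$", re.I)  # "FINAL"
EXT_ALT = re.compile(r"\.(zip|rar|exe|gif|jpe?g)$", re.I)         # Jim's


def final_rules(path, referer):
    """Xavier's "FINAL" set: (blank OR not .net) AND not .com gives 403."""
    if not EXT_CLASS.search(path):      # the RewriteRule pattern is tested first
        return 200
    first = referer == "" or not NET.search(referer)   # cond 1 [OR] cond 2
    return 403 if first and not COM.search(referer) else 200


def recommended_rules(path, referer):
    """Jim's set: non-blank referer AND not an own-site referer gives 403."""
    if not EXT_ALT.search(path):
        return 200
    return 403 if referer != "" and not OWN.search(referer) else 200


# Constructed sample Referer values, one per case discussed in the thread.
REFERERS = {
    "blank": "",
    "own .net": "http://www.example.net/testing/testing.php",
    "own .com": "http://example.com/testing/testing.php",
    "foreign": "http://foo.com/links.html",
    # Host that only begins with "example.net"; a hostname pattern with
    # nothing after it (no "/" or "(/|$)") treats this as an own-site referer.
    "prefix": "http://example.net.foo.com/links.html",
}


def decision_table(path="kit.zip"):
    """Map each sample to (status under FINAL, status under Jim's rules)."""
    return {k: (final_rules(path, r), recommended_rules(path, r))
            for k, r in REFERERS.items()}


def extension_hits(names=("kit.zip", "photo.JPEG", "lib.jar",
                          "notes.page", "index.php")):
    """Map each file name to (matched by [..]+ class, matched by alternation)."""
    return {n: (bool(EXT_CLASS.search(n)), bool(EXT_ALT.search(n)))
            for n in names}


if __name__ == "__main__":
    for label, statuses in decision_table().items():
        print(f"{label:9} FINAL={statuses[0]} recommended={statuses[1]}")
    for name, hits in extension_hits().items():
        print(f"{name:11} class={hits[0]} alternation={hits[1]}")
```
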

    2:50 pm on Dec 20, 2003 (gmt 0)

    New User

    10+ Year Member

    joined:Nov 29, 2003
    posts:23
    votes: 0


    Dear Jim

    I want my visitors to go to

    firstpage.php
    secondpage.php
    download.zip

    Therefore, I included a code like this:

    detailed.php
    -------------
    (this code goes into the first page, I'm using Links 2.0 at my site)
    <% Mirror_4%>
    $mirror4
    <%EndIf%>

    /* these are just examples, somebody please tell me how to generate random encrypted words, for example= AD192nADl10ADMF */
    $user=Generate MD5 ()
    $pass=Generate MD5

    If (isset($user) && isset($pass) && $user!="" && $pass!="") {

    # I'll make these cookies valid for only 5 minutes
    $var = setcookie ("myuser", $user)
    $var = setcookie ("mypass", $pass)

    /* the following codes may not be complete HTML codes, but you get the idea */
    <form action="prevdown.php" method="post">
    hidden="pass", value="$pass"
    hidden="user", value="$user"
    /* this will make the user to go prevdown.php with four variables, $user, $pass, $mypass and $myuser */
    </form>

    prevdown.php
    -------------
    <? if (isset($myuser) && isset($mypass) && $myuser!="" && $mypass!="" && $myuser=="$user" && $mypass=="$pass") {?>

    /* this is the first option */
    <form action="download.php" method="post">
    hidden="pass", value="$pass"
    hidden="user", value="$user"
    hidden="file", value="$mirror4"
    /* this will make the user to go download.php with four variables, $user, $pass, $mypass and $myuser */
    </form>

    /* this one is the second option
    The bad thing about this is that the users will know the value of the user and pass variables, however, they don't know the name of those variables at their local PCs (cookies)*/

    <a href="http://www.example.com/download.php?file.zip&user=$user&pass=$pass">Download the file</a>

    <? } Else {?>
    Message to leechers
    Go back to <a href="http://www.example.com/Download_Info/detailed<?php echo $ID; ?>">this site</a> in order to download your file.
    <? }?>

    download.php
    ------------
    /* users never see this page. If successful, the download starts, like if it would be a normal link to a ZIP file, if not, then the page loads with a message to leechers */

    <? if (isset($myuser) && isset($mypass) && $myuser!="" && $mypass!="" && $myuser=="$user" && $mypass=="$pass") {?>
    Start download
    <? } Else {?>
    Please visit <a href="www.example.com">www.example.com</a> in order to authenticate yourself as a valid visit and download files from our site. Thank you.
    <? } ?>

    My questions are.

    1) Is this safe enough? (it's currently working at my site and it works fine, this version is improved)
    2) at the page "prevdown.php", should I use a form again so that users will not be able to see the file? (this will be really confusing because we want kits to be downloaded with kits.php, stadiums with stadium.php... and then, I want the script to be automatic)
    3) if I at prevdown.php I use the second option (linking to the download.php displaying the user and pass) will that be unsafe?
    4) Could I edit the IFS at download.php, and make it search for $myuser and $mypass, as long as they are different from "". Would that be safe?
    5) Finally, could someone tell me, how to make the variables $user, $pass, $myuser, $mypass... and its values... random, encrypted values, each time the user visits our site (detailed.php)?

    Thanks for your support! :)

    I'm not using Apache anti-leech at all and it works fine at the moment

    Xavier
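
A server-signed, expiring token is one way to get the "random value valid for five minutes" that the post above asks about. The sketch below is an added Python example (the post's pages are PHP), not the poster's code: `issue_token`, `verify_token`, the token layout and the key handling are assumptions, and `cookie_equals_form` mirrors the comparison in prevdown.php for contrast.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # assumption: kept server-side, never sent out
TOKEN_LIFETIME = 5 * 60               # seconds; the five minutes from the post


def _sign(filename, expires, nonce):
    payload = f"{filename}|{expires}|{nonce}".encode()
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def issue_token(filename, now=None):
    """Return "expiry.nonce.signature" for one file (hypothetical layout)."""
    issued = time.time() if now is None else now
    expires = int(issued) + TOKEN_LIFETIME
    nonce = secrets.token_urlsafe(12)  # random part, new on every page view
    return f"{expires}.{nonce}.{_sign(filename, expires, nonce)}"


def verify_token(filename, token, now=None):
    """True only if the server signed this token for this file and it is unexpired."""
    try:
        expires_text, nonce, sig = token.split(".")
        expires = int(expires_text)
    except ValueError:                 # wrong number of parts or non-numeric expiry
        return False
    expected = _sign(filename, expires, nonce)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    current = time.time() if now is None else now
    return current < expires


def cookie_equals_form(cookie_value, form_value):
    """The check sketched in the post: passes whenever the two values agree.

    Both values come from the client, so agreement alone does not show
    that the server issued them.
    """
    return cookie_value != "" and cookie_value == form_value


if __name__ == "__main__":
    token = issue_token("kit.zip")
    print("valid for kit.zip:    ", verify_token("kit.zip", token))
    print("valid for stadium.zip:", verify_token("stadium.zip", token))
```

Because the signature covers the file name and the expiry time, the download page can check a link without storing any per-visitor state.
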

    12:42 am on Dec 23, 2003 (gmt 0)

    Senior Member

    WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

    joined:Mar 31, 2002
    posts:25430
    votes: 0


    Xavier,

    Your last post might be better answered in our PHP forum, since it focuses on PHP issues.

    Jim

     
