Prevent remote image linking?

My server doesn't support mod_rewrite!

         

Doraemon

11:25 am on Apr 25, 2003 (gmt 0)

10+ Year Member



Hi.

I read a lot of topics regarding remote linking and how to block it.
My problem is that my server does not support mod_rewrite.
Hence, the solutions given in the other threads didn't work for me.

Is there a different way - without using mod_rewrite - to block direct image linking?

Many thanks in advance! :)

leoo24

4:55 pm on Apr 25, 2003 (gmt 0)

10+ Year Member



Does your hosting account use cPanel? If so, you can prevent hotlinking through that.

TheWebographer

7:37 pm on Apr 25, 2003 (gmt 0)

10+ Year Member



You can also use SetEnvIfNoCase Referer in your .htaccess

carfac

8:05 pm on Apr 25, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi:

Here is the code for an httpd.conf file:

<Directory "/path/to/your/images">
Options +FollowSymLinks
### Protect Local Images
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/.*$ [NC]
RewriteRule \.(gif|jpg)$ - [NC,F]
</Directory>

dave

dmorison

8:06 pm on Apr 25, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi -

If you can't change .htaccess (or just don't have that facility on your hosting account), are you able to run a server side scripting language - Perl, PHP or ASP?

Doraemon

11:38 am on Apr 26, 2003 (gmt 0)

10+ Year Member



Thanks for the quick replies! :)

I can have my own .htaccess files (but no mod_rewrite command) and my server supports pretty much any kind of scripting language (PHP, Perl, etc.).

I'm a newbie to this, so I don't know how to set up a httpd.conf file. Is it similar to a .htaccess file?

And do you have a working code sample for the SetEnvIfNoCase referer as I don't know how to use it.

Thanks!

carfac

4:58 pm on Apr 26, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Doraemon:

Sorry- how very rude of us! Welcome to Webmasterworld!

>>> I'm a newbie to this, so I don't know how to set up a httpd.conf file. Is it similar to a .htaccess file?

You PROBABLY do not have access to httpd.conf- that is the config file for the whole Apache server! The advantage is that any changes there affect the whole server and how it runs, and are thus faster than any other sorts of changes you can make (generally!).

Typically, the changes you make there (like the post I made above) can be added to a .htaccess file with very little modification.

I would suggest you contact your ISP and ask them about mod_rewrite- whether it is there, and if not, see if they will put it on. It takes very little effort. Be warned, it is VERY POWERFUL, and if you do not understand the "rules" you can disable your whole website (or cause a loop and kill your whole server). That said, there are MANY wonderful people here who can help you with the rules, and point you to good guides.

Despite my warnings (just keep them in mind!) mod_rewrite is the way to go. You can do so much, so easily! Get with your ISP, I am sure they will help you get that going!

Good Luck!

Dave

jdMorgan

5:13 am on Apr 27, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Doraemon,

An example for you.
Click on the links for information on each Apache directive:


SetEnvIfNoCase Referer "^http://www\.example\.com" hotlinker
<FilesMatch "\.(gif¦jpe?g¦GIF¦JPE?G)$">
Deny from hotlinker
</FilesMatch>

SetEnvIfNoCase: http://httpd.apache.org/docs/mod/mod_setenvif.html#SetEnvIfNoCase
FilesMatch: http://httpd.apache.org/docs/mod/core.html#filesmatch
Deny: http://httpd.apache.org/docs/mod/mod_access.html#deny

The first line sets an environment variable named "hotlinker" if the http referer is www.example.com.
The second line defines what filetypes the restriction is to apply to.
The third line tests the environment variable "hotlinker", and denies access if it is set.
The fourth line closes the <FilesMatch> directive opened on line two.

You can add as many referers as you want to block. Just copy line one and change the "www.example.com" to whatever domain you want to block. The backslashes "\" should precede each period (dot) in the URL.

Important! - You must hand-edit the above code and replace all the "¦" characters in line two with the solid vertical line character from your keyboard. This forum modifies those characters and breaks them. Attempting to use this code without correcting these characters will cause 500-Server Errors!

Notice: I have not used or tested the code above. If it does not work, follow the linked documentation for more information.

HTH,
Jim

Doraemon

11:42 am on Apr 27, 2003 (gmt 0)

10+ Year Member



carfac, thanks for the welcome. :-)

I already asked my ISP about mod_rewrite and they told me that it was not available and they obviously have no intention of making it available.

Therefore, I'll probably try jdMorgan's code.
One thing, though. Where do I put that code? ;-)

Sorry, to ask such rudimental questions, but I really don't know. :-)

Scooter24

9:31 am on Apr 29, 2003 (gmt 0)

10+ Year Member Top Contributors Of The Month




SetEnvIfNoCase Referer "^http://www\.example\.com" hotlinker
<FilesMatch "\.(gif¦jpe?g¦GIF¦JPE?G)$">
Deny from hotlinker
</FilesMatch>

But it's better to have a list of allowed domains and only allow GET requests for images from those domains. Is there a way of doing so with SetEnvIfNoCase?

To the original poster: I would consider finding a provider which allows mod_rewrite.

Doraemon

10:45 am on Apr 29, 2003 (gmt 0)

10+ Year Member



No. I am happy with my provider (fast, reliable, good service).
Besides, I just paid for the next 6 months. ;-)

Again: Where Do I place that code?

Thanks!

Scooter24

2:02 pm on Apr 29, 2003 (gmt 0)

10+ Year Member Top Contributors Of The Month



>>> Where Do I place that code?

In the .htaccess file. Your .htaccess file might look like this:

SetEnvIfNoCase Referer "^http://www\.example\.com" hotlinker
<FilesMatch "\.(gif¦jpe?g¦GIF¦JPE?G)$">
Deny from hotlinker
</FilesMatch>

Options -Indexes

jdMorgan

4:54 pm on Apr 29, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Scooter24,

>>> But it's better to have a list of allowed domains and only allow GET requests for images from those domains. Is there a way of doing so with SetEnvIfNoCase?

# Block image hot-linkers
SetEnvIf Referer "^$" allowimage
SetEnvIfNoCase Referer "^http://(www\.)?yourdomain\.com" allowimage
# Put your server's IP address in the next line
SetEnvIfNoCase Referer "^http://127\.0\.0\.1" allowimage
<FilesMatch "\.(gif¦jpe?g¦GIF¦JPE?G)$">
order allow,deny
allow from env=allowimage
</FilesMatch>

I haven't tested this - I use mod_rewrite for most applications. If you try it, please post as to whether it works. The warnings in my original post above apply. This code also allows blank HTTP_REFERERs in order to prevent massive problems with proxies and client security programs such as Norton Internet Security and browsers with "hide referrer" settings.

The last SetEnvIfNoCase line can be used to allow full access to your site even in case of a DNS problem. Put your server's IP address in there, with the periods escaped by backslashes as shown. If your site does not have a unique IP address you can't use this, so delete that line.

HTH,
Jim
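
The allow-list above, modelled in Python and run over constructed Referer values, as an added example that is not code from the thread or from Apache. POSTED_RULES copies the three posted patterns; TIGHTENED_RULES is an assumption added here to show what changes when https is accepted and the hostname must end at "/", ":" or end of string. The FilesMatch pattern is written with the real vertical bar.

```python
import re

# SetEnvIf rules from the post above: (pattern, case-insensitive?).
# "yourdomain.com" and 127.0.0.1 are the post's own placeholders.
POSTED_RULES = [
    (r"^$", False),                              # SetEnvIf: blank Referer
    (r"^http://(www\.)?yourdomain\.com", True),  # SetEnvIfNoCase
    (r"^http://127\.0\.0\.1", True),             # SetEnvIfNoCase
]

# Assumed tightening (not from the thread): accept https and require the
# host to end at "/", ":" or end of string, so a longer host cannot match.
TIGHTENED_RULES = [
    (r"^$", False),
    (r"^https?://(www\.)?yourdomain\.com([/:]|$)", True),
    (r"^https?://127\.0\.0\.1([/:]|$)", True),
]

PROTECTED = re.compile(r"\.(gif|jpe?g|GIF|JPE?G)$")  # the FilesMatch pattern


def allowimage(referer, rules):
    """True if any SetEnvIf rule would set the allowimage variable."""
    return any(re.search(p, referer, re.I if nocase else 0)
               for p, nocase in rules)


def status(filename, referer, rules):
    """HTTP status the posted block would produce for one request."""
    if not PROTECTED.search(filename):
        return 200  # FilesMatch does not apply to this file
    # "order allow,deny" with only an allow line: denied unless allowed
    return 200 if allowimage(referer, rules) else 403


# Constructed sample Referer values (not taken from real logs)
SAMPLES = [
    "",                                                 # blank or absent
    "http://www.yourdomain.com/gallery.html",           # own page
    "HTTP://YourDomain.com/",                           # case variant
    "https://www.yourdomain.com/gallery.html",          # own page over https
    "http://forum.example.net/viewtopic.php?t=1",       # remote page
    "http://www.yourdomain.com.example.net/page.html",  # longer hostname
]

if __name__ == "__main__":
    for ref in SAMPLES:
        print(f"{ref!r:52} posted={status('logo.jpg', ref, POSTED_RULES)} "
              f"tightened={status('logo.jpg', ref, TIGHTENED_RULES)}")
```

The last two rows differ between the rule sets: the posted patterns turn away the site's own pages when they are served over https, and accept any Referer whose hostname merely begins with the allowed name.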

Doraemon

8:05 pm on Apr 29, 2003 (gmt 0)

10+ Year Member



I'll try it. Thanks!

One more thing.
If I put that code in a .htaccess file in my images folder, will this code work for sub-directories as well?

Many thanks!

jdMorgan

8:54 pm on Apr 29, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Doraemon,

If you put this in the .htaccess of your images folder, it will work for your images folder and subdirectories of your images folder.

A given .htaccess file controls resources (files, etc.) in the same directory as that .htaccess file, and in subdirectories of that directory only. An .htaccess file in a lower-level subdirectory can override settings in .htaccess files in the directories above it for resources in the lower-level subdirectory. This is sometimes useful to establish default settings or rules in a high-level directory, but allow overriding the default for some special subdirectories below that level.

HTH,
Jim

fathom

9:20 pm on Apr 29, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Just change your file names periodically, and add a nice adult caption with the old file name.

They won't want to poison their own market "periodically" and will quickly stop.

Doraemon

11:12 am on Apr 30, 2003 (gmt 0)

10+ Year Member



Jim,

thanks a lot! Your code worked! :-)

Many thanks to the rest of you guys, too!

fathom,
I did that for a couple of weeks now, but one especially persistent fellow kept adapting to the file name changes.

Doraemon

11:21 am on Apr 30, 2003 (gmt 0)

10+ Year Member



Strange.

After the first success it now seems to be not working.

That guy in that one discussion board who uses an image of mine as his avatar, when I check his posts the image is not available, which is good.
Unfortunately, when I check the image on my website it's not there either. However, when I refresh the image on my website it loads correctly. But when I afterwards check that forum the avatar of that guy shows up, too.

Very strange.

Any ideas?

Doraemon

11:23 am on Apr 30, 2003 (gmt 0)

10+ Year Member



One other thing I noticed.

Only that one image that is (at the moment) being remotely linked causes problems on my website.

Could that be related to the code?

jdMorgan

3:11 pm on Apr 30, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Doraemon,

You must manually flush your browser's cache when testing. If the image is in your browser cache, and you go to look at the hotlinking site, then your browser will not try to access the image from your server, it will instead use the copy it already has. So, the image will appear to still be hot-linked, when in fact, it isn't.

Clearing your cache before each image-access test will clarify any real problems you might be having.

Jim

Doraemon

7:33 pm on Apr 30, 2003 (gmt 0)

10+ Year Member



That did the trick!

Thanks again, Jim! :-)