Basically, it's far too crude to use. I used it for a month without realising about 15-20% of my *legitimate* visitors were getting the stopthief.gif (a 1 pixel image).
RewriteEngine on
# Each condition must hold (the referer must match none of these hosts) before the rule fires
RewriteCond %{HTTP_REFERER} !^http://subdomain.mydomain.tld/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://mydomain.tld/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.subdomain.mydomain.tld/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mydomain.tld/.*$ [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ [mydomain.tld...] [R,NC]
So I searched for an alternative and found this code that doesn't use mod_rewrite:
# ErrorDocument takes a second argument (the page or URL to serve); it is absent in the post as quoted
ErrorDocument 403
# Mark requests whose Referer is our own site (or blank, or a known translator) as local
SetEnvIf Referer "^http://mydomain\.tld" local_ref=1
SetEnvIf Referer "^http://[^/]*\.mydomain\.tld" local_ref=1
SetEnvIf Referer "^$" local_ref=1
SetEnvIfNoCase Referer "^http://babel\.altavista\.com/" local_ref=1
SetEnvIfNoCase Referer "^http://translate\.google\.com/" local_ref=1
# Deny image files to everyone except requests carrying the local_ref variable
<FilesMatch "\.(jpg|gif)$">
Order Deny,Allow
Deny from all
Allow from env=local_ref
</FilesMatch>
It looks great; I put it in my root .htaccess file, but it too blocks plenty of legitimate visitors from seeing images.
Even Google Translate and Babel, which it is supposed to let through!
Can anybody offer a more sensitive code fix for the people outsourcing our images illegally?
It is a growing problem since blogs with 'Email this page to a friend' took off.
The demand for this fix can only increase, we all need a suitably subtle fix.
it too blocks plenty of legitimate visitors from seeing images
What exactly are "legitimate visitors"?
Which legitimate visitors does this code not allow? I modified the cPanel code to be more compact and to allow blank referrers, as well as babelfish.altavista.com and translate.google.com.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?(subdomain\.)?mydomain.tld/ [NC]
RewriteCond %{HTTP_REFERER} !^-?$
RewriteCond %{HTTP_REFERER} !^http://babelfish\.altavista\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://translate\.google\.com/ [NC]
RewriteRule \.(jpg|jpeg|gif|png|bmp)$ http://www.mydomain.tld/myopensubdirectory/stopthief.gif [R,NC,L]
Keep in mind that you'll have to replace the ¦ with the one on your keyboard.
Though I've yet to try your code :)
I've altered your code line:
RewriteCond %{HTTP_REFERER} !^http://(www\.)?(subdomain\.)?mydomain.tld/ [NC]
To:...
RewriteCond %{HTTP_REFERER} !^http://(www\.)?my\-domain\.tld/ [NC]
Am I correct in assuming the extra backslashes are needed for my *hyphenated-domain-name* and the .tld? I also deleted the subdomain bit, as I have no images in them. Roger on the vertical line.
Also, (I'm askin' not contesting) shouldn't there be an $ after each RewriteCond, to close off the ^?
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?(subdomain\.)?mydomain.tld/ [NC]
RewriteCond %{HTTP_REFERER} !^-?$
RewriteCond %{HTTP_REFERER} !^http://babelfish\.altavista\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://translate\.google\.com/ [NC]
RewriteRule \.(jpg|jpeg|gif|png|bmp)$ [mydomain.tld...] [R,NC,L]
The use of the $ at the end is more of a style thing. Some people prefer to close expressions that start with a ^, some don't. When the $ isn't necessary, I don't include it.
Although now that I think about it, this line:
RewriteCond %{HTTP_REFERER} !^-?$
could just be written:
RewriteCond %{HTTP_REFERER} !^-?
This all depends on what the purpose of the pattern is. In this case (hotlinking), it is a common desire to detect either a blank user-agent (^$) or a faked non-blank ua masquerading as a blank ua (^-$).
The hyphen masquerade trick is to use a user agent of "-" -- a single hyphen. Since NCSA Extended/Combined Log Format displays a blank ua as "-", this masquerade is used to defeat tests for a blank ua, but to look just like a real blank ua in the log file.
Therefore, the pattern ^-?$ is intended to match a user-agent which is either blank ("") or contains a single hyphen ("-") and nothing else. As a result, it must be end-anchored.
I posted an answer to a similar question yesterday in [webmasterworld.com...] msg #9, but in more general terms.
Jim
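As an added example (this is not code from the thread or from cPanel), the following Python script models the compact RewriteCond chain posted above and Jim's point about the end anchor, so the conditions can be exercised against sample referers offline. It assumes the placeholder host mydomain.tld from the thread, a made-up hotlinking host someblog.example, and constructed request/referer pairs; none of these come from a real log. The SetEnvIf/FilesMatch version expresses the same allow-list, so the same checks apply to it.

```python
import re

# Added example: a Python model of the compact mod_rewrite ruleset posted in
# this thread. Hostnames (mydomain.tld, someblog.example) are placeholders and
# the sample requests below are constructed, not taken from any real log.

# Condition 1: "!^http://(www\.)?(subdomain\.)?mydomain.tld/ [NC]"
# (the dot before "tld" is escaped here; the post left it unescaped)
LOCAL_REF = re.compile(r"^http://(www\.)?(subdomain\.)?mydomain\.tld/", re.IGNORECASE)
# Condition 2: "!^-?$"  (blank Referer, or the single-hyphen masquerade)
ANCHORED_BLANK = re.compile(r"^-?$")
# The shortened variant proposed later in the thread, without the end anchor
UNANCHORED_BLANK = re.compile(r"^-?")
# Conditions 3 and 4: translator proxies that are allowed through
TRANSLATORS = [
    re.compile(r"^http://babelfish\.altavista\.com/", re.IGNORECASE),
    re.compile(r"^http://translate\.google\.com/", re.IGNORECASE),
]
# RewriteRule pattern: "\.(jpg|jpeg|gif|png|bmp)$ ... [R,NC,L]"
IMAGE_RULE = re.compile(r"\.(jpg|jpeg|gif|png|bmp)$", re.IGNORECASE)


def is_hotlink(path, referer, blank_pattern=ANCHORED_BLANK):
    """Return True when the ruleset would redirect this request to stopthief.gif.

    mod_rewrite applies the RewriteRule only if its pattern matches the request
    path and every RewriteCond is true. A condition written "!pattern" is true
    when the pattern does NOT match, so one matching "allow" pattern is enough
    to let the request through. A missing Referer header makes %{HTTP_REFERER}
    expand to the empty string, which is modelled here as referer == "".
    """
    if not IMAGE_RULE.search(path):
        return False      # not an image: the rule is never considered
    if LOCAL_REF.search(referer):
        return False      # condition 1 false: request came from our own pages
    if blank_pattern.search(referer):
        return False      # condition 2 false: blank (or "-") referer
    if any(t.search(referer) for t in TRANSLATORS):
        return False      # condition 3 or 4 false: translator proxy
    return True           # all conditions true: rule fires, image is replaced


# Constructed sample requests: (request path, Referer header value)
SAMPLE_REQUESTS = [
    ("/photos/cat.jpg", "http://www.mydomain.tld/gallery.html"),     # own site
    ("/photos/cat.jpg", ""),                                           # no Referer sent
    ("/photos/cat.jpg", "-"),                                          # hyphen masquerade
    ("/photos/cat.jpg", "http://translate.google.com/translate?u=x"),  # translator
    ("/photos/cat.jpg", "http://someblog.example/post/123"),           # genuine hotlink
    ("/photos/cat.jpg", "https://www.mydomain.tld/gallery.html"),      # own site over HTTPS
    ("/photos/cat.jpg", "http://mydomain.tld.evil.example/"),          # look-alike host
    ("/style.css", "http://someblog.example/post/123"),                # not an image
]


def run_samples(blank_pattern=ANCHORED_BLANK):
    """Return [(path, referer, blocked)] for every constructed sample request."""
    return [(path, ref, is_hotlink(path, ref, blank_pattern)) for path, ref in SAMPLE_REQUESTS]


def blank_pattern_matches(pattern, referer):
    """True when a blank-referer pattern matches the given referer string."""
    return pattern.search(referer) is not None


if __name__ == "__main__":
    for path, ref, blocked in run_samples():
        print(f"{'BLOCK' if blocked else 'allow'}  {path}  Referer: {ref!r}")
    # Without the $, ^-? matches every referer (a zero-length match at the
    # start), so condition 2 is never true and the rule stops firing at all.
    print("caught without $:", is_hotlink("/photos/cat.jpg",
                                          "http://someblog.example/post/123",
                                          UNANCHORED_BLANK))
```

Two things the sample run makes visible that the thread only argues about: the trailing slash in condition 1 already stops a look-alike host such as mydomain.tld.evil.example, which is why no `$` is needed there, while the `$` in `^-?$` is essential, because `^-?` matches every string and silently turns the protection off. The run also shows one way the rules block a legitimate visitor: a referer from the site's own pages served over https:// never matches `^http://`, so it is treated as a hotlink.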