Wish I was a genius at this lol

I need a bit of help

         

Seeker

2:24 am on May 17, 2003 (gmt 0)

10+ Year Member



Hey everyone! I've been reading the board and trying to find a solution to my problem without posting. I'm very sorry if this is a repeat but it seems everyone's individual case is different regarding hotlink protection. The closest I've found to my solution is this:

# Prevent offsite links to download.htm
SetEnvIfNoCase Referer ^http://www\.your-domain\.com local
SetEnvIfNoCase Referer ^http://your-domain\.com local
SetEnvIf Referer ^$ local
<Files ~ "download\.htm$">
order deny,allow
deny from all
allow from env=local
</Files>

Simply put, I have: www.mysite.com that I ONLY want access to from 3 other sites. That's it. No direct access to mysite unless the referrer is from one of those 3 sites. Goes for pictures too if possible. Also, I'm linking to mysite from flash links on those 3 sites, does this have an impact on the referrer? Big thanks to anyone that can help.

jdMorgan

2:54 am on May 17, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Seeker,

Welcome to WebmasterWorld [webmasterworld.com]!

Sorry for the delay - A better title on this thread would have gotten a faster answer...

Fill in the domain names of the authorized referrers, and this should work:


# Prevent unauthorized access to all files
SetEnvIfNoCase Referer ^http://(www\.)?your_domain\.com allowed
SetEnvIfNoCase Referer ^http://(www\.)?allowed_domain1\.com allowed
SetEnvIfNoCase Referer ^http://(www\.)?allowed_domain2\.com allowed
SetEnvIfNoCase Referer ^http://(www\.)?allowed_domain3\.com allowed
SetEnvIf Referer ^$ allowed
SetEnvIf Remote_Addr ^192\.168\.0\.0$ blockip
<Files *>
order allow,deny
allow from env=allowed
deny from env=blockip
</Files>

The "(www\.)?" construct allows the directives to accept domain names with or without "www." at the beginning.

Note that not all browsers, spiders, and other user-agents will provide a referer. In the case that no referrer is provided, the SetEnvIf Referer ^$ allowed directive will allow them. This constitutes a "hole in the wall," but there are simply too many problems with blocking referrer-less user-agents. If someone gets past the block by withholding their referrer, you can always block them by their IP address as shown.

Ref: Apache documentation [httpd.apache.org]

HTH,
Jim

Seeker

1:56 pm on May 17, 2003 (gmt 0)

10+ Year Member



Hey thanks big time, that was incredibly fast! I'm curious how do you guys learn this stuff? Sometimes I look at code and it looks like..well, just normal 'phrases' such as Allow All and such but then others are with special codes. Kinda confusing...

Just making sure, will this prevent (most) browsers from being able to reach mysite.com unless they come from one of my other 3 sites? I know there is a line in there that allows no referrals...but...doesn't that mean everyone? I mean if you just type in the site directly, does that give the referral as local or does it give no referral at all? My main concern is ensuring no one can just manually type in my url and reach it. I've seen it done on a lot of sites just not exactly sure how to edit it myself to do it.

Again, thank you VERY very much for this big help, saved me a lot of anguish.

Seeker

2:40 pm on May 17, 2003 (gmt 0)

10+ Year Member



I tried adding the .htaccess but mysite.com was still able to be reached directly (meaning typing it directly into the address field). Perhaps it's because I don't have a domain name for mysite? (it's an IP address) so the first line looked like:

SetEnvIfNoCase Referer ^http://(www\.)?123.456.ip.ip\.com allowed

jdMorgan

2:49 pm on May 17, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Seeker,

I learned it by reading the cited documentation - and messing it up a lot. :)

If someone types in your URL, there will be no referrer, so the code above will allow access. You can delete the line which allows no referer, and deal with the complaints, or you can take another approach, and that is to redirect visitors with no referrer to a password-required page before allowing entry. This can be done with either the built-in password protection, or with a script.

Conditional redirection will also require the use of Apache mod_rewrite, or this function could be built into the same script that does the password protection. Again, looking through the Apache documentation may help you to make up your mind about which way you want to go. Note that mod_rewrite is not available on all Apache servers; many "budget" hosting services disable it because it is very powerful. This leads to mistakes and problems that raise their customer-support costs.

Ref: Introduction to mod_rewrite [webmasterworld.com]

You can test to see if mod_rewrite is available to you using the following code, placed in your .htaccess file:


Options +FollowSymLinks
RewriteEngine on
RewriteRule ^testmodrw\.html$ /index.html [L]

I suggest you make a backup of your current .htaccess file before adding the code.

After adding the code and uploading the new .htaccess file to your site, type "http://www.yourdomain.com/testmodrw.html" into your browser address bar. If it works, you should be redirected to your index.html page. If not, you will likely get a 500-Server Error, and your browser will show nothing. Remove the new code by uploading your backup .htaccess file, and then check your site error logs if you have access to them.

If you do get an error, you can also try just removing the first line - "Options +FollowSymLinks" and try again. If it still does not work, then it is most likely you do not have access to mod_rewrite.

If you use an IP address, you should delete the "(www\.)?" part:


SetEnvIfNoCase Referer ^http://123\.45\.67\.89\.com allowed

Always precede periods in regular-expression patterns with "\", otherwise they mean "any single character."

...Off for a day of weekend stuff - No computers involved! :)

Jim
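The access decision discussed in the posts above (the empty-Referer rule, "Order allow,deny", and escaped dots), modelled in Python as an added example; it is not code from the thread or from Apache. The STRICT rule set, the sample requests and the client addresses are constructed assumptions.

```python
import re

# The thread's rule set as (attribute, regex, env var), placeholder domains kept.
POSTED = [
    ("Referer", r"^http://(www\.)?your_domain\.com", "allowed"),
    ("Referer", r"^http://(www\.)?allowed_domain1\.com", "allowed"),
    ("Referer", r"^$", "allowed"),  # the "hole in the wall"
    ("Remote_Addr", r"^192\.168\.0\.0$", "blockip"),  # dots escaped, anchored
]

# Assumed tightening (not from the thread): the host must end at "/" or at
# end-of-string, and the empty-Referer rule is dropped.
STRICT = [
    ("Referer", r"^http://(www\.)?your_domain\.com(/|$)", "allowed"),
    ("Referer", r"^http://(www\.)?allowed_domain1\.com(/|$)", "allowed"),
    ("Remote_Addr", r"^192\.168\.0\.0$", "blockip"),
]


def matches(pattern, value):
    """Case-insensitive, unanchored search, like SetEnvIfNoCase."""
    return re.search(pattern, value, re.IGNORECASE) is not None


def decide(rules, referer, remote_addr):
    """Model SetEnvIf plus 'Order allow,deny' for a single request."""
    # A request without a Referer header is matched as the empty string.
    attrs = {"Referer": referer or "", "Remote_Addr": remote_addr}
    env = {var for attr, pat, var in rules if matches(pat, attrs[attr])}
    # Order allow,deny: Deny overrides Allow; matching neither means deny.
    if "blockip" in env:
        return "deny"
    return "allow" if "allowed" in env else "deny"


# Constructed sample requests: (label, Referer, client address).
SAMPLES = [
    ("link on allowed site", "http://www.allowed_domain1.com/page.htm", "203.0.113.5"),
    ("typed URL, no Referer", None, "203.0.113.5"),
    ("longer host, same prefix", "http://allowed_domain1.com.example.net/", "203.0.113.5"),
    ("unlisted site", "http://other.example/", "203.0.113.5"),
    ("blocked address, no Referer", None, "192.168.0.0"),
]

if __name__ == "__main__":
    for label, ref, ip in SAMPLES:
        print(f"{label:28} posted={decide(POSTED, ref, ip):5} strict={decide(STRICT, ref, ip)}")
    # An unescaped "." matches any character; "\." matches only a literal dot.
    print(matches(r"^http://your_domain.com", "http://your_domainXcom/"),
          matches(r"^http://your_domain\.com", "http://your_domainXcom/"))
```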

Seeker

4:15 pm on May 17, 2003 (gmt 0)

10+ Year Member



Sorry I keep replying to myself lol. I tried changing the code for the IP but still didn't work. After messing with it for 45 mins I realized the problem was the first allowed line. So for everyone else's knowledge you can't use:

SetEnvIfNoCase Referer ^http://123\.45\.67\.89\.com allowed

You must use something like:

SetEnvIfNoCase Referer ^http://123\.456\.789\.01/.*$ allowed

Now the jpegs work again but I still can't get to the site via a flash link, normal txt links will work. Sooooo close. Does flash not send a referral? Is this the wrong section to ask about flash? Thanks again for your help and hope you have a great single day weekend ;)

davemarks

4:28 pm on May 17, 2003 (gmt 0)

10+ Year Member



If flash doesn't do a referer then how about making the flash link to a middle html page which then auto redirects...

Seeker

5:19 pm on May 17, 2003 (gmt 0)

10+ Year Member



So simple! lol why didn't I think of that! I'll try it, big thanks!

Seeker

7:03 pm on May 17, 2003 (gmt 0)

10+ Year Member



Almost finished :) I..can't right click on my images and save them. Like, I can get to the site from my other 3 sites and everyone else is blocked without the referer, but now I can only view my larger jpegs (from the thumbnails) if I left click, and my visitors need to be able to right click and save without opening the actual link.

I think this is because right clicking doesn't offer the .htaccess the referer it needs, regardless if it is on the page. Is this true? If so, is there any way around this?