Arr!

[DarqFlare]

It's been so long since I had a question to ask myself.. Here's one!

 

Ok. I'm familiar that with Hotlink Protection, outside websites cannot link to anything specified... Well, I need a much more controllable solution.

 

I basically need, through HTACCESS, to disallow Hotlinking to only a certain image (More, actually, but let's get the basics down right now).

 

Pretty much, I just need to disable Hotlinking for certain files on my website while leaving others available for Hotlinking. Also, having the "Hotlink disabled" image redirect to another "don't hotlink" image would be nice...

 

Thanks a bunch.

Edited March 1, 2004 by TCH-Robert

[MikeJ]

Create a hotlink protected directory (or directory tree) and enable hotlink protection there (you'll have to edit the .htaccess manually). See this thread.

 

If you want to redirect to another image, just make sure it's not in a hotlink protected directory.

Edited March 1, 2004 by Big Gorilla

[DarqFlare]

Ahh, but see... I don't need to Hotlink protect one directory. I need to Hotlink protect only certain files in numerous directories.

[MikeJ]

Then you're going to have to modify the RewriteRule

 

>RewriteRule .*\.(jpg|jpeg|gif|png|bmp)$ - [F,NC]

 

Take a look at the rewriting guide.

 

If there's anything common in the file names that will help a lot, otherwise you are going to have to include each file name.

[DarqFlare]

I'll probably need to include each file by name, but that's no problem. I don't mind...

 

I'm not in a particularly read-y mood tonight. Can you give me a sample snippet that I can mold into my own uses? I've just worked on my website so much today that I really don't have the energy to research mod_rewrite...

Edited March 1, 2004 by TCH-Robert

[MikeJ]

This looks like it will work for you:

 

>RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://******/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://******$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.******/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.******$      [NC]
RewriteRule (^|.*/)(file1\.gif|file2\.gif|file3\.jpg|file4\.png)$ http://******/images/nohotlink.gif [R,NC]

 

This will disallow hotlinking for any instance of file1.gif, file2.gif, file3.jpg, and file4.png. Change as appropriate, noting that "|" is an OR, and dots need to be escaped with a "\". So for a file named "myimage.gif", it needs to be type in the rule as "myimage\.gif".

 

Obviously change the "******" instances, and you can change the redirect URL to whatever you need.

 

If you need to do it for a specific files with the whole path included (as opposed to any instance of the file), let me know and I can test something out and give you an example for that tomorrow probably.

 

Btw, I don't consider myself a rewriting "expert" so test this fully after you install it. It passed all the tests I did, but I could still have messed something up.

Edited March 1, 2004 by Big Gorilla

[TCH-Bruce]

Robert,

 

Why not use two folders (directories)? One for hotlink enabled images and one for images you don't care if they get hotlinked? I know it would be more work because you would have to change all your links to the images but it would be less confusing, I think.

[DarqFlare]

Well... here's the problem. my images/ folder has about 10 subfolders in it.

 

You can see the directorial problem.

 

Thanks BG, I'll take a look at that this morning and see what I can get working... Will separating the filenames onto a newline so they don't get so long on a single line cause problems?

 

Also... Could I have more than one line for rewrite rule for easier organization? How do I add a directory to a rewrite rule?

 

For instance... Say I've got 2 files. images/this.jpg and images/other/this.jpg I only want to protect one of them.. I need to explicitly state the directory for the one I want to protect...

Edited March 1, 2004 by TCH-Robert

[MikeJ]

I believe this will work for you:

 

>RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://******/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://******$         [NC]
RewriteCond %{HTTP_REFERER} !^http://www.******/.*$  [NC]
RewriteCond %{HTTP_REFERER} !^http://www.******$     [NC]
RewriteRule ^/*file1\.gif$ http://******/images/nohotlink.jpg [R,NC]
RewriteRule ^/*images/+file2\.jpg$ http://******/images/nohotlink.jpg [R,NC]
RewriteRule ^/*images/+other/+file3\.png$ http://******/images/nohotlink.jpg [R,NC]

 

The above example will block hotlinking to the following files assuming this is in the .htaccess file located in /public_html (* used to prevent this forum from autolinking):

h*tp://******/file1.gif

h*tp://******/images/file2.jpg

h*tp://******/images/other/file3.png

 

Instead, h*tp://******/images/nohotlink.jpg would be displayed.

 

If you want to just prevent access with no redirection, change the RewriteRule lines to resemble this:

 

>RewriteRule ^/*file1\.gif$ - [F,NC]

 

Legend:

^ = start of line anchor (basically reference to where .htaccess is located)

$ = end of line anchor (nothing exists past this)

* = 0 or more of the proceeding text

+ = 1 or more of the proceeding text

\ = escape for special characters (. without \ means match any char, not just dot).

[R] = Redirect

[F] = Forbidden

[NC] = No Case (ignore case in matching... remove NC if you want specific case to be matched)

 

I used /* and /+ in the examples above to prevent someone from simply bypassing the hotlink protection by linking something like "h*tp://******/images//file2.jpg" since the webserver will still deliver the image, but it wouldn't match the rewrite rule if it was only looking for a single /.

 

Again, try it, see if it works for you. If you have problems, I can probably help you troubleshoot it.

[DarqFlare]

Ahh, you added a legend. Good stuff, this is starting to work for me. Hopefully this will be helpful to others here in TCH.

 

{Edit}

 

I finally understand all of this. Maybe I should have actually read that article you gave me, but I see how things are working now, using the regular expressions... Thanks.

 

{Edit #2}

 

Added in an image to this post for testing purposes:

 

Edited March 1, 2004 by TCH-Robert

[MikeJ]

I should also point out that if you have domains parked, you will need to add those as well as allowed HTTP_REFERER's.

 

The ! means NOT. So the conditions are that the referer is NOT one of those listed for the redirection or blocking to take effect.

[DarqFlare]

Yeah, I gathered the ! was for NOT... Well, by the image in my previous post, the rewriting is working correctly. Thanks a bunch, I owe you.

 

We're looking into adding this information as a new help page to TCH's Help section for others that may need it, since I am not the only one who has asked these questions.

[DarqFlare]

Well, it's not working as I expected... Here is my stuff:

 

>RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://omgn.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://omgn.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.omgn.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.omgn.com$ [NC]
RewriteRule ^/*images/+text\.jpg$ http://www.omgn.com/images/undef.gif [R,NC]
RewriteRule ^/*images/+title\.jpg$ http://www.omgn.com/images/undef.gif [R,NC]
RewriteRule ^/*images/+title_alternate\.jpg$ http://www.omgn.com/images/undef.gif [R,NC]
RewriteRule ^/*images/+advertisements/+omgnbox\.jpg$ http://www.omgn.com/images/undef.gif [R,NC]
RewriteRule ^/*images/+advertisements/+omgnbrick\.jpg$ http://www.omgn.com/images/undef.gif [R,NC]
RewriteRule ^/*images/+advertisements/+omgnbanner\.jpg$ http://www.omgn.com/images/undef.gif [R,NC]
RewriteRule ^/*images/+advertisements/+omgntower\.jpg$ http://www.omgn.com/images/undef.gif [R,NC]
RewriteRule ^/*images/+web/+88x30\.jpg$ http://www.omgn.com/images/undef.gif [R,NC]
RewriteRule ^/*images/+web/+88x31\.jpg$ http://www.omgn.com/images/undef.gif [R,NC]
RewriteRule ^/*images/+web/+100x60\.jpg$ http://www.omgn.com/images/undef.gif [R,NC]
RewriteRule ^/*images/+web/+468x60\.jpg$ http://www.omgn.com/images/undef.gif [R,NC]
RewriteRule ^/*images/+web/+125x600\.jpg$ http://www.omgn.com/images/undef.gif [R,NC]

 

For some reason, title.jpg and advertisements/omgnbrick.jpg are Hotlink Disabled on my own website, but text.jpg isn't.

[MikeJ]

Something's not quite right yet, though:

 

http://www.omgn.com/

 

I'm seeing "Image Hotlinking Disabled" for a couple of your images. Do you have your RewriteCond's correct?

[DarqFlare]

I posted my rewrite coding above...

 

Not a single image defined in the Rules, save for text.jpg, is loading on my site...

[DarqFlare]

Aha. I think I know why...

 

The conditions are right before text.jpg. There are no conditions after text.jpg before the next rule...

[MikeJ]

Ahh...I think I know what's wrong... let me chew on it for a moment.

 

I think the RewriteCond's are only applying to the first RewriteRule. Need to relook at that and see how to make it apply for all...

 

Edit: Yea...what you said.

[DarqFlare]

We seem to be on the same track here.. Checking that guide page you gave me.

[DarqFlare]

For now I've disabled the protection on my website until we get this figured out.

[MikeJ]

It looks like you'll have to apply the RewriteCond's to every line... or compress lines.

 

You could write your one line as this (yes, I'm going to break the board's formating most likely):

 

>RewriteRule ^/*images/+(text\.jpg|title\.jpg|title_alternate\.jpg|advertisements/+(omgnbox\.jpg|omgnbrick\.jpg|omgnbanner\.jpg|omgntower\.jpg)|web/+(88x30\.jpg|88x31\.jpg|100x60\.jpg|468x60\.jpg|125x600\.jpg))$ http://www.omgn.com/images/undef.gif [R,NC]

 

Assuming ()'s can be nested (I haven't tried it). Otherwise, you can do the same without the nested ()'s but it gets a bit longer.

[DarqFlare]

That's about what I was thinking... I'll try it out.

[MikeJ]

At that level of complexity, it might be easier just to write a script to manage .htaccess hotlink stuff... a more advanced version of the cPanel one.

 

Maybe I'll do that sometime when I have a bunch of free time on my hands.

[DarqFlare]

Yes. Good idea... write one up.

 

I think the new singular rule is working. if it doesn't at any point, I'll keep you posted.

[DarqFlare]

I decided to modify my rule rewriting for all images and allow hotlinking for certain other domains.

 

Well, as it turns out, I think there is a major problem with the rule rewriting system.

 

Hop over to Google and search for "space trade text based game." The second option is a listing of a Game in my website's Games Directory. Click the link.

 

I never get anywhere by clicking the link. However, when I copy-paste the address to a new browser window, I get there immediately.

 

After delving into my Latest Visitors file in my wbesite, I see that the visitor that used that Google query (http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=free+online+roleplaying+multiplayer+games) ended up viewing the following file: /undef.gif

 

It seems there is a problem with the rule rewriting system per linking to my website.

 

This may also explain the odd traffic numbers I've been getting the past two days.

 

Just keeping everybody in the know. Perhaps there is a way around this. Let's try and think something up.

 

Also... I don't have access to my rules at this point, but I had to add a new rewrite condition for !^$ -- so direct access of my images was allowed.

[MikeJ]

If you could post your exact rules (if there's nothing you mind making public), or PM me a copy of your exact rules, I can play with it. Even what I posted above I only did limited testing with.

[DarqFlare]

It doesn't matter if I make it public. Here it is, I have removed it from my website to see if my traffic problem is related.

 

>RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$ [NC]
RewriteCond %{HTTP_REFERER} !^http://omgn.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://omgn.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.*).omgn.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.*).omgn.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://darqness.net/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://darqness.net$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.*).darqness.net/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.*).darqness.net$ [NC]
RewriteCond %{HTTP_REFERER} !^http://friendsurveys.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://friendsurveys.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.*).friendsurveys.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.*).friendsurveys.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://eclipseprime.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://eclipseprime.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.*).eclipseprime.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.*).eclipseprime.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://darqstuff.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://darqstuff.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.*).darqstuff.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.*).darqstuff.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://antietem.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://antietem.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.*).antietem.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.*).antietem.com$ [NC]
RewriteRule ^/*images/.*$ http://www.omgn.com/undef.gif [R,NC]

 

{Edit}

 

Removed the OR bar in the code...

Edited March 5, 2004 by TCH-Robert

[DarqFlare]

Oh snap! I just noticed the OR bar I have in the rule that should have been removed...

 

removing it and trying the search on Google... Hold on.

[DarqFlare]

Well, I removed the OR bar and closed off my browser windows to clear out the HTACCESS cache... A lot of times when I make changes to my HTACCESS Rules, I have to close out the browser to get a new version.

 

It loaded for me this time...

[DarqFlare]

Also... Is using

 

>RewriteCond %{HTTP_REFERER} !^http://(.*).omgn.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.*).omgn.com$ [NC]

 

Valid to pass it on to all subdomains? I don't think it is, actually. I need a way to basically allow the images on certain domains, and all those domains' subdomains.

[DarqFlare]

Hey Mike, if you could take a look and get back to me, that'd be great. Thanks man.

[MikeJ]

I think this is what you are looking for:

 

>RewriteCond %{HTTP_REFERER} !^http://(.*\.)?yoursite.com(/)?.*$     [NC]

 

I believe that will cover all cases of ******, subdomain.yourdoman.com...

[DarqFlare]

Thanks MikeJ!

 

I introduce to you, the uber-effective image hotlink protection known from hereafter as the "Darq-Gorilla IHPM" (Image Hotlink Protection Method).

 

Fun!

 

>RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$ [NC]
RewriteCond %{HTTP_REFERER} !^(.*):/+(.*\.*)?omgn.com(:*)(/*).*$ [NC]
RewriteCond %{HTTP_REFERER} !^(.*):/+(.*\.*)?darqness.net(:*)(/*).*$ [NC]
RewriteCond %{HTTP_REFERER} !^(.*):/+(.*\.*)?friendsurveys.com(:*)(/*).*$ [NC]
RewriteCond %{HTTP_REFERER} !^(.*):/+(.*\.*)?eclipseprime.com(:*)(/*).*$ [NC]
RewriteCond %{HTTP_REFERER} !^(.*):/+(.*\.*)?darqstuff.com(:*)(/*).*$ [NC]
RewriteCond %{HTTP_REFERER} !^(.*):/+(.*\.*)?antietem.com(:*)(/*).*$ [NC]
RewriteRule ^/*images/.*$ http://www.omgn.com/undef.gif [R,NC]

 

{Edit}

 

Updated to show new modifications in the method.

 

{Edit #2}

 

Updated again.

 

{Edit #3}

 

Changed typo errors and removed the question about the question mark: 0 or 1 of preceeding text.

Edited March 6, 2004 by TCH-Robert

[MikeJ]

? is for "0 or 1 of the preceeding text"

 

See the RewriteRule in the reference documentation.

[DarqFlare]

Mike, take a look at that and let me know what you think. I think we've got this sucker down to a very efficient script that we could potentially share with all our other TCHers...

[MikeJ]

Will do. I'll give it the full workout shortly.

[MikeJ]

Ok...I gotta stop posting without thinking.... I got a little off track. Doesn't need to be so complicated. The matches for the hotlinking can easily be controlled since we don't care about what doesn't match (everyone else) only what does (your own sites).

 

I haven't found a way to break this:

 

>RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://(.*\.)?******(:.*)?/*.*$ [NC]
RewriteRule ....whatever you use for what you want blocked...

 

It works even if you have SSL (https://), and even if someone specifies the port (as in http://www.******:80/). In othewords, it should work for all cases no matter how someone requests your domain as far as I can tell, and it should block all cases where someone is trying to hotlink to you.

 

Obviously repeat for every domain that you have. For the most part, Robert, it's pretty much the same thing as yours (just with a couple less wildcards).

 

Add your line for direct image access (no referrer) if you want to allow it:

 

>RewriteCond %{HTTP_REFERER} !^$

 

{Edited by TCH-Robert to remove auto-link}

Edited March 12, 2004 by TCH-Robert

[DarqFlare]

Well, the thing is that I would also like to allow FTP folder viewing of my images, and that isn't possible if it can only match http and https...

 

I might just use yours anyway, seeing as I never FTP folder view... heh.

 

One other potential problem is that a website can actually be accessed using http:/www.website.com/ with only one forward slash after the protocol.

Edited March 12, 2004 by TCH-Robert

[MikeJ]

I don't believe FTP uses the .htaccess or provides any referrer info, but I could be wrong.

 

As for one forward slash after the protocol, that's not a valid URL. If you're still getting to a website, your browser must be translating it to two first (which should be showing as two in the referrer, but you can look at your raw access logs to confirm that).

Edited March 12, 2004 by TCH-MikeJ

[DarqFlare]

Oh. I didn't think about the fact that HTACCESS is actually viewed by just the http and https protocols... [hits head with palm]

 

Alright, so I don't have to worry about web referrers not including the protocol on the beginning either or in an invalid format... I keep forgetting that IE automatically changes your URLs if it can.

 

Alright, I'll definitely be using your new system...

Edited March 12, 2004 by TCH-Robert

[MikeJ]

Please let me know if you find any holes.

[DarqFlare]

I certainly will. We'll get this thing 100% optimized and bulletproof someday!

[sts]

Thanks Robert for forwarding me here, I missed the latest code

 

image removed

 

Test result: it doesn't work for my weird computer anyway

Edited April 7, 2004 by sts

[DarqFlare]

It says "Oops" for me.

[sts]

It says "Oops" for me.

That means hotlink protection is working

I see "test"

[MikeJ]

What browser are you using, sts?

[sts]

I use Netscape7.1 and test with IE6 and Opera7 [have Mozilla Firesomebody too] hotlink protection doesn't work in all of them.

 

I visited one site the other day and it told me if I want to see the pictures I have to do something with browser [something about headers] or something [don't remember either] with firewall. Since I don't know anything about headers or firewalls I didn't pay attention

[MikeJ]

Here's a little test for you if you like...

 

Click here for a quick script I threw together that outputs your browser header information sent to the server.

 

If you do not see a Referer field, then your browser isn't sending Referer information, or something is preventing your browser from sending it. You can click on the Refresh This Page link on that page to double check.

[sts]

I see 'Weferer'

 

ps According to my statistics there are other people who've read this topic and got 'test' [the original image]. Code: 302

[DarqFlare]

Wow, that's really odd... I haven't seen anything access my protected images since I got this thing installed.

 

I'm not sure there's a workaround if a browser doesn't output the correct headers...