Trying to block hotlinking with .htaccess or httpd.conf



cgmsys
11-13-2004, 05:34 PM
I've been noticing some hotlinking to pics on my site, mostly from totally unrelated forums.

I tried creating an .htaccess file. When I put that in the root it blocked the hotlinks but my site was getting a server 500 error. WH renamed the .htaccess and I could get into everything.

They suggested that I try the .htacces in one folder until it was working right. It seemed to work once but it is not working now (i.e. not blocking hotlinking). I tried a number of versions such as

Rewriteengine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://bucksviews.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.bucksviews.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://206.130.100.218/.*$ [NC]
RewriteRule .*\.(gif|GIF|jpg|JPG)$ - [F]


I read that .htaccess can slow things down when it is in the root since every file read has to check with .htaccess. I then looked into httpd.conf. I'm a bit fuzzy on the exact code to put in there.

I didn't want to make major changes to httpd.conf. What I did was

1. Put the code you see above in access.conf.
2. Remove the # from the line in httpd.conf that references the access.conf file (I think that will 'unremark' the line to allow Apache to see access.conf. Let me know if I am wrong.)
3. Went into the westhost control panel and restarted vps. From what I read the httpd.conf gets read at startup. Am I correct in assuming that this restarts the virtual server?

Other questions:
1. Does anyone have a sample of code to go into httpd.conf or access.conf to stop hotlinking?
2. I understand that you want to only block referrers other than your site and you want to allow blank referrers (i.e. Google). Does anyone know if an httpd.conf file blocking will do this?
3. Where in the httpd.conf file do you put the anti hotlinking code?

Thanks

I've been working on this for a couple of hours and I am at my wit's end.

I'd appreciate any thoughts or advice.

chris

wildjokerdesign
11-13-2004, 05:48 PM
I have used the .htaccess file in my image directory in the past and it has worked fine. It was similar to yours although I displayed an alternate image instead. You can see the example here http://wildjokerdesign.com/phpBB2/viewtopic.php?t=47 .

I have never tried adding it to the httpd.conf file. You are right that when you make changes to the httpd.conf file you want to restart the VPS for the changes to take effect, and doing so via the Site Manager should take care of that.

jalal
11-14-2004, 02:23 AM
> They suggested that I try the .htacces in one folder until it was working right. It seemed to work once but it is not working now (i.e. not blocking hotlinking). I tried a number of versions such as
>
> Rewriteengine on
> RewriteCond %{HTTP_REFERER} !^$
> RewriteCond %{HTTP_REFERER} !^http://bucksviews.com/.*$ [NC]
> RewriteCond %{HTTP_REFERER} !^http://www.bucksviews.com/.*$ [NC]
> RewriteCond %{HTTP_REFERER} !^http://206.130.100.218/.*$ [NC]
> RewriteRule .*\.(gif|GIF|jpg|JPG)$ - [F]


Note that it is ".htaccess", not ".htacces". Otherwise it all looks good. You can combine the third and fourth lines by using a wildcard, but that is not important. Oh, and you may want to escape the periods with a backslash, like so:


RewriteCond %{HTTP_REFERER} !^http://.*bucksviews\.com/.*$ [NC]

You can also turn on the RewriteLog if you want more information about what is happening.


> I read that .htaccess can slow things down when it is in the root since every file read has to check with .htaccess.

This is true, but unless you are running a very high traffic site, it is probably not a great concern for you.


> I then looked into httpd.conf. I'm a bit fuzzy on the exact code to put in there.
>
> I didn't want to make major changes to httpd.conf. What I did was
>
> 1. Put the code you see above in access.conf.

There is no point in doing this. I put my code in a file called 'myrules.conf' and then include that file from httpd.conf. If you use access.conf it may get overwritten if WH ever does an upgrade.


> 2. Remove the # from the line in httpd.conf that references the access.conf file (I think that will 'unremark' the line to allow Apache to see access.conf. Let me know if I am wrong.)

See above.
'access.conf' is an 'officially deprecated file' and not normally used. It is only there for backward compatibility.


> 3. Went into the westhost control panel and restarted vps. From what I read the httpd.conf gets read at startup. Am I correct in assuming that this restarts the virtual server?

Yes, that's correct.



> Other questions:
> 1. Does anyone have a sample of code to go into httpd.conf or access.conf to stop hotlinking?

I use essentially the same code as you do above. I first put the code into the directory I wanted protected and when I was happy it was all working correctly, then I moved it into httpd.conf.
Actually, I moved it into a file /etc/httpd/conf/myrules.conf and then included that file into the httpd.conf file, but it's the same effect.


> 2. I understand that you want to only block referrers other than your site and you want to allow blank referrers (i.e. Google). Does anyone know if an httpd.conf file blocking will do this?

If you want to allow blank referrers then remove the line that checks for the empty referrer string.


> 3. Where in the httpd.conf file do you put the anti hotlinking code?

I just have it at the end of the file. It can appear in different places depending on what effect you want it to have and to what directories/servers you want it to apply, but I think in your case it can just go at the end.

Hope some of that helps....

:P
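
Added example, not part of any post in this thread: a small Python harness that evaluates the thread's RewriteCond chain against constructed Referer values, to show which requests the `[F]` rule would refuse. In the rule set as posted, the `!^$` condition is the one that lets requests with no Referer through. The `ANCHORED` pattern set, the sample Referers and the image path are assumptions made for illustration.

```python
import re

# RewriteCond patterns from the thread. Each is negated ("!") in the rule set
# and carries [NC], so matching below is case-insensitive.
ORIGINAL = [r"^$",
            r"^http://bucksviews.com/.*$",
            r"^http://www.bucksviews.com/.*$",
            r"^http://206.130.100.218/.*$"]
# The combined wildcard form suggested in the reply.
WILDCARD = [r"^$",
            r"^http://.*bucksviews\.com/.*$",
            r"^http://206.130.100.218/.*$"]
# Assumption, not from the thread: host part anchored to bucksviews.com and
# its subdomains, with the dots escaped.
ANCHORED = [r"^$",
            r"^http://([^/]+\.)?bucksviews\.com/",
            r"^http://206\.130\.100\.218/"]

IMAGE = re.compile(r".*\.(gif|GIF|jpg|JPG)$")  # the RewriteRule pattern

def is_forbidden(path, referer, conds):
    """True when the [F] rule would fire: the path matches the RewriteRule
    pattern and every negated RewriteCond holds (conditions are ANDed)."""
    if not IMAGE.search(path):
        return False
    return all(re.search(p, referer, re.I) is None for p in conds)

# Constructed Referer values; "" stands for a request with no Referer header.
SAMPLES = ["",
           "http://www.bucksviews.com/gallery.html",
           "http://forum.example/thread/12",
           "http://wwwXbucksviews.com/",
           "http://forum.example/bucksviews.com/"]

def verdicts(conds, path="pics/barn.jpg"):
    """Map each sample Referer to True (403) or False (served)."""
    return {ref: is_forbidden(path, ref, conds) for ref in SAMPLES}

if __name__ == "__main__":
    for name, conds in [("original", ORIGINAL), ("wildcard", WILDCARD),
                        ("anchored", ANCHORED), ("no-empty-check", ORIGINAL[1:])]:
        print(name)
        for ref, blocked in verdicts(conds).items():
            print(f"  {'403' if blocked else '200'}  {ref!r}")
```

The Referer header is supplied by the client, so rules like these deter casual hotlinking and are not an access control.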