I'd like to set up something, just in case, to prevent people from leeching bandwidth. I followed various tutorials about setting up an htaccess file to do this, but whatever I try, it just kills my site and doesn't protect the images. I was wondering if any one else could point me in the right direction... :D
Generally speaking, you set mod_rewrite to only NOT redirect if the referrer is a page on your site. Otherwise it redirects to some "don't hotlink!" image. What've you got so far.
So far, I've got this, although it is the end product of several separate how to sites. It's obviously wrong. x.x
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www.)?grieversanime.org/images/screencaps/ [NC, OR]
RewriteCond %{HTTP_REFERER} !^http://griever.xepher.net/images/screencaps/ [NC]
RewriteRule .(jpg|gif|png)$ images/no_hotlink.gif [R,L]
I also had it in the public_html folder and chmodded to 644.
Where is it? Because it's not at public_html/.htaccess where it should be. Lemme try a couple things...
Okay, two changes...
First line, you can't have a space in the [NC, OR] bit... And you need another condition to exclude the no_hotlink image itself from the redirect, or else you get an infinite loop.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www.)?grieversanime.org/images/screencaps/ [NC]
RewriteCond %{HTTP_REFERER} !^http://griever.xepher.net/images/screencaps/ [NC]
RewriteCond %{REQUEST_URI} !no_hotlink.gif$
RewriteRule .(jpg|gif|png)$ http://griever.xepher.net/images/no_hotlink.gif [R,L]It's already setup/tested in your public_html folder... I'm just posting this for edumacationalizing reasons. :-)
EDIT: Not fixed yet, there's another problem... Gimme another minute.
EDITEDIT: Got it now, revised code above. Removed the "OR" from the first condition. Which seems counter intuitive, but if you think hard about the logic, it works. We don't want to rewrite if any of those things match. So we really want the default "AND" on all three. That is "not #1 AND not #2 AND not #3" and only if all that works, THEN we do the rewrite.
Ahh...thank you for fixing this! It was frustrating me to no end and I really wanted to protect the image-heavy folder. The explanation makes sense now...I think that OR was screwing me up.
(I had to remove the htaccess file I had there because it screwed up the rest of the site - index page showed up fine, but all following pages refused to display.)
This is related, but slightly different confusion. I'm experimenting on using mod_rewrite to make clean URLs, since that seems to be how things are going. I've read a bunch of tutorials, which make it seem relatively easy, but for the life of me, I can't get a rather basic redirect to work.
(version 1) RewriteRule ^anime.php$ anime2.php
(version 2) RewriteRule ^anime/$ anime2.phpI was able to get to get the first one to work just fine, but the second one gives me a 404 error. Based on all the examples I've seen, this shouldn't be happening. Any ideas on what I'm doing wrong? I'm fairly certain the syntax is right, but given my rather spotty memory of the semi-colon, I'm probably missing something easy and crucial. :(
First off, do you know what the special characters do? "^" indicates the start of a line, and "$" indicates the end of a line. By using both, you're effectively saying it has to be EXACTLY that request, but I believe a directory request would actually be "/anime/" so it doesn't match. I assume you want it to take the URL http://grieversanime.org/anime/ and have it actually serve the page "anime2.php" yes? Try ditching the carrot (^) at the beginning.
Ohh...I knew it was the start and the end, but I didn't realize it was exact. But I was right in that I was missing something easy and crucial...looking back on the tutorials, I can't believe I missed that. Nothing explicit, but it should have been so obvious. I feel like an idiot.
EDIT: Tried it without the caret, but still no go. It's in a subfolder, but that shouldn't have any affect on it. Ah well, I'll probably delay that idea until mid-March and go read up more on using mod_rewrite. Thanks though, Xepher. :)
I'm not positive if using a subfolder matters or not, but I think it does. If it rewrites to anime2.php, is it looking for that file in the subfolder, or the main one? If you let me know exactly where (aka, what folder) you're dealing with, I can try and mess around with it like before.
I read somewhere that htaccess files affect directories recursively, so it should mean that the htacess file in a subfolder would only affect the subfolder and all subsequent folders inside? I tried also with RewriteBase and even RewriteRule with a straightforward http://blahblahblah.php and nothing seemed to work. I found a support forum yesterday for only mod_rewrite issues, so I'm going to try there. I'm absolutely stumped as to why such a basic statement won't work, even though I've found exact examples in tutorials. Thanks for the offer though. ^-^
While it's true .htaccess is recursive... that only applies to the initial request. Rewrites do tricky stuff to the internals, so you usually need to specify an actual file such as /home/griever/public_html/something/file.php for the second part of the rewrite if you're not using the R (redirect) flag. If you use R, you have to give a relative (or absolute) URL, rather than file address. Also, if you're trying to rewrite a directory to some specific file, the .htaccess file may need to be one directory above, as I'm not sure parses .htaccess inside that directory until it actually uses a file IN it. That might explain why your first version worked (file to file) but the second (directory to file) didn't.
Hmm...thanks, Xepher. I really need to do more reading on this. I just get screwed up with technical terms, which makes me great for tech support but horrible for trying to learn from manuals.
I'm back and wondering if you could help me out again, Xepher. I realized, after finding that someone was hotlinking, that I had forgotten to upload the htaccess file that you gave me. So I went back and changed it to fit the new domain and uploaded it into the public_html folder. However, it gives me a 500 error when I try to visit my site, which is really odd because it worked before with the previous domain name.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www.)?chanpuru.org/images/screencaps/ [NC]
RewriteCond %{HTTP_REFERER} !^http://griever.xepher.net/images/screencaps/ [NC]
RewriteCond %{REQUEST_URI} !no_hotlink.gif$
RewriteRule .(jpg|gif|png)$ http://griever.xepher.net/images/no_hotlink.gif [R,L]EDIT: I've given up on adding anything else, so it's the only stuff in the htaccess file. It's also on the server as htaccess.txt because if I change it to .htaccess, my site dies.
Testing...
I renamed your htaccess.txt back to .htaccess.
(http://www.chanpuru.org/images/screencaps/22_24.jpg)
That should be your "no hotlink" image, even though it's pointing to a legit screencap.
RewriteEngine On
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www.)?chanpuru.org/ [NC]
RewriteCond %{HTTP_REFERER} !^http://griever.xepher.net/ [NC]
RewriteRule .(jpg|gif|png)$ http://griever.xepher.net/images/no_hotlink.gif [R,L]Same as you had above, minus the "!no_hotlink..." line. Since you're just protecting the screencaps directory, put the .htaccess file IN the screencaps folder, then no need for exceptions for the no_hotlink image, since it's in another folder. If you put the one you had directly in public_html, it would, in fact, break your whole site, as it only allows images to work if they're referenced by a page in "screencaps" so all OTHER images on your site would break. I also shortened the two conditions, so you can link screencaps from ANY part of your site(s) rather than just from pages that are also inside screencaps.
The second problem, is that you wrote the file in Macintosh text format, which doesn't get read as a proper config file, since macs put weird characters at the end of each line. You can either get a text editor that can save stuff in dos or unix/linux format, OR you can run the command "mac2unix" on the file to convert it after it's uploaded. That is... "mac2unix /home/griever/public_html/images/screencaps/.htaccess" (or whatever file you're converting.)
Anyway, I've already done all that for this go round, and your screencaps directory should be protected.
Quote from: XepherThe second problem, is that you wrote the file in Macintosh text format, which doesn't get read as a proper config file, since macs put weird characters at the end of each line. You can either get a text editor that can save stuff in dos or unix/linux format, OR you can run the command "mac2unix" on the file to convert it after it's uploaded. That is... "mac2unix /home/griever/public_html/images/screencaps/.htaccess" (or whatever file you're converting.)
Thanks so much, Xepher! And this is really good to know. I had no idea before...the whole mess about trying to make clean links before? I think I did all that in the Mac text editor. That might explain why the end result was always a 500 error....
The funny thing is, technically though be it that they don't get the image, they still get an image which still steals at least some bandwidth. It just makes them look more like a thief. :P
Hmm...is there a better way to do it then? I had kind of assumed that a "no hotlinking" image was the default way to deal with it.
No, it's fine. That image is small enough to not really be a problem. It's more about the principal of the thing. Though, if you really want to bother people, go out and find some really bad image on some other site, and have it redirect to that one. Pro Nazi/Hitler images are nifty, as they get people banned from whatever forum they were trying to post on when they hotlinked. Not that you should... but it's funny. :-)
Haha, yeah, or something gross, like tubgirl. Or the man-Faye cosplayer. I thought about doing something like that, but I didn't want to be rude about it. I know they're being rude and all, but two wrongs.... Maybe I'll write a shaming message or something. :(
Get a pic from somethingaweful.com... that's enough to just make people gouge their eyes out, the person would be ridiculed and probably banned.
I'm going to attempt this, once I get a free moment, for my webcomic reviews... that is, if it works the same for MP3 files?
I see no reason why not.
Since mp3 files don't really load inline like images do (at least, not usually) you might want to redirect mp3 hotlinks to the main page for your radio program, where people can see that it's actually your stuff, then have the option to download/listen from there.
Quote from: Xepher on May 18, 2007, 04:30:11 AM
Since mp3 files don't really load inline like images do (at least, not usually) you might want to redirect mp3 hotlinks to the main page for your radio program, where people can see that it's actually your stuff, then have the option to download/listen from there.
they were on the main page until I decided that the main page would take too long to load eventually... so I only have the main page hold a few. I have an Archive page for all of them too.
Basically, everytime I make an entry, I always make a bookmark link for it,(which can be found here: http://fesworks.xepher.net/TCSS/TCSS.htm ) and get a link like this: http://fesandernst.com/TCSS.htm#Voids
and go to the line in which holds the link for that MP3.
I suppose it would be cool if it could be played like in a player on the site itself... I have not tried to do something like that before... but I would like for people to be able to download them as well...
listing out the mp3's links wouldn't slow down your page's load times :P
Quote from: Databits on May 18, 2007, 06:24:29 PM
listing out the mp3's links wouldn't slow down your page's load times :P
No I just didn't want people to link directly to the MP3 file itself.. I want them to visit the site to see the side ad and the other reviews.
But on the same note, if the content is difficult to find people lose interest in it. It's a double edged sword man.
Quote from: Databits on May 19, 2007, 12:48:08 AM
But on the same note, if the content is difficult to find people lose interest in it. It's a double edged sword man.
It's not difficult! I provide a bookmark link for every single review and e-mail said link to each author.
hmmm.. I supposed I could put a "perma link" next to each one of them that IS the bookmark link....
Testing
(http://fesworks.xepher.net/SAP/STORIES/NippedNap/avatar.jpg)
http://fesworks.xepher.net/SAP/STORIES/NippedNap/avatar.jpg
(http://fesandernst.com/SAP/STORIES/NippedNap/avatar.jpg)
http://fesandernst.com/SAP/STORIES/NippedNap/avatar.jpg
Ok, why will it work for one, and not the other?
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www.)?fesandernst.com/SAP/ [NC]
RewriteCond %{HTTP_REFERER} !^http://fesworks.xepher.net/SAP/ [NC]
RewriteCond %{REQUEST_URI} !nowayJE.jpg$
RewriteRule .(jpg|gif|png)$ http://fesworks.xepher.net/SAP/nowayJE.jpg [R,L]
Also ".htaccess" seems to disappear from my account, according to the FTP window. o_0 .. though it still behaves as though it were there... asside from not blocking both URLs that is...
First off, I get the nowayJE.jpg image for BOTH of the above ones. Which seems "working" to me. So are you sure it's not just your browser having cached versions? Try shift+reload to force a full page refresh.
As for the .htaccess files "disappearing" well... duh. :-) Files that start with a dot are hidden files. Use SCP if your FTP client can't understand that. (It may be an option to toggle somewhere.)
Ok, it seems to be working fine for me now. Must have been a cache issue then.
and yea, looks like I'll have to get a new upload program soon.. I thnk I recall you saying FTP will no longer be used what program will we have to use then?
I think the general program used is winscp? because FTP is already out the door..?
Yeah, no FTP on the new server. I personally recommend WinSCP for windows users, but you're welcome to use any SCP program you want. OSX and Linux both have SCP built in.
Wow, didn't know that about OSX...I've been using Cyberduck all this time. It's okay, but I really liked WinSCP's layout better. I'll have to look into that.
If you're using OSX (or for that matter, linux) there's a really nifty program that let's you mount a remote directory over FTP. Basically, it lets your home folder on the server work just like some local folder on your computer. It's great for websites, as you can open the file in any program you want, and when you save, it's saving directly to the server. Really useful if you're working with PHP or other things that need server-side scripting. I can't remember the name of it for OSX though. For linux, it's called SSHFS. I'll ask my friend that uses it and find out the name if I can.
OOOO!!!
Can I HotLink my MP3s of my Webcomic Reviews, but allow the ODEO site (only because I have no idea how to utilize a stream device on my own account), so people can still listen to it?
Also, if I did that, would it prevent people from downloading it if they were right on the page?
Not quite clear on what you're asking. Give me example URLs of what is being linked, and where you want it to be linked from (and a longer explanation.)
This is a portion of the Two Cents in 60 Seconds webcomic review section of my website:
http://fesworks.xepher.net/TCSS/rooster.htm
<p align="center"></p><embed src="http://www.odeo.com/flash/audio_player_standard_gray.swf" quality="high" allowscriptaccess="always" wmode="transparent" type="application/x-shockwave-flash" flashvars="valid_sample_rate=true&external_url=AUDIO/Fesworks_TCSS_RoosterTeeth.mp3" pluginspage="http://www.macromedia.com/go/getflashplayer" align="center" height="52" width="300">
All the MP3s are stored in http://fesworks.xepher.net/TCSS/AUDIO/
and the code that I use, includes links to:
http://www.macromedia.com/go/getflashplayer
and
http://www.odeo.com/flash/audio_player_standard_gray.swf
basically, I tried the .htaccess bit the directory to prevent hot-linking (people linking to the actual MP3 instead of the page itself), but it also prevented me from playing the MP3 on the streaming program as well.
My question is, How can I block hotlinking, but allow the stream to run?
Also, does hotlinking prevent actual downloading of the MP3 if you are on the site page itself?
Well, you have to understand, the hotlinking prevention stuff we talk about on this page relies on the idea that a browser (or other client) sends a "Referrer" url along with the request for a file. These configs basically block any request that doesn't include an authorized URL as the referrer. It is, of course, trival to fake that, if you know what it is, so it's not really "secure" in anyway. You're using a flash applet as the "client" when it fetches and streams the mp3 file. I don't know how flash handles/passes URLs and whether it sends a referrer or not. If it does, you should be able to restrict the hotlinking to ONLY the url that the flash applet sends. My guess would be it would send the page it's embedded in, but I don't know for sure. I'd try putting a direct link just below the flash applet for testing. If that link (in the same page) works, then the flash applet should work. If it works and the flash doesn't, then it means flash is sending some other referrer (or none at all.)
Oh sure, there are probably some ways around that sort of hotlink prevention, but simple enough that most people will just go ahead and give the page link instead.
hmmm... I wonder if I were to put in the FULL URL into the code than just the quick URL (up one folder to the file).
Ah, of course. the page and the file are in different directories.. I need to double check where I put the htaccess file, and put it a directory higher methinks.
First off... the .htaccess file only needs to go in the folder which contains the stuff you want to protect. The mp3s in this case. You don't need it to cover the page being linked FROM. Secondly, yes... referrer URLs are full URLs sent by the browser. There is no "relative" about them. They'll start with "http://" and contain the servername as well as the full path. In the examples you used above for images, it looked like you had that set just fine. Why did you go with a relative URL for the audio?
Oh, in the code on the page for the embedded player, I used the relative link because if I got a chance to apply for a new account for my webcomic review section, I would avoid redoing the entire website, since all the links are relative... well.. maybe aside from a couple images from a folder above my TCSS stuff.... but mostly so I could move the site if needed without recoding a ton of crap.
Also, the thing about the hotlink prevention. Yes, I want to protect those files, but I also don't want to protect againts myself usign them! Already my Jenny Everywhere sample prevents the image from displaying on my site on a page in a different directory. So I think that means I need to go higher in the directory tree before placing the .htaccess so I can use all the images BELOW it without interuption.
I have yet to actually try this because of time constraints of "fiddling with things". Plus I forgot where I put it, so that's more fiddling... I need to download that other program too... anyway, so I'm skipping dealing with this for a while and will expirment later.
But I do thank you for all of the assistance so far :)
(For the purpose of this post, "image" could refer to any file being protected, including mp3s... not just image files)
I think you've still got it backwards... If your legit pages are being blocked from loading images... images which you DO want blocked from hotlinking, then putting the .htaccess file higher doesn't do any good.
Look at it this way... the .htaccess file applies to the directory it's in, and any/all directories/files below it. With the rules you're setting up in that file, it's being used to actively BLOCK (that is, do something abnormal with a request it'd otherwise fulfill.) As such, you don't need it in a location that covers pages you're coming/linking FROM... you only need it covering directories with images you want to limit access to.
Now, once you've got it in a location to cover the IMAGES... now you have to setup the rules in the .htaccess file to make sure they ALLOW the legit access you're wanting. This is where you make sure to make exceptions for any legit pages/URLs that should have access to the blocked images.
Let's go back to the following example:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www.)?fesandernst.com/SAP/ [NC]
RewriteCond %{HTTP_REFERER} !^http://fesworks.xepher.net/SAP/ [NC]
RewriteCond %{REQUEST_URI} !nowayJE.jpg$
RewriteRule .(jpg|gif|png)$ http://fesworks.xepher.net/SAP/nowayJE.jpg [R,L]
If you place this .htaccess file at, say "http://fesworks.xepher.net/SAP/images/.htaccess" what would happen is this. First, it would redirect all image files to the nowayJE.jpg file. It does this for everything BUT the exception conditions above. Thus, the only pages that could access those images would be in the SAP folder or lower. You couldn't access them from your main page even. I believe this is what you're running into. In this case, you'd want to remove the "/SAP/" from the end of those two conditions. Then you should be able to access the image files from any URL from either of your legit server names.
Now, as for the mp3s... I know you used a relative link for the flashplayer parameter... that doesn't matter. When it (the flash applet) loads on the client, it sends a request back to your site to download the mp3. Along with that request it should send a FULL url as the "referer" (and it should be the URL of the page it's embedded in) even though you gave it a relative URL to load. This is why I suggested putting a link on the same page as the player for debugging purposes... the should look/behave identically as far as the server side of things is concerned... it can't really tell a difference between a request from the browser itself, and a request from an applet in the browser.
testing hotlink:
http://fesworks.xepher.net/TCSS/AUDIO/Fesworks_TCSS_RoosterTeeth.mp3
hmm, still doesn;t seem to work. though I managed to download the SWF file so I can have it on my site instead (which I shoulda done in the first place). But I'll need to recode the rest of the pages for that.
I removed the htaccess for now because it still prevented the other pages from working. This is what I put in:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www.)?fesandernst.com/TCSS/ [NC]
RewriteCond %{HTTP_REFERER} !^http://fesworks.xepher.net/TCSS/ [NC]
RewriteCond %{REQUEST_URI} !nowayJE.jpg$
RewriteRule .(jpg|gif|png|mp3)$ http://fesworks.xepher.net/TCSS/nowayJE.jpg [R,L]
The shockwave file is in the TCSS folder too.
Once I change the other page's code for the new location of the flash file, I'll retry this whole thing.
Oh! as long as we are on the subject and I forget where to look for it, what's the htaccess code to prevent other people from viewing the base of a directory? Like if I went to http://fesworks.xepher.net/TCCC/AUDIO/ it would give me a page with a list with all of the MP3s I have in there. I don't want people to view that list page. I think I remember that it was possible....
You can do "-Index" to options. The other method is just put a blank filed called "index.html" in the folder. The second is easier, though the .htaccess method would cover sub folders as well.
If you want more help with the hotlinking thing, setup a test example maybe, and tell me where it is. I'll go in and play with the files myself 'till I get it right.
RewriteEngine On
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://(www\.)?fesandernst\.com/TCSS/ [NC]
RewriteCond %{HTTP_REFERER} !^http://fesworks\.xepher\.net/TCSS/ [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.odeo\.com/flash/audio_player_standard_gray\.swf [NC]
RewriteCond %{REQUEST_URI} !nowayJE.jpg$
RewriteRule \.(mp3|jpg|gif|png)$ http://fesworks.xepher.net/TCSS/nowayJE.jpg [R,L]
There is a bit more in this example because I looked online for some tutorials, and this is what they said to do with "."s And I did include the link to the SWF file for the time being as well.
Right now, each review plays them MP3s OK, but it still is allowing me to click on and listen to (plays in the browser). I suppose I would make a rewrite in the htaccess saying that any outside requests should be pointed to the home page?
but I did try downloading the file from another page (Save as) and it prevented the download. so that's good.
I just figure that if this gets bigger, I'll definetly want to prevent mp3 file leeching.
http://fesworks.xepher.net/TCSS/.htaccess
Alternatively you could use an image generation script and store the images in a database instead. Which makes it rather tough to just "link" to and puts them under an easier to control system (I.E. an image load script).
Generally you only do this for content images, not layout images.
As a side note, you can store anything in a MySQL database, including swf's, exe's, etc... it's just a binary data storage. So long as you build the mime headers correctly for the serving script, you'll be good to go.
Quote from: Databits on August 08, 2007, 07:37:48 PM
Alternatively you could use an image generation script and store the images in a database instead. Which makes it rather tough to just "link" to and puts them under an easier to control system (I.E. an image load script).
Generally you only do this for content images, not layout images.
As a side note, you can store anything in a MySQL database, including swf's, exe's, etc... it's just a binary data storage. So long as you build the mime headers correctly for the serving script, you'll be good to go.
*brain explodes*
Fes... the direct link was for testing, it SHOULD let people download if it's on the same page as the player that plays the files. You're supposed to remove the link once you're done seeing if it works. Then, people can't download WITHOUT that link (like, from another page as you said you tried.)
As for the backslashes before the dots... I can't believe I didn't see that sooner. Yes, you need to escape (preface with a backslash) dots, as they have a special meaning in those matching rules.
Sounds to me like it's working how you want if you just remove the direct download link from the page. Is that correct?
I've always had the MP3 downloadable from the individual pages as a link.
I just didn't want people to link to the MP3 file off site. If they really want the MP3 they can have it. Unless you'd rather I don't have it there.
Oh no, that's fine if you want links. I thought you wanted to force people to use that flash player though, so my mistake there. Do it however you want. :-)
cool!
*Does whatever he wants*
*Runs around with a bannana on his head wearing plantlife as coverings*
WHEEEEEEEEEEEEEEEEEEEEEEEEEEEEE!!!!