prevent hotlinking

fesworks · August 02, 2007, 02:12:14 PM

Testing

http://fesworks.xepher.net/SAP/STORIES/NippedNap/avatar.jpg

http://fesandernst.com/SAP/STORIES/NippedNap/avatar.jpg

Ok, why will it work for one, and not the other?

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www.)?fesandernst.com/SAP/ [NC]
RewriteCond %{HTTP_REFERER} !^http://fesworks.xepher.net/SAP/ [NC]
RewriteCond %{REQUEST_URI} !nowayJE.jpg$
RewriteRule .(jpg|gif|png)$ http://fesworks.xepher.net/SAP/nowayJE.jpg [R,L]

Also ".htaccess" seems to disappear from my account, according to the FTP window. o_0 .. though it still behaves as though it were there... asside from not blocking both URLs that is...

Xepher · August 02, 2007, 04:20:07 PM

First off, I get the nowayJE.jpg image for BOTH of the above ones. Which seems "working" to me. So are you sure it's not just your browser having cached versions? Try shift+reload to force a full page refresh.

As for the .htaccess files "disappearing" well... duh. :-) Files that start with a dot are hidden files. Use SCP if your FTP client can't understand that. (It may be an option to toggle somewhere.)

fesworks · August 02, 2007, 09:28:19 PM

Ok, it seems to be working fine for me now. Must have been a cache issue then.

and yea, looks like I'll have to get a new upload program soon.. I thnk I recall you saying FTP will no longer be used what program will we have to use then?

griever · August 02, 2007, 09:56:07 PM

I think the general program used is winscp? because FTP is already out the door..?

Xepher · August 03, 2007, 12:25:57 AM

Yeah, no FTP on the new server. I personally recommend WinSCP for windows users, but you're welcome to use any SCP program you want. OSX and Linux both have SCP built in.

griever · August 03, 2007, 01:32:00 AM

Wow, didn't know that about OSX...I've been using Cyberduck all this time. It's okay, but I really liked WinSCP's layout better. I'll have to look into that.

Xepher · August 03, 2007, 02:37:11 AM

If you're using OSX (or for that matter, linux) there's a really nifty program that let's you mount a remote directory over FTP. Basically, it lets your home folder on the server work just like some local folder on your computer. It's great for websites, as you can open the file in any program you want, and when you save, it's saving directly to the server. Really useful if you're working with PHP or other things that need server-side scripting. I can't remember the name of it for OSX though. For linux, it's called SSHFS. I'll ask my friend that uses it and find out the name if I can.

fesworks · August 04, 2007, 01:32:20 AM

OOOO!!!

Can I HotLink my MP3s of my Webcomic Reviews, but allow the ODEO site (only because I have no idea how to utilize a stream device on my own account), so people can still listen to it?

Also, if I did that, would it prevent people from downloading it if they were right on the page?

Xepher · August 04, 2007, 02:55:37 AM

Not quite clear on what you're asking. Give me example URLs of what is being linked, and where you want it to be linked from (and a longer explanation.)

fesworks · August 04, 2007, 04:53:53 PM

This is a portion of the Two Cents in 60 Seconds webcomic review section of my website:

http://fesworks.xepher.net/TCSS/rooster.htm

Code Select


          <p align="center"></p><embed src="http://www.odeo.com/flash/audio_player_standard_gray.swf" quality="high" allowscriptaccess="always" wmode="transparent" type="application/x-shockwave-flash" flashvars="valid_sample_rate=true&amp;external_url=AUDIO/Fesworks_TCSS_RoosterTeeth.mp3" pluginspage="http://www.macromedia.com/go/getflashplayer" align="center" height="52" width="300">

All the MP3s are stored in http://fesworks.xepher.net/TCSS/AUDIO/

and the code that I use, includes links to:

http://www.macromedia.com/go/getflashplayer

and

http://www.odeo.com/flash/audio_player_standard_gray.swf

basically, I tried the .htaccess bit the directory to prevent hot-linking (people linking to the actual MP3 instead of the page itself), but it also prevented me from playing the MP3 on the streaming program as well.

My question is, How can I block hotlinking, but allow the stream to run?

Also, does hotlinking prevent actual downloading of the MP3 if you are on the site page itself?

Xepher · August 05, 2007, 01:01:21 AM

Well, you have to understand, the hotlinking prevention stuff we talk about on this page relies on the idea that a browser (or other client) sends a "Referrer" url along with the request for a file. These configs basically block any request that doesn't include an authorized URL as the referrer. It is, of course, trival to fake that, if you know what it is, so it's not really "secure" in anyway. You're using a flash applet as the "client" when it fetches and streams the mp3 file. I don't know how flash handles/passes URLs and whether it sends a referrer or not. If it does, you should be able to restrict the hotlinking to ONLY the url that the flash applet sends. My guess would be it would send the page it's embedded in, but I don't know for sure. I'd try putting a direct link just below the flash applet for testing. If that link (in the same page) works, then the flash applet should work. If it works and the flash doesn't, then it means flash is sending some other referrer (or none at all.)

fesworks · August 05, 2007, 02:49:52 PM

Oh sure, there are probably some ways around that sort of hotlink prevention, but simple enough that most people will just go ahead and give the page link instead.

hmmm... I wonder if I were to put in the FULL URL into the code than just the quick URL (up one folder to the file).

fesworks · August 05, 2007, 02:59:12 PM

Ah, of course. the page and the file are in different directories.. I need to double check where I put the htaccess file, and put it a directory higher methinks.

Xepher · August 06, 2007, 12:23:50 AM

First off... the .htaccess file only needs to go in the folder which contains the stuff you want to protect. The mp3s in this case. You don't need it to cover the page being linked FROM. Secondly, yes... referrer URLs are full URLs sent by the browser. There is no "relative" about them. They'll start with "http://" and contain the servername as well as the full path. In the examples you used above for images, it looked like you had that set just fine. Why did you go with a relative URL for the audio?

fesworks · August 06, 2007, 03:27:18 PM

Oh, in the code on the page for the embedded player, I used the relative link because if I got a chance to apply for a new account for my webcomic review section, I would avoid redoing the entire website, since all the links are relative... well.. maybe aside from a couple images from a folder above my TCSS stuff.... but mostly so I could move the site if needed without recoding a ton of crap.

Also, the thing about the hotlink prevention. Yes, I want to protect those files, but I also don't want to protect againts myself usign them! Already my Jenny Everywhere sample prevents the image from displaying on my site on a page in a different directory. So I think that means I need to go higher in the directory tree before placing the .htaccess so I can use all the images BELOW it without interuption.

I have yet to actually try this because of time constraints of "fiddling with things". Plus I forgot where I put it, so that's more fiddling... I need to download that other program too... anyway, so I'm skipping dealing with this for a while and will expirment later.

But I do thank you for all of the assistance so far

Xepher.Net Forums

News:

prevent hotlinking

fesworks

Xepher

fesworks

griever

Xepher

griever

Xepher

fesworks

Xepher

fesworks

Xepher

fesworks

fesworks

Xepher

fesworks