Author Topic: prevent hotlinking  (Read 42285 times)

0 Members and 1 Guest are viewing this topic.

Xepher

  • Techsmith
  • Administrator
  • *****
  • Posts: 4,328
  • Illegitimis non carborundum!
    • View Profile
    • Xepher.net
Re: prevent hotlinking
« Reply #45 on: August 06, 2007, 04:16:36 pm »
(For the purpose of this post, "image" could refer to any file being protected, including mp3s... not just image files)

I think you've still got it backwards... If your legit pages are being blocked from loading images... images which you DO want blocked from hotlinking, then putting the .htaccess file higher doesn't do any good.

Look at it this way... the .htaccess file applies to the directory it's in, and any/all directories/files below it. With the rules you're setting up in that file, it's being used to actively BLOCK (that is, do something abnormal with a request it'd otherwise fulfill.) As such, you don't need it in a location that covers pages you're coming/linking FROM... you only need it covering directories with images you want to limit access to.

Now, once you've got it in a location to cover the IMAGES... now you have to setup the rules in the .htaccess file to make sure they ALLOW the legit access you're wanting. This is where you make sure to make exceptions for any legit pages/URLs that should have access to the blocked images.

Let's go back to the following example:
Code: [Select]
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www.)?fesandernst.com/SAP/ [NC]
RewriteCond %{HTTP_REFERER} !^http://fesworks.xepher.net/SAP/ [NC]
RewriteCond %{REQUEST_URI} !nowayJE.jpg$
RewriteRule .(jpg|gif|png)$ http://fesworks.xepher.net/SAP/nowayJE.jpg [R,L]

If you place this .htaccess file at, say "http://fesworks.xepher.net/SAP/images/.htaccess" what would happen is this. First, it would redirect all image files to the nowayJE.jpg file. It does this for everything BUT the exception conditions above. Thus, the only pages that could access those images would be in the SAP folder or lower. You couldn't access them from your main page even. I believe this is what you're running into. In this case, you'd want to remove the "/SAP/" from the end of those two conditions. Then you should be able to access the image files from any URL from either of your legit server names.


Now, as for the mp3s... I know you used a relative link for the flashplayer parameter... that doesn't matter. When it (the flash applet) loads on the client, it sends a request back to your site to download the mp3. Along with that request it should send a FULL url as the "referer" (and it should be the URL of the page it's embedded in) even though you gave it a relative URL to load. This is why I suggested putting a link on the same page as the player for debugging purposes... the should look/behave identically as far as the server side of things is concerned... it can't really tell a difference between a request from the browser itself, and a request from an applet in the browser.

fesworks

  • Administrator
  • *****
  • Posts: 923
    • View Profile
    • http://www.fesworks.com
Re: prevent hotlinking
« Reply #46 on: August 07, 2007, 07:43:36 am »
testing hotlink:

http://fesworks.xepher.net/TCSS/AUDIO/Fesworks_TCSS_RoosterTeeth.mp3


hmm, still doesn;t seem to work. though I managed to download the SWF file so I can have it on my site instead (which I shoulda done in the first place). But I'll need to recode the rest of the pages for that.

I removed the htaccess for now because it still prevented the other pages from working. This is what I put in:

Code: [Select]
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www.)?fesandernst.com/TCSS/ [NC]
RewriteCond %{HTTP_REFERER} !^http://fesworks.xepher.net/TCSS/ [NC]
RewriteCond %{REQUEST_URI} !nowayJE.jpg$
RewriteRule .(jpg|gif|png|mp3)$ http://fesworks.xepher.net/TCSS/nowayJE.jpg [R,L]

The shockwave file is in the TCSS folder too.

Once I change the other page's code for the new location of the flash file, I'll retry this whole thing.
« Last Edit: August 07, 2007, 07:52:59 am by fesworks »

fesworks

  • Administrator
  • *****
  • Posts: 923
    • View Profile
    • http://www.fesworks.com
Re: prevent hotlinking
« Reply #47 on: August 07, 2007, 08:04:33 am »
Oh! as long as we are on the subject and I forget where to look for it, what's the htaccess code to prevent other people from viewing the base of a directory? Like if I went to http://fesworks.xepher.net/TCCC/AUDIO/ it would give me a page with a list with all of the MP3s I have in there. I don't want people to view that list page. I think I remember that it was possible....


Xepher

  • Techsmith
  • Administrator
  • *****
  • Posts: 4,328
  • Illegitimis non carborundum!
    • View Profile
    • Xepher.net
Re: prevent hotlinking
« Reply #48 on: August 07, 2007, 09:15:01 am »
You can do "-Index" to options. The other method is just put a blank filed called "index.html" in the folder. The second is easier, though the .htaccess method would cover sub folders as well.


If you want more help with the hotlinking thing, setup a test example maybe, and tell me where it is. I'll go in and play with the files myself 'till I get it right.

fesworks

  • Administrator
  • *****
  • Posts: 923
    • View Profile
    • http://www.fesworks.com
Re: prevent hotlinking
« Reply #49 on: August 07, 2007, 05:59:59 pm »
Code: [Select]
RewriteEngine On
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://(www\.)?fesandernst\.com/TCSS/ [NC]
RewriteCond %{HTTP_REFERER} !^http://fesworks\.xepher\.net/TCSS/ [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.odeo\.com/flash/audio_player_standard_gray\.swf [NC]
RewriteCond %{REQUEST_URI} !nowayJE.jpg$
RewriteRule \.(mp3|jpg|gif|png)$ http://fesworks.xepher.net/TCSS/nowayJE.jpg [R,L]

There is a bit more in this example because I looked online for some tutorials, and this is what they said to do with "."s And I did include the link to the SWF file for the time being as well.

Right now, each review plays them MP3s OK, but it still is allowing me to click on and listen to (plays in the browser). I suppose I would make a rewrite in the htaccess saying that any outside requests should be pointed to the home page?


but I did try downloading the file from another page (Save as) and it prevented the download. so that's good.

I just figure that if this gets bigger, I'll definetly want to prevent mp3 file leeching.

http://fesworks.xepher.net/TCSS/.htaccess

Databits

  • Global Moderator
  • *****
  • Posts: 1,607
  • Programming's not just a science, it's an art.
    • View Profile
Re: prevent hotlinking
« Reply #50 on: August 08, 2007, 07:37:48 pm »
Alternatively you could use an image generation script and store the images in a database instead. Which makes it rather tough to just "link" to and puts them under an easier to control system (I.E. an image load script).

Generally you only do this for content images, not layout images.

As a side note, you can store anything in a MySQL database, including swf's, exe's, etc... it's just a binary data storage. So long as you build the mime headers correctly for the serving script, you'll be good to go.
(\_/)    ~Relakuyae D'Selemae
(o.O)    
(")_(")  [Libre Office] [Chrome]

fesworks

  • Administrator
  • *****
  • Posts: 923
    • View Profile
    • http://www.fesworks.com
Re: prevent hotlinking
« Reply #51 on: August 08, 2007, 11:07:08 pm »
Alternatively you could use an image generation script and store the images in a database instead. Which makes it rather tough to just "link" to and puts them under an easier to control system (I.E. an image load script).

Generally you only do this for content images, not layout images.

As a side note, you can store anything in a MySQL database, including swf's, exe's, etc... it's just a binary data storage. So long as you build the mime headers correctly for the serving script, you'll be good to go.

*brain explodes*

Xepher

  • Techsmith
  • Administrator
  • *****
  • Posts: 4,328
  • Illegitimis non carborundum!
    • View Profile
    • Xepher.net
Re: prevent hotlinking
« Reply #52 on: August 09, 2007, 03:40:55 am »
Fes... the direct link was for testing, it SHOULD let people download if it's on the same page as the player that plays the files. You're supposed to remove the link once you're done seeing if it works. Then, people can't download WITHOUT that link (like, from another page as you said you tried.)

As for the backslashes before the dots... I can't believe I didn't see that sooner. Yes, you need to escape (preface with a backslash) dots, as they have a special meaning in those matching rules.

Sounds to me like it's working how you want if you just remove the direct download link from the page. Is that correct?

fesworks

  • Administrator
  • *****
  • Posts: 923
    • View Profile
    • http://www.fesworks.com
Re: prevent hotlinking
« Reply #53 on: August 09, 2007, 05:45:16 pm »
I've always had the MP3 downloadable from the individual pages as a link.

I just didn't want people to link to the MP3 file off site. If they really want the MP3 they can have it. Unless you'd rather I don't have it there.

Xepher

  • Techsmith
  • Administrator
  • *****
  • Posts: 4,328
  • Illegitimis non carborundum!
    • View Profile
    • Xepher.net
Re: prevent hotlinking
« Reply #54 on: August 09, 2007, 11:38:01 pm »
Oh no, that's fine if you want links. I thought you wanted to force people to use that flash player though, so my mistake there. Do it however you want. :-)

fesworks

  • Administrator
  • *****
  • Posts: 923
    • View Profile
    • http://www.fesworks.com
Re: prevent hotlinking
« Reply #55 on: August 10, 2007, 05:52:00 am »
cool!




*Does whatever he wants*




*Runs around with a bannana on his head wearing plantlife as coverings*



WHEEEEEEEEEEEEEEEEEEEEEEEEEEEEE!!!!