
How do I prevent hot-linking?


Evil Glint


I found a similar topic, but it uses .htaccess. I would prefer to keep that disabled, and use httpd.conf instead.

 

http://www.phpfreaks.com/forums/mod_rewrite/need-help-with-stubborn-hotlinking-prevention-rules/msg1131912/#msg1131912

 

Also, I don't know if it makes a difference, but my server has four sites I want protected. For the sake of not spamming about my site, I'll call them:

  • example.tk
  • www.example.tk (yes, unlike usual, www points to an entirely different site on my server, with different content)
  • brotherssite.example.tk
  • sisterssite.example.tk

Any ideas?

 

Blacklotus' final .htaccess code:

Options +FollowSymlinks
# no hot-linking
RewriteEngine On
RewriteCond %{REQUEST_URI} !nohotlinking.gif$
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?vortexaviation\.ca/ [NC]
RewriteCond %{HTTP_REFERER} !google\. [NC]
RewriteCond %{HTTP_REFERER} !search\?q=cache [NC]
RewriteRule .*\.(gif|jpg|png)$ http://www.vortexaviation.ca/images/nohotlinking.gif [R,NC]

Link to comment
Share on other sites

I'm new to this, so I didn't realize .htaccess and httpd.conf used the same language. My other question was: do I need to make an exception for each subdomain and the main domain? Such as:

Options +FollowSymlinks
# no hot-linking
RewriteEngine On
RewriteCond %{REQUEST_URI} !nohotlinking.gif$
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://()?example\.tk/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.tk/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(brotherssite\.)?example\.tk/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(sisterssite\.)?example\.tk/ [NC]
RewriteRule .*\.(gif|jpg|png)$ http://example.tk/hotlink.gif [R,NC]

Also, I don't know what line five is used for, or if I even need it:

RewriteCond %{HTTP_REFERER} !^$

Link to comment
Share on other sites

HTTP_REFERER is an optional header that can be set to anything, and in fact most web proxy scripts set it to the domain being requested so that the request looks like it came from someone who is viewing a page on your site. Using HTTP_REFERER will stop casual hot-linking and it will stop your legitimate visitors whose browsers don't set it, but it won't stop someone who really wants to hot-link your media files.

 

What sort of problem are you having that you are trying to solve?

Link to comment
Share on other sites

No problems at the moment. Comcast (my ISP) said there would be a problem if I used too much bandwidth, so, being as paranoid as I am, I'm trying to set up preventive measures.

"but it won't stop someone who really wants to hot-link your media files."
So how do I stop those people? Also, I noticed a typo in the code in my last post, but was unable to edit my post. It should read:
Options +FollowSymlinks
# no hot-linking
RewriteEngine On
RewriteCond %{REQUEST_URI} !hotlink.gif$
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://()?example\.tk/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.tk/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(brotherssite\.)?example\.tk/ [NC]
RewriteCond %{HTTP_REFERER} !^http://(sisterssite\.)?example\.tk/ [NC]
RewriteRule .*\.(gif|jpg|png)$ http://example.tk/hotlink.gif [R,NC]

Link to comment
Share on other sites

To restrict the output of your media files to only those visitors that are either authorized to view them or have actually visited one of your pages, you would need to dynamically output the media files using php code and use a session variable (set on the web page and checked in the php code that outputs the media file) to determine if the media file should be output at all.

 

 

Link to comment
Share on other sites
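The session check described in the post above could look like the following. This is an added example, not code from the thread; the script name media.php, the session key media_ok, the query parameter f and the directory path are all assumptions.

```php
<?php
// media.php (hypothetical name): serves an image only to a browser that has
// already loaded one of the site's own pages in the current session.
//
// Each HTML page that embeds media runs this before sending any output:
//     session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]); // PHP 7.3+
//     session_start();
//     $_SESSION['media_ok'] = true;
// and references images as <img src="/media.php?f=photo.jpg">.
// SameSite=Lax keeps the session cookie off <img> requests made from pages on
// other sites, so a returning visitor's cookie cannot be borrowed by a hot-linker.

const MEDIA_DIR   = '/var/www/protected-media'; // assumed path, outside the DocumentRoot
const MEDIA_TYPES = ['gif' => 'image/gif', 'jpg' => 'image/jpeg', 'png' => 'image/png'];

session_start();

// No flag: this browser never visited one of our pages in this session.
if (empty($_SESSION['media_ok'])) {
    http_response_code(403);
    exit('Forbidden');
}

// Accept only a plain string; basename() strips any directory part,
// so "../" sequences cannot reach files outside MEDIA_DIR.
$f    = $_GET['f'] ?? '';
$name = is_string($f) ? basename($f) : '';
$ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
$path = MEDIA_DIR . '/' . $name;

// Only the listed image types are ever served, and only if the file exists.
if ($name === '' || !array_key_exists($ext, MEDIA_TYPES) || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// Release the session lock so several images on one page load in parallel.
session_write_close();

header('Content-Type: ' . MEDIA_TYPES[$ext]);
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, max-age=3600'); // browser may cache, shared proxies may not
readfile($path);
```

PHP session cookies are host-only by default, so each of the four host names would set and check its own session unless the cookie domain is widened deliberately.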

"I'm new to this, so I didn't realize .htaccess and httpd.conf used the same language."

 

.htaccess files are simply configuration files that apply their configuration directives to the directory they are within. Apache uses a cascading type of configuration, something like (locations and names may differ depending on your distribution):

 

/etc/apache2/httpd.conf - global settings

/etc/apache2/vhosts/sitename.conf - domain wide settings

/var/www/sitename/htdocs/*/.htaccess - directory specific settings.

 

When you look at a directive within the manual (which you should be checking) it tells you what context you can apply that setting to.

 

You can (and should) read about context here: http://httpd.apache.org/docs/2.0/mod/directive-dict.html#Context

Link to comment
Share on other sites

"To restrict the output of your media files to only those visitors that are either authorized to view them or have actually visited one of your pages, you would need to dynamically output the media files using php code and use a session variable (set on the web page and checked in the php code that outputs the media file) to determine if the media file should be output at all."
Apparently, I can't read. I went on a wild Google goose chase, and only got anywhere after rereading your post. Great idea! After experimenting with clearing cookies and whatnot, it seems very secure.

 

"You can (and should) read about context here: http://httpd.apache.org/docs/2.0/mod/directive-dict.html#Context"
FINALLY! I never can find a simple set of instructions for the Apache httpd.conf file. Google gives me anything I want to know about HTML/CSS/PHP/JavaScript/any-other-internet-coding-language, but not anything helpful about the httpd.conf file.

 

Thank you very much, PFMaBiSmAd and thorpe!

Link to comment
Share on other sites
