ababba2 Posted December 28, 2015

I need to deny hotlinking on my site. This is how I block hotlinking while allowing a blank referrer:

    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^$
    # Dot escaped and host terminated so look-alike hosts (e.g. mydomain1.com.example) do not match
    RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?mydomain1\.com(/|$) [NC]
    RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

With this, localhost will be able to use all the images uploaded. But mydomain1.com will also be able to use the images uploaded. All other domains won't be able to use images uploaded on localhost. But this is not what I want. I want localhost to also be unable to use the hosted images, so that only mydomain1.com will be able to use them. This can be done by denying a blank referrer, like this:

    RewriteEngine on
    # Dot escaped and host terminated so look-alike hosts (e.g. mydomain1.com.example) do not match
    RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?mydomain1\.com(/|$) [NC]
    RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

Anyway, this is not a good solution, because some visitors use a personal firewall or antivirus program that deletes the page referrer information sent by the web browser. So, by denying a blank referrer I'm blocking these users who visit mydomain1.com correctly. I can't find a solution to this. All I want is for the images to be used only by mydomain1.com, not allowing anyone to download them from somewhere else. Do you have any solution that doesn't block users, but still blocks hotlinking in localhost?
Jacques1 Posted December 28, 2015

None of this makes any sense. The only way a user could access your images directly via localhost is if they're actually on the server. So whom are you trying to protect against? Yourself? Your own server admins?

Besides that, there's simply no way to forcefully prevent other sites or people from accessing a public resource. The best you can do is ask people not to hotlink, and that's what your current referrer check already does. As soon as a site or an individual client suppresses the referrer, you're out of luck.
Psycho Posted December 28, 2015 (edited)

The way I've seen hotlinking prevented is to use a server-side page to serve the images (which are not publicly available). That page can then perform the logic of whether to provide the requested resource or not. If not, you can provide a default image to use in its place (i.e. "hotlinking not allowed message" or something similar).

So, instead of providing src values of "http://www.mydomain.com/image.jpg" you could use something like "http://www.mydomain.com/getimage.php?name=image" or "http://www.mydomain.com/getimage.php?id=3" (with an identifier for the image). If you use image names you have to be very careful on how the data is handled to prevent malicious values from being acted upon.

I'm not too knowledgeable on ModRewrite rules, but if you can redirect all requests for images to the PHP script then you could implement the above logic without having to change any of the image src values.
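An added sketch of the file-name handling such a getimage.php needs (example code, not from the thread or from any poster): it accepts only a plain file name with an image extension, confirms the resolved path stays inside a directory outside the web root, and otherwise sends a placeholder. The directory, the placeholder path, the function names and the requirement that the name carries its extension are assumptions.

```php
<?php
// Added example, not from the thread. IMAGE_DIR, PLACEHOLDER and the function
// names are assumptions; whether a request is allowed is decided by the caller.
const IMAGE_DIR   = '/var/www/private_images';             // assumed: outside the document root
const PLACEHOLDER = '/var/www/private_images/hotlink.png'; // assumed "no hotlinking" image
const MIME_TYPES  = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                     'png' => 'image/png',  'gif'  => 'image/gif'];

/** Map an untrusted name to a real file inside $dir, or null if it is not acceptable. */
function resolve_image(string $name, string $dir): ?string
{
    // Plain file name only: no slashes, no "..", no NUL bytes, known extension.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(jpe?g|png|gif)\z/i', $name)) {
        return null;
    }
    $base = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $name);  // false if the file is missing
    // Defence in depth: the resolved path (symlinks followed) must stay inside $dir.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
        || !is_file($path)) {
        return null;
    }
    return $path;
}

/** Send the requested image if $allowed and the name resolves; otherwise the placeholder. */
function serve_image(string $name, bool $allowed): void
{
    $path = $allowed ? resolve_image($name, IMAGE_DIR) : null;
    $path ??= PLACEHOLDER;
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    header('Content-Type: ' . (MIME_TYPES[$ext] ?? 'application/octet-stream'));
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// In getimage.php, with $allowed set by your own access check:
// serve_image((string)($_GET['name'] ?? ''), $allowed);
```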
Jacques1 Posted December 28, 2015

And how does your server-side script determine valid requests? I mean, besides checking the referrer.
Psycho Posted December 28, 2015

> And how does your server-side script determine valid requests? I mean, besides checking the referrer.

I didn't state that I have a script. I merely stated that is the method in which I have seen hotlink prevention implemented before.
ababba2 (Author) Posted December 29, 2015 (edited)

> None of this makes any sense. The only way a user could access your images directly via localhost is if they're actually on the server. So whom are you trying to protect against? Yourself? Your own server admins?
>
> Besides that, there's simply no way to forcefully prevent other sites or people from accessing a public resource. The best you can do is ask people not to hotlink, and that's what your current referrer check already does. As soon as a site or an individual client suppresses the referrer, you're out of luck.

For example, if a user has this URL: localhost/image1.jpg

Then he can open this URL directly from localhost. I want to avoid this.

In domain1.com I want to use my image as [img=localhost/image1.jpg]

So that this image will appear in domain1.com, but if someone tries to copy the URL and open it in another tab trying to get access to localhost, this guy must not have access to this image.
requinix Posted December 29, 2015 (edited)

...What do you think "localhost" is?

[edit] No, wait, this isn't going to work.

localhost is always the computer that is trying to look up what "localhost" is. If I click a link to http://localhost/image1.jpg then localhost is my computer. If your server tries to download that image to itself then localhost is your server.

What you're saying doesn't make sense. You cannot block localhost. Localhost is yourself. You are localhost.

Are you trying to stop hotlinking in general? If so then forget all this "localhost" stuff.
NotionCommotion Posted December 29, 2015

> And how does your server-side script determine valid requests? I mean, besides checking the referrer.

A session?

> ...What do you think "localhost" is?

Evil localhost, got to worry about that one
requinix Posted December 29, 2015

> Evil localhost, got to worry about that one

"lol /b/'s attacking me but I have mad hacker skillz I can see them coming from 'localhost' lol watch me ddos them back wtf why is my computer so slow guys stop it's not funny anymore"
ababba2 (Author) Posted December 29, 2015

localhost was just an example... if you like you can call it mydomain0.com...
Jacques1 Posted December 29, 2015 (edited)

There's a fundamental difference between localhost and a public domain name, so that wasn't really a good example.

Actually, I'm not even sure what you're saying now. That you have trouble with all sites and clients which suppress the referrer? Well, there's not much you can do about this. Really the only difference between an "internal" request from your site and an "external" request from a hotlinking site is the referrer.

If hotlinking is actually a serious problem for you (not just a vague fear), your only chance would be to not have publicly accessible images at all, to the disadvantage of usability and possibly performance:

- Consider restricting the images to registered users.
- It's also possible to embed the images directly into the page without ever making them available via a URL. Note that this will increase the effective image size by 1/3 (due to the encoding) and might have a negative impact on the (perceived) performance.
- You could embed a nonce into the image URLs so that the image can only be loaded once right after the original HTML page. This again might come with a lot of problems, so I'd be careful with that.

But again: Is hotlinking really a problem? Have you actually analyzed the traffic caused by hotlinking?
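The nonce option from the list above, as an added example (not code from the thread or from any poster): the page stores a random single-use value in the visitor's session when it renders the image URL, and the image script consumes it, so the same URL opened again is refused. The function names, the "n" parameter, the getimage.php?id= URL shape and the 60-second lifetime are assumptions; `$store` stands in for `$_SESSION`.

```php
<?php
// Added example, not from the thread. Names, the "n" parameter and the lifetime
// are assumptions. $store stands in for $_SESSION so the file also runs offline.
const NONCE_TTL = 60; // seconds an issued image URL stays loadable (assumed value)

/** Called while rendering the HTML page: returns a URL good for one load of $imageId. */
function issue_image_url(array &$store, int $imageId, int $now): string
{
    $nonce = bin2hex(random_bytes(16));             // 128-bit unguessable value
    $store['img_nonces'][$nonce] = ['id' => $imageId, 'exp' => $now + NONCE_TTL];
    return 'getimage.php?id=' . $imageId . '&n=' . $nonce;
}

/** Called in the image script: true only for the first unexpired request with a matching nonce. */
function redeem_nonce(array &$store, int $imageId, string $nonce, int $now): bool
{
    // Drop expired entries so the session does not grow without bound.
    foreach ($store['img_nonces'] ?? [] as $n => $entry) {
        if ($entry['exp'] < $now) {
            unset($store['img_nonces'][$n]);
        }
    }
    if (!preg_match('/\A[0-9a-f]{32}\z/', $nonce)) {
        return false;                               // not the format we issue
    }
    $entry = $store['img_nonces'][$nonce] ?? null;
    if ($entry === null) {
        return false;                               // unknown, expired, or already used
    }
    unset($store['img_nonces'][$nonce]);            // single use: consume before serving
    return $entry['id'] === $imageId;               // nonce must belong to this image
}

// Constructed walk-through for the CLI; in a real page pass $_SESSION and time().
if (PHP_SAPI === 'cli') {
    $session = [];
    $url = issue_image_url($session, 3, 1000);
    parse_str(parse_url($url, PHP_URL_QUERY), $q);
    var_dump(redeem_nonce($session, 3, $q['n'], 1010)); // load right after the page
    var_dump(redeem_nonce($session, 3, $q['n'], 1011)); // same URL opened in another tab
    $late = issue_image_url($session, 3, 2000);
    parse_str(parse_url($late, PHP_URL_QUERY), $q2);
    var_dump(redeem_nonce($session, 3, $q2['n'], 2000 + NONCE_TTL + 1)); // used too late
}
```

Any later request for the same URL is refused, including the visitor's own browser fetching the image a second time, which is the usability cost the post warns about.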
ginerjm Posted December 29, 2015

If the fear is that someone is preventing you from getting a valid referrer, why not write your code to demand a valid referrer and, in one's absence, reject the request? Furthermore you could have any valid URL requests include a POST value that has to be present as well.