Jump to content
ababba2

blocking localhost hotlink

Recommended Posts

I need to deny hotlinking on my site.

In this way I make hotlinking allowing blank refferer

   RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?mydomain1.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

In this way, localhost will be able to use all image uploaded. But even mydomain1.com will be able to use the image uploaded. All other domain won't be able to use images uploaded on localhost.

But this is not what I want. I want that also localhost will be unable to use image hosted, and that only mydomain1.com will be able to use that image.

This can be done denying blank refferer, like this

   RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?mydomain1.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

Anyway, this is not a good solution. Because some visitors uses a personal firewall or antivirus program, that deletes the page referer information sent by the web browser. So, denying blank refferer I'm blocking this users who visits mydomain1.com correctly.

I can't find a solution to this. All I want to do is that the images will be used only by mydomain1.com, doesn't allowing anyone to download them from somewhere else. Do you have any solution for doesn't block users, but still blocking hotlinking in localhost?

Share this post


Link to post
Share on other sites

None of this makes any sense.

 

The only way a user could access your images directly via localhost if they're actually on the server. So whom are you trying to protect against? Yourself? Your own server admins?

 

Besides that, there's simply no way to forcefully prevent other sites or people from accessing a public resource. The best you can do is ask people not to hotlink, and that's what your current referrer check already does. As soon a site or an individual client suppresses the refferrer, you're out of luck.

Share this post


Link to post
Share on other sites

The way I've seen hotlinking prevented is to use a server-side page to serve the images (which are not publicly available). That page can then perform the logic of whether to provide the requested resource or not. If not, you can provide a default image to use in its place (i.e. "hotlinking not allowed message" or something similar).

 

So, instead of providing src values of "http://www.mydomain.com/image.jpg" you could use something like "http://www.mydomain.com/getimage.php?name=image" or "http://www.mydomain.com/getimage.php?id=3" (with an identifier for the image). If you you image names you have to be very careful on how the data is handled to prevent malicious values from being acted upon.

 

I'm not too knowledgeable on ModRewrite rules. but,if you can redirect all requests for images to the php script then you could implement the above logic without having to change any of the image src values.

Edited by Psycho

Share this post


Link to post
Share on other sites

And how does your server-side script determine valid requests? I mean, besides checking the referrer.

Share this post


Link to post
Share on other sites

And how does your server-side script determine valid requests? I mean, besides checking the referrer.

 

I didn't state that I have a script. I merely stated that is the method in which I have seen hotlink preventing implemented before.

Share this post


Link to post
Share on other sites

None of this makes any sense.

 

The only way a user could access your images directly via localhost if they're actually on the server. So whom are you trying to protect against? Yourself? Your own server admins?

 

Besides that, there's simply no way to forcefully prevent other sites or people from accessing a public resource. The best you can do is ask people not to hotlink, and that's what your current referrer check already does. As soon a site or an individual client suppresses the refferrer, you're out of luck.

For example.

If an user have this url: localhost/image1.jpg

Then he can open this url directly from localhost.

 

I want to avoid this.

In domain1.com I want to use my image ad

[img=localhost/image1.jpg]

So that this image will appear in domain1.com but if someone try to copy the URL and open it in another table trying to get access to localhost, this guy must not have access to this image.

Edited by ababba2

Share this post


Link to post
Share on other sites

...What do you think "localhost" is?

 

[edit] No, wait, this isn't going to work.

 

localhost is always the computer who is trying to look up what "localhost" is. If I click a link to http://localhost/image1.jpg then localhost is my computer. If your server tries to download that image to itself then localhost is your server.

What you're saying doesn't make sense. You cannot block localhost. Localhost is yourself. You are localhost.

 

Are you trying to stop hotlinking in general? If so then forget all this "localhost" stuff.

Edited by requinix

Share this post


Link to post
Share on other sites

And how does your server-side script determine valid requests? I mean, besides checking the referrer.

 

A session?

 

...What do you think "localhost" is?

 

Evil localhost, got to worry about that one :)

Share this post


Link to post
Share on other sites

Evil localhost, got to worry about that one :)

"lol /b/'s attacking me but I have mad hacker skillz I can see them coming from 'localhost' lol watch me ddos them back wtf why is my computer so slow guys stop it's not funny anymore"

Share this post


Link to post
Share on other sites

There's a fundamental difference between localhost and a public domain name, so that wasn't really a good example

 

Actually, I'm not even sure what you're saying now. That you have trouble with all sites and clients which suppress the referrer? Well, there's not much you can do about this. Really the only difference between an “internal” request from your site and an “external” request from a hotlinking site is the referrer.

 

If hotlinking is actually a serious problem for you (not just a vague fear), your only chance would be to not have publicly accessible images at all, to the disadvantage of usability and possibly performance:

  • Consider restricting the images to registered users.
  • It's also possible to embed the images directly into the page without ever making them available via a URL. Note that this will increase the effective image size by 1/3 (due to the encoding) and might have a negative impact on the (perceived) performance.
  • You could embed a nonce into the image URLs so that the image can only be loaded once right after the original HTML page. This again might come with a lot of problems, so I'd be careful with that.

But again: Is hotlinking really a problem? Have you actually analized the traffic caused by hotlinking?

Edited by Jacques1

Share this post


Link to post
Share on other sites

If the fear is that someone is preventing you from getting a valid referrer, why not write your code to demand a valid referrer and, in one's absence, reject the request.  Furthermore you could have any valid url requests include a POST value that has to be present as well.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.