Dear Wiki user, You have subscribed to a wiki page or wiki category on "Httpd Wiki" for change notification.
The following page has been changed by slive: http://wiki.apache.org/httpd/Recipes/DisableImageHotLinking The comment on the change is: Fix a bunch of inaccuracies, including a too-lax regex and empty-referer info. ------------------------------------------------------------------------------ 1. mod_rewrite 2. !SetEnvIfNoCase and !FilesMatch - Be warned that with new web privacy programs such as those from Symantec, the referrers may always be blocked, rendering your site unusable to visitors running those privacy tools if you implement these techniques. + ==== Using mod_rewrite ==== {{{RewriteEngine on RewriteCond %{HTTP_REFERER} !="" - RewriteCond %{HTTP_REFERER} !example\.com [NC] + RewriteCond %{HTTP_REFERER} !^http://([^/]*)?example\.com/ [NC] RewriteRule \.(jpe?g|gif|png)$ - [F,NC] }}} @@ -20, +20 @@ ==== Using SetEnvIfNoCase and FilesMatch ==== - {{{SetEnvIfNoCase Referer "example\.com" local_ref=1 + {{{SetEnvIfNoCase Referer "http://([^/]*)?example\.com/" local_ref=1 + SetEnvIf Referer ^$ local_ref=1 <FilesMatch "\.(jpe?g|gif|png)$"> Order Allow,Deny @@ -28, +29 @@ </FilesMatch> }}} - This first checks the referer and sets a local environment variable if the referer contains your domain. The !FilesMatch then matches the request for jpep, png, and gif files. If there's a match in the filename, then access to that resource is only allowed if the local environment variable is set.[[BR]][[BR]] + This !SetEnvIf checks the referer and sets a local environment variable if the referer contains your domain. The !FilesMatch then matches the request for jpep, png, and gif files. If there's a match in the filename, then access to that resource is only allowed if the local environment variable is set.[[BR]][[BR]] In both methods, you might want to add patterns to the referer checks since there might be more ways your site will be accessed by - localhost for localhost testing, IP address, LAN hostname, etc. 
- [[BR]][[BR]] + The same holds true for the file extension match. For any other kind of resources you would like to protect, add their file extensions to the file extension pattern. - [[BR]][[BR]] - You should note that there really is no way to keep everyone from stealing your images/bandwidth. If someone really wants to hot link to your resources, they will. Checking the referer value is not reliable. Anyone can send whatever referer value they want... provided they know how. + In both cases, requests that do not specify a referer are allowed entry in order to keep the site working for users that disable the referer for privacy reasons. This does not materially affect the usefulness of the recipes, because the people inlining images on their websites cannot control the referer header sent by visiting clients. + + Note that the misspelling of referer above is intentional and necessary due to a spelling error in the original HTTP specification. +
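Review bot: In the mod_rewrite hunk, the tightened condition `RewriteCond %{HTTP_REFERER} !^http://([^/]*)?example\.com/ [NC]` still treats any host that merely ends in the text `example.com` as local, because the `[^/]*` prefix is not required to end in a dot: a referer of `http://notexample.com/` satisfies the pattern and the image is served. Requiring the dot and allowing the scheme and port to vary, e.g. `RewriteCond %{HTTP_REFERER} !^https?://([^/]*\.)?example\.com(:[0-9]+)?/ [NC]`, closes that gap and also stops rejecting the site's own HTTPS referers and referers with a non-default port, which the pattern as written refuses because it demands `/` directly after the domain. The `(...)?` around `[^/]*` is redundant, since `[^/]*` already matches the empty string.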
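Review bot: In the SetEnvIfNoCase hunk, the replacement pattern `SetEnvIfNoCase Referer "http://([^/]*)?example\.com/" local_ref=1` has no `^` anchor, so unlike the mod_rewrite version it matches the domain anywhere in the referer, including inside the path or query string of a foreign site; it should be anchored, and it needs the same dot-before-domain, `https?` and optional-port adjustments as the RewriteCond so both recipes accept the same set of referers. The added `SetEnvIf Referer ^$ local_ref=1` line is the one that admits referer-less requests and depends on an absent Referer header being tested as an empty string; a short comment in the config block saying so would stop readers from deleting it as a duplicate of the line above.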
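Review bot: In the @@ -28, +29 @@ hunk, the rewritten explanation carries over the typo "jpep" from the old line; it should read "jpeg". The sentence also still describes one !SetEnvIf that fires when the referer "contains your domain", while the block above now has two directives, one for the domain and one for the empty referer, so the explanation should mention both. In the new paragraph, "allowed entry" is awkward; "allowed" or "let through" reads better. The closing note on the intentional "referer" spelling is a good addition.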
