Thread: Any htaccess pros out there?

  1. #1
    Dzinerbear
    Guest

    Any htaccess pros out there?

    Just wondering if this htaccess file is appropriate to stop hotlinkers and bookmarkers. It was passed to me by a webmaster and I'm confused about a couple of things. First, I've never seen the AuthType Basic, so I don't know what it means; second, I'm not sure why mancheck has an * before its URL and the others don't. (The ???? are replaced by the webmaster's domain.)

    AuthType Basic
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^http://www.????????.com [NC]
    RewriteCond %{HTTP_REFERER} !^http://???????.com [NC]
    RewriteCond %{HTTP_REFERER} !^http://.+\.avsofchoice\.com/* [NC]
    RewriteCond %{HTTP_REFERER} !^http://.+\.cybersexnetwork\.com/* [NC]
    RewriteCond %{HTTP_REFERER} !^http://.+\.********\.com/* [NC]
    RewriteCond %{HTTP_REFERER} !^http://.+\.****\.com/* [NC]
    RewriteCond %{HTTP_REFERER} !^http://.*mancheck.com/.* [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.globalmalepass.com/ [NC]
    RewriteCond %{HTTP_REFERER} !^http://globalmalepass.com/ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.gmpass.com/ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www1.gmpass.com/ [NC]
    RewriteCond %{HTTP_REFERER} !^http://gmpass.com/ [NC]
    RewriteCond %{HTTP_REFERER} !^https://secure.globalmalepass.com/ [NC]
    RewriteRule /* http://www.??????.com/ [R,L]

    Thanks
    Dzinerbear


  2. #2
    crescentx
    Guest
    If I'm reading this right, it's more likely to prevent access from outside an AVS site (the ones listed). The * would just mean www.mancheck.com, www2.mancheck.com, www99.mancheck.com all get treated the same (i.e., allowed). Anyone not coming from one of those URLs would get kicked out. AuthType Basic is generally used for password-protection via .htaccess - I don't think that will work well here, depends on your server. You also need mod_rewrite enabled for this to work.

    If all you want to do is stop hotlinking, though, the htaccess you have is the wrong tool. Something like:

    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://domain.com/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.domain.com/.*$ [NC]
    RewriteRule .*\.gif$ - [F]

    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://domain.com/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.domain.com/.*$ [NC]
    RewriteRule .*\.jpg$ - [F]

    Should stop jpg/gif files from being hotlinked. As a side effect, though, people using security software that blocks referring URL will not be able to view images, even when they're supposed to be able to, in some cases.

    -d


  3. #3
    Dzinerbear
    Guest
    crescentx,

    Thanks so much for the comprehensive reply. I appreciate it. Could you do us a favour, could you then show us what the proper htaccess file would be to only allow access from the webmaster's site and two AVS, let's use Mancheck and Global Male Pass.

    Thanks much
    Dzinerbear


  4. #4
    crescentx
    Guest
    okay...well I still am not 100% sure your original post's syntax is perfectly correct, but that is basically it.

    AuthType Basic
    RewriteEngine On

    These two set up the "rewrite" function of Apache. You must have mod_rewrite enabled in httpd.conf for this to work or unpleasantness will occur.

    These lines:

    RewriteCond %{HTTP_REFERER} !^http://www.referringdomain.com [NC]

    Say "Rewrite Condition. If the Variable "HTTP_REFERER" (which is an environment variable, referring URL) is NOT (that's the exclamation mark) like http://www.referringdomain.com ... [NC] is next condition.

    So if you have a series of lines like this, it tries each one. If it successfully matches referringdomain.com or whatever you put in there, it allows access. If it gets to the last line without successfully matching any of the RewriteCond:

    RewriteRule /* http://www.failedurl.com [R,L]

    It sends all these requests that did not match any condition to http://www.failedurl.com/

    The key is the RewriteCond lines - one for each URL that you want to allow in

    RewriteCond %{HTTP_REFERER} !^http://www.yourdomain.com/members [NC]

    for example allows referring URLs http://www.yourdomain.com/members

    A tricky thing also to remember is not just www.yourdomain.com but yourdomain.com needs to be allowed (no "www") - and be careful because this can make things go haywire with Internet Security programs on users' browsing software.
    -d


  5. #5
    Dzinerbear
    Guest
    crescentx,

    Good lord, where did you come from? Two posts on the board and you're hitting my top 10 list of GWW's Most Helpful People.

    Since you seem to know a bit about htaccess can I pick your brain a little more?

    What does the + in this line mean?

    RewriteCond %{HTTP_REFERER} !^http://.+\.cybersexnetwork\.com/* [NC]

    Is this a sort of wild card taking care of the www. and non-www versions?

    And you're right about it throwing off security software. The line in my own htaccess for MANcheck is as follows:

    RewriteCond %{HTTP_REFERER} !^http://.+\.mancheck\.com/* [NC]

    And I get about 1-2 people a week who complain they can't get in. It seems to be an issue with XP firewall, Norton's anti-virus or firewall, or Zone Alarm. Is it better to leave out the + and use

    RewriteCond %{HTTP_REFERER} !^http://www.mancheck.com/* [NC]
    RewriteCond %{HTTP_REFERER} !^http://mancheck.com/* [NC]

    Or can you think of any other way around this problem? It's really a pain.

    Again thanks so much for your help.
    Dzinerbear


  6. #6
    crescentx
    Guest
    Personally, I would keep the syntax as simple as possible. Just do a line for mancheck.com and www.mancheck.com (and any other subdomain they have). Regexp's aren't my favorite pets, but the one with the + should (emphasis, should) do all of that, though.

    As far as firewall, well, not really as far as I am aware. Referring URL verification is dicey. It's not just firewall, either - sometimes it's the browser, or targeting can throw it off. You will be certain, however, referring URL is correct if they're getting your images ;-O

    -doug
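
An added example, not part of the thread, that runs the MANcheck patterns quoted in the posts above against constructed Referer values to show which visitors each form lets in. Python's `re` with `re.IGNORECASE` stands in for mod_rewrite's matching with [NC]; `TIGHT_FORM`, the function names and the `.example` host are assumptions made for the illustration.

```python
import re

# Patterns as posted in the thread.
PLUS_FORM = [r"^http://.+\.mancheck\.com/*"]
TWO_LINE_FORM = [r"^http://www.mancheck.com/*", r"^http://mancheck.com/*"]
STAR_FORM = [r"^http://.*mancheck.com/.*"]
# Assumed tighter pattern (not from the thread): any number of subdomain
# labels, escaped dots, and the host name must end at "/" or end of string.
TIGHT_FORM = [r"^https?://([a-z0-9-]+\.)*mancheck\.com(/|$)"]

# Constructed sample Referer values.
SAMPLES = {
    "www": "http://www.mancheck.com/members/",
    "bare": "http://mancheck.com/members/",
    "subdomain": "http://avs.mancheck.com/",
    "empty": "",  # Referer stripped by a firewall or privacy tool
    "longer_host": "http://www.mancheck.com.example/",
}


def rule_fires(referer, patterns):
    """Model a chain of negated RewriteCond lines.

    Each line is `!pattern` and the lines are ANDed, so the RewriteRule runs
    (visitor redirected) only when the referer matches none of the patterns.
    """
    return not any(re.search(p, referer, re.IGNORECASE) for p in patterns)


def verdicts(patterns):
    """Return {sample name: True if the visitor is let in}."""
    return {name: not rule_fires(ref, patterns) for name, ref in SAMPLES.items()}


if __name__ == "__main__":
    for label, pats in [("plus", PLUS_FORM), ("two-line", TWO_LINE_FORM),
                        ("star", STAR_FORM), ("tight", TIGHT_FORM)]:
        print(label, verdicts(pats))
```

In this model the `.+\.` form lets in `www.` and other subdomains but turns away a referer from the bare `mancheck.com`, while the two-line form does the opposite for `avs.mancheck.com`. Neither form ends the host name, so a longer host that merely starts with the allowed name also passes; the assumed tight pattern handles all five samples as intended.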


  7. #7
    Originally posted by crescentx
    Personally, I would keep the syntax as simple as possible.
    THAT has got to be the best advice I've seen anyone post about .htaccess.

    Too often people forget that complicating things can often lead to tech stuff not working, especially when someone isn't sure what is and what isn't allowed by their hosting provider :thumbsup:

    Regards,

    Lee


  8. #8
    Dzinerbear
    Guest
    crescentx,

    I've just reread your posts and Googled a couple of things I didn't understand, like regexp and, for the first time, I understand this stuff a whole lot better.

    One further question. You posted the following would prevent hotlinking of jpg images:


    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http://domain.com/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www.domain.com/.*$ [NC]
    RewriteRule .*\.jpg$ - [F]

    If I added this:

    RewriteCond %{HTTP_REFERER} !^http://www.mancheck.com/.*$ [NC]

    Does that give MANcheck permission to hotlink?

    Thanks so much. And BTW, I've been checking out the program in your sig, is that yours?

    Dzinerbear


  9. #9
    crescentx
    Guest
    Regexp is one of those dark arts that no amount of googling can expose :-) Trust me. Yes, if you add that and don't forget:

    RewriteCond %{HTTP_REFERER} !^http://mancheck.com/.*$ [NC]

    You should be okay - unless there's another mancheck.com server like avs.mancheck.com etc. (there appear to be some out there!) So the + syntax might be smarter - if it works. You also have the first line

    RewriteCond %{HTTP_REFERER} !^$

    After re-reading what I copy-pasted from the internet before, I don't think it is necessary. It at best would allow sites with no referring URL to hotlink. I am trying out hotlinking without this line and seeing what happens. True, safer for the firewalled people...but I'd prefer safer for me :-) You pretty much have to take the .htaccess file one line at a time with regexps. Add a line, delete one, watch out for typos. And always check your logs to make sure you aren't inadvertently blocking legitimate use.

    Almost forgot, Yes - XYCash is our program...one of the older gay programs out there.

    -doug
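
An added example, not part of the thread, of the log check recommended in the post above: it counts blocked requests per referring site so that empty referers and allowed sites that were turned away stand out. The log lines are constructed, and `ALLOWED_SITES`, `BLOCK_STATUSES` and the function names are assumptions; it also assumes 302 and 403 responses on the protected paths come only from the referer rules.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed access-log lines in Apache "combined" format (192.0.2.x is a
# documentation address range; paths and user agents are made up).
LOG = '''\
192.0.2.10 - - [12/Mar/2004:10:01:00 +0000] "GET /members/ HTTP/1.1" 200 5120 "http://www.mancheck.com/verify" "Mozilla/4.0"
192.0.2.11 - - [12/Mar/2004:10:02:00 +0000] "GET /members/ HTTP/1.1" 302 210 "-" "Mozilla/4.0"
192.0.2.12 - - [12/Mar/2004:10:03:00 +0000] "GET /members/ HTTP/1.1" 302 210 "http://mancheck.com/verify" "Mozilla/4.0"
192.0.2.13 - - [12/Mar/2004:10:04:00 +0000] "GET /members/ HTTP/1.1" 302 210 "http://forum.example/thread/9" "Mozilla/4.0"
192.0.2.14 - - [12/Mar/2004:10:05:00 +0000] "GET /members/ HTTP/1.1" 302 210 "-" "Mozilla/4.0"
'''

LINE = re.compile(r'^\S+ \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"')
ALLOWED_SITES = {"mancheck.com"}  # assumed: domains the rules are meant to let in
BLOCK_STATUSES = {"302", "403"}   # an [R] rule answers 302, an [F] rule answers 403


def site_of(referer):
    """Classify a Referer as '(none)', an allowed site, or its raw host name."""
    if referer in ("", "-"):
        return "(none)"
    host = (urlsplit(referer).hostname or "").lower()
    for site in ALLOWED_SITES:
        if host == site or host.endswith("." + site):
            return site
    return host


def blocked_by_site(log_text):
    """Count redirected or forbidden requests per referring site."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and m["status"] in BLOCK_STATUSES:
            counts[site_of(m["referer"])] += 1
    return counts


def wrongly_blocked(log_text):
    """Blocked requests whose Referer was on an allowed site: a gap in the patterns."""
    return {s: n for s, n in blocked_by_site(log_text).items() if s in ALLOWED_SITES}
```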

