Hotlinking – How to Prevent Image and Bandwidth Theft on Your Site

.htaccessapache-2.2bandwidth-controlhotlinking

I'm trying to write the "ultimate" anti hot linking .htaccess…

You can find many examples/tutorials/generators on the net but many of them are wrong or incomplete (or even both).

These are the features I'm looking for:

Must block hot linking for a list of file extensions when HTTP_REFERER is an foreign site.
Must allow hot linking for the current domain (duh) without harcoding it in the .htaccess.
- For the current domain it must work under http and https.
- For the current domain it must work with www and without www.
Must be able to add exceptions domains to these rules (like our friend Google) and these domains must work under http and https and with www or without www.

This is what I've achieved so far:

<IfModule mod_rewrite.c>

Options +FollowSymlinks
RewriteEngine On

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?mydomain.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com/.*$ [NC]
RewriteRule \.(gif|jpe?g|png|zipx?)$ - [NC,F]

</IfModule>

My questions:

How to avoid to hardcode mydomain.com in the .htaccess? (It would be great to be able to deploy this .htaccess to all my domains without having to modify it for each of them.)
In my RewriteRule, gif|jpe?g|png|zipx? is equivalent to gif|jpg|jpeg|png|zip|zipx right? (Sorry still new at regular expressions.)
Do you see anything bad in my .htaccess that I'm unaware of?

For #1 I know it's somewhat possible. The closest I found is this snippet that removes the www from the URL without hardcoding the domain. Is there a way to use this method to my question #1?

RewriteCond %{HTTP_HOST} ^www\.(.+)
RewriteCond %{HTTPS}s/%1 ^(on(s)|offs)/(.+)
RewriteRule ^ http%2://%3%{REQUEST_URI} [L,R=301]

Update:

I'm aware of solutions that will serve a watermarked image instead of the regular one. But I'm not looking for this kind of solution. I want a universal solution (serve 403 errors) that will work for all kind of binary files (zip, exe, iso, jpg, png, gif…).

Best Answer

No matter what you do you will be "wasting" CPU cycles (to determine if the referrer site (the one doing the linking) is authorized or not you must do some processing of the request data).
The only thing you can do is save bandwidth while wasting a minimum of CPU cycles.

There are some examples in the Apache Docs that do exactly what you want. This one:

SetEnvIf Referer example\.com localreferer
<FilesMatch \.(jpg|png|gif)$>
Order deny,allow
Deny from all
Allow from env=localreferer
</FilesMatch>

seems to be the most applicable (and doesn't require the full weight of mod_rewrite).
You can add additional valid referrers with additional SetEnvIf and Allow directives.

Related Solutions

Tomcat – Apache2 – mod_expire and mod_rewrite not working in httpd.conf – serving content from tomcat

Probably the ProxyPass / directive you have in your config routes all requests to the Tomcat backend, bypassing all your mod_rewrite directives. You can try to remove the ProxyPass directive and use RewriteRule with the [P] flag after your other rewrites:

mod_rewrite: P|proxy

For the expire headers the situation is worse — in another similar question a solution was not found.

Option +FollowSymLinks would be needed for using mod_rewrite in .htaccess files; in your case it is not required, because you can put everything in the Apache config. Moving rules from config to .htaccess is pointless and can only make things slower. However, there is an important difference between .htaccess and the Apache config — in .htaccess patterns in RewriteRule are matched against relative filesystem paths (which never start with /), while in the VirtualHost context these patterns are matched against the URL path after the hostname, which always starts with /. Therefore at least one of your rules is incorrect:

RewriteRule ^content/(js|css)/([a-z]+)-([0-9]+)\.(js|css)$ /content/$1/$2.$4

should be

RewriteRule ^/content/(js|css)/([a-z]+)-([0-9]+)\.(js|css)$ /content/$1/$2.$4

(note the additional slash in the beginning).

Linux – How to disable hot linking and direct linking to files on the site

The problem with the first excerpt may be the RewriteRule line.

Where you have:

RewriteRule \.(mp3|pdf)$ - [F,NC,L]

perhaps you want:

RewriteRule .*\.(mp3|pdf)$ - [F,NC,L]

As is, I think you're matching the specific files '.mp3' or '.pdf'. You want to match 'foo.mp3' or 'bar.pdf' (for varying foo and bar).

On the second excerpt.. The start looks suspect. I don't know why you need the SetEnvIf and SetEnvIfNoCase combination. Perhaps try something like this:

SetEnvIf Referer "^http://(www\.)?mydomain.com/.*$" legit_referal
SetEnvIf Referer "^$" legit_referal
<LocationMatch "\.(pdf|mp3)$" >
   Order Deny,Allow
   Deny from all
   Allow from env=legit_referal
</LocationMatch>

Best Answer

Related Solutions

Tomcat – Apache2 – mod_expire and mod_rewrite not working in httpd.conf – serving content from tomcat

Linux – How to disable hot linking and direct linking to files on the site

Related Topic