Forbid Direct Link from my server, but allow file to be embedded in one of my pages. Htaccess. Help!!

Posted on 2007-07-22
Last Modified: 2013-12-25
I have a modrewrite that turns

Matt.php into New.php

New.php has a content-type of a gif and loads the file contents of a gif file into it. Therefore New.php basically IS a gif file.

I need something set up that will allow
<img src="Matt.php">
to work

but
http://myserver.com/Matt.php
is forbidden

Please help. URGENT!
Question by:MattKenefick
10 Comments
 
LVL 17

Expert Comment

by:jasonsbytes
ID: 19544619
What you're wanting is to prevent what is called image 'hotlinking.'

You are correct that using .htaccess is the way to do this with apache.

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} ^http://(www\.)?ebay\.com/.*$ [NC]
RewriteRule widget\.png$ - [F]

This rule explained:
1. First the RewriteEngine (the mod_rewrite module apache loaded) is turned on

Note: RewriteEngine only needs to be turned on once before any conditions or rules are defined. You do not need to turn it on, on a per-rule basis. In fact setting RewriteEngine On multiple times will result in a server error.

RewriteEngine On

2. next, for any requests coming in with an http referrer, which does NOT match www.yourdomain.com or yourdomain.com, NOT case sensitive. . .

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/.*$ [NC]

3. and the referrer IS www.ebay.com, or the referrer IS ebay.com

RewriteCond %{HTTP_REFERER} ^http://(www\.)?ebay\.com/.*$ [NC]

4. for the file widget.png, send nothing, and forbid access (send a 403 Forbidden response header)

RewriteRule widget\.png$ - [F]

Alternatively: prevent hotlinking of all images (well, all .gif, .jpg/.jpeg, .png, and .bmp files) from ebay
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} ^http://(www\.)?ebay\.com/.*$ [NC]
RewriteRule \.(gif|jpe?g|png|bmp)$ - [F]

Prevent hotlinking of all images (well, all .gif, .jpg/.jpeg, .png, and .bmp files) from anywhere but your own site
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/.*$ [NC]
RewriteRule \.(gif|jpe?g|png|bmp)$ - [F]
--------------------------------------------------------------------------------
The "Fun" Solution: using mod_rewrite and .htaccess to seek revenge
Now that you understand how to forbid access to your images, we can provide an example with an image substitution and you will be able to follow along.

#RewriteCond %{HTTP_REFERER} !^$
#RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/.*$ [NC]
#RewriteCond %{HTTP_REFERER} ^http://(www\.)?ebay\.com/.*$ [NC]
#RewriteRule flatpanelTV\.jpg images/crappysmashedTV.gif [L,NC]

0
 
LVL 17

Expert Comment

by:jasonsbytes
ID: 19544621
0
 
LVL 4

Author Comment

by:MattKenefick
ID: 19544634
no no no..

I know about hotlinking.. It's if they type in the URL to their address bar, I want them to get nothing.
I only want them to see something if it's being embedded through another page on my site.

So if they type http://mysite.com/image.jpg into their address bar, even though it's on my server, I don't want them to see it.

Hotlinking should be stopped too yea, but them putting it in their address bar is what concerns me.


One way I thought of doing it was to put an authorization on it so they'd have to type a username and password to see it, then do something like:

<img src="view.php">

and in the View.php put something like

$auth = "user";
$pass = "pass";
// validate credentials
header("Content-Type: image/jpeg");
echo $imageInformation;

That way, only the script could access it, and if they typed the direct link into their address bar, it'd give them the Username/Password box, which they wouldn't know.
I don't know how to send the User/Pass through the script to prevent the box from showing up, though.

So I'm open to other ideas.

This is extremely urgent if that matters :(
0
 
LVL 17

Expert Comment

by:jasonsbytes
ID: 19544684
I think the above method will work for what you are wanting, but you can also try the below.  

RewriteCond %{HTTP_HOST} !myserver.com$
RewriteRule   ^/.*  -  [F]
0
 
LVL 4

Author Comment

by:MattKenefick
ID: 19544797
doesn't work =[
0
 
LVL 4

Author Comment

by:MattKenefick
ID: 19544800
How do I say..

If the Referer doesn't equal http://seesaw2.net/matt/newSwfTest/

Then make it forbidden
0
 
LVL 2

Expert Comment

by:milanmk
ID: 19544827
RewriteEngine On
RewriteCond %{HTTP_REFERER}  !^http://seesaw2\.net/matt/newSwfTest/$ [NC]
RewriteRule \.jpg$ - [F]
0
 
LVL 17

Expert Comment

by:jasonsbytes
ID: 19544905
dude, that is what I first showed you...  preventing hotlinks does just that... it says if the referrer is not whatever, forbid it.
0
 
LVL 4

Author Comment

by:MattKenefick
ID: 19545025
Yes. But if you go to

Http://whatever.com/MyFile.FILE

There is no referer.
Besides the fact that Referer can easily be spoofed.
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 1000 total points
ID: 19545531
> .. but them putting it in their address bar is what concerns me.
you can't unless you control the browser
Using a wrapper script with authentication is what you need to do, see http:/Q__22713019.html#19545299
0
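
The wrapper-script approach from the accepted answer, as an added example that is not code from any poster in this thread: the embedding page issues a one-time, session-bound token, and the image bytes are returned only when that token is redeemed, so nothing depends on the Referer header. The single-file layout, `IMAGE_PATH`, `TOKEN_TTL` and the function names are assumptions.

```php
<?php
// Added example, not code from the thread. One file plays both roles:
//   page.php          -> renders the HTML page and issues a one-time token
//   page.php?t=TOKEN  -> returns the image bytes only for a valid token
// Assumptions: PHP 7+, sessions enabled, and the image kept outside the web
// root at the hypothetical path below, so no URL maps to the file itself.
declare(strict_types=1);

const IMAGE_PATH = __DIR__ . '/../private/matt.gif'; // hypothetical path
const TOKEN_TTL  = 30;                               // seconds, assumed

session_start();

function issue_token(): string
{
    // Unguessable value stored server-side in this visitor's session.
    $token = bin2hex(random_bytes(16));
    $_SESSION['img_tokens'][$token] = time() + TOKEN_TTL;
    return $token;
}

function redeem_token(string $token): bool
{
    $expires = $_SESSION['img_tokens'][$token] ?? 0;
    unset($_SESSION['img_tokens'][$token]); // single use: replaying the URL fails
    return $expires >= time();
}

if (isset($_GET['t'])) {
    // Image request. A typed or pasted URL has no unredeemed token -> 403.
    if (!is_string($_GET['t']) || !redeem_token($_GET['t'])) {
        http_response_code(403);
        exit('Forbidden');
    }
    if (!is_file(IMAGE_PATH)) {
        http_response_code(404);
        exit('Not found');
    }
    header('Content-Type: image/gif');
    header('Cache-Control: no-store'); // keep the response out of shared caches
    readfile(IMAGE_PATH);
    exit;
}

// Page request: embed the image through a freshly issued token.
$src = htmlspecialchars('?t=' . issue_token(), ENT_QUOTES);
echo '<!doctype html><title>Embedded image</title><img src="' . $src . '" alt="">';
```

A visitor who can load the page can still save the image from the browser; the token only stops the image URL from working on its own or when embedded from another site.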

Question has a verified solution.
