MattKenefick
asked on
Forbid Direct Link from my server, but allow file to be embedded in one of my pages. Htaccess. Help!!
I have a modrewrite that turns
Matt.php into New.php
New.php has a content-type of a gif and loads file contents of a gif file into it.. Therefore new.php basically IS a gif file.
I need something setup that will allow
<img src="Matt.php">
to work
but
http://myserver.com/Matt.php
is forbidden
Please help. URGENT!
Also, here is a good explanation:
http://www.dagondesign.com/articles/hotlink-protection-with-htaccess/feed/
ASKER
no no no..
I know about hotlinking.. It's if they type in the URL to their address bar, I want them to get nothing.
I only want them to see something if it's being embedded through another page on my site.
So if they type http://mysite.com/image.jpg into their address bar, even though it's on my server, I don't want them to see it.
Hotlinking should be stopped too, yeah, but them putting it in their address bar is what concerns me.
One way I thought of doing it was to put an authorization on it so they'd have to type a username and password to see it.. then do like..
<img src="view.php">
and in the View.php put something like
$auth = "user";
$pass = "pass";
// validate credentials
header("Content-Type: image/jpeg");
echo $imageInformation;
that way, only the script could access it, and if they typed in the direct link to their address bar.. it'd give them the Username/Password box which they wouldn't know.
I don't know how to send the User/Pass to prevent the box from showing up through the script though.
So I'm open to other ideas.
This is extremely urgent if that matters :(
I think the above method will work for what you are wanting, but you can also try the below.
RewriteCond %{HTTP_HOST} !myserver.com$
RewriteRule ^/.* - [F]
ASKER
doesn't work =[
ASKER
How do I say..
If the Referer doesn't equal http://seesaw2.net/matt/newSwfTest/
Then make it forbidden
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://seesaw2\.net/matt/newSwfTest/$ [NC]
RewriteRule \.jpg$ - [F]
dude, that is what I first showed you... preventing hotlinks does just that... it says if the referrer is not whatever, forbid it.
ASKER
Yes. But if you go to
Http://whatever.com/MyFile.FILE
There is no referer.
Besides the fact that Referer can easily be spoofed.
ASKER CERTIFIED SOLUTION
You are correct that using .htaccess is the way to do this with apache.
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} ^http://(www\.)?ebay.com/.*$ [NC]
RewriteRule widget\.png$ - [F]
This rule explained:
1. First the RewriteEngine (the mod_rewrite module apache loaded) is turned on
Note: RewriteEngine only needs to be turned on once before any conditions or rules are defined. You do not need to turn it on, on a per-rule basis. In fact setting RewriteEngine On multiple times will result in a server error.
RewriteEngine On
2. next, for any requests coming in with an http referrer, which does NOT match www.yourdomain.com or yourdomain.com, NOT case sensitive. . .
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain.com/.*$ [NC]
3. and the referrer IS www.ebay.com, or the referrer IS ebay.com
RewriteCond %{HTTP_REFERER} ^http://(www\.)?ebay.com/.*$ [NC]
4. for the file widget.png, send nothing, and forbid access (send a 403 Forbidden response header)
RewriteRule widget\.png$ - [F]
Alternatively: prevent hotlinking of all images (well, all .gif, .jpg/.jpeg, .png, and .bmp files) from ebay
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} ^http://(www\.)?ebay.com/.*$ [NC]
RewriteRule \.(gif|jpe?g|png|bmp)$ - [F]
Prevent hotlinking of all images (well, all .gif, .jpg/.jpeg, .png, and .bmp files) from anywhere but your own site
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain.com/.*$ [NC]
RewriteRule \.(gif|jpe?g|png|bmp)$ - [F]
--------------------------
The "Fun" Solution: using mod_rewrite and .htaccess to seek revenge
Now that you understand how to forbid access to your images, we can provide an example with an image substitution and you will be able to follow along.
#RewriteCond %{HTTP_REFERER} !^$
#RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain.com/.*$ [NC]
#RewriteCond %{HTTP_REFERER} ^http://(www\.)?ebay.com/.*$ [NC]
#RewriteRule flatpanelTV.jpg images/crappysmashedTV.gif
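An added example, not part of the original thread: a small Python model of how mod_rewrite evaluates the Referer rules posted above (the rule pattern is tested first, consecutive RewriteCond lines are ANDed, `!` negates, `[NC]` ignores case), run over constructed requests. It shows that the "own site only" rule with its `!^$` exemption still serves a request that carries no Referer, which is the address-bar case the asker raised, while the stricter single-condition rule forbids that request but accepts whatever Referer value the client sends. The function names, the dictionary layout and the sample requests are assumptions made for illustration.

```python
import re

# Each condition is (pattern, negated, nocase), mirroring
#   RewriteCond %{HTTP_REFERER} [!]pattern [NC]
# mod_rewrite ANDs consecutive conditions unless [OR] is given.
OWN_SITE_ONLY = {   # "anywhere but your own site" rule from the answer
    "conds": [(r"^$", True, False),
              (r"^http://(www\.)?yourdomain.com/.*$", True, True)],
    "rule": r"\.(gif|jpe?g|png|bmp)$",
}
STRICT_REFERER = {  # single-condition rule posted for the asker's page
    "conds": [(r"^http://seesaw2\.net/matt/newSwfTest/$", True, True)],
    "rule": r"\.jpg$",
}

def cond_holds(referer, pattern, negated, nocase):
    """One RewriteCond: regex test on the Referer, inverted when negated."""
    hit = re.search(pattern, referer, re.I if nocase else 0) is not None
    return hit != negated

def is_forbidden(ruleset, path, referer=""):
    """True if `RewriteRule <rule> - [F]` would answer 403.

    A missing Referer header is modelled as the empty string.
    """
    if re.search(ruleset["rule"], path) is None:
        return False          # rule pattern did not match; conditions unused
    return all(cond_holds(referer, *c) for c in ruleset["conds"])

# Constructed sample requests: (description, path, Referer header)
SAMPLES = [
    ("embedded in own page", "img/a.jpg", "http://www.yourdomain.com/page.html"),
    ("hotlinked elsewhere",  "img/a.jpg", "http://other.example/post"),
    ("typed in address bar", "img/a.jpg", ""),
    ("header set by client", "img/a.jpg", "http://seesaw2.net/matt/newSwfTest/"),
]

def report():
    """Rows of (description, forbidden by own-site rule, forbidden by strict rule)."""
    return [(d, is_forbidden(OWN_SITE_ONLY, p, r), is_forbidden(STRICT_REFERER, p, r))
            for d, p, r in SAMPLES]

if __name__ == "__main__":
    for desc, own, strict in report():
        print(f"{desc:22} own-site rule: {'403' if own else '200'}   "
              f"strict rule: {'403' if strict else '200'}")
```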