MattKenefick asked:

Forbid Direct Link from my server, but allow file to be embedded in one of my pages. Htaccess. Help!!

I have a modrewrite that turns

Matt.php into New.php

New.php has a content-type of a gif and loads the file contents of a gif file into it. Therefore New.php basically IS a gif file.

I need something set up that will allow
<img src="Matt.php">
to work

but
http://myserver.com/Matt.php
is forbidden

Please help. URGENT!
Jason Minton

What you're wanting is to prevent what is called image 'hotlinking.'

You are correct that using .htaccess is the way to do this with Apache.

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} ^http://(www\.)?ebay\.com/.*$ [NC]
RewriteRule widget\.png$ - [F]

This rule explained:
1. First the RewriteEngine (the mod_rewrite module apache loaded) is turned on

Note: RewriteEngine only needs to be turned on once before any conditions or rules are defined. You do not need to turn it on, on a per-rule basis. In fact setting RewriteEngine On multiple times will result in a server error.

RewriteEngine On

2. next, for any requests coming in with an http referrer, which does NOT match www.yourdomain.com or yourdomain.com, NOT case sensitive. . .

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/.*$ [NC]

3. and the referrer IS www.ebay.com, or the referrer IS ebay.com

RewriteCond %{HTTP_REFERER} ^http://(www\.)?ebay\.com/.*$ [NC]

4. for the file widget.png, send nothing, and forbid access (send a 403 Forbidden response header)

RewriteRule widget\.png$ - [F]

Alternatively: prevent hotlinking of all images (well, all .gif, .jpg/.jpeg, .png, and .bmp files) from ebay
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} ^http://(www\.)?ebay\.com/.*$ [NC]
RewriteRule \.(gif|jpe?g|png|bmp)$ - [F]

Prevent hotlinking of all images (well, all .gif, .jpg/.jpeg, .png, and .bmp files) from anywhere but your own site
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/.*$ [NC]
RewriteRule \.(gif|jpe?g|png|bmp)$ - [F]
--------------------------------------------------------------------------------
The "Fun" Solution: using mod_rewrite and .htaccess to seek revenge
Now that you understand how to forbid access to your images, we can provide an example with an image substitution and you will be able to follow along.

#RewriteCond %{HTTP_REFERER} !^$
#RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/.*$ [NC]
#RewriteCond %{HTTP_REFERER} ^http://(www\.)?ebay\.com/.*$ [NC]
#RewriteRule flatpanelTV\.jpg images/crappysmashedTV.gif [L,NC]

MattKenefick (ASKER)

no no no..

I know about hotlinking.. It's if they type in the URL to their address bar, I want them to get nothing.
I only want them to see something if it's being embedded through another page on my site.

So if they type http://mysite.com/image.jpg into their address bar, even though it's on my server, I don't want them to see it.

Hotlinking should be stopped too yea, but them putting it in their address bar is what concerns me.


One way I thought of doing it was to put an authorization on it so they'd have to type a username and password to see it, then do like:

<img src="view.php">

and in the View.php put something like

$auth = "user";
$pass = "pass";
// validate credentials
header("Content-Type: image/jpeg");
echo $imageInformation;

That way, only the script could access it, and if they typed in the direct link to their address bar, it'd give them the Username/Password box, which they wouldn't know.
I don't know how to send the User/Pass to prevent the box from showing up through the script though.

So I'm open to other ideas.

This is extremely urgent if that matters :(
I think the above method will work for what you are wanting, but you can also try the below.  

RewriteCond %{HTTP_HOST} !myserver.com$
RewriteRule   ^/.*  -  [F]
doesn't work =[
How do I say..

If the Referer doesn't equal http://seesaw2.net/matt/newSwfTest/

Then make it forbidden
milanmk

RewriteEngine On
RewriteCond %{HTTP_REFERER}  !^http://seesaw2\.net/matt/newSwfTest/$ [NC]
RewriteRule \.jpg$ - [F]
dude, that is what I first showed you...  preventing hotlinks does just that... it says if the referrer is not whatever, forbid it.
Yes. But if you go to

Http://whatever.com/MyFile.FILE

There is no referer.
Besides the fact that Referer can easily be spoofed.
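
An added example, not part of the thread: a small Python model of how mod_rewrite evaluates the Referer conditions quoted above, run over constructed requests. It compares the first answer's rule (which keeps the `!^$` line) with the same rule without that line; the rule-set names and the sample requests are assumptions made for illustration.

```python
import re

# Each rule set: (RewriteCond patterns tested against the Referer, RewriteRule URL pattern).
# A leading "!" negates a condition, consecutive conditions are ANDed, and [NC]
# is modelled with re.IGNORECASE, mirroring mod_rewrite's documented behaviour.
OWN_SITE = r"!^http://(www\.)?yourdomain\.com/.*$"
IMAGES = r"\.(gif|jpe?g|png|bmp)$"
RULESETS = {
    "allow-empty": ([r"!^$", OWN_SITE], IMAGES),  # first answer's rule
    "strict": ([OWN_SITE], IMAGES),               # same rule without the !^$ line
}

def cond_holds(pattern, referer):
    """Evaluate one RewriteCond pattern against the Referer value."""
    negate = pattern.startswith("!")
    body = pattern[1:] if negate else pattern
    matched = re.search(body, referer, re.IGNORECASE) is not None
    return matched != negate

def status(ruleset, path, referer):
    """Return 403 if the [F] rule fires for this request, else 200."""
    conds, url_pattern = RULESETS[ruleset]
    if re.search(url_pattern, path) and all(cond_holds(c, referer) for c in conds):
        return 403
    return 200

# Constructed sample requests: (description, path, Referer; "" means header absent)
REQUESTS = [
    ("embedded in own page", "/img/widget.png", "http://www.yourdomain.com/page.html"),
    ("typed into address bar", "/img/widget.png", ""),
    ("embedded on another site", "/img/widget.png", "http://www.ebay.com/itm/1"),
    # The server sees only the header string, so a client that sets this
    # value itself is indistinguishable from the first request.
    ("client sets its own Referer", "/img/widget.png", "http://www.yourdomain.com/page.html"),
]

def table():
    """Status per request under both rule sets."""
    return [(d, status("allow-empty", p, r), status("strict", p, r))
            for d, p, r in REQUESTS]

if __name__ == "__main__":
    for desc, allow_empty, strict in table():
        print(f"{desc:30} allow-empty={allow_empty} strict={strict}")
```

An absent Referer is also what a legitimate embed looks like when the browser or a proxy withholds the header, so the strict variant returns 403 to those visitors as well.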
ASKER CERTIFIED SOLUTION
ahoffmann