Solved

Apache .htaccess not working

Posted on 2012-12-26
7
432 Views
Last Modified: 2013-04-01
Hello,  I created a htaccess and passed it at the root of the html directory.  I even set it so that apache is the owner of the file.  However, I am still able to hotlink to my image or pdf file.  What could be the problem?  Please see my htaccess file below.

Thanks for your assistance.

#prevent viewing of .htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>

#prevent directory listing
IndexIgnore *

#custom error message
ErrorDocument 401 /custom-error/401.php
ErrorDocument 403 /custom-error/403.php
ErrorDocument 404 /custom-error/404.php
ErrorDocument 500 /custom-error/500.php

#prevent hotlinking to images (gif, png, jpg), documents (csv, pdf, xls, xlsx) and web files (javascript: js, css)
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https://(www\.)?mydomain.com/.*$ [NC]
RewriteRule \.(gif|png|jpg|csv|pdf|xls|xlsx|js|css)$ - [F]
0
Comment
Question by:lgduong
7 Comments
 
LVL 108

Accepted Solution

by:
Ray Paseur earned 300 total points
ID: 38721889
You may get a good answer on the Apache front, but in case you do not, or you want a little stronger way to discourage hotlinking, this article will show how to watermark hotlinked image files.  If the watermark is not enough for you, you could change the script a very little bit and render a picture of something else that would discourage further hotlinking...
www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_10065.html
0
 
LVL 26

Expert Comment

by:arober11
ID: 38723847
If you have root access, put the above block in the httpd.conf, as Apache will only have to parse and compile the rules once, at server start-up, rather than for every browser request received by Apache.

As to why it dosen't work, loose the first Http_referer condition, as that's allowing BLANK referer strings.
0
 
LVL 9

Expert Comment

by:abolinhas
ID: 38727655
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 

Author Comment

by:lgduong
ID: 38745419
abolinhas -- i tried that and the code look the same to me.

arober11 - i don't think it is i the http_referer condition.  it is recommending to have the blank refere string and i do want that as part of the condition

ray_paseur - that is a good idea if images and other files aren't changing as often as it is here.

I am still hoping to use htaccess so that I have control over security instead of having to rely on system admin because they are the only one who can configure the httpd.conf file.

Does anyone else see or know why my code might not be working??
0
 
LVL 26

Expert Comment

by:arober11
ID: 38769166
If you want to see what's going on, have the admin temporarily paste the following into you httpd.conf  and restart Apache:

RewriteLog  /tmp/tmp_apace_rewrite.log
RewtiteLogLevel 9

Open in new window

0
 

Author Comment

by:lgduong
ID: 38835375
arober11 - I have the admin perform the modification to the httpd.conf and when I viewed the log file, I get the following:

 (2) init rewrite engine with requested uri /
 (3) applying pattern '^(/htdocs/.*)' to uri '/'
 (3) applying pattern '.*' to uri '/'
 (4) RewriteCond: input='GET' pattern='^(TRACE|TRACK)' => not-matched
 (1) pass through /
 (3) [perdir /var/www/html/] strip per-dir prefix: /var/www/html/ ->
 (3) [perdir /var/www/html/] applying pattern '\.(gif|png|jpg|csv|pdf|xls|xlsx|js|css)$' to uri ''
 (1) [perdir /var/www/html/] pass through /var/www/html

Does the log indicates what the problem might be?
0
 
LVL 26

Expert Comment

by:arober11
ID: 38962288
Nope, you've cut off the URI from the rules, was expecting output in the following format:

(3) [perdir  /var/www/html/] applying pattern '\.(js|ico|gif|jpg|png|css)$' to uri 'index.php'

So the output above is of little use, other than to prove the rule is in place and being invoked.
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Article by: kevp75
Hey folks, 'bout time for me to come around with a little tip. Thanks to IIS 7.5 Extensions and Microsoft (well... really Windows 8, and IIS 8 I guess...), we can now prime our Application Pools, when IIS starts. Now, though it would be nice t…
Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to dynamically set the form action using jQuery.

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now