Prevent image hotlinking from certain outside domains only.

Hi all, I know this is all over every forum and I have tried and tried but just can't get it to work.
It is for a free image hosting service that allows hotlinking, but not abusive hotlinking, so they need to stop images being hotlinked from certain outside domains only; all other websites, forums etc. can hotlink, in the same way imgur blocks hotlinking to sites that break their terms of service.

The .htaccess file looks like this but images are still hotlinked to eBay, any ideas?

RewriteEngine on
# Hostname dots are escaped so that "." matches a literal dot only
RewriteCond %{HTTP_REFERER} ^https://(.+\.)?vipr\.ebaydesc\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https://(.+\.)?vi\.vipr\.ebaydesc\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https://(.+\.)?ebay\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https://(.+\.)?ebaydesc\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https://(.+\.)?www\.ebay\.com/ [NC]
# RewriteRule needs a substitution argument: "-" leaves the URL alone and [F] answers 403 Forbidden
RewriteRule .*\.(jpeg|jpg|gif|bmp|png)$ - [F]

# Only substitute 404.gif when the requested image file no longer exists on disk
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule \.(gif|jpe?g|png|bmp) 404.gif [NC,L]

The second rule is designed to show an image when the image at a particular url has been deleted, that works perfectly.

We have also tried variations such as,

RewriteCond %{HTTP_REFERER} ^http(s)?://(.+\.)?vi.vipr.ebaydesc(.+)?\.com [NC]

RewriteCond %{HTTP_REFERER} ^https://(.*\.)*ebay\.com [NC,OR]

But nothing works. Now, we know it's possible, as imgur does it.

Any ideas?
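A way to check what those RewriteCond patterns would actually do before touching the server: the Python below is an added example, not code from this thread. It replays the Referer conditions and the image-extension rule from the .htaccess in the question against constructed Referer values. The host patterns are the ones from the question with the hostname dots escaped; the `decide` and `which_pattern` functions, the sample paths and the Referer values are assumptions made for the example. It also shows two requests the posted rules let through: an http:// (rather than https://) Referer, and an upper-case file extension, because the RewriteRule pattern has no [NC] flag.

```python
import re
from typing import Optional

# Referer patterns from the .htaccess in the question (hostname dots escaped).
# Each RewriteCond carried [NC] and all but the last carried [OR], so the chain
# is an OR of case-insensitive matches.
BLOCKED_REFERER_PATTERNS = [
    r"^https://(.+\.)?vipr\.ebaydesc\.com/",
    r"^https://(.+\.)?vi\.vipr\.ebaydesc\.com/",
    r"^https://(.+\.)?ebay\.com/",
    r"^https://(.+\.)?ebaydesc\.com/",
    r"^https://(.+\.)?www\.ebay\.com/",
]
# RewriteRule pattern from the question: it has no [NC] flag, so it is case-sensitive.
IMAGE_RULE_PATTERN = r".*\.(jpeg|jpg|gif|bmp|png)$"

_BLOCKED = [re.compile(p, re.IGNORECASE) for p in BLOCKED_REFERER_PATTERNS]
_IMAGE = re.compile(IMAGE_RULE_PATTERN)


def decide(path: str, referer: Optional[str]) -> str:
    """Return "forbidden" if the request would hit `RewriteRule ... - [F]`, else "allow".

    `path` is the per-directory path mod_rewrite tests in .htaccess context and
    `referer` is the raw Referer header (None when the browser sent none).
    """
    # %{HTTP_REFERER} expands to an empty string when the header is absent; none of
    # the anchored patterns can match "", so direct views and privacy-stripped
    # referers are allowed, which is what a public image host wants.
    ref = referer or ""
    if not _IMAGE.search(path):
        return "allow"  # the rule pattern does not cover this request at all
    if any(p.search(ref) for p in _BLOCKED):
        return "forbidden"
    return "allow"


def which_pattern(referer: str) -> Optional[str]:
    """Return the first blocking pattern that matches, to explain a decision."""
    for raw, compiled in zip(BLOCKED_REFERER_PATTERNS, _BLOCKED):
        if compiled.search(referer):
            return raw
    return None


# Constructed sample requests (hypothetical, not taken from the thread's logs).
SAMPLE_REQUESTS = [
    ("/imgr/2018/02/14/abc.jpg", "https://www.ebay.com/itm/123456"),
    ("/imgr/2018/02/14/abc.jpg", "https://vi.vipr.ebaydesc.com/ws/eBayISAPI.dll"),
    ("/imgr/2018/02/14/abc.jpg", "https://forum.example.org/t/42"),
    ("/imgr/2018/02/14/abc.jpg", None),
    ("/imgr/2018/02/14/abc.jpg", "http://www.ebay.com/itm/123456"),   # http, not https
    ("/imgr/2018/02/14/abc.JPG", "https://www.ebay.com/itm/123456"),  # upper-case extension
    ("/imgr/2018/02/14/abc.jpg", "https://ebay.com.example.net/"),    # look-alike host
]

if __name__ == "__main__":
    for path, ref in SAMPLE_REQUESTS:
        verdict = decide(path, ref)
        print(f"{verdict:9}  {path}  referer={ref!r}  via={which_pattern(ref or '')}")
```

The trailing `/` after the hostname in each pattern is what stops a look-alike host such as `ebay.com.example.net` from matching; the variation `^https://(.*\.)*ebay\.com` without it would match that host too. The script only mirrors the regular-expression semantics of the conditions; it says nothing about whether the request reaches Apache in the first place.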

Steve Bink commented:
The rules look good, assuming the host is accurate.  Have you examined your logs to see which host is showing up?  You can also try setting up rewrite logging to get some detail on what is actually being compared.
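Following the suggestion to look at the logs first, the Python below is an added example (not code from this thread) that parses Apache "combined" access-log lines and counts the Referer host of every image request, so you can see which hosts are actually hotlinking, how much traffic carries no Referer at all, and which status each host is getting back. The log lines in SAMPLE_LOG are constructed for the example (203.0.113.0/24 is a documentation address range), and the parser assumes the CustomLog uses the combined format with the Referer and User-Agent fields quoted at the end.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple
from urllib.parse import urlsplit

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# Image requests are the only ones the hotlink rules target; allow a query string.
IMAGE_EXT_RE = re.compile(r"\.(jpe?g|gif|bmp|png)(\?.*)?$", re.IGNORECASE)

# Constructed sample lines (not from the thread); 203.0.113.0/24 is reserved for docs.
SAMPLE_LOG = """\
203.0.113.5 - - [09/Mar/2018:16:13:11 +0000] "GET /imgr/2018/02/14/abc.jpg HTTP/1.1" 200 51234 "https://www.ebay.com/itm/123456" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.6 - - [09/Mar/2018:16:13:12 +0000] "GET /imgr/2018/02/14/abc.jpg HTTP/1.1" 200 51234 "https://vi.vipr.ebaydesc.com/ws/eBayISAPI.dll?ViewItemDescV4" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [09/Mar/2018:16:13:13 +0000] "GET /imgr/2018/02/14/def.png HTTP/1.1" 200 8080 "https://forum.example.org/t/42" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.8 - - [09/Mar/2018:16:13:14 +0000] "GET /imgr/2018/02/14/def.png HTTP/1.1" 200 8080 "-" "Mozilla/5.0 (Macintosh)"
203.0.113.9 - - [09/Mar/2018:16:13:15 +0000] "GET /imgr/2018/02/14/ HTTP/1.0" 302 223 "https://www.ebay.com/itm/123456" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.10 - - [09/Mar/2018:16:13:16 +0000] "GET /imgr/2018/02/14/ghi.gif HTTP/1.1" 403 199 "https://www.ebay.com/itm/654321" "Mozilla/5.0 (Windows NT 10.0)"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer: str) -> str:
    """Hostname of a Referer value; '-' for an absent header or an unparsable value."""
    if not referer or referer == "-":
        return "-"
    return urlsplit(referer).hostname or "-"


def referer_hosts(lines: Iterable[str]) -> Counter:
    """Count Referer hosts over image requests only."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not IMAGE_EXT_RE.search(rec["path"]):
            continue
        counts[referer_host(rec["referer"])] += 1
    return counts


def status_by_host(lines: Iterable[str]) -> Dict[Tuple[str, str], int]:
    """Count (referer host, status) pairs for image requests. A host you meant to
    block that still gets 200 means the block rule never ran for that request,
    for example because a different server answered it."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not IMAGE_EXT_RE.search(rec["path"]):
            continue
        counts[(referer_host(rec["referer"]), rec["status"])] += 1
    return dict(counts)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for host, n in referer_hosts(lines).most_common():
        print(f"{n:6d}  {host}")
    for (host, status), n in sorted(status_by_host(lines).items()):
        print(f"{host:28} {status} {n}")
```

Run it against a real file with `referer_hosts(open("access.log"))` once the LogFormat has been confirmed; if the combined format is not in use, only the `COMBINED_RE` expression needs to change.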
Leigh2004 (Author) commented:
Here is a line from the access log file - - [09/Mar/2018:16:13:11 +0000] "GET /imgr/2018/02/14/ HTTP/1.0" 302 223 "

I tried to enable logging by adding
RewriteEngine On
RewriteLog "/var/log/apache2/rewrite.log"
RewriteLogLevel 3

To the conf file but no log is created.
Steve Bink commented:
Which version of Apache are you using?  If 2.4, follow the example shown in the Apache 2.4 mod_rewrite docs.

Please verify your server log format as well (LogFormat or CustomLog directives).
Leigh2004 (Author) commented:
Server version: Apache/2.4.29

Looking through those docs (right on the limit of my knowledge to be honest) under RewriteCond Directive I found,
In the below example, -strmatch is used to compare the REFERER against the site hostname, to block unwanted hotlinking.
RewriteCond expr "! %{HTTP_REFERER} -strmatch '*://%{HTTP_HOST}/*'"
RewriteRule "^/images" "-" [F]

As I said, running out of knowledge here, but does that mean htaccess rules are different in 2.4?
Steve Bink commented:
I was actually referring to the instructions to set up logging.  RewriteLogLevel is no longer a valid directive in Apache 2.4.

Regarding the use of expr, you don't really need it.  The standard syntax for RewriteCond is a comparison between the test string and a regular expression - essentially the same as 'expr -strmatch'.  Your rules should be working fine.
Leigh2004 (Author) commented:
I have added
RewriteEngine On
# RewriteLog is not a valid directive in Apache 2.4 (httpd would refuse the config);
# rewrite tracing now goes to the ErrorLog at the level set by LogLevel below
# RewriteLog "/home/runcloud/logs/apache2/rewrite.log"
LogLevel alert rewrite:trace3

To the httpd.conf file but still no log?
Steve Bink commented:
Go over the basics:

- Check permissions on that directory.  Can the apache service user write to it?
- Have you restarted the apache service after making changes?
- Does your normal log file contain any relevant messages?
Leigh2004 (Author) commented:
Permissions correct, access log in same directory and updated.
Yes, apache restarted.
Can't see anything.
Steve Bink commented:
Obviously not an ideal configuration, but try sending your rewrite log to your standard server log.  Do you see any output there?

Can you post the directives or a copy of your virtual host config?
Leigh2004 (Author) commented:
I have managed to get things working by not using Nginx; let me know your thoughts on my theory also, please.

The server the images are served from is managed by RunCloud which installs Nginx+Apache hybrid, so I set some test servers as below.

1st test - set up another server (CentOS7) this time I installed CentOS Web Panel which only installs Apache and the rules work.

2nd test - set up another server, still CentOS7 as in the first test, only this time I installed VestaCP and set it to the default options Nginx+Apache, and the rules do NOT work.

3rd test - CentOS7 installed VestaCP again this time set the options to only install Apache and the rules work.

So my theory is as Nginx serves static content such as images, the rewrite rules involving images are ignored, correct?

Steve Bink commented:
It would stand to reason that if the rules work with just Apache, and they don't work with Apache+(some other package), then (some other package) is interfering.

Running Nginx and Apache in parallel is possible, but it requires particular consideration for the configuration of each package.  They are both web servers, and the default configuration for both attempts to leverage the same resources.  Without actively configuring them to play nice with each other, there will be conflicts.  In this case, it is likely that nginx was fielding the requests, meaning that nothing hit Apache.

I'm not familiar with RunCloud, but my guess is they offer both packages and expect either only one to be used or that they will be configured appropriately.
Leigh2004 (Author) commented:
I solved it