Leigh2004

Prevent image hotlinking from certain outside domains only.

Hi all, I know this is all over every forum and I have tried and tried but just can't get it to work.
It is for a free image hosting service that allows hotlinking, but not abusive hotlinking, so they need to stop images being hotlinked from certain outside domains only, all other websites/forums etc can hotlink, in the same way imgur block hotlinking to sites that break their terms of service.

The .htaccess file looks like this but images are still hotlinked to eBay, any ideas?

RewriteEngine on
RewriteCond %{HTTP_REFERER} ^https://(.+\.)?vipr.ebaydesc\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https://(.+\.)?vi.vipr.ebaydesc\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https://(.+\.)?ebay\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https://(.+\.)?ebaydesc\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^https://(.+\.)?www.ebay\.com/ [NC]
RewriteRule .*\.(jpeg|jpg|gif|bmp|png)$ https://mydomain.com/nohotlinking.gif [L]

RewriteEngine on
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-f
RewriteRule \.(gif|jpe?g|png|bmp) 404.gif [NC,L]

The second rule is designed to show an image when the image at a particular url has been deleted, that works perfectly.

We have also tried variations such as,

RewriteCond %{HTTP_REFERER} ^http(s)?://(.+\.)?vi.vipr.ebaydesc(.+)?\.com [NC]

and

RewriteCond %{HTTP_REFERER} ^https://(.*\.)*ebay\.com [NC,OR]

But nothing works, now we know it's possible as imgur do it.

Any ideas?

Thanks

Steve Bink

The rules look good, assuming the host is accurate.  Have you examined your logs to see which host is showing up?  You can also try setting up rewrite logging to get some detail on what is actually being compared.

Leigh2004 (ASKER)

Here is a line from the access log file
73.27.14.258 - - [09/Mar/2018:16:13:11 +0000] "GET /imgr/2018/02/14/handbag.th.jpg HTTP/1.0" 302 223 "https://vi.vipr.ebaydesc.com/ws/eBayISAPI.dll?

I tried to enable logging by adding
RewriteEngine On
RewriteLog "/var/log/apache2/rewrite.log"
RewriteLogLevel 3

To the conf file but no log is created.

Which version of Apache are you using?  If 2.4, follow the example shown in the Apache 2.4 mod_rewrite docs.

Please verify your server log format as well (LogFormat or CustomLog directives).

Server version: Apache/2.4.29

Looking through those docs (right on the limit of my knowledge to be honest) under RewriteCond Directive I found,
 In the below example, -strmatch is used to compare the REFERER against the site hostname, to block unwanted hotlinking.
RewriteCond expr "! %{HTTP_REFERER} -strmatch '*://%{HTTP_HOST}/*'"
RewriteRule "^/images" "-" [F]

As I said, running out of knowledge here, but does that mean htaccess rules are different in 2.4?

I was actually referring to the instructions to set up logging.  RewriteLogLevel is no longer a valid directive in Apache 2.4.

Regarding the use of expr, you don't really need it.  The standard syntax for RewriteCond is a comparison between the test string and a regular expression - essentially the same as 'expr -strmatch'.  Your rules should be working fine.

I have added
RewriteEngine On
RewriteLog "/home/runcloud/logs/apache2/rewrite.log"
LogLevel alert rewrite:trace3

To the httpd.conf file but still no log?

Go over the basics:

- Check permissions on that directory.  Can the apache service user write to it?
- Have you restarted the apache service after making changes?
- Does your normal log file contain any relevant messages?

Permissions correct, access log in same directory and updated.
Yes apache restarted.
Can't see anything.

Obviously not an ideal configuration, but try sending your rewrite log to your standard server log.  Do you see any output there?

Can you post the directives or a copy of your virtual host config?

ASKER CERTIFIED SOLUTION
Leigh2004
This solution is only available to members.

It would stand to reason that if the rules work with just Apache, and they don't work with Apache+(some other package), then (some other package) is interfering.

Running Nginx and Apache in parallel is possible, but it requires particular consideration for the configuration of each package.  They are both web servers, and the default configuration for both attempts to leverage the same resources.  Without actively configuring them to play nice with each other, there will be conflicts.  In this case, it is likely that nginx was fielding the requests, meaning that nothing hit Apache.

I'm not familiar with RunCloud, but my guess is they offer both packages and expect either only one to be used or that they will be configured appropriately.
I solved it
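
An added example, not part of the original thread: one way to check offline whether the RewriteCond patterns from the question match the Referer values that show up in the access log, as Steve Bink suggested examining. It uses Python's `re` as a stand-in for mod_rewrite's regex engine (equivalent for these patterns); the log lines, IP addresses and function names are constructed for illustration.

```python
import re

# RewriteCond patterns copied from the question. [NC] maps to re.IGNORECASE;
# the [OR] chain means a single match is enough to trigger the RewriteRule.
BLOCKED_REFERERS = [
    r"^https://(.+\.)?vipr.ebaydesc\.com/",
    r"^https://(.+\.)?vi.vipr.ebaydesc\.com/",
    r"^https://(.+\.)?ebay\.com/",
    r"^https://(.+\.)?ebaydesc\.com/",
    r"^https://(.+\.)?www.ebay\.com/",
]
COMPILED = [re.compile(p, re.IGNORECASE) for p in BLOCKED_REFERERS]

# Combined log format: ip ident user [time] "request" status bytes "referer".
# The referer's closing quote is not required, so truncated lines still parse.
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)'
)

# Constructed sample lines (documentation IP range, made-up image paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Mar/2018:16:13:11 +0000] "GET /imgr/a.th.jpg HTTP/1.0" '
    '302 223 "https://vi.vipr.ebaydesc.com/ws/eBayISAPI.dll?"',
    '203.0.113.8 - - [09/Mar/2018:16:13:12 +0000] "GET /imgr/b.jpg HTTP/1.0" '
    '200 5120 "https://forum.example.org/thread/42"',
    '203.0.113.9 - - [09/Mar/2018:16:13:13 +0000] "GET /imgr/c.jpg HTTP/1.0" '
    '200 5120 "http://www.ebay.com/itm/1"',
    '203.0.113.9 - - [09/Mar/2018:16:13:14 +0000] "GET /imgr/d.jpg HTTP/1.0" '
    '200 5120 "-"',
]

def matching_patterns(referer):
    """Return the blocklist patterns that match this Referer value."""
    return [p.pattern for p in COMPILED if p.search(referer)]

def audit(lines):
    """Return (path, status, referer, rule_should_fire) for each parsable line."""
    rows = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not in combined log format
        path = (m["request"].split() + ["", ""])[1]
        rows.append((path, int(m["status"]), m["referer"], bool(matching_patterns(m["referer"]))))
    return rows

if __name__ == "__main__":
    print(*audit(SAMPLE_LOG), sep="\n")
```

In the constructed sample, the `vi.vipr.ebaydesc.com` referer matches three of the five patterns, while the `http://www.ebay.com/` referer is not flagged because every pattern is anchored to `^https://`.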