Greenguy's Board


Old 2009-05-27, 01:42 AM   #1
Pagan
Perverted Empress
 
 
Join Date: Feb 2005
Location: Finland
Posts: 5,068
Anti-Hotlinking in plain English, please?

I will admit this is one area I need a better guide to. When I have tried this or that technique in the past, I shot myself in the foot and was unable to see any images on my domain. I can't get by on just mimicking what I see others doing - I need to really understand this area as I have now been hit by the third round of hotlinking. I have used anti-hotlinking functions available through the control panels on two of the three hosts, but obviously there is a workaround and/or I didn't do it right for my needs.

Let's say I have two domains on the same host, under the same account. Let's call them Domain A and Domain B just to be simple and clear. Both domains have freesites and galleries plus blogs. Domain A never shares anything with Domain B except for text links. All graphics and images for the sites on Domain A are housed in subdirectories. Same goes for Domain B. I don't call any images or files from Domain B on sites on Domain A and vice versa.

When I build a freesite, I have a structure similar to this:
Domain A
Freesite or Gallery folder
Individual Site
folder for pics
folder for thumbs
index.html
site pages
folder for mirror 1
folder for mirror 2

Individual Site
folder for pics
folder for thumbs
index.html
site pages
folder for mirror 1
folder for mirror 2

Rinse, lather, repeat

My folders for mirrors only contain the .html pages, and I call the images from one directory level up, so to call a .jpg up from mirror one, it is ../images/pornpic.jpg. I do have a very few sites on my oldest domain that call sponsor banners from a central image folder, but it is all within that domain.

So, if I wanted to write anti-hotlinking for my .htaccess file to block everyone but me from hotlinking within the one domain, what is the best way to do it? What about the handful of link lists that want a tiny preview image - better to put those in a directory and allow access? Does it vary from server to server? What is the most efficient way for page load time and server load? Are there ways for the determined hotlinkers to get around it? I did read through several earlier discussions about .htaccess but am not afraid to admit it didn't really make sense and the sites I have hit on the mainstream side of the house were not much better.

Now be gentle guys, please. I know the logic is there if I can only find the beginning of the thread to follow.

Thanks much!
__________________
Is it naptime yet?
Pagan is offline   Reply With Quote
Old 2009-05-27, 06:35 AM   #2
pc
Shift Out / X-On
 
 
Join Date: Jul 2007
Location: unknown
Posts: 2,298
Pagan, I have this in my .htaccess and it works great, but you need to include as many URLs as you need to enable hotlinking for.

## DISABLE HOTLINKING
RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?lezzietown\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?rearentrylovers\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?eroticove\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?whatever\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?whatever\.net/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?whatever\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?whatever\.com/.*$ [NC]
RewriteRule \.(gif|jpg|jpeg|png|js|css)$ - [F]

I hope this helps

Last edited by pc; 2009-05-27 at 06:37 AM.. Reason: if there is more efficient technique i will also like to hear
pc is offline   Reply With Quote
Old 2009-05-27, 07:55 AM   #3
Cleo
Subversive filth of the hedonistic decadent West
 
 
Join Date: Mar 2003
Location: Southeast Florida
Posts: 27,936
Try this
http://www.htaccesstools.com/hotlink-protection/
__________________
Free Rides on Uber and Lyft
Uber Car: uberTzTerri
Lyft Car: TZ896289
Cleo is offline   Reply With Quote
Old 2009-05-27, 12:25 PM   #4
cd34
a.k.a. Sparky
 
 
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
From Greenguy and Jim FAQ you could use those rules. Raymor refined those and I find them to be about as bulletproof as you can get.

Code:
RewriteEngine on
# leave this line in to allow empty referrers, remove it to disallow empty referrers
RewriteCond %{HTTP_REFERER} !^$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.*@)?([a-z0-9-]+\.)?yourdomain\.com([0-9]+)?(/.*)?$ [NC]
RewriteRule .*\.(asf|mpg|mpeg|wmv|avi|rm|gif|jpeg|jpg|zip)$ - [NC,F,L]
You can add in additional lines above the RewriteRule like:

Code:
RewriteEngine on
# leave this line in to allow empty referrers, remove it to disallow empty referrers
RewriteCond %{HTTP_REFERER} !^$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.*@)?([a-z0-9-]+\.)?yourdomain\.com([0-9]+)?(/.*)?$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.*@)?([a-z0-9-]+\.)?anotherdomain\.com([0-9]+)?(/.*)?$ [NC]
RewriteRule .*\.(asf|mpg|mpeg|wmv|avi|rm|gif|jpeg|jpg|zip)$ - [NC,F,L]
or, you could do something like:


Code:
RewriteEngine on
# leave this line in to allow empty referrers, remove it to disallow empty referrers
RewriteCond %{HTTP_REFERER} !^$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.*@)?([a-z0-9-]+\.)?(yourdomain\.com|anotherdomain\.com|andathirddomain\.com)([0-9]+)?(/.*)?$ [NC]
RewriteRule .*\.(asf|mpg|mpeg|wmv|avi|rm|gif|jpeg|jpg|zip)$ - [NC,F,L]
As far as performance, every line that is in your .htaccess file needs to be parsed. The fewer lines you have, the quicker it is going to parse it, and the regexp engine within Apache is pretty good.

For ease of use, a separate line for each domain probably won't be much of a performance hit.
__________________
SnapReplay.com a different way to share photos - iPhone & Android
cd34 is offline   Reply With Quote
Old 2009-05-27, 02:05 PM   #5
Cleo
Subversive filth of the hedonistic decadent West
 
 
Join Date: Mar 2003
Location: Southeast Florida
Posts: 27,936
Is this line case sensitive the way you have it written?
Quote:
RewriteRule .*\.(asf|mpg|mpeg|wmv|avi|rm|gif|jpeg|jpg|zip)$ - [NC,F,L]
Also, if you want to serve up a hotlink image, do you write it like this?
Code:
RewriteRule .*\.(asf|mpg|mpeg|wmv|avi|rm|gif|jpeg|jpg|zip)$ path/to/hot.gif [NC,F,L]
__________________
Free Rides on Uber and Lyft
Uber Car: uberTzTerri
Lyft Car: TZ896289
Cleo is offline   Reply With Quote
Old 2009-05-27, 02:58 PM   #6
cd34
a.k.a. Sparky
 
 
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
The NC in the rule means NoCase.

Yes, you can write it like that, but you should put a RewriteEngine off in the .htaccess in the directory where your hotlink image to display is.
__________________
SnapReplay.com a different way to share photos - iPhone & Android
cd34 is offline   Reply With Quote
Old 2009-05-27, 03:26 PM   #7
Cleo
Subversive filth of the hedonistic decadent West
 
 
Join Date: Mar 2003
Location: Southeast Florida
Posts: 27,936
Your example seems to work really well in my brief testing that I just did and my htaccess has gone from hundreds of lines to just 30 lines.

I added a few more file types into mine.
Code:
RewriteRule .*\.(css|asf|mpg|mpeg|wmv|avi|rm|gif|jpeg|jpg|zip|png|swf|mp4|m4v)$ - [NC,F,L]
__________________
Free Rides on Uber and Lyft
Uber Car: uberTzTerri
Lyft Car: TZ896289
Cleo is offline   Reply With Quote
Old 2009-05-27, 05:04 PM   #8
cd34
a.k.a. Sparky
 
 
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
Remember that .wmv isn't able to be protected -- Windows Media Player doesn't send a referrer.
__________________
SnapReplay.com a different way to share photos - iPhone & Android
cd34 is offline   Reply With Quote
Old 2009-05-27, 05:26 PM   #9
Cleo
Subversive filth of the hedonistic decadent West
 
 
Join Date: Mar 2003
Location: Southeast Florida
Posts: 27,936
Yeah it is kind of ironic that you can hotlink protect just about anything except a wmv file.

That is the reason I never use them.
__________________
Free Rides on Uber and Lyft
Uber Car: uberTzTerri
Lyft Car: TZ896289
Cleo is offline   Reply With Quote
Old 2009-05-27, 09:53 PM   #10
Pagan
Perverted Empress
 
 
Join Date: Feb 2005
Location: Finland
Posts: 5,068
Hmmm.. okay. I am starting to understand it a little. Is it better to do an .htaccess for each domain?

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?eroticove\.com [NC]
RewriteRule \.(jpg|gif)$ - [NC,F,L]

If I follow you all right, that should be only what I need to protect my images (I only use .jpg and .gif) from all outside hotlinkers, but allow my sites to share those images. But can something so light be enough? Are there ways around it? Do I really need to block IPs?

Here's the .htaccess file I had up through March, and I still had a ton of issues with hotlinking.

#--ANTI-HOTLINK--
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^(http://|https://)(www.)?(eroticove.com).*$ [NC]
RewriteRule \.(jpe?g|gif|bmp|png|.wmv)$ - [F]
#++ANTI-HOTLINK++
ErrorDocument 404 /error.html
ErrorDocument 403 /error.html
ErrorDocument 500 /error.html
__________________
Is it naptime yet?

Last edited by Pagan; 2009-05-27 at 10:14 PM.. Reason: found old .htaccess file
Pagan is offline   Reply With Quote
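
Added example (not code from any poster in this thread): a small harness that emulates the referrer rule sets discussed above so they can be checked against sample Referer values before going into a live .htaccess. It assumes the placeholder domain yourdomain.com, uses constructed Referer strings, and uses Python's re module as an approximation of Apache's regex engine.

```python
import re

# RewriteRule pattern from the thread; re.I stands in for the [NC] flag.
EXT_RULE = re.compile(r".*\.(asf|mpg|mpeg|wmv|avi|rm|gif|jpeg|jpg|zip)$", re.I)

# Allow-patterns as posted, with yourdomain.com as the placeholder domain.
CD34 = r"^http://(.*@)?([a-z0-9-]+\.)?yourdomain\.com([0-9]+)?(/.*)?$"
SHORT = r"^http(s)?://(www\.)?yourdomain\.com"   # shape of the post #10 rule

def is_forbidden(path, referer, allow, allow_empty=True):
    """True when the emulated rule set would answer 403 ([F])."""
    if not EXT_RULE.search(path):
        return False   # RewriteRule does not match: request is untouched
    if allow_empty and referer == "":
        return False   # RewriteCond %{HTTP_REFERER} !^$ is false
    # Every other RewriteCond is "!pattern [NC]" and they are ANDed,
    # so one matching allow-pattern is enough to let the request through.
    return not any(re.search(p, referer, re.I) for p in allow)

# Constructed Referer values, not taken from real logs.
SAMPLES = [
    "",                                              # no Referer header sent
    "http://www.yourdomain.com/site1/mirror1/index.html",
    "http://blog.yourdomain.com/2009/05/post.html",
    "https://www.yourdomain.com/site1/index.html",
    "http://some-other-site.example/forum/thread.html",
]

def verdicts(allow, allow_empty=True, path="site1/pics/01.JPG"):
    """Map each sample Referer to 'allow' or '403' for one rule set."""
    return {r: "403" if is_forbidden(path, r, allow, allow_empty) else "allow"
            for r in SAMPLES}

if __name__ == "__main__":
    for name, allow in (("cd34", [CD34]), ("short", [SHORT])):
        for ref, v in verdicts(allow).items():
            print(f"{name:5} {v:5} {ref or '(empty)'}")
```

The two rule sets disagree on your own traffic: the http-only pattern refuses images to pages served over https, and the www-only pattern refuses them to a blog on a subdomain, which is the "can't see my own images" failure described in the first post.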
Old 2009-05-27, 10:40 PM   #11
cd34
a.k.a. Sparky
 
 
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
From the hotlinking I've seen in the access logs, those rules should have worked.

The IP address blocks are not really that useful. I usually tend to use referrer blocking, allowing the empty referrer because some personal privacy software sends a blank or invalid referrer and leave it at that. If you start blocking IPs, you're going to get a very long list very quickly and are going to have to continue adding IPs as you find them.

I can see that those rules are currently working. My assumption is that for some reason, AllowOverride was disabled for your webspace and your rules weren't being used, or, an .htaccess file further down in your directory structure turned RewriteEngine off or specified a different rule. Without RewriteOptions Inherit, any RewriteRules placed in a lower directory take precedence.
__________________
SnapReplay.com a different way to share photos - iPhone & Android
cd34 is offline   Reply With Quote
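
Added example (not cd34's code): one way to check for the second cause described in the post above, by walking a document root and listing every lower-level .htaccess that turns RewriteEngine off or carries its own rewrite directives without RewriteOptions Inherit. The directory names and file contents in demo() are constructed; AllowOverride lives in the server configuration and cannot be checked this way.

```python
import os, re, tempfile

REWRITE = re.compile(r"^\s*(RewriteEngine|RewriteOptions|RewriteRule|RewriteCond)\b\s*(.*)$", re.I)

def audit(docroot):
    """Return sorted (relative .htaccess path, finding) for files below docroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        if ".htaccess" not in files or dirpath == docroot:
            continue  # the docroot file is the one holding the hotlink rules
        engine_off = inherits = has_rewrite = False
        with open(os.path.join(dirpath, ".htaccess"), errors="replace") as fh:
            for line in fh:
                m = REWRITE.match(line)
                if not m:
                    continue  # comment or non-rewrite directive
                has_rewrite = True
                name, arg = m.group(1).lower(), m.group(2).strip().lower()
                engine_off |= name == "rewriteengine" and arg == "off"
                inherits |= name == "rewriteoptions" and "inherit" in arg
        rel = os.path.relpath(dirpath, docroot).replace(os.sep, "/") + "/.htaccess"
        if engine_off:
            findings.append((rel, "RewriteEngine off"))
        elif has_rewrite and not inherits:
            findings.append((rel, "own rewrite rules, no RewriteOptions Inherit"))
    return sorted(findings)

def demo():
    """Audit a constructed tree: docroot rules plus three subdirectory files."""
    tree = {
        ".htaccess": "RewriteEngine on\nRewriteCond %{HTTP_REFERER} !^$\n",
        "site1/.htaccess": "# gallery\nRewriteEngine off\n",
        "site2/.htaccess": "RewriteEngine on\nRewriteRule ^old\\.html$ new.html [R]\n",
        "site3/.htaccess": "RewriteEngine on\nRewriteOptions Inherit\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, text in tree.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(text)
        return audit(root)

if __name__ == "__main__":
    for rel, finding in demo():
        print(f"{rel}: {finding}")
```

A "RewriteEngine off" finding is expected in the one directory that holds the replacement hotlink image, as suggested earlier in the thread; anywhere else it means the images in that directory are not covered by the rules above them.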
Old 2009-05-28, 07:47 PM   #12
Pagan
Perverted Empress
 
 
Join Date: Feb 2005
Location: Finland
Posts: 5,068
uh, folks.. this is why Sparky rocks. Any guy that takes the time and patience to check things out carefully, explain it to dummies, and then make logical recommendations is at the top of the list in my book. I am not a new webmistress by any means, but having to deal with issues like this and a code where one character can spell ruin is beyond most of our skillsets. I do wish the host I was with for the last 5 years had taken the time to do this. It would have saved me hours and hours of work and stress.
__________________
Is it naptime yet?
Pagan is offline   Reply With Quote
Old 2009-06-22, 05:34 PM   #13
flip.green
WHO IS FONZY!?! Don't they teach you anything at school?
 
 
Join Date: Jun 2009
Posts: 43
Good advice on htaccess rules, as far as load is concerned. Any modern server should be able to handle blocking hotlink requests, without increasing load under normal circumstances.
flip.green is offline   Reply With Quote
Old 2009-06-22, 07:49 PM   #14
nate
I can now put whatever you want in this space :)
 
 
Join Date: Mar 2009
Location: Merica!
Posts: 543
.htaccess is utterly impotent against hotlinkers using javascript on the client's computer to steal your images... unless you reject blank referrers.
__________________
Its just a jump to the left.
nate is offline   Reply With Quote
Old 2009-06-23, 02:22 PM   #15
Tanker
I'm going to the backseat of my car with the woman I love, and I won't be back for TEN MINUTES
 
Join Date: Sep 2005
Posts: 84
I love Htaccess! It's saved me a ton over the years, but WMV not being protected has always driven me nuts.
Tanker is offline   Reply With Quote