I have tried the below code in htaccess to stop my images from being hotlinked, but it is not working.
SetEnvIfNoCase Referer "^http://www.example.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://www.example.comm$" locally_linked=1
SetEnvIfNoCase Referer "^http://example.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://example.com$" locally_linked=1
SetEnvIfNoCase Referer "^$" locally_linked=1
<FilesMatch "\.(gif|png|jpe?g|css|js)$">
Order Allow,Deny
Allow from env=locally_linked=1
</FilesMatch>
Can anyone help me with how to prevent hotlinking?
This will show a fixed image whenever its hotlinked. (That image may have a message that Hotlinking in not allowed...)
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com [NC]
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [L]
It checks Refererr is not nothing, and referer is not matching mydomain then it responds with the image nohotlink.jpg.
To understand hotlinking prevention better see these SO threads:
Apache .htaccess hotlinking redirect
Apache Hotlink Protection for Download Folder
A Basic tutorial http://altlab.com/htaccess_tutorial.html
This disallows anything from hotlinking unless the referer is from example.com.
SetEnvIf Referer example\.com localreferer
<FilesMatch \.(jpg|png|gif|css|js|pdf|doc|xls|txt)$>
Order deny,allow
Deny from all
Allow from env=localreferer
</FilesMatch>
Related
I want to disable GZip for certain pages. I have this in my .htaccess, but it still turns GZip on (Content-Encoding: gzip) when visiting dashboard/index.
<ifmodule mod_deflate.c>
AddOutputFilterByType DEFLATE text/text text/html text/plain text/xml text/css application/x-javascript application/javascript
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
SetEnvIfNoCase Request_URI /dashboard/index no-gzip dont-vary
I tried to add Header set MyHeader %{REQUEST_URI} to see what the Request_URI was, but it gave an Internal Server Error.
I also tried the regex dashboard/index, dashboard/index.*, "/dashboard/index", etc., and tried SetEnvIfNoCase REQUEST_URI ..., but GZip was still on.
If I comment #AddOutputFilterByType, then GZip is turned off.
I'm using Apache 2.4.16, Yii 2.0.7, PHP. I'm using FPM in production, so apache_setenv() is not available.
You're probably using rewrites to get rid of index.php in the URL. Due to the stage at which SetEnvIf runs during the request, index.php will be part of the Request_URI var used (which is distinct from %{REQUEST_URI}).
It's nowadays quite common to not use PATH_INFO for rewrites, but just plainly rewrite to index.php, where code just reads the original REQUEST_URI info. In that case, Request_URI in SetEnvIf will be just "index.php", so you'd need to set a flag env var in a special dummy rewrite for that URL, and reference it later with a REDIRECT_ prefix (as there is an internal redirect stage on rewrites where mod_rewrite prefixes all existing env vars with REDIRECT_):
RewriteRule ^dashboard/index - [E=no-gzip:1]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . index.php [L]
SetEnvIf REDIRECT_no-gzip 1 no-gzip
There is a slightly less verbose way if you rewrite to PATH_INFO (so "/foobar" turns to "/index.php/foobar" using e.g. a RewriteRule (.*) index.php/$1 rule):
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule (.*) index.php/$1 [L]
SetEnvIfNoCase REQUEST_URI ^/index.php/dashboard/index.*$ no-gzip dont-vary
But that seems more brittle since it'll break if you change the RewriteRule mechanics.
I have a subdomain called cdn.domain.com, from which I serve CSS, JS and some images.
When I run Google Chrome's audit, it says that I can imporve speed by serving those files from a cookieless domain.
I've searched on the internet and found mostly this:
<FilesMatch "\.(js|css|jpg|png|jpeg|gif|xml|json|txt|pdf|mov|avi|otf|woff|ico|swf)$">
RequestHeader unset Cookie
Header unset Cookie
Header unset Set-Cookie
</FilesMatch>
But when I add this to my .htaccess in my root, I see no change in my requests, when I add this to the .htaccess of the cdn.domain.com, nothing happens as well.
When I look into the request headers I always see this:
Cookie:__utma=124771992.1672641002.1393489852.1393489852.1393489852.1; __utmz=124771992.1393489852.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); cve=7%2BOFANPFY6bPsm9274j8hJIz%2BPvLQRT%2FJZG9ftr2o7c%3D; cvp=dNuYumBN%2F642JaRgONUeEq1upp2y%2F%2FtDjt%2BBbV87W%2BA%3D
The subdomain is a subfolder of the global domain.
Both the global and the subdomain have this .htaccess:
# http://www.askapache.com/htaccess/htaccess.html
## ERRORDOCUMENTS
# http://askapache.com/htaccess/apache-status-code-headers-errordocument.html
ErrorDocument 400 /include/html/errorPages/400.html
ErrorDocument 403 /include/html/errorPages/403.html
ErrorDocument 404 /include/html/errorPages/404.html
ErrorDocument 500 /include/html/errorPages/500.html
<IfModule mod_headers.c>
SetEnvIf Origin "http(s)?://(www\.)?(copperviper.com)$" AccessControlAllowOrigin=$0$1
Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header set Access-Control-Allow-Credentials true
</IfModule>
<FilesMatch "\.(js|css|jpg|png|jpeg|gif|xml|json|txt|pdf|mov|avi|otf|woff|ico|swf)$">
RequestHeader unset Cookie
Header unset Cookie
Header unset Set-Cookie
</FilesMatch>
order deny,allow
deny from all
allow from 62.132.244.73
# Possible values for the Options directive are "None", "All", or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
RewriteEngine On
RewriteBase /cdn/
# REWRITE TO WWW
RewriteCond %{REQUEST_URI} !^/robots\.txt$ [NC]
RewriteCond %{HTTP_HOST} !^www\.[a-z-]+\.[a-z]{2,6} [NC]
RewriteCond %{HTTP_HOST} ([a-z-]+\.[a-z]{2,6})$ [NC]
RewriteRule ^/(.*)$ http://%1/$1 [R=301,L]
# REWRITE TO SEF URL'S
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/(.*)/(.*)/(.*) index.php?a=$1&b=$2&c=$3&d=$4 [QSA,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/(.*)/(.*) index.php?a=$1&b=$2&c=$3 [QSA,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/(.*) index.php?a=$1&b=$2 [QSA,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*) index.php?a=$1 [QSA,L]
# COMPRESSION
SetOutputFilter DEFLATE
AddOutputFilterByType DEFLATE text/plain text/html text/x-php text/xml text/css application/xml application/xhtml+xml application/rss+xml application/javascript application/x-javascript application/x-httpd-php application/octet-stream image/svg+xml application/font-woff image/svg+xml
# REMOVE BROWSER BUGS
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
Header append Vary User-Agent
# enable PHP error logging
php_flag log_errors on
php_flag display_startup_errors on
php_flag display_errors on
php_flag html_errors on
php_value docref_root 3
php_value docref_ext 3
php_value upload_max_filesize 2000M
php_value post_max_size 2000M
php_value max_execution_time 200000
php_value max_input_time 200000
# CACHED FOREVER
# MOD_REWRITE TO RENAME EVERY CHANGE
ExpiresActive On
ExpiresDefault A29030400
Header set Cache-Control "public"
Header set Expires "Thu, 15 Apr 2010 20:00:00 GMT"
Header unset Last-Modified
# PROTECT .htaccess
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
# Commonly used filename extensions to character sets.
AddDefaultCharset UTF-8
DefaultLanguage en-US
# Set the Time Zone of your Server
SetEnv TZ Etc/GMT
# ServerAdmin: This address appears on some server-generated pages, such as error documents.
SetEnv SERVER_ADMIN bug#copper-viper.com
# SEND CUSTOM HEADERS
Header set P3P "policyref='http://www.askapache.com/w3c/p3p.xml'"
Header set X-Pingback "http://www.askapache.com/xmlrpc.php"
Header set Content-Language "en-US"
Header set Vary "Accept-Encoding"
# ADD VALUES FROM HTTP HEADERS
SetEnvIfNoCase ^If-Modified-Since$ "(.+)" HTTP_IF_MODIFIED_SINCE=$1
SetEnvIfNoCase ^If-None-Match$ "(.+)" HTTP_IF_NONE_MATCH=$1
SetEnvIfNoCase ^Cache-Control$ "(.+)" HTTP_CACHE_CONTROL=$1
SetEnvIfNoCase ^Connection$ "(.+)" HTTP_CONNECTION=$1
SetEnvIfNoCase ^Keep-Alive$ "(.+)" HTTP_KEEP_ALIVE=$1
SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
SetEnvIfNoCase ^Cookie$ "(.+)" HTTP_MY_COOKIE=$1
# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of: On | Off | EMail
ServerSignature On
## LIMIT UPLOAD FILE SIZE TO PROTECT AGAINST DOS ATTACK
#bytes, 0-2147483647(2GB)
LimitRequestBody 10240000
## MOST SECURE WAY TO REQUIRE SSL
# http://www.askapache.com/htaccess/apache-ssl-in-htaccess-examples.html
#SSLOptions +StrictRequire
#SSLRequireSSL
#SSLRequire %{HTTP_HOST} eq "askapache.com"
#ErrorDocument 403 https://askapache.com
# Safe Request Methods
# Denies any request not using GET,PROPFIND,POST,OPTIONS,PUT,HEAD[403]
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST|PROPFIND|OPTIONS|PUT)$ [NC]
RewriteRule .* - [F,NS,L]
# Forbid Proxies ^
# Denies any POST Request using a Proxy Server. Can still access site, but not comment. http://perishablepress.com/press/2008/04/20/how-to-block-proxy-servers-via-htaccess/
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION}%{HTTP:HTTP_PC_REMOTE_ADDR}%{HTTP:HTTP_CLIENT_IP} !^$
RewriteRule .* - [F,NS,L]
# HTTP PROTOCOL ^
# Denies any badly formed HTTP PROTOCOL in the request, 0.9, 1.0, and 1.1 only
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ .+\ HTTP/(0\.9|1\.0|1\.1) [NC]
RewriteRule .* - [F,NS,L]
# SPECIFY CHARACTERS ^
# Denies any request for a url containing characters other than "a-zA-Z0-9.+/-?=&" - REALLY helps but may break your site depending on your links.
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ [a-zA-Z0-9\.\+_/\-\?\=\&]+\ HTTP/ [NC]
RewriteRule .* - [F,NS,L]
# BAD Content Length ^
# Denies any POST request that doesnt have a Content-Length Header
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:Content-Length} ^$
RewriteRule .* - [F,NS,L]
# BAD Content Type ^
# Denies any POST request with a content type other than application/x-www-form-urlencoded|multipart/form-data
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:Content-Type} !^(application/x-www-form-urlencoded|multipart/form-data.*(boundary.*)?)$ [NC]
RewriteRule .* - [F,NS,L]
# Missing HTTP_HOST ^
# Denies requests that dont contain a HTTP HOST Header.
RewriteCond %{HTTP_HOST} ^$
RewriteRule .* - [F,NS,L]
# Bogus Graphics Exploit ^
# Denies obvious exploit using bogus graphics
RewriteCond %{HTTP:Content-Disposition} \.php [NC]
RewriteCond %{HTTP:Content-Type} image/.+ [NC]
RewriteRule .* - [F,NS,L]
# No UserAgent, Not POST ^
# Denies POST requests by blank user-agents. May prevent a small number of visitors from POSTING.
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteRule .* - [F,NS,L]
What am I doing wrong here?
This is what the manual page for setcookie() explains about the $domain argument:
Setting the domain to 'www.example.com' will make the cookie available
in the www subdomain and higher subdomains. Cookies available to a
lower domain, such as 'example.com' will be available to higher
subdomains, such as 'www.example.com'. Older browsers still
implementing the deprecated » RFC 2109 may require a leading . to
match all subdomains.
This implies that in modern browsers (I suppose that means almost all in practice) any cookie set for domain.com will be sent back by the browser to cdn.domain.com as well. That's how the cookie spec works and I don't think there's a clean solution.
Ideally, your cookieless domain should use an entirely different top level domain; or your site should be hosted in a subdomain, such as www.domain.com, so you can fine-tune cookies. I guess none are reasonable options for you at this point so you'll probably have to live with it.
I want to allow access only to my country(using cloudflare) and user agents (for SEO bots). So actually my country and user agents (for SEO) will have access to allow/index.html, while everybody else is redirected to others.html
I use this in .htaccess :
RewriteCond %{HTTP:CF-IPCountry} ^(IT)$
RewriteCond $1 !^(allow)
RewriteRule ^(.*)$ /allow/index.html [L]
DirectoryIndex others.html
SetEnvIfNoCase User-Agent .*google.* search_robot
SetEnvIfNoCase User-Agent .*yahoo.* search_robot
SetEnvIfNoCase User-Agent .*bot.* search_robot
SetEnvIfNoCase User-Agent .*ask.* search_robot
Allow from env=search_robot
I need to know if it is correct especially user agents access.
I would like to disable gzip compression for some media files which are already compressed on an Apache server via the .htaccess file.
Reason: as it's written on e.g. jPlayer's site, gzip encoding should be disabled for media files: "Media files are already compressed and the GZIP will just waste CPU on your server. The Adobe Flash Plugin will experience issues if you GZIP the media."
I'm currently having the problem that Content-Length header is not properly set when gzip is enabled - so when playing some mp3-files with a SoundManager2 player, the track's length progress bar doesn't work appropriately (so maybe that's the problem they told about on jPlayer's site).
I can test if a content is served gzipped here.
I do have mod_deflate, mod_mime and mod_rewrite modules enabled on the server.
According to a phpinfo(), here is a list of all the loaded modules:
core mod_log_config mod_logio itk http_core mod_so mod_alias mod_auth_basic mod_authn_file mod_authz_default mod_authz_groupfile mod_authz_host mod_authz_user mod_autoindex mod_cgi mod_dav mod_dav_svn mod_authz_svn mod_deflate mod_dir mod_env mod_mime mod_negotiation mod_php5 mod_reqtimeout mod_rewrite mod_setenvif mod_ssl mod_status
I'm using Drupal 6, so I already have a RewriteRule, which is the following:
# Rewrite URLs of the form 'x' to the form 'index.php?q=x'.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
I've already tried these to disable gzip, but they didn't work (there are 6 different tries! - maybe some of them would have to be set globally in Apache's httpd.conf?!):
# http://www.cyberciti.biz/tips/speed-up-apache-20-web-access-or-downloads-with-mod_deflate.html
SetOutputFilter DEFLATE
SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.pdf$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.avi$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.mov$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.mp3$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.mp4$ no-gzip dont-vary
SetEnvIfNoCase Request_URI \.rm$ no-gzip dont-vary
## Step 2. here: http://www.mydigitallife.info/how-to-enable-mod_deflate-gzip-compression-on-cpanel-web-hosts/
<IfModule mod_deflate.c>
SetOutputFilter DEFLATE
RemoveOutputFilter mp3
# Don’t compress already-compressed files
SetEnvIfNoCase Request_URI .(?:gif|jpe?g|png)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI .(?:exe|t?gz|zip|bz2|sit|rar)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI .(?:avi|mov|mp3|mp4|rm|flv|swf|mp?g)$ no-gzip dont-vary
SetEnvIfNoCase Request_URI .pdf$ no-gzip dont-vary
</IfModule>
RemoveOutputFilter mp3
# for files that end with ".mp3"
<FilesMatch \.mp3$>
SetEnv no-gzip 1
</FilesMatch>
RewriteRule \.mp3$ - [NS,E=no-gzip:1,E=dont-vary:1]
RewriteRule ^((.*)\.mp3)$ $1.mp3 [NS,E=no-gzip:1,E=dont-vary:1]
The only one which works correctly, and disables gzip compression, BUT it is global:
RewriteRule ^(.*)$ $1 [NS,E=no-gzip:1,E=dont-vary:1]
Response headers for an mp3-file when NOT using this RewriteRule: http://pastebin.com/AkUZ6m5Y
Response headers for an mp3-file when using this RewriteRule: http://pastebin.com/b8j3NF6D
I had to disable compression for odp files for use by external plugin
Just added the following rule in .htaccess file
SetOutputFilter DEFLATE
SetEnvIfNoCase Request_URI \.odp$ no-gzip dont-vary
And the server disabled compression for odp files
Make sure to clear the browser cache before testing
Are you not going about this the wrong way round by using the directive SetOutputFilter DEFLATE and then trying to disable this for stream which already include some form of compresstion? Isn't it a lot easier not to use this directive and then compress the stream that are compressible. E.g.
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml text/css application/x-javascript application/javascript application/ecmascript application/rss+xml
</IfModule>
And possibly adding a Vary header:
<IfModule mod_headers.c>
<FilesMatch "\.(js|css|xml|html)$">
Header append Vary Accept-Encoding
</FilesMatch>
</IfModule>
OK this may miss the odd type that you've not thought of, but it will achieve 99+% of your compression potential.
To disable gzip compression on just Adobe Flash Player files (SWFs) on my Apache server, I added this to my .htaccess file:
<IfModule mod_headers.c>
<FilesMatch "\.swf$">
RewriteRule ^(.*)$ $1 [NS,E=no-gzip:1,E=dont-vary:1]
</FilesMatch>
</IfModule>
If you wanted to, you could disable gzip compression for other file types as well:
<IfModule mod_headers.c>
<FilesMatch "\.(js|css|swf)$">
RewriteRule ^(.*)$ $1 [NS,E=no-gzip:1,E=dont-vary:1]
</FilesMatch>
</IfModule>
I think you are not using compression in your media. Did you check that you are in fact deflating files? The module can be loaded in memory, but that doesn't mean it's compressing files. If your .htaccess only has rewrite rules chances are you are not compressing any kind of content.
this seems outdated : https://www.varnish-cache.org/docs/3.0/tutorial/compression.html#gzip-and-esi
GZIP and ESI
If you are using Edge Side Includes you'll be happy to note that ESI
and GZIP work together really well. Varnish will magically decompress
the content to do the ESI-processing, then recompress it for efficient
storage and delivery.
I know this thread is old, but I have gone through the same path.
Two things I have done.
I enabled .htaccess and disabled gzip for a folder completely.
<Files "*.gz.asc">
RemoveEncoding .gz
</Files>
put a reqwrite rule to disable
RewriteRule "\.js\.gz$" "-" [T=text/javascript,E=no-gzip:1]
Both of these worked for me I would suggest going to Apache documentation first before searching on forums.
for more information please go to Apache website.
https://httpd.apache.org/docs/2.4/mod/mod_deflate.html
https://httpd.apache.org/docs/2.4/mod/mod_mime.html#addtype
I've got problem, I want to prevent hotlinking from some subdomain in specified directory.
Let's say, that we've got images at:
http://s1.domain.com/media/image1.jpg
http://s1.domain.com/media/image2.jpg
As default it is access to these locations, and users can see this photos. I want to prevent
from hot linking, but with no error message, but with redirection, so if user put this address into browser (http://s1.domain.com/media/image1.jpg), i want to redirect it do PHP script, as: domain.com/filename/image1.jpg. I want to make it with .htaccess. So please, can you give me code to put into this file.
Thanks for responses!
in the httpd.conf try this..
SetEnvIfNoCase Referer "^http://www\.yourdomain\.com/" banimages=1
SetEnvIfNoCase Referer "^http://yourdomain\.com/" banimages=1
SetEnvIfNoCase Referer "^$" banimages=1
<FilesMatch "\.(gif|png|jpe?g)$">
Order Allow,Deny
Allow from env=banimages=1
</FilesMatch>
or
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain.com/.*$ [NC]
RewriteRule ^.*\.(bmp|tif|gif|jpg|jpeg|jpe|png)$ - [F]
or some other techniques also available..