I've got problem, I want to prevent hotlinking from some subdomain in specified directory.
Let's say, that we've got images at:
http://s1.domain.com/media/image1.jpg
http://s1.domain.com/media/image2.jpg
As default it is access to these locations, and users can see this photos. I want to prevent
from hot linking, but with no error message, but with redirection, so if user put this address into browser (http://s1.domain.com/media/image1.jpg), i want to redirect it do PHP script, as: domain.com/filename/image1.jpg. I want to make it with .htaccess. So please, can you give me code to put into this file.
Thanks for responses!
in the httpd.conf try this..
SetEnvIfNoCase Referer "^http://www\.yourdomain\.com/" banimages=1
SetEnvIfNoCase Referer "^http://yourdomain\.com/" banimages=1
SetEnvIfNoCase Referer "^$" banimages=1
<FilesMatch "\.(gif|png|jpe?g)$">
Order Allow,Deny
Allow from env=banimages=1
</FilesMatch>
or
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain.com/.*$ [NC]
RewriteRule ^.*\.(bmp|tif|gif|jpg|jpeg|jpe|png)$ - [F]
or some other techniques also available..
Related
I am using this code in my htaccess file to block traffic from specific websites to my website and it works:
RewriteEngine On
SetEnvIfNoCase Referer "example.com" bad_referer
Order Allow,Deny
Allow from ALL
Deny from env=bad_referer
Now what I want is set a time for this code, for example, visitors from a specific website are only allowed to visit my website from 08:00 till 17:00
I tried this:
RewriteEngine On
RewriteCond %{TIME_HOUR}%{TIME_MIN} >0800
RewriteCond %{TIME_HOUR}%{TIME_MIN} <1700
SetEnvIfNoCase Referer " example.com " bad_referer
Order Allow,Deny
Allow from ALL
Deny from env=bad_referer
But does not seem to work, visitors are still blocked between the set time stamp
Thanks
Robert
You can't use SetEnv with RewriteRule as these two directives are part of two different apache modules. You can use mod-rewrite to achieve what you want to :
RewriteEngine On
RewriteCond %{TIME_HOUR}%{TIME_MIN} >=0800
RewriteCond %{TIME_HOUR}%{TIME_MIN} <=1700
RewriteCond %{HTTP_REFERER} example\.com [NC]
RewriteRule ^ - [R=403,L]
I've seen people redirect iPhone users by using this:
RewriteCond %{HTTP_USER_AGENT} iPhone
RewriteCond %{REQUEST_URI} !^/my-iPhone-site/
RewriteRule .* /my-iPhone-site/ [R]
But how could I make a webpage only accessible with a specific user agent? Instead of blacklisting iPhones, I would like to whitelist them, for example.
Let me know!
#MrWhite's answer didn't work for some reason, but this was how I figured it out.
SetEnvIf User-Agent .*iPhone* iPhone
Order deny,allow
Deny from all
Allow from env=iPhone
This will take all non iPhone users to 403.
To only allow requests to /my-iPhone-site/... from user-agents that contain iPhone then you could do something like the following using mod_rewrite in .htaccess (near the top):
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} !iPhone
RewriteRule ^my-iPhone-site/ - [F]
This blocks (403 Forbidden) any user that tries to access /my-iPhone-site/... that does not contain iPhone in the user-agent string.
The ! prefix on the CondPattern negates the regex. So, in this example, it is successful when the HTTP_USER_AGENT server variable does not contain the string "iPhone".
If you wanted to redirect such users instead then change the RewriteRule to read:
RewriteRule ^my-iPhone-site/ /non-iPhone-site/ [R,L]
NB: You should use the L flag when redirecting, otherwise processing continues through your file.
As far as I know, the L flag is only applicable to mod_rewrite and S to rewrite rules. However, I have some old indexed php pages, which I want to redirect to new URL. I have like zillion of lines like this:
RewriteRule ^example.php(/?.*) /example/$1 [R=301,L]
This would normaly work, but I have also this code in my .htaccess:
<Files *.php>
Order Deny,Allow
Deny from all
</Files>
I am wondering, if it is possible to skip this if the rule is met, as long as these two flags mentioned above do not apply.
You can keep all specific redirect rules at the top followed by a generic rule to deny access to .php files as below:
RewriteEngine On
# specific .php handlers
RewriteRule ^example\.php(/.*)?$ /example/$1 [R=301,L,NC]
# generic rule to deny .php files
RewriteCond %{REQUEST_URI} !^/index\.php [NC]
RewriteRule \.php$ - [F,NC]
I have tried the below code in htaccess to stop my images from being hotlinked, but it is not working.
SetEnvIfNoCase Referer "^http://www.example.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://www.example.comm$" locally_linked=1
SetEnvIfNoCase Referer "^http://example.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://example.com$" locally_linked=1
SetEnvIfNoCase Referer "^$" locally_linked=1
<FilesMatch "\.(gif|png|jpe?g|css|js)$">
Order Allow,Deny
Allow from env=locally_linked=1
</FilesMatch>
Can anyone help me with how to prevent hotlinking?
This will show a fixed image whenever its hotlinked. (That image may have a message that Hotlinking in not allowed...)
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com [NC]
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [L]
It checks Refererr is not nothing, and referer is not matching mydomain then it responds with the image nohotlink.jpg.
To understand hotlinking prevention better see these SO threads:
Apache .htaccess hotlinking redirect
Apache Hotlink Protection for Download Folder
A Basic tutorial http://altlab.com/htaccess_tutorial.html
This disallows anything from hotlinking unless the referer is from example.com.
SetEnvIf Referer example\.com localreferer
<FilesMatch \.(jpg|png|gif|css|js|pdf|doc|xls|txt)$>
Order deny,allow
Deny from all
Allow from env=localreferer
</FilesMatch>
I have my functions in a file called functions.inc in my website. How can I edit the .htaccess file to deny users from viewing it by directly going to http://example.com/functions.inc
<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>
Useful if you don't have mod_rewrite installed.
I use mod_rewrite for this. For images and so on this is a standard include:
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://myhostname\.com/.*$ [NC]
RewriteRule \.(gif|jpe?g|png|js|css)$ - [F]
You can add "inc" into that extension list on the last rule.
But for preventing access to specific file types I prefer something like:
RewriteCond %{THE_REQUEST} ^\w+\ /include/ [OR]
RewriteCond %{THE_REQUEST} \.php\ HTTP/
RewriteRule ^.*$ - [R=404,L]
This does two things:
The first rule excludes access to the /include directory from external requests but you can still include/require them; and
The second rule restricts access to filenames ending in .php. You can use the same thing for .inc files.
In both cases Apache will give a 404 error (file not found), which I find is better. Generally it's better to say something doesn't exist (that you don't want people to see) rather than saying it's there but you can't access it. But that's just personal opinion.
As for why I'd restrict .php files from direct access: I use mod_rewrite to create "nice" URLs. Instead of:
/account/order.php
it's:
/account/order
There are many reasons to do this. Aesthetics is one. SEO is another (if instead of /account/order.php?item=123 you have /account/order/123).
I prefer to disguise files than just forbidding the access to it. Thus I prefer the mod_rewrite solution to response with a 404 status code (since Apache 2.2) as cletus already mentioned. But I would also use a fallback if mod_rewrite is not available as Byron mentioned.
So let’s combine both:
<IfModule mod_rewrite.c>
RewriteEngine on
# .inc files
RewriteRule \.inc(/|$) - [L,R=404]
# URI paths starting with /include/
RewriteRule ^include/ - [L,R=404]
</IfModule>
<IfModule !mod_rewrite.c>
<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>
</IfModule>