How to prevent directlinking images
tommykjensen
8th of October 2006 (Sun), 04:48
How do I prevent directlinking from other sites except my own?
I know it is .htaccess that controls it but am not quite sure how to do this.
What I want is the following:
- I have EE2 installed in ee my root directory
- photos are stored in a folder outside the ee folder and I want only EE and my own scripts to be allowed to read/link the photos in that folder
As it is today (I didn't check in 1.5) when a user views a photo the user can right-click on it and, via Properties, see the path to the image and then grab it and directlink to it. I want to prevent that.
ps. I know I can't prevent anybody from taking a copy of the image and hosting it elsewhere. It is the bandwidth stealing I want to prevent.
tommykjensen
8th of October 2006 (Sun), 06:30
Testing directlinking
This one is a direct link
http://photo.klein-jensen.dk/photos/zoo050115lioness2.jpg
This one is via my script (which btw also checks the referer).
http://photo.klein-jensen.dk/photo.php?n=zoo050115lioness2.jpg
and this is the .htaccess file
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?klein-jensen\.dk/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /photos/illegal.jpe [L]
DavidW
9th of October 2006 (Mon), 04:44
It would be great if you could get your script to use the EE database, then look at working with Pekka to integrate it into the EE release. Teamed with this sort of rewrite rule, it becomes a very powerful setup.
David
wkitty42
20th of October 2006 (Fri), 13:53
and this is the .htaccess file
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?klein-jensen\.dk/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /photos/illegal.jpe [L]
thanks, tommy! that gave me the incentive to implement roughly the same thing on my site... but i'm kinda confused because i see both pictures in the above... did you also put in an entry for pekka's site to see them?
i also stole a peek at your illegal.jpe file to get an idea for what to put up... i came up with the following... it has a transparent background, too :)
tommykjensen
20th of October 2006 (Fri), 13:59
thanks, tommy! that gave me the incentive to implement roughly the same thing on my site... but i'm kinda confused because i see both pictures in the above... did you also put in an entry for pekka's site to see them?
Are you saying you see the same photo 2 times? Because if you do it's not working :-( I see the illegal link on the first and the second is fine because I use the special script to display that and that script allows linking from here.
wkitty42
20th of October 2006 (Fri), 14:15
Are you saying you see the same photo 2 times? Because if you do it's not working :-( I see the illegal link on the first and the second is fine because I use the special script to display that and that script allows linking from here.
yes, i'm seeing the same picture both places... check your server logs... it may be possible that i'm not sending a referrer... the code you posted is an AND code... both rewriteconds must be met for it to work...
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?klein-jensen\.dk/ [NC]
RewriteCond %{HTTP_REFERER} !^$
the above says, "if the referrer is not in the *.klein-jensen.dk domain AND it is not blank, then do the rule"...
now, take a look at the following...
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?klein-jensen\.dk/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^$
the above says, "if the referrer is not in the *.klein-jensen.dk domain OR it is blank, then do the rule"...
mmmmmmm... try !^-$ on that second line for "not blank" if that is what you are trying to check for as i suspect you are... i'm also suspecting that the second one is the one you want... i'm gonna do a bit of googling to check, though... it has been a while since i've played with .htaccess rules ;)
tommykjensen
20th of October 2006 (Fri), 14:21
Ahh. Yes, if the referer is blank I want to send the illegal linking image.
tommykjensen
20th of October 2006 (Fri), 15:38
Hmm if I try either of your suggestions I get a red x instead of the illegal image.
wkitty42
20th of October 2006 (Fri), 15:48
Hmm if I try either of your suggestions I get a red x instead of the illegal image.
a red X?? how are you testing it? what are the properties of the X? did you switch the blank to have a dash in it? ie: ^-$
tommykjensen
20th of October 2006 (Fri), 15:51
I test by reloading this page (CTRL F5). Yes, right now the second line uses !^-$
The properties show that the image is not changed to the illegal.jpe
wkitty42
20th of October 2006 (Fri), 17:08
ok, let's try from a clean slate... i've just done a bit of research and testing and i believe that i have a handle on it...
##########################
## .htaccess file for my.site.invalid ##
##########################
Options +FollowSymLinks
RewriteEngine on
RewriteBase /
## this ruleset is to stop hotlinking from sites
## other than mine and others allowed.
RewriteCond %{REQUEST_URI} .*\.(bmp|gif|jpeg?|jpg|mov|png|tiff?|wmv|xbm)$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?my\.site\.invalid/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^-$
RewriteCond %{REQUEST_URI} !^/illegal_link\.gif [NC]
RewriteRule .*\.(bmp|gif|jpeg?|jpg|mov|png|tiff?|wmv|xbm)$ /illegal_link.gif [L]
################
## end of .htaccess ##
################
the above says the following...
if the request_filename is in the set AND
if the http_referer is NOT one of my subdomains OR
if the http_referer is blank AND
if the request_uri is NOT our replacement.gif THEN
send our replacement.gif for any of those in the set.
it is possible that the lack of the +FollowSymLinks option is what is keeping it from working as desired...
you may want to allow google and other search engines to properly display their cached and translated versions of your site... if so, there're more lines you need to add to pass them on thru... it is also possible that some may have to have both domain names as well as ip numbers so that all of their machines can pass... for example, google's translate stuff i see only as ip numbers but all their other stuff is a domain name...
CyberDyneSystems
20th of October 2006 (Fri), 17:48
I see red X in first image and the actual image the second time FYI
wkitty42
20th of October 2006 (Fri), 18:45
I test by reloading this page (CTRL F5). Yes, right now the second line uses !^-$
The properties show that the image is not changed to the illegal.jpe
i've been doing some more research and i can see where one may want to allow blank referers access... if i type the direct url into my address bar and in the case of web spiders indexing your site...
to facilitate this, i've revised my .htaccess to remove the ",OR" as well as returning to your initial !^$ so we're looking at this...
##########################
## .htaccess file for my.site.invalid ##
##########################
Options +FollowSymLinks
RewriteEngine on
RewriteBase /
## this ruleset is to stop hotlinking from sites
## other than mine and others allowed.
RewriteCond %{REQUEST_URI} .*\.(bmp|gif|jpeg?|jpg|mov|png|tiff?|wmv|xbm)$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?my\.site\.invalid/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{REQUEST_URI} !^/illegal_link\.gif [NC]
RewriteRule .*\.(bmp|gif|jpeg?|jpg|mov|png|tiff?|wmv|xbm)$ /illegal_link.gif [L]
################
## end of .htaccess ##
################
it is a subtle difference but it does affect how things work...
FWIW: in testing this stuff, i'm always clearing my browser cache as well as refreshing with the SHIFT key held down to force a request for new data and attempt to bypass any proxies that may be between myself and the site i'm working on...
FWIW2: this time, i do not see the first image nor do i see a X or your image file... i do, however, see the second image just fine...
just to recap on the above .htaccess file, it allows blank referrers thru while blocking all else not in your domain... it checks the extension of the uri before processing and it allows access to the image so that you don't put the server into a loop by blocking the image you're trying to serve ;)
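As an added illustration (not code from this thread), the following Python model evaluates the two condition chains posted above, the [NC,OR] version from the earlier post and the AND version just shown, against a few constructed requests. It assumes mod_rewrite's documented behaviour that a missing Referer header makes %{HTTP_REFERER} expand to an empty string, not to "-".

```python
import re

# Patterns copied from the .htaccess posted above; the NC flag maps to re.IGNORECASE.
IMAGE_EXT = re.compile(r".*\.(bmp|gif|jpeg?|jpg|mov|png|tiff?|wmv|xbm)$", re.I)
OWN_SITE = re.compile(r"^http://(.+\.)?my\.site\.invalid/", re.I)
REPLACEMENT = re.compile(r"^/illegal_link\.gif", re.I)
TARGET = "/illegal_link.gif"

def conditions(uri, referer):
    """Evaluate each RewriteCond line for one request.
    Assumption: an absent Referer header gives referer == "" (never "-")."""
    return {
        "is_image": IMAGE_EXT.match(uri) is not None,
        "foreign_referer": OWN_SITE.match(referer) is None,  # !^http://(.+\.)?my\.site\.invalid/
        "dash_referer": referer == "-",                        # ^-$ : never true for a blank header
        "nonblank_referer": referer != "",                     # !^$
        "not_replacement": REPLACEMENT.match(uri) is None,     # keeps the rule from looping
    }

def rewrite_or_version(uri, referer):
    """First ruleset: [NC,OR] joins the two referer conditions, so a blank
    referer already fails the 'own site' test and gets blocked too."""
    c = conditions(uri, referer)
    blocked = (c["is_image"]
               and (c["foreign_referer"] or c["dash_referer"])
               and c["not_replacement"])
    return TARGET if blocked else uri

def rewrite_and_version(uri, referer):
    """Second ruleset: plain AND chain with !^$, so blank referers
    (typed-in URLs, many spiders) pass through untouched."""
    c = conditions(uri, referer)
    blocked = (c["is_image"]
               and c["foreign_referer"]
               and c["nonblank_referer"]
               and c["not_replacement"])
    return TARGET if blocked else uri

if __name__ == "__main__":
    # Constructed sample requests: (REQUEST_URI, HTTP_REFERER)
    samples = [
        ("/photos/lioness.jpg", "http://www.my.site.invalid/gallery.html"),
        ("/photos/lioness.jpg", "http://other.example/forum/thread"),
        ("/photos/lioness.jpg", ""),
        ("/illegal_link.gif", "http://other.example/"),
        ("/index.html", "http://other.example/"),
    ]
    for uri, ref in samples:
        print(f"{uri:22} ref={ref or '(blank)':40} "
              f"OR-> {rewrite_or_version(uri, ref):18} AND-> {rewrite_and_version(uri, ref)}")
```

The third sample (blank referer) is the one where the two rulesets disagree, which is exactly the difference the post above calls subtle.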