.htaccess questions

by finearts » Wed Sep 26, 2012 5:05 pm
I keep subfolders in my webspace that contain files I share privately with friends/acquaintances; that is, there are no navigation links on my webpages that lead to those folders. I send the URLs via email when I want to allow others to view the contents. Obviously, it's more convenient to provide a single URL that generates an indexed sub-directory than to provide individual URLs for each and every file in a given directory. After Sonic recently disabled default directory indexing, I contacted tech support who kindly provided me with the needed .htaccess code to restore indexing in the subfolders I want to share. I implemented the very straightforward code and all is well with that issue.

During the process, I looked into other functionality controlled by .htaccess files at the Apache site and also at http://www.javascriptkit.com/howto/htaccess.shtml. I am interested in preventing hot linking of my images, which may be occurring more than I realize. In fact, some of my art images have actually been plagiarized from my website for print reproduction purposes in foreign countries – and this despite the fact that my online images are low-resolution by publishing standards. I know I can't prevent copying imagery from my site, but the hotlinking issue is bandwidth theft. Maybe I can do something about that.

I note that the author of the article on preventing hotlinking maintains that in order for it to work, mod rewrite needs to be enabled on the server. I experimented with two versions of anti-hotlinking .htaccess files. One version caused broken images when simply viewing my site via proper access (such as loading the home page from a link). The other version is in my finearts (Sonic username) directory now. The site looks and behaves normally, but I don't know how to test to see if hot-linking is foiled or not. So... three questions:

1. Is mod rewrite enabled on Sonic's servers?
2. How can I tell if hotlinking has been prevented by the .htaccess file lodged in my finearts directory?
3. Do I need to create a similar .htaccess file (or add to the current one) for the "sonic.net" domain?

The anti-hotlinking .htaccess file reads as follows...

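Code:

RewriteEngine on
# The rule below applies only when the Referer is not empty...
RewriteCond %{HTTP_REFERER} !^$
# ...and does not come from a page on keithhalonen.com (NC = ignore case)
RewriteCond %{HTTP_REFERER} !^http://(www\.)?keithhalonen\.com/.*$ [NC]
# Matching requests for these file types get 403 Forbidden
RewriteRule \.(gif|jpg|js|css)$ - [F]

Thanks in advance to anyone who can offer advice on this.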
Keith
keith@keithhalonen.com
http://www.keithhalonen.com
by thulsa_doom » Thu Sep 27, 2012 3:10 pm
Ages ago I used the following to prevent folks from hot-linking images from my directory:

Code:

# Mark requests whose Referer contains "sonic.net/" as local
SetEnvIfNoCase Referer "sonic\.net/" local_ref=1
# Serve .gif and .jpg files only to requests marked local
<FilesMatch "\.(gif|jpg)">
    Order Allow,Deny
    Allow from env=local_ref
</FilesMatch>

Then I had my 404 error for that directory point at a rather insulting .gif file, and I laughed and laughed.

The problem being that if the visitor doesn't give a referrer in the request, it looks like you are the one stealing other folks' stuff. So I added another SetEnvIfNoCase for "^$" also.
John Fitzgerald
Sonic Technical Support
by finearts » Fri Sep 28, 2012 2:36 pm
Thanks, John. The code currently in my .htaccess file (see my post at the top) came from http://www.javascriptkit.com/howto/htaccess10.shtml.

The code you display in your above reply is similar to the code I first tried from Sonic's .htaccess wiki here: https://wiki.sonic.net/wiki/.htaccess. That code looks like this...

Code:

# Mark requests referred from sonic.net, or sent with an empty Referer, as local
SetEnvIfNoCase Referer "sonic\.net" local_ref=1
SetEnvIf Referer "^$" local_ref=1
# Serve .gif and .jpg files only to requests marked local
<FilesMatch "\.(gif|jpg)">
    Order Allow,Deny
    Allow from env=local_ref
</FilesMatch>

I note that the "^$" you mentioned appears in this version. I can't pretend to understand exactly how these codes perform their magic, because I don't understand. But I'm a champ at CTRL+C followed by CTRL+V because I got my first personal computer back in 1983, when BASIC was king of DOS and a hard drive was motoring nonstop from San Francisco to Milwaukee with three pals.

However, when I use the Sonic .htaccess wiki code in my website directory, all the GIF and JPG images on my pages appear broken when I attempt to view them on IE8. The instructions on that page state: 'This will specifically deny access to any file whose name ends with ".gif" or ".jpg" if the referring URL is not from "sonic.net" or if no referer is provided. If you have a multihomed domain name, you will want to replace "sonic\.net/" with "yourdomain\.tld" instead.' I did substitute my domain followed by the "\.tld" but I am wondering what the ".tld" extension signifies... and why is there a forward-slash in the phrase "sonic\.net/" in the instructions? Should I be using "keithhalonen\.com" instead?

The most annoying aspect of this trial-and-error approach is that I can't test my own defensive code. So far, the code from javascriptkit.com is the only one that even allows me to properly view my own GIF and JPG images when I load my site. But I still have no way of knowing whether or not it's working. Someone, please, try to hotlink an image from my site and report back to me here. Thanks again for any and all help and advice.
by thulsa_doom » Fri Sep 28, 2012 4:36 pm
The "\.tld" is meant to be .com or .net or .to or whatever your site's top-level domain is. The '\' character is there to mean that the '.' after it is a period, not a wildcard character.

Like the '.', the '^' and '$' are special characters. '.' means "any character", while '^' means the beginning of a line and '$' means the end of a line. So "^$" means the beginning of the line is immediately followed by the end of the line, so it's a way of specifying an empty value.
John Fitzgerald
Sonic Technical Support
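
Added example (not part of the thread or of Sonic's wiki): a small Python model of the two rule sets posted above, showing which Referer values get an image served and why substituting "keithhalonen\.tld" broke the site's own images. The file name `sample.jpg` and the function names are hypothetical, and Apache's regex matching is approximated with Python's `re`.

```python
import re

def wiki_rule_allows(filename, referer, domain_regex):
    """Model of the SetEnvIf/FilesMatch rule set: True = served, False = denied."""
    if not re.search(r"\.(gif|jpg)", filename):    # FilesMatch "\.(gif|jpg)"
        return True                                 # other files are unrestricted
    # SetEnvIfNoCase Referer "<domain_regex>" local_ref=1 (unanchored, any case)
    local_ref = re.search(domain_regex, referer, re.IGNORECASE) is not None
    # SetEnvIf Referer "^$" local_ref=1 (empty Referer value)
    local_ref = local_ref or referer == ""
    return local_ref                                # Allow from env=local_ref

def rewrite_rule_allows(filename, referer):
    """Model of the mod_rewrite rule set: True = served, False = 403 ([F])."""
    protected = re.search(r"\.(gif|jpg|js|css)$", filename) is not None
    has_referer = referer != ""                     # RewriteCond ... !^$
    foreign = re.search(r"^http://(www\.)?keithhalonen\.com/.*$",
                        referer, re.IGNORECASE) is None   # negated cond, [NC]
    # The rule fires only when every condition holds at once.
    return not (protected and has_referer and foreign)

# Constructed sample requests: (label, Referer header value)
REFERERS = [
    ("own page", "http://www.keithhalonen.com/index.html"),
    ("no referer", ""),
    ("other site", "http://ruka.org/~toast/chess.html"),
]
IMAGE = "sample.jpg"   # hypothetical file name

def results():
    """Decision for each sample Referer under three configurations."""
    table = {}
    for label, ref in REFERERS:
        table[label] = {
            "tld": wiki_rule_allows(IMAGE, ref, r"keithhalonen\.tld"),
            "com": wiki_rule_allows(IMAGE, ref, r"keithhalonen\.com"),
            "rewrite": rewrite_rule_allows(IMAGE, ref),
        }
    return table

if __name__ == "__main__":
    for label, row in results().items():
        print(label, {k: ("served" if v else "denied") for k, v in row.items()})
```

Against the live site, the same three cases can be checked with `curl -I -e <referer> <image URL>` and comparing the status codes returned.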
by finearts » Fri Sep 28, 2012 4:58 pm
Again thanks, John. I've re-experimented with the proper "keithhalonen\.com" in place. The Sonic .htaccess wiki code now works properly (unlike my earlier ignorant attempt) insofar as my ability to load my own website with all its JPGs and GIFs visible. However, I can only assume that this code is disabling hot linking to my images, as I have no way to test it by my lonesome. So, if anyone who's reading this would kindly attempt to hot-link any image from my website to their own or to a forum somewhere (for instance, this forum), I would keenly appreciate hearing about the success or failure of your attempt.

Keith
(who masters his own website in the simplest HTML possible and greatly appreciates your kind assistance)
by toast0 » Fri Sep 28, 2012 10:39 pm
It looks like it works. I linked your image from http://ruka.org/~toast/chess.html and it does not show up. (Note I added a query parameter, which should prevent your browser from showing you a cached version of the image, which is a good way to get confused. :)
by finearts » Sat Sep 29, 2012 12:44 pm
Thanks mightily, toast0. I used your link and the warm red X confirmed your test. You may remove the link now and you have my gratitude for going the extra mile on my behalf. I actually do have a couple friends who have their own websites and could probably have done this for me, but I would have had to walk them through the whole process as their techno-savvy is even "iffier" than my own.
by nosewatt » Sat Oct 20, 2012 3:05 am
Here are two links to similar .htaccess answers and tools from a good resource site

http://tools.dynamicdrive.com/password/
http://tools.dynamicdrive.com/userban/

Cheers
by finearts » Sat Oct 20, 2012 9:02 am
Thanks, nosewatt, for these links. I figure myself to be a demigeek, as I seem to be the tech consultant to my extended family. I am curious as to other potential attributes of the .htaccess file and will visit these pages as soon as the dust clears from installing new flooring in my "real-world" hovel.

http://tools.dynamicdrive.com/password/
http://tools.dynamicdrive.com/userban/

Again, muy thanx