Problem with regex concerning HTTP_REFERER

Post by metzomagic » Sun May 24, 2009 11:27 am

Hi there,

New here, but only to mod_rewrite. I've been reading about it all over the web, but there's so much misinformation out there...

Anyway, to cut to the chase, I've configured my local Apache server (v1.3.33) to use mod_rewrite. I'm trying to debug a condition/rule there before deploying it to my actual hosting service, and having zero luck. What I want is to make it so that users can't hot link to .mp3 files I'm hosting. So I've got a dir called:

localhost/music

and I've put the following rewrite stuff into the .htaccess file there:

# Prevent hot linking to all music!
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://localhost/ [NC]
RewriteRule ^(.*)$ - [F,L]

So basically, I'm trying to say that if the HTTP_REFERER is not an internal link from my site, then take the user to the Forbidden page.

I've debugged the referer that I want to allow with PHP, and I get this:

http://localhost/myTracks.php

So... why on earth won't that regex in the RewriteCond work?! What happens is that when I try to directly access the music via:

http://localhost/music/.../TrackName.mp3

I get the desired result, the user is forbidden access. But when I try to access it via an internal link from localhost, the same thing happens :-\ I'm darn sure that mod_rewrite is configured correctly, because when I try this condition:

RewriteCond %{HTTP_REFERER} ^garbage [NC]

The RewriteRule doesn't kick in. Any ideas as to what I might be doing wrong? And... if it's not something obvious, is there any way for me to get the HTTP_REFERER variable into the Apache logs so I can see what Apache thinks it is?

Thanks in advance,
Steve
metzomagic
 
Posts: 3
Joined: Sun May 24, 2009 10:53 am

Post by richardk » Sun May 24, 2009 1:59 pm

Are you sure your browser is sending the Referer header? Is $_SERVER['HTTP_REFERER'] set to http://localhost/something in PHP?

The Referer header is very unreliable; it is sent by the browser, so its value can be anything the user wants it to be. By disallowing empty Referer headers you will block people that do not send it (turned off, stripped by firewalls). You will also block users that do not set it to the referring URL from accessing your files.
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

Post by metzomagic » Sun May 24, 2009 3:14 pm

Richard, hi,

Thanks for the speedy reply.

I'm aware that the referer may be empty in a lot of cases, and those are the people I'm *especially* trying to keep out! I only want the URLs that are referenced by:

http://myDomain/

to work. So the answer I'm looking for is... why doesn't this regex work (on localhost):

RewriteCond %{HTTP_REFERER} !^http://localhost/ [NC]

I've also tried a variant of that which matches on the whole string:

!^http://localhost/.*$

And that doesn't work either. I must say that I'm getting really frustrated at this stage. I've been using regex in all sorts of environments for at least 10 years now, and it just boggles the mind that it won't work.

So... rather than trying to determine what's wrong with that regex, perhaps I'm better off asking: how do I get the HTTP_REFERER dumped to my Apache logs? Then I could see if it's the string I'm expecting...

Thanks,
Steve
metzomagic
 
Posts: 3
Joined: Sun May 24, 2009 10:53 am

Post by richardk » Sun May 24, 2009 3:41 pm

A RewriteLog will show what is happening. It needs to be set up in your httpd.conf file.
Code:
RewriteLogLevel 9
RewriteLog "/path/to/rewrite.log"
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

Post by metzomagic » Sun Nov 29, 2009 6:02 am

richardk, hi,

Thanks for the tip. Why I took so long to reply was... the site ran out of bandwidth towards the end of May, so I couldn't access it. In any event, I discovered that the problem was there were cases where HTTP_REFERER could be empty even if you came from your own site. So in the end, I wound up doing it with a cookie instead, like this:

# Prevent hot linking to all music! If "allowPreview" cookie not present, take user to splash page for site
RewriteEngine on
RewriteCond %{HTTP_COOKIE} !^.*allowPreview.*$ [NC]
RewriteRule ^(.*)$ http://localhost/index.html [R,L]

Cheers,
Steve
metzomagic
 
Posts: 3
Joined: Sun May 24, 2009 10:53 am
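
The behaviour worked out in this thread, as an added example that is not part of any post: a Python sketch that evaluates the thread's two RewriteCond patterns against constructed Referer and Cookie values, showing which requests each rule acts on. Python's re module stands in for Apache's regex engine; NAMED_COOKIE_COND, the function names and the sample values are assumptions made for illustration.

```python
import re

# RewriteCond lines from the thread as (negated, pattern); both carry [NC].
REFERER_COND = (True, r"^http://localhost/")
COOKIE_COND = (True, r"^.*allowPreview.*$")
# Hypothetical tighter variant (not from the thread): match a cookie *named*
# allowPreview instead of the substring anywhere in the Cookie header.
NAMED_COOKIE_COND = (True, r"(^|; *)allowPreview=")


def cond_is_true(cond, header_value):
    """Evaluate one RewriteCond: unanchored, case-insensitive regex search on
    the test string (a header that was not sent expands to ""), then "!"."""
    negated, pattern = cond
    matched = re.search(pattern, header_value or "", re.IGNORECASE) is not None
    return (not matched) if negated else matched


def rule_fires(cond, header_value):
    """The RewriteRule pattern ^(.*)$ matches every path, so the rule's
    action (F or R) fires exactly when its single condition is true."""
    return cond_is_true(cond, header_value)


# Constructed sample requests: (description, Referer header, Cookie header).
SAMPLES = [
    ("link on http://localhost/myTracks.php", "http://localhost/myTracks.php", "allowPreview=1"),
    ("same link, Referer not sent", None, "allowPreview=1"),
    ("URL typed directly, no cookie", None, None),
    ("link on another site", "http://example.com/page.html", "lang=en"),
    ("unrelated cookie containing the word", None, "lang=en; note=disallowPreviews"),
]


def evaluate(samples=SAMPLES):
    """Return one row per sample: (description, forbidden_by_referer_rule,
    redirected_by_cookie_rule, redirected_by_named_cookie_rule)."""
    return [
        (desc,
         rule_fires(REFERER_COND, referer),
         rule_fires(COOKIE_COND, cookie),
         rule_fires(NAMED_COOKIE_COND, cookie))
        for desc, referer, cookie in samples
    ]


if __name__ == "__main__":
    for row in evaluate():
        print("%-40s referer:F=%-5s cookie:R=%-5s named:R=%s" % row)
```

The second row is the case reported in the last post: a visitor arriving from the site itself with no Referer sent is forbidden by the Referer rule but passes the cookie rule.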

