bandwidth protection help

Fix it!!

Postby netmedia » Sun Oct 07, 2001 11:51 am

I have a problem on a protected picture area.
I am using mod_rewrite and apache 1.3.9

I protect the directories from in-line linking by using these lines in my http.conf file.

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^*$ [NC]
RewriteCond %{HTTP_REFERER} !^*$ [NC]
RewriteCond %{HTTP_REFERER} !^*$ [NC]
RewriteCond %{HTTP_REFERER} !^*$ [NC]
RewriteRule .*.*$ [L,R]

While this works fine for any linking from other pages, it doesn't stop anyone from just "typing in" the URL of the picture in the browser and linking that way.

I can disable the "type in" by commenting out the line:
RewriteCond %{HTTP_REFERER} !^$

Now here is the problem,
I use a .cgi program to call the pictures for a gallery and the .cgi program doesn't send a HTTP_REFERER header so mod_rewrite thinks that it is a "type in", thus if I comment out the first line then my gallery program doesn't work.

Is there some other veriable or rule that I can use to protect the pictures subdomain? Maybe SERVER_NAME or DOCUMENT_ROOT or something like that.
I was thinking of adding a rule before this one to pre-qualify referers comming from this server.

I tried this but couldn't make it work.

RewriteCond %{SCRIPT_URL} !^/.*/imageFolio.cgi/$ [NC]
RewriteRule .*/.*$ [L,R]

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^*$ [NC]
RewriteCond %{HTTP_REFERER} !^*$ [NC]
RewriteCond %{HTTP_REFERER} !^*$ [NC]
RewriteCond %{HTTP_REFERER} !^*$ [NC]
RewriteRule .*.*$ [L,R]


Thanks in advance,

Carroll Guthrie
Net Media Internet Services
Dedicated servers as low as $149/mo
Bandwidth as low as $300/meg

<font size=-1>[ This Message was edited by: netmedia on 2001-10-07 15:54 ]</font>
Posts: 1
Joined: Sat Oct 06, 2001 4:00 pm

Postby Brett » Sun Oct 14, 2001 8:22 am

Hi Carol,

I think you can pre-qualify referers coming from your server by using the REMOTE_HOST or REMOTE_ADDR variables. Or, you can change the script itself so that it grabs the images through the file system instead of using an HTTP request.

However, be aware that some people browse the Internet using software that blocks referers ... and these people will think there is something wrong with your script if you change it so that the URL cannot just be typed in.

Note: For a list of server variables that can be used by mod_rewrite, see

<font size=-1>[ This Message was edited by: Brett on 2001-10-14 12:25 ]</font>
Posts: 82
Joined: Tue Jul 10, 2001 4:00 pm

Return to Security with Mod_Rewrite

Who is online

Users browsing this forum: No registered users and 3 guests