hotlink protection but only allow from a different domain

Fix it!!

hotlink protection but only allow from a different domain

Postby bbuser » Sat Dec 15, 2007 2:30 am

Here is my scenario...

I have files hosted on downloads.mydomain.com but they should only be downloadable from site.mydomain.com via direct link. Otherwise forwarded to a page or image.

I've been looking all over and tried many examples over the past week, but I cant get nothing to work.

Can some one help me?
bbuser
 
Posts: 5
Joined: Sat Dec 15, 2007 2:18 am

Postby bbuser » Sat Dec 15, 2007 2:49 am

oops,

I forgot what I have so far...

Code: Select all
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^https://site.mydomain.com(/.*)$ [NC]
RewriteRule .*\.(zip|exe|pdf)$ https://site.mydomain.com/index.php?_m=downloads&_a=view [R,NC,L]


I placed this in a .htaccess in the web root of download.mydomain.com

It blocks all attempts to direct link, but it's not allowing the referer through
bbuser
 
Posts: 5
Joined: Sat Dec 15, 2007 2:18 am

Postby richardk » Sun Dec 16, 2007 3:24 pm

The referer header is unreliable. Try
Code: Select all
Options +FollowSymLinks

RewriteEngine On

RewriteCond %{HTTP_REFERER} !^(https://site\.mydomain\.com(/.*)?)?$ [NC]
RewriteRule \.(zip|exe|pdf)$ https://site.mydomain.com/index.php?_m=downloads&_a=view [NC,R,L]
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

Postby bbuser » Tue Dec 18, 2007 7:06 am

Thanks,

well, it somewhat works. It works fine if I click on a link from the directory (redirects to the url), but it still allows direct linking to everyone.
bbuser
 
Posts: 5
Joined: Sat Dec 15, 2007 2:18 am

Postby richardk » Tue Dec 18, 2007 11:02 am

If you stop people typing it into the browser address bar you will block users that do not send the referer header.
Code: Select all
!^https://site\.mydomain\.com(/.*)?$
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

Postby bbuser » Fri Jan 04, 2008 6:05 am

Thanks richardk.

I tried

Code: Select all
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^(https://sub2\.domain2\.com(/.*)?$ [NC]
RewriteCond %{HTTP_REFERER} !^(http://sub\.domain2\.com(/.*)?$ [NC]
RewriteCond %{HTTP_REFERER} !^(https://sub\.domain2\.com(/.*)?$ [NC]
RewriteRule \.(zip|exe|pdf)$ https://site.domain.com/index.php [NC,R,L]


But this gives Error 500
bbuser
 
Posts: 5
Joined: Sat Dec 15, 2007 2:18 am

Postby richardk » Fri Jan 04, 2008 2:00 pm

You have two "(" but only one ")". It's supposed to end in ")?)?$".

Code: Select all
Options +FollowSymLinks

RewriteEngine On

RewriteCond %{HTTP_REFERER} !^(https://(sub|sub2)\.domain2\.com(/.*)?)?$ [NC]
RewriteCond %{HTTP_REFERER} !^(http://sub\.domain2\.com(/.*)?)?$ [NC]
RewriteRule \.(zip|exe|pdf)$ https://site.domain.com/index.php [NC,R,L]
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am

Postby bbuser » Fri Jan 04, 2008 2:11 pm

Oh Ok, but that allows someone to direct link. After words you pasted

Code: Select all
!^https://site\.mydomain\.com(/.*)?$
to correct that.


Can you please confirm?

Thanks
bbuser
 
Posts: 5
Joined: Sat Dec 15, 2007 2:18 am

Postby richardk » Fri Jan 04, 2008 2:17 pm

Yeah. So you need
Code: Select all
Options +FollowSymLinks

RewriteEngine On

RewriteCond %{HTTP_REFERER} !^https://(sub|sub2)\.domain2\.com(/.*)?$ [NC]
RewriteCond %{HTTP_REFERER} !^http://sub\.domain2\.com(/.*)?$ [NC]
RewriteRule \.(zip|exe|pdf)$ https://site.domain.com/index.php [NC,R,L]
richardk
 
Posts: 8800
Joined: Wed Dec 21, 2005 7:50 am


Return to Security with Mod_Rewrite

Who is online

Users browsing this forum: Google [Bot] and 2 guests

cron