Joined: Jan 2003
Posts: 125
Journeyman
just had a bunch of people stealing bandwidth by using graemlins from our server. this is basic, but worth posting:

how to block stealing of .gif and .jpg using .htaccess:

Code
# Refuse image requests whose Referer is set and is not this site.
# The first condition skips requests that carry no Referer at all (bookmark, typed URL, refresh).
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yoursite\.com/.*$ [NC]
RewriteRule \.(gif|jpg)$ - [F]


if you place this in the root of your public http directory it will protect all images on your site.

Joined: Nov 2001
Posts: 10,369
I type Like navaho
An excellent resource.

Thanks.

Joined: Aug 2002
Posts: 1,191
Kahuna
The question is... Will it work on Windows?

As far as I know Windows does not allow files without a name, hence .htaccess is not a valid filename...

Thanks for sharing chillin


Nikos
Joined: Dec 2000
Posts: 1,471
Addict
It works on Windows, but you need Apache.
But using the rewrite engine can cause problems on high traffic sites. It increases the load of the server and the overhead of every request.

There are some other ways to prevent the direct linking to images.
For example using a php script that looks for a valid session before displaying the image.

Joined: Aug 2002
Posts: 1,191
Kahuna
I am using apache and I am lazy to write the script LOL. It would be a bummer to try and hack photopost so that every image display checks for the session id.

I was wondering if you can change the .htaccess file name to make it something like access.htaccess so that it becomes a valid windows file name.


Nikos
Joined: Dec 2000
Posts: 1,471
Addict
Sure:

AccessFileName directive
Syntax: AccessFileName filename [filename] ...
Default: AccessFileName .htaccess
Context: server config, virtual host
Status: core
Compatibility: AccessFileName can accept more than one filename only in Apache 1.3 and later

When returning a document to the client the server looks for the first existing access control file from this list of names in every directory of the path to the document, if access control files are enabled for that directory. For example:

AccessFileName .acl

before returning the document /usr/local/web/index.html, the server will read /.acl, /usr/.acl, /usr/local/.acl and /usr/local/web/.acl for directives, unless they have been disabled with

<Directory />
AllowOverride None
</Directory>

Joined: Oct 2000
Posts: 2,223
Veteran
RewriteCond %{HTTP_REFERER} !^$

Get rid of that line. It will cause you no end of heartache and headache.

Literally, it's making one of the matching conditions: no referrer.

So, if I open my browser, click my bookmark to your site I get no referrer, thus no images. If I hit refresh the same thing happens. Usually at that point I've left your site, but if I haven't left your site after that and actually clicked a link now I have your site as a referrer and I'll get pictures. But.. that ain't gonna happen because after the first time I refreshed if I had no pictures I left.

Besides, if anybody is linking to your pictures there would be a referrer.

You also missed GIF JPG PNG and png.

If you have downloads you'll also want to add .exe and .zip.



Picture perfect penmanship here.
Joined: Oct 2000
Posts: 2,223
Veteran
Nikos, Windows will allow an .htaccess file. You just can't make one with notepad or try to rename a file to .htaccess. (edit - wrong, see below)

I open a file with UltraEdit32, put in what I need, save as .htaccess and it works fine. Notepad will make it .htaccess.txt if it even does anything.

You might be able to get away with setting notepad to save file type all files then for the file name surround it in quotes. ".htaccess"

yup, just tried it. that works. I have an .htaccess on my desktop doing it just that way.

Last edited by navaho; 04/15/2003 7:28 PM.

Picture perfect penmanship here.
Joined: Aug 2002
Posts: 111
Journeyman
I'm able to write a .htaccess file in Notepad if I save it as a text file (for example, I can call it Bob.txt), but then rename it after I upload it to my server.

Joined: Nov 2001
Posts: 10,369
I type Like navaho
Who's Bob?

Joined: Aug 2002
Posts: 111
Journeyman
JoshPet said:
Who's Bob?

My goldfish. He's so smart, he can say his own name!

Joined: Nov 2001
Posts: 10,369
I type Like navaho
he he

Joined: Aug 2002
Posts: 1,191
Kahuna
I tried that Dave but it didn't work. Windows 2000 did not allow the file to be renamed. Since I don't have Ultraedit I followed coy7's advice and it worked just fine.

However, when I put a link up in a browser (I haven't logged in on my forum or anything like that) it will start bringing up an image.

There I go for the investigation. I found out that the Rewrite modules were commented out. So I uncommented the .so and the .c rewrites in my Apache conf file and restarted the server. Unfortunately I could still hook up with the file.

Any ideas?


Nikos
Joined: Jan 2003
Posts: 250
Member
Does anyone have the code to add to the directive to allow some referrers through?? We have a site or two that we share images with, and I'd like to use this, but need to be able to allow them.

Cheers,

Chris


"Some dream of doing great things, while others stay awake and get on with it."
      -- Anonymous
Joined: Oct 2000
Posts: 2,223
Veteran
"However, when I put a link up in a browser (I haven't logged in on my forum or anything like that) it will start bringing up an image."

No Referrer. I mentioned that. Try linking the image from a different website and see what happens. Make a post here in the test forum with a linked image. That will be a better test.

Raconteur, you want to allow certain sites to link? Add them to the exceptions conditions

RewriteCond %{HTTP_REFERER} !^http://(www\.)?yoursite.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourothersite.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?anothergoodsite.com/.*$ [NC]

Last edited by navaho; 04/16/2003 4:39 PM.

Picture perfect penmanship here.
Joined: Jan 2003
Posts: 250
Member
Thanks navaho!! Is there an online reference that divulges the meaning of the codes for this thing?? Like what does [NC] mean, and [F], etc...


"Some dream of doing great things, while others stay awake and get on with it."
      -- Anonymous
Joined: Jan 2003
Posts: 250
Member
Ack... spoke too soon...

Here is what I have:

Code
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?syngnathid\.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?ubbdev\.com/.*$ [NC]
RewriteRule \.(gif|jpg|png|exe|zip|GIF|JPG|PNG|EXE|ZIP)$ - [F]


And MOST of my images on my own site are not coming up... some do however...

My avatar here is linked from an image on our site and it seems fine, though...


"Some dream of doing great things, while others stay awake and get on with it."
      -- Anonymous
Joined: Oct 2000
Posts: 2,223
Veteran
I haven't seen any really good down to earth guides for mod rewrite.

Here is the rewrite guide from apache.org
http://httpd.apache.org/docs/misc/rewriteguide.html

and the reference documentation
http://httpd.apache.org/docs/mod/mod_rewrite.html

The top one tells you what the [R], [L], and [NC] notations are, if I recall. If not then it is in the second.


Picture perfect penmanship here.
Joined: Jan 2003
Posts: 250
Member
Thanks. Any idea why images are not showing up for me?


"Some dream of doing great things, while others stay awake and get on with it."
      -- Anonymous
Joined: Aug 2002
Posts: 111
Journeyman
http://www.hotlinking.com/

That site lets you test whether or not your .htaccess files are working to protect images on your site. I had to employ it today as a check of my stats revealed that a Star Trek message board, of all things, was hotlinking to my graemlins! Aren't those people geeky enough to want their own graemlins?

Joined: Jan 2003
Posts: 250
Member
Hey... shouldn't this:

Code
order allow,deny
deny from 10.
allow from all


prevent someone from 10.X.X.X from accessing our site?? I keep getting these morons from a competing site with no content pilfering our intellectual property by logging in as anonymized guests.

I have my .htaccess file in the root of our site, with that code and nothing else but I am seeing a user with IP 10.1.1.6 online right now...


"Some dream of doing great things, while others stay awake and get on with it."
      -- Anonymous
Joined: Oct 2000
Posts: 2,223
Veteran
a 10. number?

that's a nonroutable number. are you quite sure that your own server doesn't have an internal 10. IP address, or one on your network?

the 10 range is the same as the 192.168 range, it's nonroutable.

Last edited by navaho; 04/17/2003 7:29 PM.

Picture perfect penmanship here.
Joined: Jan 2003
Posts: 250
Member
10.x.x.x is in the I.A.N.A. according to http://ws.arin.net/cgi-bin/whois.pl

We are getting hits from folks that we know who are using black hole generating web-sites to get to us. I put a ban on 10.%.%.% but was still seeing them on our site... especially in our Library (where most of our intellectual content resides), and realized two things:

1) I had not added the ban check code to the library access files.

2) The ban check code (I think it is from Josh's "Better Ban Mod") had a bug where it was checking for a user id OR an IP. Guests get an ID of zero, so if there was another guest on the site at the same time as this person, the result from the query returned more than one row, and the code was only looking at the first one.

So I fixed both, and now it is just a waiting game to see if they show up again.

I was hoping to block in a more authoritative and decisive fashion using .htaccess or something similar... if that won't work, do you have any suggestions??

Thanks!

Chris


"Some dream of doing great things, while others stay awake and get on with it."
      -- Anonymous
Joined: Aug 2000
Posts: 1,609
Addict
I've been using this on my site, but my replacement image does not work. This would be an image that shows instead of the image requested. Here is my code:

Code
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?drumlines\.org/.*$ [NC]
RewriteRule \.(gif|jpg)$ http://www.drumlines.org/images/hotlink.gif [R,L]


As you can see below, it does not work....

http://www.drumlines.org/mural.jpg

Yes, the URL is correct!

Joined: Oct 2000
Posts: 2,223
Veteran
Of course it doesn't work. Look at what it does.

replace every gif in / and any directory under it with hotlink.gif if there is no referrer or the referrer is not drumlines.org.

hotlink.gif IS A GIF!


Picture perfect penmanship here.
Joined: Nov 2001
Posts: 10,369
I type Like navaho
LOL

That made me laugh navaho.

Joined: Aug 2002
Posts: 1,191
Kahuna
For some reason my rewrite rules don't work at all.

I have Apache 2 and I have enabled the loadmodule rewrite.so.

My .htaccess file is located at the root of the web site (which is my understanding that will "protect" all the rest of the subfolders) and it is:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://www.schuey.de/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://ffff.niden.net/.*$ [NC]
RewriteRule \.(gif|jpg|zip|png|jpeg|wmv|mpg|GIF|JPG|ZIP|PNG|JPEG|WMV|MPG)$ - [F]

Now I tried it with the RewriteCond %{HTTP_REFERER} !^$ and without it and it doesn't work

Any ideas?


Nikos
Joined: Aug 2000
Posts: 1,609
Addict
I figured it was something like that, but thought that the last line was supposed to override the rule. There is a way, right? So how is it done?

Joined: Oct 2000
Posts: 2,223
Veteran
Substitute a png if you use no other png files on the site. Or point to a hotlink.gif on another site that you own (a subdomain JUST for a hotlink image maybe?). Or, better yet, substitute no image at all "-". Why use your bandwidth serving hotlink.gif? The object of the exercise is to save your bandwidth dollars that hotlinkers are costing, right? So give them no image.

Last edited by navaho; 04/21/2003 7:31 PM.

Picture perfect penmanship here.
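An added example (my own, not code from this thread or from Apache) that models the RewriteCond/RewriteRule subset used here: it evaluates the three referrer cases discussed above (no referrer, own site, another site) against the ruleset with and without the `RewriteCond %{HTTP_REFERER} !^$` line, and replays a browser that keeps its Referer across redirects to show why a replacement image that is itself a .gif never settles. Hostnames and paths are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Rulesets from the thread (hostnames are placeholders, regex dots escaped).
WITH_EMPTY = r"""
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yoursite\.com/.*$ [NC]
RewriteRule \.(gif|jpg|png)$ - [F]
"""
# The same ruleset after dropping the "!^$" line, as advised above.
WITHOUT_EMPTY = WITH_EMPTY.replace("RewriteCond %{HTTP_REFERER} !^$\n", "")
# The replacement-image variant: the substitution target is itself a .gif.
REDIRECT_GIF = r"""
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yoursite\.com/.*$ [NC]
RewriteRule \.(gif|jpg)$ http://www.yoursite.com/images/hotlink.gif [R,L]
"""


def parse_rules(htaccess):
    """Group each RewriteRule with the RewriteCond lines directly above it."""
    rules, conds = [], []
    for raw in htaccess.splitlines():
        parts = raw.split()
        if not parts or parts[0] not in ("RewriteCond", "RewriteRule"):
            continue
        flags = set(parts.pop()[1:-1].split(",")) if parts[-1].startswith("[") else set()
        if parts[0] == "RewriteCond":
            conds.append((parts[1], parts[2], flags))
        else:
            rules.append((conds, parts[1], parts[2], flags))
            conds = []
    return rules


def cond_holds(pattern, value, flags):
    """A leading '!' negates the regex test; NC makes it case-insensitive."""
    negate = pattern.startswith("!")
    hit = re.search(pattern.lstrip("!"), value, re.IGNORECASE if "NC" in flags else 0)
    return (hit is not None) != negate


def decide(htaccess, path, referer):
    """Return 'F' (403), ('R', url) for a redirect, or None when served as-is."""
    for conds, pattern, subst, flags in parse_rules(htaccess):
        if not re.search(pattern, path, re.IGNORECASE if "NC" in flags else 0):
            continue
        env = {"%{HTTP_REFERER}": referer}
        if all(cond_holds(p, env[var], f) for var, p, f in conds):
            return "F" if "F" in flags else ("R", subst)
    return None


def follow_redirects(htaccess, path, referer, max_hops=5):
    """Replay a browser that keeps its Referer across redirects; 'loop' if it never settles."""
    for _ in range(max_hops):
        outcome = decide(htaccess, path, referer)
        if not isinstance(outcome, tuple):
            return outcome
        path = urlparse(outcome[1]).path  # the next request is for the replacement image
    return "loop"


if __name__ == "__main__":
    for ref in ("", "http://www.yoursite.com/forum/", "http://other.example/page"):
        print(f"referer={ref!r:32} with !^$: {decide(WITH_EMPTY, '/mural.jpg', ref)!s:5} "
              f"without: {decide(WITHOUT_EMPTY, '/mural.jpg', ref)}")
    print("hotlink.gif replacement:", follow_redirects(REDIRECT_GIF, "/mural.jpg", "http://other.example/page"))
```

With the `!^$` line kept, a request with no Referer is served; without it, the same request is refused, which is the "most of my images are not coming up" symptom for bookmarked or refreshed pages.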
Joined: Nov 2001
Posts: 10,369
I type Like navaho
Yeah, I need to re-enable it before all my gallery content flies out the window.... I just used to serve the broken image.

Joined: Jan 2003
Posts: 250
Member
Hey navaho,

Can you give me some guidance with this 10.x.x.x problem... it is really plaguing me... I have code in the ban_check function now to specifically look for this particular 10. IP address that keeps hitting our site, but I am still seeing the person in our Library.

Is there no way to use .htaccess to prevent this?? If not, any other solutions??

Thanks!



"Some dream of doing great things, while others stay awake and get on with it."
      -- Anonymous
Joined: Oct 2000
Posts: 2,223
Veteran
I'll try, but it will be later today before I can get to it.


Picture perfect penmanship here.
Joined: Jan 2003
Posts: 250
Member
Thanks a ton!


"Some dream of doing great things, while others stay awake and get on with it."
      -- Anonymous
Joined: Jan 2003
Posts: 250
Member
Alright, after battling back and forth over this with our host, I have gotten some information... however, I am not sure how accurate it is. Can someone help me verify this stuff?

Hello,

It is much more likely to be a bug in your application where an HTTP connection
is being initiated to itself. This is the only possible cause for an internal
server farm IP to appear in the CGI Environment.


Let me know if I can help you further.

Regards,

Paul Trebilco.

My response with his comments interspersed:
Hello,


"Christopher Burns" <[email protected]> wrote:

--Start Snip--

> Hi Paul,
>
> Not sure I follow. If I go through Anonymizer.com or use any of the
> existing softwares out there to hide my IP, it seems the spoofing my IP to
> 10.x.x.x would be the way to go, wouldn't it?

Except that 10.x.x.x is a non-routing IP, the replies would never ever ever get
back out past our router. 10.1.1.6 is the internal access address of our server
farm. If you see that address in the logs then it means your application has
connected to itself, i.e. an fopen command was initiated to the resident website.
There are any number of reasons why this may occur. Most likely if your app uses
templates then it may fopen to itself. It's not ideal but I do see some forum
software using the method.

>
> When you say it is more likely a bug in the app where an http connection is
> being initiated to itself, can you give me an example of that situation? I
> cannot think of anywhere on our site (as I understand what you are saying)
> that this could be the case... but, alas, I am admittedly ignorant here.
>

Did you not submit a support request not so long ago RE a PHP fopen function?
Perfect example right there.

> The offending IP seems to isolate to one specific area of our site, the
> Library. Is there any sort of server logs you guys keep that would show
> someone with the IP 10.1.1.6 accessing our site and what they are doing?

Give me specific dates. But like we keep telling you, that ip is a legitimate
ip of our webfarm. Quite a few customer forums see that ip in request logs.
It does not reverse resolve to any host name because it is a private address.
Our private address.

>
> Thanks,
>
> Chris

My response:
Hi Paul,

Ok... so you are saying that if someone attaches to our site with the IP 10.1.1.6 they won't be able to view anything?? This person is obviously navigating to a specific place on our site. Now, granted I have not caught him at any time other than being in the Library, so I do not know if there actually was a trail that he followed. IF he just appeared in there, then I can definitely see what you are saying.

The fopen issue was being used to test valid URLs for our links gallery, and they would not be accessing our own site.

The latest hit we got was on 4/21/03 at 8:48pm (Pacific Standard Time). Also on 04/18/03 10:55pm (Central Standard Time). Then again at 04/18/03 08:58pm (S. Australia Time). Our first notice was on 03/31/03 07:25pm (Pacific Standard Time).

Hope those help! It sounds like we may be over-reacting to some coincidental stimulus, and your inherent operations... is that true?

Cheers,

Chris

His response:
Hello,

Here is a log entry for 1 particular occurrence I found in the server logs.

10.1.1.6 sr - [22/Apr/2003:22:58:18 +1000] www.syngnathid.org 80 "GET /ubbthreads/articlesLibrary.php HTTP/1.0" 200 6812 "-" "PHP/4.2.3" "-" syngnathids

The Ip address and the User agent (PHP/4.2.3) definitely point to a php fopen
command originating on the webfarm.

A quick search of your home directory reveals this:

index.php: include "http://www.syngnathid.org/ubbthreads/articlesLibrary.php";
index.php: include "http://www.syngnathid.org/ubbthreads/articlesLibrary.php";
templates/default/ubbt_registerednav.tmpl:<a href = "$phpurl/articlesLibrary.php" $target>{$ubbt_lang['LIBRARY']}</a>

I'm pretty sure the include statements in your index.php page are invoking the
php fopen subclasses.

Let me know if I can help you further.

Regards,

Paul Trebilco.

My response:
Hi Paul,

So would that not say that if I were to go login as myself, and then view articles in the library, we should see the 10.1.1.6 IP address pop up in our Who's Online and your logs?

It seems that for the most part this IP is in there with other more natural IPs, but I do seem to recall seeing it in the Library all alone on more than one occasion...

Let me know, and maybe we can try to test this.

Cheers,

Chris

Their latest comment (this one sounds fishy to me):

As Paul mentioned, the presence of that IP can only be originating from an internal call within your script because 10.X IP ranges are only routable to our internal network and not to the outside. You do not need to worry about it.

Regards,

Martial Herbaut.

I know you can go through an anonymizing portal that will wipe your real IP and give you a bogus one, along the lines of 10.x.x.x. So for them to say that the user with that IP is being generated by internal systems doesn't sound kosher to me.

On top of that, if I go in to the Library and poke around, I can watch the Online table and see that no user with IP 10.1.1.6 EVER shows up...

So, I guess I am looking for the truth of the matter here... can anyone edify me? Please?!?!!?


"Some dream of doing great things, while others stay awake and get on with it."
      -- Anonymous
Joined: Dec 2000
Posts: 1,471
Addict
I agree with Paul.
It seems like your articlesLibrary.php script inserts the values in your w3t_online so that they show up.
I think it uses the user information from the index.php file. The IP is 10.x.x.x because of the fopen, like Paul said.
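An added example (mine, not the host's tooling or UBB.threads code) that does what Paul's log check and grep do: it parses log lines in the layout quoted above, treats a request from an RFC 1918 source with a PHP/ user agent as the site fetching its own URL rather than a visitor, and scans PHP source for include/require statements whose target is a URL. The first log line is the entry quoted above; the second log line and the PHP excerpt are constructed.

```python
import ipaddress
import re
from collections import namedtuple

# Log line layout as quoted in the host's reply:
#   ip ident user [time] vhost port "request" status bytes "referer" "agent" ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] (?P<vhost>\S+) \d+ '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
Hit = namedtuple("Hit", "ip time request status referer agent")

# The private ranges navaho mentions (RFC 1918), checked explicitly rather than via
# ipaddress.is_private, which also flags documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Statements that fetch a URL instead of a local file, e.g. include "http://..."
URL_INCLUDE_RE = re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"]https?://", re.IGNORECASE)


def parse_line(line):
    """Turn one log line into a Hit, or None if it does not fit the layout."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Hit(m["ip"], m["time"], m["request"], int(m["status"]), m["referer"], m["agent"])


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def classify(hit):
    """'self-fetch': the site's own script pulled one of its URLs; 'visitor': a normal client."""
    if is_rfc1918(hit.ip) and hit.agent.startswith("PHP/"):
        return "self-fetch"
    if is_rfc1918(hit.ip):
        return "internal-network"  # private source but a browser agent: LAN user or proxy
    return "visitor"


def summarize(log_text):
    """Count hits per class; a 'self-fetch' entry points at an include/fopen of our own URL."""
    counts = {}
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit:
            label = classify(hit)
            counts[label] = counts.get(label, 0) + 1
    return counts


def find_url_includes(php_source):
    """Line numbers of include/require statements whose target is a URL."""
    return [n for n, line in enumerate(php_source.splitlines(), 1) if URL_INCLUDE_RE.search(line)]


# First line is the entry quoted in the thread; the second is a constructed normal visitor.
SAMPLE_LOG = """\
10.1.1.6 sr - [22/Apr/2003:22:58:18 +1000] www.syngnathid.org 80 "GET /ubbthreads/articlesLibrary.php HTTP/1.0" 200 6812 "-" "PHP/4.2.3" "-" syngnathids
203.0.113.7 - - [22/Apr/2003:22:58:19 +1000] www.syngnathid.org 80 "GET /ubbthreads/articlesLibrary.php HTTP/1.1" 200 6812 "http://www.syngnathid.org/ubbthreads/" "Mozilla/5.0 (constructed)" "-" syngnathids
"""
# Constructed index.php excerpt: the first include is the pattern the host's grep found.
SAMPLE_PHP = """<?php
include "http://www.syngnathid.org/ubbthreads/articlesLibrary.php";
include "ubbthreads/articlesLibrary.php";
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))          # {'self-fetch': 1, 'visitor': 1}
    print(find_url_includes(SAMPLE_PHP))  # [2]
```

The second include in the excerpt is the local-file form; switching the URL include to it is what stops the server requesting itself, and the self-fetch count in the log should drop to zero afterwards.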

Joined: Jan 2003
Posts: 250
Member
Looks like you are both correct, Astaran... I just did some experimentation and found the cause. Here is the weird thing... if I try to enter the Library from the normal menu links at the top of the screen, I get in no problem. If I try to enter via the IIP Pals Menu links, I get the 10.1.1.6 address and a ban check.

I need to look into why this is... any input greatly appreciated!


"Some dream of doing great things, while others stay awake and get on with it."
      -- Anonymous
Joined: Dec 2000
Posts: 1,471
Addict
Are you still using the fopen function to include the site?
If you use an include statement, it should work correctly.
I can't say for sure, because I don't know your scripts.

Joined: Jan 2003
Posts: 250
Member
The ONLY place fopen is used is in Mark's Links code and that is just used to check the validity/accessibility of a link.

I am using includes in the Library code... The weird thing is from the Pals menu I am just calling articlesLibrary.php, which is exactly what I am calling from the primary threads menu. I get the failure and generation of 10.1.1.6 from the Pals menu, but not the threads menu...


"Some dream of doing great things, while others stay awake and get on with it."
      -- Anonymous
