Preventing hotlinking using htaccess is well documented. However, I want to prevent hotlinking for multiple domains without adding a rule per domain.
My idea is to match the referrer with the hostname, this seems like a good solution to me.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?%{HTTP_HOST}/.*$ [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
</IfModule>
Is this is a proper and safe solution to prevent hotlinking?
This won't work when the request comes with www. but the referrer doesn't. That's because your rule would effectively try to match the following which wouldn't work.
RewriteCond http://domain.com/index.php !^http://(www\.)?www\.domain\.com/.*$
The correct way is to use the following:
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} ^https?://(www\.)?([^/]+)/.*$ [NC]
RewriteCond %2#%{HTTP_HOST} !^(.+)#(www\.)?\1$ [NC]
RewriteRule \.(bmp|gif|jpe?g|png|swf)$ - [F,L,NC]
This takes care of SSL (https:) as well. Take a look here to see how it works.
Related
I am looking for a way to create a short URL path for a longer URL on my page
the long url is: domain.com/tagcloud/user.html?t=1234ABCD
i would like to offer a short version of the URL to easy access it:
domain.com/t/1234ABCD
I tried a few examples but I just don't get it how I could forward these rules.
RewriteRule ^(.*)/t/$ /tagcloud/user.html?t=$1 [L]
I am also using MODX so they already use rules.
in addition my htaccess file
RewriteEngine On
RewriteBase /
# Always use www
RewriteCond %{HTTP_HOST} .
RewriteCond %{HTTP_HOST} !^www\.domain\.com [NC]
RewriteRule (.*) http://www.domain.com/$1 [R=301,L]
# The Friendly URLs part
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
I must keep the code snippets above in my htaccess file. The first one simply forwards http://domain.com requests to www.domain.com
The friendly URLs part is needed to translate the internal IDs of my CMS with the alias of the URL. This feature must remain because the entire site cannot be influencted by the changes I try to make in htaccess...
I simply would like to add a listener that only if the URL matches www.domain.com/t/abcd1234
Therefore I need something that identifies the www.domain.com/t/ URL
your help is much appreciated
Try this:
RewriteCond %{REQUEST_URI} ^/t/.*
RewriteRule ^t/(.*)$ /tagcloud/user.html?t=$1 [R=301,L]
We're currently using folders inside webroot to store images and videos which we're loading in views (using the usual html image helper) that require log in.
How can I prevent outside visitors from just doing a site.com/img/photos/1.jpg url and having access to the images?
From what I understand I can't really use media views to render an image inside a proper view, and I can't figure out if there's a solution through htaccess manipulation.
Which is the best practise for this?
Perhaps choosing to go with a non-webroot folder would be best (although that would make it harder in the file-storing part)?
As poncha suggested, I tried editing the main .htaccess file into this
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_REFERER} !localhost
RewriteCond %{REQUEST_URI} ^app/webroot/img/
RewriteRule .* / [L,F]
RewriteRule ^$ app/webroot/ [L]
RewriteRule (.*) app/webroot/$1 [L]
</IfModule>
But the rewrite base line seems to be forbidding access to the whole site, and without it there seems to be no change in img access.
Edit 2:
Editing the htaccess inside webroot:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ index.php [QSA,L]
# this RewriteCond is needed to avoid rewrite loops
RewriteCond %{REQUEST_URI} !^/app/webroot/
RewriteRule (.*) app/webroot/$1 [L,R]
RewriteCond %{HTTP_REFERER} !127.0.0.1
RewriteCond %{REQUEST_URI} ^/app/webroot/img/
RewriteRule .* - [L,F]
</IfModule>
This checks if Referer http header is set to something containing your domain, and denies access to img/ folder if not.
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} !site.com
RewriteCond %{REQUEST_URI} ^img/
RewriteRule .* / [L,F]
Note: it is easy enough to "break" this protection if someone wants to steal your content, however, it does prevent hotlinking without the need to produce some sort of script that would pass thorugh all the images/videos to check if access should be granted.
EDIT:
In case your website is not in /, You have two options:
Change RewriteBase to reflect the base uri of the site (eg RewriteBase /app/webroot/)
Change RewriteCond to reflect the path from / (eg RewriteCond ^app/webroot/img/)
The second option is preferred in your case because you have other rules there
EDIT2:
In your case, the whole set should look like this:
RewriteEngine on
RewriteBase /
# this RewriteCond is needed to avoid rewrite loops
RewriteCond %{REQUEST_URI} !^/app/webroot/
RewriteRule (.*) app/webroot/$1 [L,R]
RewriteCond %{HTTP_REFERER} !localhost
RewriteCond %{REQUEST_URI} ^/app/webroot/img/
RewriteRule .* - [L,F]
Based on what I read on Apache I used the following example they provided to do a 301 Redirect on all my web sites.
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTP_HOST} !^$
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [L,R=301]
This is not quite working as they said it would. If I try www.domain.com it works. If I try domain.com I get www.domain.com//home/www/public_html/www.domain.com
Looks like it wants to include the DOCUMENT_ROOT in the redirect. Am I better off to create an individual .htaccess for each web site?
What is faster to run - Apache or HTACCESS?
Try this instead. Make sure you include the RewriteBase /
RewriteEngine on
RewriteBase /
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTP_HOST} !^$
RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
If you still get the old result, your previous 301 redirect is probably cached, retest in Private (Incognito) Browsing Mode.
Using Apaches httpd.conf is faster since accessing the .htaccess file adds a small overhead—Apache checks every directory—and parent directory—for the file and it will be loaded for every request.
Using the httpd.conf is better when you have access to it. Use .htaccess if you don't have access to the main configuration file.
In ExpressionEngine, what’s the best way to mod_rewrite a directory to a subdomain, while keeping index.php out of the picture?
For example:
http://www.domain.com/index.php/group/template -> group.domain.com/template
I’ve seen variations that take ANY group and rewrite them to subdomains, but I only need one.
I’ve been tasked with porting over a subsite from a different server (that was also running EE). Normally, I’d just redirect group.domain.com to domain.com/group (index.php removal was already working), but that’s been deemed an unacceptable solution. And of course, this is time-sensitive.
I’ve been diving into Google and the EE docs/wiki for going on twelve hours and I’m starting to go cross-eyed. Can anyone give me a hand?
Thanks in advance.
Here's how I would craft your .htaccess file:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/(group|group/.*)$
RewriteRule ^(.*)$ http://group.domain.com/template/$1 [L]
RewriteCond %{REQUEST_METHOD} !=POST
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php/$1 [L]
</IfModule>
This example uses the "File and Directory Check" Method of removing index.php from the URL and uses a RewriteCond Directive to instruct Apache to handle the requests for the "group" directory and all its sub-directories differently.
Any links to domain.com/group/template will be redirected to group.domain.com/template/.
If you care about letting crawlers know your content has moved and want to make the transition as seamless as possible, you can add a 301 Redirect to your RewriteRule:
RewriteCond %{REQUEST_URI} ^/(group|group/.*)$
RewriteRule ^(.*)$ http://group.domain.com/template/$1 [R=301,L]
This will ensure that users and search engines are directed to the correct page.
I am looking for a way to rewrite non-www-domains to www-domains, while at the same time not redirecting direct IP-requests.
I have multiple sites on the same server - that is: a default (virtual)host and one VirtualHost with a ServerName and multiple ServerAlias'es, which work perfectly. I prefer the domainnames to start with "www". So I have hacked the following code together, which works great:
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ http://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
It doesn't handle https, but the biggest problem is that requests to the server-IP are also rewritten from eg. "123.45.67.8" to "www.123.45.67.8". I could add the line below to solve that:
RewriteCond %{HTTP_HOST} !^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$
... but it is it effective? And what about IPv6?
Being no mod_rewrite-wiz, I have been trying to figure out how other people have solved this problem, but with no luck.
That's because your condition is only checking if it starts with www, try this instead (I left the optional https code):
RewriteCond %{HTTP_HOST} ^(yourdomain|thisdomain|thatdomain)\.com
#RewriteCond %{HTTPS} =on
#RewriteRule .* https://www.%{SERVER_NAME}%{REQUEST_URI} [R,L]
RewriteRule .* http://www.%{SERVER_NAME}%{REQUEST_URI} [R,L]