htaccess prevent hotlink also prevents external links

Question

I've got this code in my .htaccess file to prevent hotlink of images and pdf files but it is also preventing normal external links to work. My htaccess file:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mywebsite.com/.*$ [NC]
RewriteRule .*\.(gif|jpg|pdf|png)$ http://www.mywebsite.com/images/notallowed.jpe [NC,R,L]

Problem is that a legitime external link to say a pdf file will cause the replacement image to appear instead of the pdf file. ¿Is this normal or what am I doing wrong/missing? Thanks in advance.

Answer 1

Use SetEnvIf instead:

SetEnvIf Referer ^http remote

<FilesMatch "\.(png|gif|jpg|pdf)">
  order deny,allow
  deny from env=remote
  allow from all
</FilesMatch>

Answer 2

I'd give this a try...

RewriteCond %{HTTP_REFERER} ^$ [OR]
RewriteCond %{HTTP_REFERER} !^https?://(?:www\.)?mywebsite\.com(?:$|/) [NC] [OR]
# Repeat the next line as needed for each allowed site
RewriteCond %{HTTP_REFERER} !^https?://(?:www\.)?allowedsite1\.com(?:$|/) [NC] [OR]
RewriteCond %{HTTP_REFERER} !^https?://(?:www\.)?allowedsite2\.com(?:$|/) [NC]
RewriteRule ^(.*)\.(gif|jpg|pdf|png) http://www.mywebsite.com/images/notallowed.jpe [NC,R,L]

Might be kind of inconvenient to manually add each allowed site, but it should give you some control... Other possible drawback would be that the people visiting a raw image, for example, would have to do so via an existing link found within the site.

Example: typing http://www.mywebsite.com/logo.png into your browser and trying to directly view the file logo.png wouldn't work, but you shouldn't have a problem viewing the same file if you click on <a href="http://www.mywebsite.com/logo.png"><img src="http://www.mywebsite.com/logo.png" /></a>.

Hope that helps someone...