Preventing hotlinking and .htaccess

In "Hotlink Protection not working with .htaccess", the problem of preventing hotlinking by means of .htaccess directives was discussed, but the answers there do not provide a solution for my problem.

This is my problem:

In https://janis-joplin.servidor-alicante.com/ I have the following .htaccess:

DirectoryIndex index.php index.html index.htm
Options -Indexes

RewriteEngine On

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://janis-joplin.servidor-alicante.com [NC]
RewriteCond %{HTTP_REFERER} !^https://janis-joplin.servidor-alicante.com [NC]
RewriteCond %{HTTP_REFERER} !^https://(www\.)?google.com [NC]
RewriteCond %{HTTP_REFERER} !^https://(www\.)?facebook.com [NC]
RewriteCond %{HTTP_REFERER} !^https://(www\.)?twitter.com [NC]
RewriteRule \.(gif|jpg|jpeg|bmp|zip|rar|mp3|flv|swf|xml|php|png|css|pdf)$ https://janis-joplin.servidor-alicante.com/_res/janis.jpg [NC,R,L]

RewriteRule ^ads.txt$ ads_tm.php [L]

RewriteRule ^janis-joplin/(.*) /$1 [L]

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^(.+) - [PT,L]
RewriteRule ^(.+) index.php?url=$1

In https://jimi-hendrix.servidor-alicante.com/_dev/test.htm I have:

<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>test</title>
</head>

<body>
<img src="http://janis-joplin.servidor-alicante.com/_photos/wolman.gif">
<img src="https://janis-joplin.servidor-alicante.com/_photos/wolman.gif">
</body>
</html>

But in the jimi-hendrix subdomain I can see the images in the janis-joplin subdomain.

What am I doing wrong? TIA

Upvotes: 0

Views: 114

Answers (1)

MrWhite

Reputation: 45829

You need to check the network traffic - HTTP request headers (which you can do in the browser dev tools)... is the Referer header being sent in the request for those images? What is the Referer header set to?

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://janis-joplin.servidor-alicante.com [NC]
RewriteCond %{HTTP_REFERER} !^https://janis-joplin.servidor-alicante.com [NC]

The Referer header will not be sent (by default) in the first image request, since you are making an HTTP (insecure) request from an HTTPS (secure) page. Default browser behaviour suppresses the Referer header in this instance. You explicitly allow an empty Referer header (first condition above) in your "hotlinking" rule block so you would expect the first image to be displayed. (Realistically, you do need to allow an empty Referer header.)

It's not clear why the second image is displayed (assuming your .htaccess directives are being processed) without looking at the HTTP request headers (and knowing what HTTP Referrer-Policy is set on the referring page).

Upvotes: 1
