I'm having a bit of trouble getting my .htaccess setup to stop hotlinking using mod_rewrite. I've followed a few threads on here, and even used some code generators on the 'net, but cannot seem to get it working.

I need to block hotlinking of the following file types: gif, jpg, mov, mpg, mpeg, wmv

The code I'm trying to use is:


RewriteEngine on
RewriteBase /
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://domain.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.domain.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://xx.xx.xx.xx/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https://domain.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https://www.domain.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https://xx.xx.xx.xx/.*$ [NC] RewriteRule .*\.(gif|GIF|jpg|JPG|mov|MOV|mpg|MPG|mpeg|MPEG|wmv|WMV)$ - [F,L]



When I load my main page after implementing this code I get:


Forbidden
You don't have permission to access / on this server.



Anyone got any ideas why this is happening? I'm a somewhat beginner at this stuff. Never really used mod_rewrite before. I've tried a few different variations of the above code, all with the same results.

I confirmed that mod_rewrite is a loaded module (it was listed in a phpinfo). OS is RH 7.1

What other directives are on the entire .htaccess file? What are the permissions on the .htaccess file?

Did you try removing the L in "[F,L]"?

-rwxr-x--- 1 admin1 admin1 555 May 12 09:59 .htaccess


Should it be chown'd root, or by the user? I've chmod'd it to 750, although I didn't think that was neccessary.

There are no other directives in that .htaccess file.

Originally posted by Zutroy
-rwxr-x--- 1 admin1 admin1 555 May 12 09:59 .htaccess


Should it be chown'd root, or by the user? I've chmod'd it to 750, although I didn't think that was neccessary.

There are no other directives in that .htaccess file.

Owned by the user and set to 644. Apache currently doesn't have permission to read that file.

chown is on the user.
chmod'd to 644

Gives the error:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.

Originally posted by Zutroy
chown is on the user.
chmod'd to 644

Gives the error:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.

Well, you're a step closer to getting this solved now. The server error is due to incorrect syntax i nthe directives, or your user doesn't have permission to use and specify mod_rewrite directives in your .htaccess file. Try to remove the L from [F,L] and also remove (or comment out) the RewriteBase directive. You can put them back, after you rule those out as being the cause. In fact, the RewriteBase looks okay itself, but I've never used that directive myself before, so I don't know if there needs to be anything else. However, I'm not sure that you want the L in the failure/forbiddin error for the last rewrite rule. If those changes don't work, then you probably don't have access to use mod_rewrite or even to be able to specify your own directives/rules in an .htaccess file (and you'll need to allow your user that access). However, rule out the other directive/syntax aspects first.

Well I'm back on the "Forbidden" error after making those syntax changes you suggested. Actually, I think I may have just screwed it up originally with changes I was making, and the Internal Server Error was never an actual issue.

Forbidden
You don't have permission to access / on this server.


This is a dedicated box, and I'm logged on as root. How can I find out if I (or this user...which is me) have access to mod_rewrite?

Originally posted by Zutroy
Well I'm back on the "Forbidden" error after making those syntax changes you suggested. Actually, I think I may have just screwed it up originally with changes I was making, and the Internal Server Error was never an actual issue.

Forbidden
You don't have permission to access / on this server.


This is a dedicated box, and I'm logged on as root. How can I find out if I (or this user...which is me) have access to mod_rewrite?

You were closer to solving the problem when you get the server errors. The forbidden error issue should have been resolved when you set the permissions to the correct setting (644). Did you change that back? My suggestion of the changes, shouldn't have resulted in a forbidden error.

Put this in, just to see if this will work without error (this should not error):


RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://domain.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.domain.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://xx.xx.xx.xx/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https://domain.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https://www.domain.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https://xx.xx.xx.xx/.*$ [NC]
RewriteRule .*\.(gif|jpg|mov|mpg|mpeg|wmv)$ - [NC,F]



In fact, that should provide you with the original solution anyway, and this might be the directives you want. Nonetheless, it shouldn't error. Also, be sure the file is owned by the user, not root and is set at the permissions of 644. If that doesn't work, check the web server's configuration file. It can be anywhere, but is usually located at /etc/httpd/conf/httpd.conf or /usr/local/apache/conf/httpd.conf That is the file you need to check, but only the server administrator can make the changes to allow your user permission to use the .htaccess file and in what manner.

One way you can check if you have _any_ permission, is to try and just set (only) some ErrorDocument directives. If that forbids permission or errors, you'll know you don't have the web server set up to allow you to use the .htaccess control file and you're server administrator will need to make the appropriate changes -- not to allow you to set your own mme-types, handlers and whatnot, but to at least be able to do authentication, limits, and error documents -- as well as rewrite rules (without opening up full permission for user's to do crazy stuff).

Copied the code you provided, inserted my domain names and IP where required.

chown admin1:admin1 .htaccess
chmod 644 .htaccess

Same forbidden error.


Checked in httpd.conf .. there were 2 lines:

LoadModule rewrite_module modules/mod_rewrite.so

AddModule mod_rewrite.c


So it's loading in httpd.


Did the ErrorDocument test as you suggested. I added the line:


ErrorDocument 403 /index.php


This worked. It displayed the correct webpage.


So I'm really stumped. Apache is processing the .htaccess file, but not the Rewrite stuff. D'oh!

Originally posted by Zutroy
Copied the code you provided, inserted my domain names and IP where required.

chown admin1:admin1 .htaccess
chmod 644 .htaccess

Same forbidden error.


Checked in httpd.conf .. there were 2 lines:

LoadModule rewrite_module modules/mod_rewrite.so

AddModule mod_rewrite.c


So it's loading in httpd.


Did the ErrorDocument test as you suggested. I added the line:


ErrorDocument 403 /index.php


This worked. It displayed the correct webpage.


So I'm really stumped. Apache is processing the .htaccess file, but not the Rewrite stuff. D'oh!

Well, it would seem then, that the server administrator needs to allow more open permission on the control file then. Check your httpd.conf file to see what the current configuration has specified for the .htaccess control file, as well as the <Directory ...> directives, such as Options and AllowOverride and what they might have specified.

Just so you know, I'm the the admin of the box ... just a personal dedicated server for my website. :D


Checked the httpd.conf ... I believe this is the section you mentioned:


# This should be changed to whatever you set DocumentRoot to.
#
<Directory /var/www/html>

#
# This may also be "None", "All", or any combination of "Indexes",
# "Includes", "FollowSymLinks", "ExecCGI", or "MultiViews".
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
Options FollowSymLinks Includes

#
# This controls which options the .htaccess files in directories can
# override. Can also be "All", or any combination of "Options", "FileInfo",
# "AuthConfig", and "Limit"
#
AllowOverride All

#
# Controls who can get stuff from this server.
#
Order allow,deny
Allow from all
</Directory>

Try copy/paste all the domains again but for the second copy remove the "/" at the end of the domains...

I had this problem before and this is how I fixed it, hope this helps you.

I've tried what you suggested smacx ... same Forbidden error. *sigh*

Originally posted by smacx
Try copy/paste all the domains again but for the second copy remove the "/" at the end of the domains...

I had this problem before and this is how I fixed it, hope this helps you.

That shouldn't make on bit of difference, not for an error like this. Even without an error, I'm not sure how that change would fix anything for your previous situation? That's an odd one. What problems did you have which that fixed?

Originally posted by Tim_Greer


That shouldn't make on bit of difference, not for an error like this. Even without an error, I'm not sure how that change would fix anything for your previous situation? That's an odd one. What problems did you have which that fixed?

It fixes the problem when the person browsing requests http://www.domain.com the system he had was only setup to allow http://www.domain.com/

While most browsers these days add the trailing slash to the end of the query, some dont...I found that I couldn't access my site unless I added the domains without the slash...

Sorry this didn't work for you.

Thanks for updating the thread. Hmm, I've never seen that problem before, but I'll look into it if I get time.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://domain.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.domain.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://xx.xx.xx.xx/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https://domain.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https://www.domain.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https://xx.xx.xx.xx/.*$ [NC]
RewriteRule .*\.(gif|jpg|mov|mpg|mpeg|wmv)$ - [NC,F]

The problem is in the last line, change it to:

RewriteRule .*\.(gif|jpg|mov|mpg|mpeg|wmv)$ [F]

CHMOD 644 is correct (should be the automatic setting actually) and the .htaccess file should be uploaded in ASCII.

See what happens now.

Thank you for your help WR. I have a friend who was really upset about people linking to his files from other sites, and I have put this .htaccess on his site (modified for zip files). But I was wondering, is there a way to circumvent this type of 'protection' from people raping files? And if so, I guess at least this keeps the more apathetic people away. Again, many thanks for helping out here!

Originally posted by Website Rob
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://domain.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.domain.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://xx.xx.xx.xx/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https://domain.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https://www.domain.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https://xx.xx.xx.xx/.*$ [NC]
RewriteRule .*\.(gif|jpg|mov|mpg|mpeg|wmv)$ - [NC,F]

The problem is in the last line, change it to:

RewriteRule .*\.(gif|jpg|mov|mpg|mpeg|wmv)$ [F]

CHMOD 644 is correct (should be the automatic setting actually) and the .htaccess file should be uploaded in ASCII.

See what happens now.

Well Website Rob, I tried what you suggested, and I'm still getting the "Forbidden" error.

Just so it's clear, I am editing these files directly on the server with vi, so they are in ASCII format.

I'm starting to think it's some weird misconfiguration on the server. It is running Ensim (ugh) if that makes any difference.

Originally posted by Website Rob
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://domain.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.domain.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://xx.xx.xx.xx/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https://domain.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https://www.domain.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https://xx.xx.xx.xx/.*$ [NC]
RewriteRule .*\.(gif|jpg|mov|mpg|mpeg|wmv)$ - [NC,F]

The problem is in the last line, change it to:

RewriteRule .*\.(gif|jpg|mov|mpg|mpeg|wmv)$ [F]

CHMOD 644 is correct (should be the automatic setting actually) and the .htaccess file should be uploaded in ASCII.

See what happens now.


Weird, [NC,F] always worked for me??? Did you try that and have it error? Nonetheless, it should not give a "forbidden" error, but an Internal Server error, if it's wrong. This person's admin needs to make the proper changes to give them access, unless I'm mising something (this is possible).

Tim, I *am* the admin on the server (just a personal dedicated server @ RS). From everything I can see, I *do* have access to be doing this. Unless Ensim is messing it up, I'm pretty much out of ideas.

Sorry for missing that statement of yours saying you are the admin. Well, other than perhaps posting (or attaching) the relevant (or entire) httpd.cond and *maybe* the access.conf, if it's used, it's difficult to tell where the problem lies in you not being able to use this feature in your .htaccess file. Finally, if you can't figure that part out (it shouldn't be difficult, if you can post it, but it's difficult to tell there's nothing else to it -- I don't see why there would be), then you can always just put the directives in the actual virtual host block.

I would have to agree with Tim that an "Internal Server Error" is what should be showing, if there is a problem. Getting a "Forbidden" makes me wonder if you have your .htaccess file in your Root Directory -- same place as the Home Page for the site.

Two options left that I can think of

1. remove everything but "gif & jpg". I tried using the same method and included "zip" files, but got the "Internal Server Error" msg. Soon as I went back to just images "gif|jpg|png" the problem cleared up.

2. I use a redirect: RewriteRule .*\.(gif|jpg)$ http://www.domain.com/somefile.txt [R]

Now I get an Error shown in my log files which shows the IP of whoever is trying to use an image, and not from my site. Makes it easy to track them down. :D


BTW, does anyone know what "L" stands for?

I know that [NC] is NoCase, [F] is Fail, [R] is Redirect, any others to be aware of besides [L]?

The file extension shouldn't make it error or have any bearing on that, whatsoever. This is quite odd to have happen! You must have made a typo or had some oversight to have it error and work only if you used it for jpg and gif files.

My thoughts are also, that he might be getting the forbidden error, because it's actually wanting to output the 500 (server error) message, but it's probably configured to display a 500 error page (which is what happens to be forbidden). Zutroy, next time you try this and get the forbidden error, please check your site's (or web server) error logs. I am thinking that it's trying to display or redirect to a 500 error page and it's forbidden because that page has low permission settings, or perhaps because the 500 error directive isn't correct. This will rule that out (or not) and we can know if it's indeed the web server's configuration (or not). (Unless you can indeed successfully make the .htaccess file display a 500 Internal server error message, in which case this theory is proven to be wrong and it is yout web server's settings).

Wait a second, I noticed your above example, you said to use:

"RewriteRule .*\.(gif|jpg|mov|mpg|mpeg|wmv)$ [F]"

You forgot the - ??

Anyway, I still wonder why the "- [NC,F]" failed to work for you? What version of Apache and mod_rewrite are you using? I doubt it's the versions, and I don't understand why that would result in an error??? It works fine for me.

Tim ... I tried with the "-" in there, same error.

- Forbidden is actually 403, not 500 (I think this because I setup an ErrorDocument to re-direct 403, and it was doing it in this case).

- I am testing from a sub-folder called /test

- Nothing in /var/log/httpd/error_log that is timestamped anywhere near when I'm doing my testing (last entry was 4 hours ago).

- not using access.conf and I did post a section of my httpd.conf that I felt was relevant.


Website Rob -

- initial testing was without anything but jpg/gif ... I seriously doubt that having more file types in there is causing the problem.

- tried swapping in your Redirect code ... still get the Forbidden error.

No, I didn't forget the dash. Everytime I used it I got a 500 error. Take it out (and make sure there is only one space between $ [F]) and there is no problem.

Tim, did you catch my part about what does 'L' stand for? Would'va thought that be an easy one for you. ;)

Originally posted by Zutroy
Tim ... I tried with the "-" in there, same error.


That's weird!


- Forbidden is actually 403, not 500 (I think this because I setup an ErrorDocument to re-direct 403, and it was doing it in this case).


I know what it is, I was saying that if you had your ErrorDocument set to display a 500 error page and that 500 error page doesn't have the right permissions, when you gets a 500 error, you will actually end up getting a 403 because the 500 error doesn't have permission to be displayed. I.e., masking the problem at hand.



- I am testing from a sub-folder called /test

- Nothing in /var/log/httpd/error_log that is timestamped anywhere near when I'm doing my testing (last entry was 4 hours ago).


You don't get a 500 or 403 error logged, even when your seeing that when you are testing these changes?


- not using access.conf and I did post a section of my httpd.conf that I felt was relevant.


Okay, sorry if I wasn't clear and that wasn't the part of it that was relevant and it would have just been easier to tell by seeing the relevant parts, as well as ensuring that there was nothing else off. Good luck.

Originally posted by Website Rob
No, I didn't forget the dash. Everytime I used it I got a 500 error. Take it out (and make sure there is only one space between $ [F]) and there is no problem.

Tim, did you catch my part about what does 'L' stand for? Would'va thought that be an easy one for you. ;)

I'm a little thrown off of why that gave you an error. Hmmm... Maybe my version of the rewrite module is broken and that's why it's (the [NC,F]) is working for me. Nonetheless, it's hard to imagine why the other file extensions would result in an error as well for you. Perhaps there's an issue with your version? Oh, I'm just reaching now. :-)

The [L], I really don't know for sure, I've not used it. I think it's to do stuff like:

RewriteEngine On
RewriteRule ^/path/ - [ L ]
RewriteRule ^/(.*) \
http://otherhost/VirtualHostRoot/$1 [ P ]

or like:

RewriteEngine On
RewriteCond %{HTTP_HOST} ^(www\.)?yourdomain$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/?subdomains/ [NC]
RewriteRule ^. - [L]
RewriteCond %{HTTP_HOST} ^(www\.)?[^.]+\.yourdomain$ [NC]
RewriteCond %{REQUEST_URI} !^(www\.)?[^.]+\.yourdomain$ [NC]
RewriteRule ^(.+) %{HTTP_HOST}/$1 [NC]
RewriteRule ^(www\.)?([^.]+)\.yourdomain/(.*) /subdomains/$2/$3 [L]

Where it works by saving the value to be used later? (just guessing, but I think that's correct?)

Tim

Ok, thanks for that. But I see you've thrown a [P] into the equation which I'm not familiar with? :eek:


Zutroy

We all know that when troubleshooting, one must look at the problem from 2 or 3 different angles and whenever possible, start with the simplest and work from there.

As you are getting a "403 Forbidden" msg. which should not be showing, I would suggest you have a look at your .htaccess file with another program (an FTP program) and confim the .htaccess is set at 0644. Confirming it two ways, through Vi & an FTP program eliminates a problem there. Next I would remove everything from the .htaccess except the Rewrite code and I would only use 3 addresses; site IP, with "WWW", and without.

This is just the method I would use as it takes it to its simplest form. If you still get a Forbidden 403 msg., then it would be safe to say the problem is somewhere within the Server setup files. The fact that nothing is showing up in the Error logs is also indicative of problems somewhere else.

Well, I've not used it, so it's not such an 'easy one' for me. :-)

Here's what I found:

http://www.apacheref.com/ref/mod_rewrite/RewriteRule.html

"Apache Reference: mod_rewrite, RewriteRule

RewriteRule

Rewrite Rule
Syntax: RewriteRule url-pattern url-new [[flag,...]]
Example: RewriteRule ^/foo/(.*)$ /bar/$1 [R,L]
Since: Apache 1.2

This directive is the real rewriting workhorse. It can occur more than once. Each directive then defines a single rewriting rule. The definition order of these rules is important, because it is used when applying the rules at runtime. The url-pattern is a regular expression that is applied to the current URL, where ``current'' means at the time when this rule is applied. The current URL may not be the original requested URL, because any number of rules could have already matched and altered it.

The url-new argument is the string that is substituted for the original URL matched by the url-pattern. Beside plain text, you can use back-references ($N) to the url-pattern, back- references (%N) to the last matched RewriteCond pattern, server variables such as RewriteCond test strings (%{NAME}), and mapping function calls (${map-name:look==up-key|default-value}) for this argument.

In addition, you can set special flags for url-new by appending one or more flag arguments. The flag argument is actually a comma-separated list of the following flags: redirect (or R) to force an HTTP redirect; forbidden (or F) to forbid access; gone (or G) to eliminate the URL; proxy (or P) to pass the URL to mod_proxy; last (or L) to stop processing; next (or N) to start the next round of processing; chain (or C) to chain the current rule with the following one; type (or T) to force a particular MIME type; nosubreq (or NS) to ensure that the rule applies only if no internal sub-request is performed; nocase (or NC) to force the URL matching to be case-insensitive; qsappend (or QSA) to append a query string part in url-new to the existing one instead of replacing it; passthrough (or PT) to pass the rewritten URL through to other Apache modules; skip (or S) to skip the next rule; and env (or E) to set an environment variable. For more details, see the mod_rewrite online documentation."

Mod rewrite has so much cool stuff, I can't even remember 1/2 of it!

Oh, and in case anyone missed that, the [L], I was wrong about that. It seems that it's for "last", as mentioned in the text above, meaing it'll break out of the rules, once it finds that first condition to be met. Sort of like "last" or "break" in a language. Neat! :-)

Thanks a bunch Tim. I've amended my RewriteRules accordingly and even added the "zip" extension -- no problems. It was on my last Server that "zip" didn't work and does not appear to be a problem on the new Server I'm on. :D

Thanks for the update, I was beginning to really wonder what the problem was and why that wouldbn't work. Did you try to confirm that [NC,F] worked in place of [F]? I'm curious. I use NC, because I don't want to type (html?|HTML?), etc.

Just want to say that you guys are great for helping me with this. I'm still having no luck though.


Here is the current and full contents of my .htaccess file:


RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://zutroy.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.zutroy.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://64.246.32.129/.*$ [NC]
RewriteRule .*\.(gif|jpg|mov|mpg|mpeg|wmv)$ - [F]


It is located in a subfolder called test ... URL: http://www.zutroy.org/test

Confirmed that it is chmod'd to 644 via shell and FTP:

-rw-r--r-- 1 admin1 admin1 322 May 13 16:31 .htaccess


Still gives forbidden.


Attached is my httpd.conf file (renamed to httpd.txt so it'll let me attach it). I haven't made any modifications to it, except add in the mod_gzip module. Maybe one of you gurus can spot an error in it.

Sorry that I'm not very familiar with Ensim. Check your /etc/appliance*/apacheconf/apache file, and see if:

Changing:

<Directory /home/virtual>
Options +FollowSymLinks
</Directory>

To:

<Directory /home/virtual>
Options All
AllowOverride All
</Directory>

And, or chaning:

<Directory /var/www/html/>
Options Includes FollowSymLinks
DirectoryIndex index.shtml index.html index.php
</Directory>

To add the:
Options All
AllowOverride All

To that directive as well, will help. Sorry that I don't know the path your file is in either. I really know little about Ensim. Of course, restart Apache after the changes and let us know if that works.

Tim

I have found, and still find, the using [F] doesn't do squat. Only when using:

RewriteRule .*\.(gif|jpg|zip)$ http://www.domain/whatever [R]

do I get results. You'll notice I still don't use the dash, though.


Zutroy

Now this maybe a funny question, but if you remove the .htaccess file or code in question, is the "test" directory still accessable?

[Edit: just thought I'd point out that I had mentioned this .htaccess file should be in the "Root Dir" for the site, not in the "test" dir. The code being used is "site-wide" code and putting it the "test" dir. could be one of the reasons for the problem.]

Your welcome for the help, but this does seem to be a perplexing problem. After viewing your site I do understand why this is important to you. It's a nice site and can image all kinds of people doing hotlinking.

I have noticed, depending upon the browser and it's caching, that when testing the F option, it's difficult to tell. You can usually see though, that the error log will say the user is forbidden. Still, when testing, it's difficult to tell and it *seems* like it's not working. A redirect is a fine solution, and you're right, you don't use the - (hypen) there for that (the redirect).

I just wonder how it'll work when you have someone link a lot of images or files and it wants to redirect for each one, rather than fail. It will, however, still break the image, but it's still going to make a call to that page and transfer that amount of data for each file they are getting redirected for. Perhaps it would be an idea to have it redirect to an off site server. Maybe back to them/their server.

PS: If you use upper case in those file extensions, you can still use [NC,R]

PSS: I haven't messed with the rewrite module for a long time. I really should, as this reminds me of how cool it is.

How goes this problem/solution, Zutroy?

That was a good idea Tim mentioned, "Maybe back to them/their server." and I know I'm curious as to how that can be done. For my setup I use a transparent gif (43 bytes) so doesn't add up to much in Data Transfer. Noticed lately I see a lot of image refusals so I know others had been hotlinking and are now getting nothing.

About the caching I would agree. Probably the biggest pain in troubleshooting or setting up this process. Once the Browser has the image, you do need to remember to always clear the cache before running the next test. I've noticed sometimes I even had to restart Windows, in order to clear everything.

Hi, I'd just write a script, or function, or hack the Apache source to just throw it back at the referrer. If there isn't one, maybe add the IP to a blocked server list... Hmmm, I'm not sure, but it shouldn't be difficult, assuming that they have a referrer -- after all, if they don't, they won't be blocked with this method anyway. I still think a script is the best way to go, but what a waste of processing. Anyone interested in an Apache module for this, specifically for this? (Something more to the point and effective, and is a little more fail safe).

I've started a thread on that very Subject (http://www.webhostingtalk.com/showthread.php?threadid=50261), Tim, only I limit it to Virus attempts for MS Servers.


Adding more fuel to the fire :) I've just discovered another problem.

I currently (through WHM) have Domain2 Pointed to Domain1. In my .htaccess file for Domain1, I have added Domain2 as an "allowed" Domain for receiving images. Does not work any whichway I try???

Trying to protect media files are a pain and almost impossible. Windows media player streams them off your server anyways.

Originally posted by Zutroy
Just want to say that you guys are great for helping me with this. I'm still having no luck though.


Here is the current and full contents of my .htaccess file:

If you are running under Ensim, you will need to add the following to your .htaccess file:

Options +FollowSymlinks

This should fix you right up. More on this here (http://www.ensim.com/ubb/Forum1/HTML/000164.html)


-Bob

TMX - Thank you! That fixed the 403 error, however hotlinking still works when I tested it. I'll have to play around with that when I've got some more time. Thanks again.

I am having the same problem and three yeas later TMX's link to Ensim's site is depricated :(

Finally I'v emanaged to crack it!!!

In the .htaccess file created by Ensim in the root directory you need to add the following.

Options +FollowSymLinks +SymLinksIfOwnerMatch