English Version of htaccess Code

Sitepoint Members,

This code I found on your site looks like the right one for me:

  1. RewriteCond %{HTTP_REFERER} !^$
  2. RewriteCond %{HTTP_REFERER} !^http://(www\.)?your_domain\.com/ [NC]
  3. RewriteCond %{HTTP_REFERER} !^http://www\.trusted\.com/ [NC]
  4. RewriteRule \.(gif|jpe?g)$ blank.txt [NC]

Is the English on this

  1. When the server sees a visitor from any site (defined by nothing between ^ and the $) coming to my site
  2. Except for mysite.com
  3. Except for google.com
  4. Then for my .gif files and .jpeg files serve a blank page I’ve placed at mysite.com/blank.txt instead of the file requested.

Is the reason why
RewriteCond %{HTTP_REFERER} !^http://(www\.)?your_domain\.com/

is in there is so the images can be seen on my site?

Also, is there an advantage using blank.txt over blank.html?

Thanks,

Chris

The way I read it is with "if"s i.e.

if HTTP_REFERER is not empty - and
if not my site - and
if not trusted site
requests will be served text file

This will stop some hot-linking of those image files

Of course if HTTP_REFERER is empty (or spoofed) the images will be served.

Yes, that’s exactly it :slight_smile:

Seeing as they are images, I would either serve up an image (with some text on it, like “hotlinking not allowed”), or change [NC] in the Rule to [NC,F] to just forbid access (so it returns a 403 access denied).

Your English translation of the code is correct btw :tup:

Mittineague and ScallioXTX - The best two SitePoint gurus,

Thanks for the help.

So you mean change
RewriteRule \.(gif|jpe?g)$ blank.txt [NC]
to
RewriteRule \.(gif|jpe?g)$ blank.txt [NC,F]

so the hotlinking site gets a 403 error, right?

The one thing I don’t understand is where the differentiation in the code is.

If you boil the meaning of these lines of code to

RewriteCond %{HTTP_REFERER} !^$ NO Access To image
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mysite\.com/ [NC] OK
RewriteCond %{HTTP_REFERER} !^http://www\.trusted\.com/ [NC] OK

Then what is the code in these lines that says no action on this, take action on this other?

Thanks,

Chris

Yup :slight_smile:

Those three lines are all conditions. All three conditions (referer [sic] must not be empty, and must not be the domain of your site, and must not be a domain you trust). If and only if all conditions match will the rule be evaluated.

(Internally it’s the other way around, the Rule is validated first, and only if it matches will the Conds be validated, but that’s not really relevant here ;))

ScallioXTX,
So RewriteCond means
“The server is to rewrite if the visitor is NOT” the visitors I chose.

The end result (for this example) is to rewrite for every visitor except nameless (^$), my site, and google’s site.

Why are nameless visitors allowed? It seems there’s a necessity for ^$.

Thanks,

Chris

When people turn on privacy settings in their browser the referrer doesn’t get passed and will therefore be blank.

The same can be done using the security settings in some firewalls.

Whether or not the referrer actually gets passed is a tradeoff between your security and your visitor’s security.

^ What he said :slight_smile:

Plus, some scripts like DD_BelatedPNG re-request PNG files without any referer. So if you don’t have the line with ^$ those scripts won’t work.

(I learned that the hard way one night from one a.m. until about three a.m. :-/)

Felgall,
So RewriteCond %{HTTP_REFERER} !^$ is code for blank referers (due to a privacy setting visitors use in their browsers) has what purpose in my .htaccess? It prevents or enables what?

Thanks,

Chris

It makes sure that if people have disabled the sending of a referer in their browser, they will still see the images on your website.

I’d leave it in there.

-continued-

I agree, but do I have the mechanics of it right?

Does it allow visitors using a privacy setting to see the images (or whatever files) on my site and the reason it would be put in my htaccess is because blank user agents don’t look anything like regular user agents - regular user agents of people visiting a site are identified as having a certain format, and websites visiting my site to use an image (or use something else) have a different format. A blank user agent has no format, so with the code being discussed, if I didn’t have RewriteCond %{HTTP_REFERER} !^$ then people using a privacy setting wouldn’t be able to see the images on my site.

Chris

Yep, that’s exactly right :slight_smile:

Scallio,

When you get a chance can you give me an example of a user agent from a visitor to my site and an example of a user agent to my site from another website?

Thanks,

Chris

It’s just a header in the HTTP request that indicates the URL the user came from. So if I go from page A to page B, the browser sends the URL of page A as the referer for page B.
Also, when you are on page B and that page has images on it, the browser will send the URL of page B as the referer for those images.
Basically the referer answers the question “why is the visitor downloading this file?”

Does that make sense?

The User Agent and Referer are not connected in any way btw. Okay, in certain User Agents you can disable or fake the referer, but that’s the extent of it.

Scallio,
I thought the user agent was that bit of code in a browser you find by typing in about:blank (or something like that). I thought referrer was the same thing.

You say it’s just a header in the HTTP request. Doesn’t a request from a human visitor on a browser to my website look different than a request from a website contacting my website (e.g. hot linking)?

Thanks,

Chris

I think we have different definitions of hot linking.

My definition of hot linking is: people putting an image on their own website by putting an <img> on there with the URL of my website in there.

So if my website is example.com and somewebsite.com has <img src="http://www.example.com/image.gif" alt="Some image" /> on their website then somewebsite.com is hotlinking from me.

It’s got nothing to do with User Agents.
It sounds like what you are referring to is scraping, which is something else entirely.

Scallio,
It’s too deep for me. I need a vacation.

How about this last part.

You were saying - … or change [NC] in the Rule to [NC,F] to just forbid access (so it returns a 403 access denied).

If I do that
RewriteRule \.(gif|jpg|css|png)$ blank.txt [NC,F]

what about “blank.txt”. I don’t think the file type would matter anymore since it won’t be served. Would I just remove this address?

RewriteRule \.(gif|jpg|css|png)$ [NC,F]

Thanks,

Chris

No you can’t remove it, because a RewriteRule always needs to have at least a regular expression and a new URL. You can use a dash though, which means “don’t rewrite at all”.

RewriteRule \.(gif|jpg|css|png)$ - [NC,F]

:slight_smile:

ScallioXTX,
Nifty.

So this appears to be my final
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.google\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.yahoo\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.bing\.com/ [NC]
RewriteRule \.(gif|jpg|css|png)$ - [NC,F]

Which allows visitors using some blanking privacy setting, allows images to show up on my site and google, yahoo, bing, and every one else gets F-ed (Four O three-ed).

Should that “css” be in there, I saw it somewhere else? What would someone gain by linking to my css?

Thanks,

Chris

That would be blanking of referers. That sentence may mean different things to different people. Sorry.
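
A model of how the final ruleset in this thread decides, added here as an example (it is not part of the thread and not Apache's own code): Python's `re` stands in for mod_rewrite's pattern matching, and `decide`, `SAMPLES` and the sample requests are constructed for illustration. It covers the cases discussed (blank referer, own site, trusted site, hotlinking page) plus two that follow from the patterns as written: an `https://` referer from the site's own pages and a `.jpeg` file.

```python
import re

# RewriteRule pattern and the negated RewriteCond patterns of the final
# ruleset, [NC] modelled with re.IGNORECASE (dot after "www" escaped here).
RULE = re.compile(r"\.(gif|jpg|css|png)$", re.IGNORECASE)
COND_PATTERNS = [
    re.compile(r"^$"),                                   # blank referer
    re.compile(r"^http://(www\.)?mysite\.com/", re.IGNORECASE),
    re.compile(r"^http://www\.google\.com/", re.IGNORECASE),
    re.compile(r"^http://www\.yahoo\.com/", re.IGNORECASE),
    re.compile(r"^http://www\.bing\.com/", re.IGNORECASE),
]


def decide(path, referer=None):
    """Return 403 if the ruleset would forbid the request, else 200."""
    referer = referer or ""          # a missing Referer header expands to ""
    # mod_rewrite tests the rule pattern first, then the conditions.
    if not RULE.search(path):
        return 200
    # Each condition is "!pattern": true when the referer does NOT match.
    # Consecutive RewriteCond lines are ANDed, so one match lets the file through.
    if all(not p.search(referer) for p in COND_PATTERNS):
        return 403
    return 200


# Constructed sample requests: (path, Referer header or None).
SAMPLES = [
    ("images/logo.png", None),                                    # privacy setting
    ("images/logo.png", "http://www.mysite.com/page.html"),       # own page
    ("images/logo.png", "http://www.google.com/search?q=logo"),   # trusted site
    ("images/logo.png", "http://somewebsite.com/gallery.html"),   # hotlinking page
    ("IMAGES/LOGO.PNG", "http://somewebsite.com/gallery.html"),   # [NC] on the rule
    ("images/logo.png", "https://www.mysite.com/page.html"),      # https own page
    ("images/photo.jpeg", "http://somewebsite.com/gallery.html"), # not in jpg list
    ("index.html", "http://somewebsite.com/gallery.html"),        # rule not matched
]


def run_samples():
    return [decide(path, referer) for path, referer in SAMPLES]


if __name__ == "__main__":
    for (path, referer), status in zip(SAMPLES, run_samples()):
        print(status, path, referer or "(no referer)")
```

The `https://` row returns 403 because the own-site pattern begins with `^http://`, so the site's own pages stop being exempt once they are served over HTTPS; the `.jpeg` row returns 200 because the final rule lists `jpg` only.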