Protecting Files with Advanced Mod_Rewrite Anti-Hotlinking

If you have files on your site that you don’t want indexed by malicious search engines, grabbed and leeched by spammers, or stolen and made available elsewhere, you can use mod_rewrite to drastically reduce or completely stop that activity.
Spammers and leechers operate like this: say you have some mp3 files on a server, and somewhere on the web there is a link to that mp3 file’s location. That includes links inside JavaScript files, CSS files and robots.txt files; spammer and leecher robots check all of those looking for the kind of link they want. They then request the file, usually trying a number of different kinds of requests to get at it, and use it for their own gain, at your expense.
Some robots perform valuable services for the web community, and some leeching code is pretty clever, so not all of this activity is perpetrated by nefarious spammers.
So if a link to your file exists, a robot is going to request it eventually. The way to defeat them is to do something on your site that changes how a real user requests the file. Most robots cannot run JavaScript, so the most common advanced method is to set a cookie with JavaScript and then check for that cookie in the request for the file using mod_rewrite.
So if your site sets a cookie named fspammers and gives it the value 445, this is what the request sent by an HTTP client like Firefox looks like.
GET /hotlink/lovefreedom.mp3 HTTP/1.1
Host: z.askapache.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.askapache.com/wordpress/seo-in-wordpress.html
Cookie: fspammers=455
The mod_rewrite module has access to ALL the HTTP headers sent in a request, so each of the headers in the example request above can be validated with mod_rewrite.
Now that everyone is on the same page about what is really going on, here is the .htaccess code that blocks requests for anything in the /hotlink/ folder. These are the triggers on which it denies access.
RewriteEngine On
RewriteBase /
# Any ONE of the following conditions is enough to refuse the request ([OR]).
# Each is negated with "!", so it fires when the header does NOT look as expected.
# No cookie fspammers=445 (set by the page's JavaScript, which most robots never run)
RewriteCond %{HTTP_COOKIE} !^.*fspammers=445.*$ [NC,OR]
# Request line is not of the form "METHOD /path HTTP/1.1"
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ /(.*)\ HTTP/1\.1 [NC,OR]
# Host header is not this site
RewriteCond %{HTTP_HOST} !^z\.askapache\.com$ [NC,OR]
# Referer is missing or not from www.askapache.com / z.askapache.com
RewriteCond %{HTTP_REFERER} !^http://(www|z)\.askapache\.com.*$ [NC]
# Anything under /hotlink/ that trips a condition above gets 403 Forbidden
RewriteRule ^hotlink/.*$ - [F]
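To see exactly how the four conditions combine before deploying them, here is an added Python script (my own, not from the article and not Apache's engine) that emulates the [OR] chain above with the same regular expressions. It assumes Python's re module treats these patterns the way Apache's PCRE does, that [NC] corresponds to re.IGNORECASE, and that in a per-directory .htaccess the RewriteRule sees the path without its leading slash. The sample requests are constructed for the example; the first one copies the Firefox request shown in the article, and because that request carries fspammers=455 while the rule looks for 445, the emulation refuses it, which is the kind of mismatch worth catching before a real user hits it. A correct client speaking HTTP/1.0 is refused as well, since the THE_REQUEST pattern insists on HTTP/1.1.

```python
import re
from typing import Optional, Tuple

# The four RewriteCond patterns from the .htaccess above, copied as-is.
# In the original each is negated with "!", so a condition fires when the
# pattern does NOT match; the [NC] flag corresponds to re.IGNORECASE.
# (Assumption: Python's re is close enough to Apache's PCRE for these patterns.)
COOKIE_RE = re.compile(r'^.*fspammers=445.*$', re.IGNORECASE)
REQUEST_RE = re.compile(r'^[A-Z]{3,9}\ /(.*)\ HTTP/1\.1', re.IGNORECASE)
HOST_RE = re.compile(r'^z\.askapache\.com$', re.IGNORECASE)
REFERER_RE = re.compile(r'^http://(www|z)\.askapache\.com.*$', re.IGNORECASE)
# The RewriteRule pattern; in a per-directory .htaccess with RewriteBase /
# it is matched against the URL path without its leading slash (assumption).
PROTECTED_RE = re.compile(r'^hotlink/.*$')

# Order matters: the conditions are evaluated top to bottom and the first
# one that fires in an [OR] chain decides the outcome.
CONDITIONS = [
    ('HTTP_COOKIE', COOKIE_RE),
    ('THE_REQUEST', REQUEST_RE),
    ('HTTP_HOST', HOST_RE),
    ('HTTP_REFERER', REFERER_RE),
]


def parse_request(raw: str) -> dict:
    """Turn a raw HTTP request head into the mod_rewrite variables used above."""
    lines = raw.strip().splitlines()
    request_line = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                       # blank line ends the header block
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    parts = request_line.split()
    path = parts[1] if len(parts) > 1 else ''
    return {
        'THE_REQUEST': request_line,                 # the full request line
        'HTTP_COOKIE': headers.get('cookie', ''),
        'HTTP_HOST': headers.get('host', ''),
        'HTTP_REFERER': headers.get('referer', ''),  # '' when the header is absent
        'PATH': path.split('?', 1)[0].lstrip('/'),
    }


def decide(raw: str) -> Tuple[bool, Optional[str]]:
    """Return (blocked, reason): blocked is True when the RewriteRule would
    answer 403 Forbidden; reason names the condition that fired."""
    v = parse_request(raw)
    if not PROTECTED_RE.search(v['PATH']):
        return False, None              # the rule only covers /hotlink/
    for name, pattern in CONDITIONS:
        if not pattern.search(v[name]):  # the "!" in the RewriteCond
            return True, name
    return False, None


# Constructed sample requests. The first copies the Firefox request shown in
# the article (note its cookie value is 455, not the 445 the rule wants).
ARTICLE_REQUEST = """GET /hotlink/lovefreedom.mp3 HTTP/1.1
Host: z.askapache.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Referer: http://www.askapache.com/wordpress/seo-in-wordpress.html
Cookie: fspammers=455
"""

# The same browser after the page's JavaScript set the expected cookie.
GOOD_REQUEST = """GET /hotlink/lovefreedom.mp3 HTTP/1.1
Host: z.askapache.com
Referer: http://www.askapache.com/wordpress/seo-in-wordpress.html
Cookie: fspammers=445
"""

# A robot that fetched the link directly: no referer, no cookie.
ROBOT_REQUEST = """GET /hotlink/lovefreedom.mp3 HTTP/1.1
Host: z.askapache.com
User-Agent: ExampleBot/1.0
"""

# A correct client speaking HTTP/1.0 (e.g. through an old proxy) is refused too.
HTTP10_REQUEST = GOOD_REQUEST.replace('HTTP/1.1', 'HTTP/1.0')

# Files outside /hotlink/ are never touched by the rule.
OTHER_PATH_REQUEST = ROBOT_REQUEST.replace('/hotlink/lovefreedom.mp3', '/index.html')

if __name__ == '__main__':
    for label, req in [('article', ARTICLE_REQUEST), ('good', GOOD_REQUEST),
                       ('robot', ROBOT_REQUEST), ('http10', HTTP10_REQUEST),
                       ('other', OTHER_PATH_REQUEST)]:
        blocked, reason = decide(req)
        print(f'{label:8s} -> {"403 " + reason if blocked else "allowed"}')
```

The emulation only reports the first condition that fires, which is how the [OR] chain short-circuits in practice; a robot with neither cookie nor referer is therefore reported as failing the cookie check, not the referer check.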
Hi, thanks for the nice prof. information shared with us! I was looking to find a way to mask the folder and file name seen in the URL after the domain address/ (/Folder/subfolder/index.php?modname=xxxx&op=yyyyy). Just to fix and show the static address (/) … whatever the user is browsing. Can you help?
Best regards