11696 pointsCommunity rank #2Supreme DeityTrue DEVianLifetime member
Member
(joined April 2009)
Likes (0)
Hey Marty,
Yeah, editing the .htaccess to disable hotlinking would definitely disrupt things. Glad you found the culprit!
That being said, you've still got a problem. What about password-protecting your image folders? Then users could not directly download the files. Honestly, I'm not sure otherwise. Maybe somebody else from the community has a suggestion?
It would be great to build this in somehow. It gets over my head a little in this area. But the hotlinking is a big potential issue (especially since I am building a site for photographers!)
11696 pointsCommunity rank #2Supreme DeityTrue DEVianLifetime member
Member
(joined April 2009)
Likes (0)
Hiya,
I've tagged Aaron on this thread. He can provide some further suggestions as to the best way to go about this. Outside of password protection, I'm not sure either!
8459 pointsCommunity rank #4Supreme DeityWPMU DEV StaffLifetime member
Lead Developer
(joined May 2009)
Likes (0)
I don't know of anyway to prevent hotlinking via htaccess with domain mapping. Those protections work by checking the referrer, so you would have to have an uptodate list of all mapped domains.
If files link the normal way through the /files/ dir they are handled by php in the ms-files.php script, which could be modded by a plugin to stop hotlinking.
My initial thought was exactly that @joseph. add a section to htaccess that could be written to with mapped domains. Should be easy enough to keep current. I just haven't written to htaccess before and am reluctant to take it on just this second. One day...
Responses (9)
Member (joined February 2010) Likes (0)
Okay - figured it out. Typical slap your forehead kind of thing...
I had added a line to htaccess to disable hotlinking, which of course would see the new domain as an outside domain and make images not show up.
I removed it for now, but any idea if there could be a way to disable hotlinking while still enabling people to use their own domain?
Member (joined April 2009) Likes (0)
Hey Marty,
Yeah, editing the .htaccess to disable hotlinking would definitely disrupt things. Glad you found the culprit!
That being said, you've still got a problem. What about password-protecting your image folders? Then users could not directly download the files. Honestly, I'm not sure otherwise. Maybe somebody else from the community has a suggestion?
Member (joined February 2010) Likes (0)
It would be great to build this in somehow. It gets over my head a little in this area. But the hotlinking is a big potential issue (especially since I am building a site for photographers!)
Member (joined April 2009) Likes (0)
Hiya,
I've tagged Aaron on this thread. He can provide some further suggestions as to the best way to go about this. Outside of password protection, I'm not sure either!
Lead Developer (joined May 2009) Likes (0)
I don't know of anyway to prevent hotlinking via htaccess with domain mapping. Those protections work by checking the referrer, so you would have to have an uptodate list of all mapped domains.
If files link the normal way through the /files/ dir they are handled by php in the ms-files.php script, which could be modded by a plugin to stop hotlinking.
Member (joined February 2010) Likes (0)
hmm... Great idea Aaron. Will be looking into this and will post my findings.
Thx!
Volunteer support dude (joined November 2009) Likes (0)
Marty,
1st can you share the anti hotlinking htaccess code?
2nd can't you create an exception list which would need to be dynamically created from the domain entries.
Member (joined February 2010) Likes (0)
My initial thought was exactly that @joseph. add a section to htaccess that could be written to with mapped domains. Should be easy enough to keep current. I just haven't written to htaccess before and am reluctant to take it on just this second. One day...
I was using some ideas from:
http://perishablepress.com/press/2007/11/21/creating-the-ultimate-htaccess-anti-hotlinking-strategy/
Mostly the boiled down version:
# ultimate hotlink protection<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?domain\. [NC]
RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]
</ifModule>
This works fine for all subdomains - so anyone not using domain mapping could try the above.
The idea of using the IP address seemed promising so I added:
# ultimate hotlink protection<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g?|png)$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?domain\. [NC]
RewriteCond %{HTTP_REFERER} !^http://123.123.123.123.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://123.123.123.123:80.*$ [NC]
RewriteRule \.(gif|jpe?g?|png)$ - [F,NC,L]
</ifModule>
That didn't work for mapped domains, so I tried several combos using the IP address based on a bunch of different sites but could not get any to work.
Lead Developer (joined May 2009) Likes (0)
The referrer field is set by browsers, and they won't use the IP. You can only check what they send (and that can be spoofed).
Become a member