From: Rich Bowen Date: Mon, 2 Nov 2009 23:12:26 +0000 (+0000) Subject: Moves the 'image theft' recipe from rewrite_guide to access X-Git-Tag: 2.3.3~81 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4e13ecbde781aaa6ac84afec305fadff0750050e;p=thirdparty%2Fapache%2Fhttpd.git Moves the 'image theft' recipe from rewrite_guide to access git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@832182 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/rewrite/access.html.en b/docs/manual/rewrite/access.html.en index cc0f1743a85..37f9e3ea62d 100644 --- a/docs/manual/rewrite/access.html.en +++ b/docs/manual/rewrite/access.html.en @@ -35,9 +35,92 @@ them, rather than merely cutting and pasting the examples into your configuration.

-

See also

+

See also

top
+

Forbidding Image "Hotlinking"

+ + + +
+
Description:
+ +
+

The following technique forbids the practice of other sites + including your images inline in their pages. This practice is + often referred to as "hotlinking", and results in + your bandwidth being used to serve content for someone else's + site.

+
+ +
Solution:
+ +
+

This technique relies on the value of the + HTTP_REFERER variable, which is optional. As + such, it's possible for some people to circumvent this + limitation. However, most users will experience the failed + request, which should, over time, result in the image being + removed from that other site.

+

There are several ways that you can handle this + situation.

+ +

In this first example, we simply deny the request, if it didn't + initiate from a page on our site. For the purpose of this example, + we assume that our site is www.example.com.

+ +
+RewriteCond %{HTTP_REFERER} !^$
+RewriteCond %{HTTP_REFERER} !www.example.com [NC]
+RewriteRule \.(gif|jpg|png)$    -   [F,NC]
+
+ +

In this second example, instead of failing the request, we display + an alternate image instead.

+ +
+RewriteCond %{HTTP_REFERER} !^$
+RewriteCond %{HTTP_REFERER} !www.example.com [NC]
+RewriteRule \.(gif|jpg|png)$    /images/go-away.png   [R,NC]
+
+ +

In the third example, we redirect the request to an image on some + third-party site.

+ +
+RewriteCond %{HTTP_REFERER} !^$
+RewriteCond %{HTTP_REFERER} !www.example.com [NC]
+RewriteRule \.(gif|jpg|png)$ http://other.site.com/image.gif   [R,NC]
+
+ +

Of these techniques, the last two tend to be the most effective + in getting people to stop hotlinking your images, because they will + simply not see the image that they expected to see.

+ +
+ +
Discussion:
+ +
+

If all you wish to do is deny access to the resource, rather + than redirecting that request elsewhere, this can be + accomplished without the use of mod_rewrite:

+ +

+ SetEnvIf Referer example\.com localreferer
+ <FilesMatch \.(jpg|png|gif)$>
+ Order deny,allow
+ Deny from all
+ Allow from env=localreferer
+ </FilesMatch> +

+
+
+ +
top
+

Blocking of Robots

@@ -82,7 +165,7 @@ RewriteRule ^/secret/files/ - [F]
-
Discussion
+
Discussion:

@@ -94,7 +177,8 @@ RewriteRule ^/secret/files/ - [F] <Location /secret/files>
Order allow,deny
Allow from all
- Deny from env=goaway + Deny from env=goaway
+ </Location>

As noted above, this technique is trivial to circumvent, by simply diff --git a/docs/manual/rewrite/access.xml b/docs/manual/rewrite/access.xml index c45c51e05d2..170d7e751bd 100644 --- a/docs/manual/rewrite/access.xml +++ b/docs/manual/rewrite/access.xml @@ -43,6 +43,87 @@ configuration.

Module documentation mod_rewrite introduction +
+ + Forbidding Image "Hotlinking" + +
+
Description:
+ +
+

The following technique forbids the practice of other sites + including your images inline in their pages. This practice is + often referred to as "hotlinking", and results in + your bandwidth being used to serve content for someone else's + site.

+
+ +
Solution:
+ +
+

This technique relies on the value of the + HTTP_REFERER variable, which is optional. As + such, it's possible for some people to circumvent this + limitation. However, most users will experience the failed + request, which should, over time, result in the image being + removed from that other site.

+

There are several ways that you can handle this + situation.

+ +

In this first example, we simply deny the request, if it didn't + initiate from a page on our site. For the purpose of this example, + we assume that our site is www.example.com.

+ +
+RewriteCond %{HTTP_REFERER} !^$
+RewriteCond %{HTTP_REFERER} !www.example.com [NC]
+RewriteRule \.(gif|jpg|png)$    -   [F,NC]
+
 + +

In this second example, instead of failing the request, we display + an alternate image instead.

+ +
+RewriteCond %{HTTP_REFERER} !^$
+RewriteCond %{HTTP_REFERER} !www.example.com [NC]
+RewriteRule \.(gif|jpg|png)$    /images/go-away.png   [R,NC]
+
 + +

In the third example, we redirect the request to an image on some + third-party site.

+ +
+RewriteCond %{HTTP_REFERER} !^$
+RewriteCond %{HTTP_REFERER} !www.example.com [NC]
+RewriteRule \.(gif|jpg|png)$ http://other.site.com/image.gif   [R,NC]
+
 + +

Of these techniques, the last two tend to be the most effective + in getting people to stop hotlinking your images, because they will + simply not see the image that they expected to see.

+ +
+ +
Discussion:
+ +
+

If all you wish to do is deny access to the resource, rather + than redirecting that request elsewhere, this can be + accomplished without the use of mod_rewrite:

+ + + SetEnvIf Referer example\.com localreferer
+ <FilesMatch \.(jpg|png|gif)$>
+ Order deny,allow
+ Deny from all
+ Allow from env=localreferer
+ </FilesMatch> + +
+
+ +
+
Blocking of Robots @@ -87,7 +168,7 @@ RewriteRule ^/secret/files/ - [F]
-
Discussion
+
Discussion:

@@ -99,7 +180,8 @@ RewriteRule ^/secret/files/ - [F] <Location /secret/files>
Order allow,deny
Allow from all
- Deny from env=goaway + Deny from env=goaway
+ </Location>

As noted above, this technique is trivial to circumvent, by simply diff --git a/docs/manual/rewrite/rewrite_guide.html.en b/docs/manual/rewrite/rewrite_guide.html.en index f50aa5c085d..4ad260dc408 100644 --- a/docs/manual/rewrite/rewrite_guide.html.en +++ b/docs/manual/rewrite/rewrite_guide.html.en @@ -56,7 +56,6 @@

  • From Old to New (intern)
  • From Old to New (extern)
  • From Static to Dynamic
    • -
  • Forbidding Image "Hotlinking"
  • Proxy Deny
  • External Rewriting Engine
  • Web Cluster with Consistent URL Space
    • @@ -652,70 +651,6 @@ RewriteRule ^foo\.html$ foo.cgi [H=
    top
    -

    Forbidding Image "Hotlinking"

    - - - -
    -
    Description:
    - -
    -

    The following technique forbids the practice of other sites - including your images inline in their pages. This practice is - often referred to as "hotlinking", and results in - your bandwidth being used to serve content for someone else's - site.

    -
    - -
    Solution:
    - -
    -

    This technique relies on the value of the - HTTP_REFERER variable, which is optional. As - such, it's possible for some people to circumvent this - limitation. However, most users will experience the failed - request, which should, over time, result in the image being - removed from that other site.

    -

    There are several ways that you can handle this - situation.

    - -

    In this first example, we simply deny the request, if it didn't - initiate from a page on our site. For the purpose of this example, - we assume that our site is www.example.com.

    - -
    -RewriteCond %{HTTP_REFERER} !^$
-RewriteCond %{HTTP_REFERER} !www.example.com [NC]
-RewriteRule \.(gif|jpg|png)$    -   [F,NC]
-
    - -

    In this second example, instead of failing the request, we display - an alternate image instead.

    - -
    -RewriteCond %{HTTP_REFERER} !^$
-RewriteCond %{HTTP_REFERER} !www.example.com [NC]
-RewriteRule \.(gif|jpg|png)$    /images/go-away.png   [R,NC]
-
    - -

    In the third example, we redirect the request to an image on some - third-party site.

    - -
    -RewriteCond %{HTTP_REFERER} !^$
-RewriteCond %{HTTP_REFERER} !www.example.com [NC]
-RewriteRule \.(gif|jpg|png)$ http://other.site.com/image.gif   [R,NC]
-
    - -

    Of these techniques, the last two tend to be the most effective - in getting people to stop hotlinking your images, because they will - simply not see the image that they expected to see.

    - -
    -
    - -
    top
    -

    Proxy Deny

    diff --git a/docs/manual/rewrite/rewrite_guide.xml b/docs/manual/rewrite/rewrite_guide.xml index 46a40be33aa..5b628503121 100644 --- a/docs/manual/rewrite/rewrite_guide.xml +++ b/docs/manual/rewrite/rewrite_guide.xml @@ -627,70 +627,6 @@ RewriteRule ^foo\.html$ foo.cgi [H= -
    - - Forbidding Image "Hotlinking" - -
    -
    Description:
    - -
    -

    The following technique forbids the practice of other sites - including your images inline in their pages. This practice is - often referred to as "hotlinking", and results in - your bandwidth being used to serve content for someone else's - site.

    -
    - -
    Solution:
    - -
    -

    This technique relies on the value of the - HTTP_REFERER variable, which is optional. As - such, it's possible for some people to circumvent this - limitation. However, most users will experience the failed - request, which should, over time, result in the image being - removed from that other site.

    -

    There are several ways that you can handle this - situation.

    - -

    In this first example, we simply deny the request, if it didn't - initiate from a page on our site. For the purpose of this example, - we assume that our site is www.example.com.

    - -
    -RewriteCond %{HTTP_REFERER} !^$
-RewriteCond %{HTTP_REFERER} !www.example.com [NC]
-RewriteRule \.(gif|jpg|png)$    -   [F,NC]
-
     - -

    In this second example, instead of failing the request, we display - an alternate image instead.

    - -
    -RewriteCond %{HTTP_REFERER} !^$
-RewriteCond %{HTTP_REFERER} !www.example.com [NC]
-RewriteRule \.(gif|jpg|png)$    /images/go-away.png   [R,NC]
-
     - -

    In the third example, we redirect the request to an image on some - third-party site.

    - -
    -RewriteCond %{HTTP_REFERER} !^$
-RewriteCond %{HTTP_REFERER} !www.example.com [NC]
-RewriteRule \.(gif|jpg|png)$ http://other.site.com/image.gif   [R,NC]
-
     - -

    Of these techniques, the last two tend to be the most effective - in getting people to stop hotlinking your images, because they will - simply not see the image that they expected to see.

    - -
    -
    - -
    -
    Proxy Deny