Textpattern CMS support forum
Deny referrers from directly linking to 'file_download'
Hello all,
I have been using TXP for ages now, and it’s always done me great. Recently, I have run into a problem where I had created and released a pocketPC theme, and an Arabic site has decided it would be good to “hotlink” to that file. The link is “http://www.protogenlabs.com/file_download/6”, and this is the link found on their page. I wanted to have any HTTP_REFERER other than my own site (or blank) to be denied access to download anything using the TXP “file_download” url format.
I am running TXP on IIS and have Clean URLs turned on. I tried a couple of rules in my httpd.ini file, however it seems that TXP will still allow the user to download the file. I would also link directly to the file in the file system, but then my download counts are not tracked.
Is there any way to accomplish what I’m trying to do?
Thanks in advance for any help that you can offer!
Offline
Re: Deny referrers from directly linking to 'file_download'
georgeM wrote:
I wanted to have any HTTP_REFERER other than my own site (or blank) to be denied access to download anything
In my experience, referer can’t really be trusted (it’s mostly blank from what I see in my logs, probably thanks to personal firewalls) so you might end up putting effort into a solution without much benefit. But maybe this might help?
Obeewan’s suggestion helps keep (well-behaved) bots away, but as far as I know the only semi-reliable defence against hotlinking is .htaccess or whatever the equivalent is in IIS. I’ve never used a Windoze box as a server so I don’t know if there is an equivalent.
Is this a good excuse to switch to Linux hosting?? :-P
The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.
Txp Builders – finely-crafted code, design and Txp
Online
Re: Deny referrers from directly linking to 'file_download'
Hi Bloke,
Thanks for the swift reply. The link to the leech protector DLL only runs on ASP, and I am currently running PHP on my TXP webdir (of course). I don’t really want to turn away bots, as I’ve never had a problem with them downloading files, but rather just denying access to anything in “file_download/????” if it comes from another site. I know that the user could technically just copy the link and paste it in a fresh browser window, effectively getting around the referrer protection, but I’d do anything as these bastards are linking directly to the file, whereas most other sites that are reporting on my theme link to my actual blog post with some respect.
Hopefully I’m explaining this correctly, but if anyone needs me to post more details, I would be glad to. I should also post my main specs:
- TXP 4.0.4 running on IIS 6
- PHP 5
- ISAPI_Rewrite IIS Plug-in
Thanks in advance again for the help!
Offline
Re: Deny referrers from directly linking to 'file_download'
Online
Re: Deny referrers from directly linking to 'file_download'
Ah, LeechBlocker would work, but it only allows for blocking images, and is not configurable to allow for .zip files (or any other extension for that matter)… It is open-source, so I’ll have to do some digging to see if I can find a configurable version.
Thanks for the help though Bloke!
Offline
Re: Deny referrers from directly linking to 'file_download'
georgeM wrote:
ah, LeechBlocker would work, but it only allows for blocking images, and is not configurable
Double nuts. Mind you, if you’re handy with a C++ compiler (or know someone with one) you can edit the code pretty easily in LeechBlocker.cpp to add or amend the extensions that suit. Search for “jpg” in that file and you’ll see how he does it. He’s limited the max number of extensions to 16 but you can probably get round that as well if you really need to.
Unfortunately, my C++ days are loooong gone (in fact they never really started because I hated the language) and I don’t have a compiler available here or I’d do it for you.
Sorry I can’t be of any more help at the mo. Anyone else?
Online
#7 2007-11-24 05:12:41
- Mary
Re: Deny referrers from directly linking to 'file_download'
Here’s how it’d work for .htaccess on Apache. You should be able to adjust it for ISAPI_Rewrite.
Look for the following lines:
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^(.+) - [PT,L]
Insert the following before (important!) them:
RewriteCond %{HTTP_REFERER} !^$
# Dot escaped and host ended at "/" or end of string, so only this site's own host matches
RewriteCond %{HTTP_REFERER} !^http://(www\.)?protogenlabs\.com(/.*)?$ [NC]
RewriteRule (files|file_download)/.*$ http://www.protogenlabs.com/ [R,L]
Offline
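Added example, not part of the original thread: a small Python model of the two referer conditions and the redirect rule, run over constructed requests. It compares a loosely anchored referer pattern (unescaped dot, open-ended tail) with a tightened one; the function names and every host other than the thread's own domain are assumptions made for illustration.

```python
import re

# Path test from the rule in this thread.
PROTECTED = re.compile(r"(files|file_download)/.*$")

# Loosely anchored referer pattern: unescaped dot, open-ended tail.
LOOSE = re.compile(r"^http://(www\.)?protogenlabs.com.*$", re.I)
# Tightened: literal dot, and the host must end at "/" or end of string.
TIGHT = re.compile(r"^http://(www\.)?protogenlabs\.com(/.*)?$", re.I)


def decide(path, referer, own_site):
    """Mirror the two RewriteCond lines plus the RewriteRule.

    Returns "redirect" when the request is for a protected path, carries a
    non-empty Referer, and that Referer is not the site's own; else "serve".
    """
    if not PROTECTED.search(path):
        return "serve"            # rule does not apply to this URL
    if referer == "":
        return "serve"            # condition !^$ fails: blank is let through
    if own_site.match(referer):
        return "serve"            # second condition fails: own site
    return "redirect"             # both conditions hold: [R,L]


# Constructed requests (path, Referer header); hosts other than the
# thread's own domain are reserved example names.
SAMPLES = [
    ("file_download/6", ""),
    ("file_download/6", "http://www.protogenlabs.com/article/theme"),
    ("file_download/6", "http://other-site.example/links.html"),
    ("file_download/6", "http://protogenlabs.com.other-site.example/"),
    ("file_download/6", "http://protogenlabsXcom/"),
    ("article/theme", "http://other-site.example/links.html"),
]


def compare():
    """Return (path, referer, loose_result, tight_result) per sample."""
    return [(p, r, decide(p, r, LOOSE), decide(p, r, TIGHT)) for p, r in SAMPLES]


if __name__ == "__main__":
    for path, ref, loose, tight in compare():
        print(f"{path:16} {ref or '(blank)':46} loose={loose:8} tight={tight}")
```

The blank-referer row is served under both patterns by design, so the check only affects clients that send a Referer header at all.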
Re: Deny referrers from directly linking to 'file_download'
Oh Mary, thank you SO much for this. I can’t believe it’s been 5 years since I checked this thread, but it came up in a search as I obviously needed to revisit this issue. I’ve got it working great now!
BTW, I’m actually running TXP on IIS7, and this is the URL Rewrite rule that it converted to:
<rule name="Prevent Hotlinking" stopProcessing="true">
  <match url="(files|file_download)/.*$" ignoreCase="false" />
  <conditions logicalGrouping="MatchAll">
    <add input="{HTTP_REFERER}" pattern="^$" ignoreCase="false" negate="true" />
    <!-- dot escaped and host ended at "/" or end of string -->
    <add input="{HTTP_REFERER}" pattern="^http://(www\.)?YOURDOMAIN\.com(/.*)?$" negate="true" />
  </conditions>
  <action type="Redirect" url="http://www.YOURDOMAIN.com/" redirectType="Found" />
</rule>
Many cheers and thanks again!
Offline
Re: Deny referrers from directly linking to 'file_download'
Unfortunately, referer spoofing is still as easy as 5 years ago.
Offline
Re: Deny referrers from directly linking to 'file_download'
No doubt that you’re correct about that etc, however my client had found his MP3s linked to on free sites such as “MP3free4all”, and once I put the URL Rewrite rule in place, their links no longer functioned as intended.
This is one of those things where if someone really wants to bypass the hotlink protection, they most likely can. Regardless, it’s a decent fix that should at least save him on some bandwidth costs :)
Offline