htaccess: hotlinking of images

colak · 2017-01-16 07:38:11

Hi all

I’m trying to implement a couple of htaccess directives to prevent hotlinking of images.

The problem is that I would like

to allow search engines and image search
to allow viewing images included to our newsletter (postmaster)

At the moment I have

RewriteCond %{HTTP_USER_AGENT} ADSARobot|ah-ha|almaden|aktuelles|Anarchie|amzn_assoc|ASPSeek|ASSORT|ATHENS|Atomz|attach|attache|autoemailspider|BackWeb|Bandit|BatchFTP|bdfetch|big.brother|BlackWidow|bmclient|Boston\ Project|BravoBrian\ SpiderEngine\ MarcoPolo|Bot\ mailto:craftbot@yahoo.com|Buddy|Bullseye|bumblebee|capture|CherryPicker|ChinaClaw|CICC|clipping|Collector|Copier|Crescent|Crescent\ Internet\ ToolPak|Custo|cyberalert|DA$|Deweb|diagem|Digger|Digimarc|DIIbot|DISCo|DISCo\ Pump|DISCoFinder|Download\ Demon|Download\ Wonder|Downloader|Drip|DSurf15a|DTS.Agent|EasyDL|eCatch|ecollector|efp@gmx\.net|EirGrabber|EmailCollector|EmailSiphon|EmailWolf|Express\ WebPictures|ExtractorPro|EyeNetIE|FavOrg|fastlwspider|Favorites\ Sweeper|Fetch|FEZhead|FileHound|FlashGet\ WebWasher|FlickBot|fluffy|FrontPage|GalaxyBot|Generic|Getleft|GetRight|GetSmart|GetWeb!|GetWebPage|gigabaz|Girafabot|Go\!Zilla|Go!Zilla|Go-Ahead-Got-It|GornKer|gotit|Grabber|GrabNet|Grafula|Green\ Research|grub-client|Harvest|hhjhj@yahoo|hloader|HMView|HomePageSearch|http\ generic|HTTrack|httpdown|httrack|ia_archiver|IBM_Planetwide|Image\ Stripper|Image\ Sucker|imagefetch|IncyWincy|Indy*Library|Indy\ Library|informant|Ingelin|InterGET|Internet\ Ninja|InternetLinkagent|Internet\ Ninja|InternetSeer\.com|Iria|Irvine|JBH*agent|JetCar|JOC|JOC\ Web\ Spider|JustView|KWebGet|Lachesis|larbin|LeechFTP|LexiBot|lftp|libwww|likse|Link|Link*Sleuth|LINKS\ ARoMATIZED|LinkWalker|LWP|lwp-trivial|Mag-Net|Magnet|Mac\ Finder|Mag-Net|Mass\ Downloader|MCspider|Memo|Microsoft.URL|MIDown\ tool|Mirror|Missigua\ Locator|Mister\ PiX|MMMtoCrawl\/UrlDispatcherLLL|^Mozilla$|Mozilla.*Indy|Mozilla.*NEWT|Mozilla*MSIECrawler|MS\ FrontPage*|MSFrontPage|MSIECrawler|MSProxy|multithreaddb|nationaldirectory|Navroad|NearSite|NetAnts|NetCarta|NetMechanic|netprospector|NetResearchServer|NetSpider|Net\ Vampire|NetZIP|NetZip\ Downloader|NetZippy|NEWT|NICErsPRO|Ninja|NPBot|Octopus|Offline\ Explorer|Offline\ Navigator|OpaL|Openfind|OpenTextSiteCrawler|OrangeBot|PageGrabber|Papa\ Foto|PackRat|pavuk|pcBrowser|PersonaPilot|Ping|PingALink|Pockey|Proxy|psbot|PSurf|puf|Pump|PushSite|QRVA|RealDownload|Reaper|Recorder|ReGet|replacer|RepoMonkey|Robozilla|Rover|RPT-HTTPClient|Rsync|Scooter|SearchExpress|searchhippo|searchterms\.it|Second\ Street\ Research|Seeker|Shai|Siphon|sitecheck|sitecheck.internetseer.com|SiteSnagger|SlySearch|SmartDownload|snagger|Snake|SpaceBison|Spegla|SpiderBot|sproose|SqWorm|Stripper|Sucker|SuperBot|SuperHTTP|Surfbot|SurfWalker|Szukacz|tAkeOut|tarspider|Teleport\ Pro|Templeton|TrueRobot|TV33_Mercator|UIowaCrawler|UtilMind|URLSpiderPro|URL_Spider_Pro|Vacuum|vagabondo|vayala|visibilitygap|VoidEYE|vspider|Web\ Downloader|w3mir|Web\ Data\ Extractor|Web\ Image\ Collector|Web\ Sucker|Wweb|WebAuto|WebBandit|web\.by\.mail|Webclipping|webcollage|webcollector|WebCopier|webcraft@bea|webdevil|webdownloader|Webdup|WebEMailExtrac|WebFetch|WebGo\ IS|WebHook|Webinator|WebLeacher|WEBMASTERS|WebMiner|WebMirror|webmole|WebReaper|WebSauger|Website|Website\ eXtractor|Website\ Quester|WebSnake|Webster|WebStripper|websucker|webvac|webwalk|webweasel|WebWhacker|WebZIP|Wget|Whacker|whizbang|WhosTalking|Widow|WISEbot|WWWOFFLE|x-Tractor|^Xaldon\ WebSpider|WUMPUS|Xenu|XGET|Zeus.*Webster|Zeus [NC]
RewriteRule ^.* - [F,L]

This unfortunately blocks images in our newsletter. Can someone spot which block I should cancel?

I also have

<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?neme\.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?news\.neme\.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?cyprus\.neme\.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?forum\.neme\.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?hblack\.net/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?google\.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http?://([^.]+\.)?google\.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http?://([^.]+\.)?altavista\.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?altavista\.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http?://([^.]+\.)?msn\.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?msn\.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http?://([^.]+\.)?a9\.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?a9\.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?bing\.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http?://([^.]+\.)?bing\.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?ixquick\.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http?://([^.]+\.)?ixquick\.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?yandex\.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http?://([^.]+\.)?yandex\.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?yahoo\.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http?://([^.]+\.)?yahoo\.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?excite\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http?://([^.]+\.)?excite\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?goo\.ne\.jp/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?wolframalpha\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http?://([^.]+\.)?wolframalpha\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?picsearch\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http?://([^.]+\.)?picsearch\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?duckduckgo\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http?://([^.]+\.)?duckduckgo\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?tineye\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http?://([^.]+\.)?tineye\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?archive\.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http?://([^.]+\.)?archive\.org/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?baidu\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http?://([^.]+\.)?baidu\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?ask\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http?://([^.]+\.)?ask\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?faganfinder\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http?://([^.]+\.)?faganfinder\.com/.*$ [NC]
RewriteRule .*\.(gif|jpg|png|svg)$ https://lh3.googleusercontent.com/-KDvIl3r2wdM/AAAAAAAAAAI/AAAAAAAAAAA/fZTmVSnqmxA/s120-c/photo.jpg [R,NC,L]
</ifModule>

which is also a problem… I guess.

Any advice?

philwareham · 2017-01-16 09:21:18

Another option, if you have access to the site’s DNS, you could use Cloudflare. There is a setting to prevent hot linking. Plus you get the benefits of their CDN.

Downside is a third party pipes your DNS, so you have to weigh up the pros and cons. FYI I use Cloudflare on the Textpattern docs site (although hot linking isn’t turned on).

colak · 2017-01-16 11:56:49

No Cloudflare for me:(

maniqui · 2017-01-16 13:14:30

Hi colak.
Take a look at this thread:
www.sitepoint.com/community/t/hotlink-code-prevent-images-from-display-in-email/23931/8

A solution suggested there is to serve newsletter images from a different folder where the .htaccess hotlinking rules are disabled.
This might be a bit more difficult if you plan to use the images managed by Textpattern.
In that case, I can think of two possible solutions :

in the newsletter articles, you use some “fake” URL for the images, that gets rewritten (by htaccess) to the correct one. For example: /images/newsletter/123.jpg gets rewritten (but not redirected) to /images/123.jpg. Then, you also add a RewriteCond for disabling hotlinking rules on REQUEST_URI that includes /newsletter/.
alternatively (and probably easier), you could use smd_thumbnail to create a “newsletter” thumbnail profile, which will store the automatically generated thumbnails in the /newsletter/ folder. Then, you use those images in your newsletter articles. Finally, you exclude that /newsletter/ folder from the hotlinking rules (or disable them via an .htaccess file stored on that folder).

colak · 2017-01-16 13:37:23

Hmmm… Thanks Julian, that could be a solution

What are your opinions about base64 encodings and embedding of images?

This would actually be sending the images in the email body as opposed to ‘hotlinking’ them from the site.

>Edit: not supported by most clients.

but using the cid method may do it. Only if I knew how to hack postmaster for that!

maniqui · 2017-01-16 18:56:25

Both the base64 encoding method (poorly supported) and the cid method seems a bit harder and overkilling. Not to mention that both will make the email size to grow to a few megabytes, which might bring other issues to the users (email recipients in this case).

I’d go with the solution of storing those images on a different, failsafe folder that would be not affected by anti-hotlinking rules. smd_thumbnail would make it a breeze to manage those images from within Textpattern without disrupting the current workflow nor the need to start hacking postmaster.

Textpattern CMS

Textpattern CMS support forum

#1 2017-01-16 07:38:11

htaccess: hotlinking of images

#2 2017-01-16 09:21:18

Re: htaccess: hotlinking of images

#3 2017-01-16 11:56:49

Re: htaccess: hotlinking of images

#4 2017-01-16 13:14:30

Re: htaccess: hotlinking of images

#5 2017-01-16 13:37:23

Re: htaccess: hotlinking of images

#6 2017-01-16 18:56:25

Re: htaccess: hotlinking of images

Board footer