.htaccess allow hotlinking of images with parameter (?something) - .htaccess

I have code in my .htaccess file to prevent hot-linking of images on my site.
What I need is to make it allow hot-linking of images it they have some parameter at the end of URL, for example:
This image should be blocked:
https://my-site.com/my-images/some-image-file-name.jpg
BUT, ALLOW hot-linking if that same image have parameter at the end, for example:
https://my-site.com/my-images/some-image-file-name.jpg?allow_hot_linking
WHY I NEED SOMETHING LIKE THIS?
For example, if image is sent inside html email, it will not be displayed, but if I could make some .htaccess rule which would allow hot-linking of images with parameter I will simply put that parameter at the end of img source tag of image while making html email and it will appear when email is opened.
This is my .htaccess code
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?my-site.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?nnn.nnn.nn.nnn [NC]
##Allow search engines
RewriteCond %{HTTP_USER_AGENT} !Googlebot-Image [NC]
.
.
.
##Allow blank referrers
RewriteCond %{HTTP_REFERER} !^$
## Redirect to hotlink image
RewriteRule ^my-images/(.*).(jpeg|jpg|bmp)$ https://my-site.com/no-hotlinking.html [NC,R,L]
## End - prevent image hotlinking

Love this solution, exactly what I was looking for to allow links from emails but not from blank referrers.
RewriteCond %{QUERY_STRING} !^ahl$ [NC]
Works a dream.

Related

htaccess rewrite url, add dir and remove query

I have two versions of images on my server, one with and one without a watermark. On my one website I want to have to non-watermarked version. On the websites that hotlink my images I want to have the ones with the watermark.
I want to rewrite the url to serve the watermarked images on those website. The url structure on my website is this:
www.example.com/wp-content/uploads/image-name.jpg?t=1512472796
and I want to change it to:
www.example.com/wp-content/uploads/wm/image-name.jpg
I am kind of stuck here, no idea to do the part that adds the wm dir to the url and removes the query:
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?example.com [NC]
RewriteCond %{QUERY_STRING} ^t=([0-9]*)$
Any help is highly appreciated.

Hotlink protection excluding a particular URL

We have tried adding the below hotlink protection inorder to save the bandwidth.
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^https://(www\.)?domain [NC]
RewriteCond %{HTTP_REFERER} !^https://(www\.)?domain.*$ [NC]
RewriteRule \.(gif|GIF|jpg|JPG|PNG|png|jpeg|JPEG|mp4|MP4|mkv|MKV|webm|WEBM|ico|ICO)$ - [F]
This is working perfectly. Now, we want to exclude hotlink protection for the URL admin/thumbs (domain.tld/admin/thumbs/image.jpg) should be excluded from the hotlink protection.
We tried adding the below code however its not working. We searched on stackoverflow and multiple forums however none were helped us.
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^https://(www\.)?domain [NC]
RewriteCond %{HTTP_REFERER} !^https://(www\.)?domain.*$ [NC]
RewriteCond %{REQUEST_URI} !/admin/thumbs$
RewriteRule \.(gif|GIF|jpg|JPG|PNG|png|jpeg|JPEG|mp4|MP4|mkv|MKV|webm|WEBM|ico|ICO)$ - [F]
Any help would be appreciated.
RewriteCond %{REQUEST_URI} !/admin/thumbs$
This creates an exception for any URL that ends with /admin/thumbs, whereas it would seem you want to create an exception for any file in the /admin/thumbs subirectory, ie. any URL that starts /admin/thumbs.
The suggestion !^admin/thumbs/? in comments is incorrect, since the REQUEST_URI server variable always starts with a slash so the condition will always be successful and the request is potentially blocked.
You should use the CondPattern !^/admin/thumbs($|/) instead to exclude requests for /admin/thumbs, /admin/thumbs/ and /admin/thumbs/<anything>, but not /admin/thumbsomething. For example:
RewriteCond %{REQUEST_URI} !^/admin/thumbs($|/)
Your existing rule can be further simplified/refined since the existing conditions that check the HTTP_REFERER are "the same", but also match too much. And the mixed case RewriteRule pattern can be flattened by using the NC (nocase) flag instead.
For example, the complete rule would become:
# Hotlink protection for images, except those in "/admin/thumbs/..."
RewriteCond %{HTTP_REFERER} !^https://(www\.)?example\.com($|/) [NC]
RewriteCond %{REQUEST_URI} !^/admin/thumbs($|/)
RewriteRule \.(gif|jpg|png|jpeg|mp4|mkv|webm|ico)$ - [NC,F]
Note that this also blocks an empty Referer header. This includes direct requests (anyone typing the URL directly into the browser's address bar) and any user that has suppressed the Referer in their browser (which some users do for increased privacy).
Alternative solution with additional .htaccess file
Alternatively, you could create an additional .htaccess in the /admin/thumbs/ subdirectory and simply disable the rewrite engine. For example:
RewriteEngine Off
This overrides and prevents the hotlink-protection directives in the parent config from being processed when anything within this subdirectory is requested.

.htaccess redirect in drupal that excludes node edit page

Currently I have the following htaccess redirect rule that detects any path that looks like
mysite.com/node/xxx and redirects it to a .php script that, in turn, finds the URL of the page and redirects the user to it (e.g. mysite.com/page/page.html)
RewriteCond %{QUERY_STRING} ^(page=(31|1))?$ [NC]
RewriteRule ^node/?$ /? [L,NC,R=301]
RewriteRule ^(../)?node/([0-9]+)$ noderedirect.php?nid=$2 [L]
What I want, however, is that also when user accesses
mysite.com/node
or
mysite.com/node?page=xxx
they get redirected to the main page
BUT
when they access
mysite.com/node/xxx/edit
the rule doesn't get activated.
I tried several options (stopping at the one above) and so far I have this, but it still enables users to access mysite.com/node?page=xxx (all the other conditions are working fine.
Can somebody help?
I just want it to go to that page, and not to do anything. but when it's /node/xxx or /node or /node?page=xxx i want it to redirect to noderedirect.php
If you want it to always go to the noderedirect, then try:
RewriteCond %{THE_REQUEST} \ /+node\?page=([0-9]+)
RewriteRule ^ /node/%1? [L,R=301]
RewriteRule ^node/?$ /noderedirect.php [L]
RewriteRUle ^node/([0-9]+)/? /noderedirect.php?nid=$1 [L]

allow image access only from specific html page

I've got different users for my website, owning different images which are all stored in the same folder. The images are stored in an incremental fashion, 1.jpg, 2.jpg etc.
User can view these pictures on a specific php page. Now I want to restrict the access to these images only through this php page so that they can't simply enumerate all the filenames to see the images of other users.
I thought of doing this with an .htaccess file which is stored besides the images in /shop/img/userimg/ and would look something like this:
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/shop/shop.php [NC]
RewriteRule .*\.(jpe?g|gif|bmp|png)$ - [F]
My site is a subsite (as you can see: /shop/) and the php page to view these images would be shop.php.
Now, is this possible at all? What am I doing wrong?
Note that the referer header is not to be trusted. Some proxies and firewall remove the header entirely, so you have to account for it not being present (that's what the 2nd line is for)
RewriteCond %{HTTP_REFERER} !/shop/shop\.php$ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteRule \.(jpe?g|gif|bmp|png)$ - [F,L]
Try adding the following to your htaccess file.
RewriteEngine On
RewriteBase /
#if the referer (page request came from) does not contain shop.php
RewriteCond %{HTTP_REFERER} !/shop/shop\.php [NC]
#and it is a request for images, then send a 403 forbidden
RewriteRule \.(jpe?g|gif|bmp|png)$ - [F,L]

Prevent hot-linking of generated thumbnails?

I have a .htaccess file that contains directives to prevent the hot-linking of static assets (images, CSS and JavaScript files). The relavant code looks like this:
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?ipwuk.com/.*$ [NC]
RewriteRule \.(gif|jpg|js|css|png)$ - [F,L]
This is great and does the job; however, I have a PHP script that automatically generates thumbnails (and doesn't contain the file extension in the URL). A sample thumbnail URL looks like this:
http://example.com/inc/image.php/4e7efde2ee8ac.jpg/610/343/fill
Or:
http://example.com/inc/image.php/[seed].[extension]/[width]/[height]/[thumb type]
How can I prevent images generated by the above script from being hot-linked (which I suspect my client is doing and as a result is eating bandwidth to the tune of over 150MB a day)?
This code denies all requests for image.php that are NOT direct or from specified website.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?ipwuk\.com/.*$ [NC]
RewriteCond %{REQUEST_URI} ^/image.php(.*)$ [NC]
RewriteRule ^(.*)$ - [F,L]
Could you not actually prevent - EDIT: discourage - it in the script that generates the thumbnail itself?
In pseudo-PHP:
if (parse_url($_SERVER['HTTP_REFERER']) != "yourSite"){
//generate thumbnail that says "don't hotlink, scum!"
}
else {
//do your normal thumbnail generation routine
}

Resources