.htaccess Hotlink Disabling Not Working Correctly - .htaccess

I have the following snippet:
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://%{SERVER_NAME}/
RewriteRule \.(js|css|png|jpg) - [R=404,L]
Simple and should work right? It seems to 404 the listed filetypes if I have referrers enabled on browser. Disabling referrers it then allows the files to be served. I have checked the value of %{SERVER_NAME} and it is www.mydomain.com I've tested this in multiple browsers and under HTTP and HTTPS, all have the same result. I used the below rewrite to check %{SERVER_NAME}'s value:
RewriteRule servername value_is_%{SERVER_NAME} [R=301,L]
The URL I get redirected to is then https://www.mydomain.com/value_is_www.mydomain.com
That being said the snippet should allow a referrer with that value or an empty one. But why is it being triggered? It's been driving me nuts for the past 2 hours, but it's 5am so I could be just crazy =o\ Thank you in advance, and I'm off to bed!

Problem is, you cannot use variables in conditional patterns (well, at least not until Apache 2.4) as the patterns are being precompiled during server startup.
For your particular problem, though, there's a simple workaround that you may use to mimic the condition:
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{SERVER_NAME}%{HTTP_REFERER} !^(.*)https?://\1/
RewriteRule \.(js|css|png|jpg) - [R=404,L]
Yep, that's all. You cannot use variables but sure can use back-references.
Oh ... and btw. Apache 2.4 does ship with expressions that may be used instead of the conditional patterns:
RewriteCond expr "! %{HTTP_REFERER} -strmatch '*://%{HTTP_HOST}/*'"

Related

Hotlink protection excluding a particular URL

We have tried adding the below hotlink protection inorder to save the bandwidth.
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^https://(www\.)?domain [NC]
RewriteCond %{HTTP_REFERER} !^https://(www\.)?domain.*$ [NC]
RewriteRule \.(gif|GIF|jpg|JPG|PNG|png|jpeg|JPEG|mp4|MP4|mkv|MKV|webm|WEBM|ico|ICO)$ - [F]
This is working perfectly. Now, we want to exclude hotlink protection for the URL admin/thumbs (domain.tld/admin/thumbs/image.jpg) should be excluded from the hotlink protection.
We tried adding the below code however its not working. We searched on stackoverflow and multiple forums however none were helped us.
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^https://(www\.)?domain [NC]
RewriteCond %{HTTP_REFERER} !^https://(www\.)?domain.*$ [NC]
RewriteCond %{REQUEST_URI} !/admin/thumbs$
RewriteRule \.(gif|GIF|jpg|JPG|PNG|png|jpeg|JPEG|mp4|MP4|mkv|MKV|webm|WEBM|ico|ICO)$ - [F]
Any help would be appreciated.
RewriteCond %{REQUEST_URI} !/admin/thumbs$
This creates an exception for any URL that ends with /admin/thumbs, whereas it would seem you want to create an exception for any file in the /admin/thumbs subirectory, ie. any URL that starts /admin/thumbs.
The suggestion !^admin/thumbs/? in comments is incorrect, since the REQUEST_URI server variable always starts with a slash so the condition will always be successful and the request is potentially blocked.
You should use the CondPattern !^/admin/thumbs($|/) instead to exclude requests for /admin/thumbs, /admin/thumbs/ and /admin/thumbs/<anything>, but not /admin/thumbsomething. For example:
RewriteCond %{REQUEST_URI} !^/admin/thumbs($|/)
Your existing rule can be further simplified/refined since the existing conditions that check the HTTP_REFERER are "the same", but also match too much. And the mixed case RewriteRule pattern can be flattened by using the NC (nocase) flag instead.
For example, the complete rule would become:
# Hotlink protection for images, except those in "/admin/thumbs/..."
RewriteCond %{HTTP_REFERER} !^https://(www\.)?example\.com($|/) [NC]
RewriteCond %{REQUEST_URI} !^/admin/thumbs($|/)
RewriteRule \.(gif|jpg|png|jpeg|mp4|mkv|webm|ico)$ - [NC,F]
Note that this also blocks an empty Referer header. This includes direct requests (anyone typing the URL directly into the browser's address bar) and any user that has suppressed the Referer in their browser (which some users do for increased privacy).
Alternative solution with additional .htaccess file
Alternatively, you could create an additional .htaccess in the /admin/thumbs/ subdirectory and simply disable the rewrite engine. For example:
RewriteEngine Off
This overrides and prevents the hotlink-protection directives in the parent config from being processed when anything within this subdirectory is requested.

htaccess codes did not work

This is EXACTLY the same case as: (htaccess) How to prevent a file from DIRECT URL ACCESS?
But, no one of codes provided by answers work for me. I tried 1 by 1, then tried to combine, but still not works. Here is my code:
# prevent direct image url access
# ----------
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)://(www\.)?example\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)://(www\.)?example\.com.*$ [NC]
# this not works
RewriteRule \.(png|gif|jpe?g)$ - [F]
# and this
RewriteRule \.(png|gif|jpe?g)$ - [F,NC]
# and this
RewriteRule \.(png|gif|jpe?g)$ https://example.com/wp-login.php [NC,R,L]
# even by combining them
# ----------
# /prevent direct image url access
The case simulation:
index.php has <img src="test.png" alt=""> and should be normally accessible. The requirement is: http://example.com/test.png shouldn't be accessible.
I use WordPress in wp-engine, and i think WordPres's default rewrite doesn't cause the problem since the code from answers are placed above WordPress rewrite.
UPDATE
I use PHP Version 5.5.9-1ubuntu4.14 on Apache 2 on wp engine
Your rules basically work for me, except for one thing:
The (s) is not doing what you think it does.
RewriteCond %{HTTP_REFERER} !^http(s)://(www\.)?example\.com [NC]
With parentheses you define a group, which doesn't make any sense at this point. If you remove the (s), it works for http.
If you want to use https too you have to write it like this:
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com [NC]
The ? will make the preceding character (or group, if in parentheses) optional.

.htaccess - The variable %{HTTP_USER_AGENT} is not supported

I am currently working on an AngularJS project, and for SEO I decided to use an automatic crawler.
The only thing is that they ask to add those few lines to the .htaccess, resulting in a 500 Internal Server Error on my server...
<ifmodule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} .*googlebot.* [OR][NC]
RewriteCond %{HTTP_USER_AGENT} .*bingbot.* [NC]
RewriteRule .* http://crawlr.wombit.se/Crawler/htmlsnapshot?url=$1 [P]
</ifmodule>
I tested those lines against my website and the answer is:
This variable is not supported: %{HTTP_USER_AGENT}
I already checked a bunch of topics to see if I could find a solution, but I didn't find anything working for my case...
PS: I also tried to remove all the other rules, but I am sure that those 2 rewriteCond are throwing the error.
Update - server configuration
Apache version 2.2.26
PHP version 5.4.26
MySQL version 5.1.73-cll
Not sure why you're getting that error, %{HTTP_USER_AGENT} is a valid apache 2.* mod_rewrite variable. The problem that I see is that your flags are messed up.
[OR][NC]
needs to be
[OR,NC]
Also, you're backreferencing using $1, but you've not created a grouping in your pattern, so $1 will simply be blank, so you probably want to replace $1 with %{REQUEST_URI} or create a grouping in your pattern by changing it to (.*).

Multiple Conditions in .htaccess

I'm trying to redirect images on my server to a url, if the user client is NOT A BOT.
So far I have:
RewriteCond %{HTTP_USER_AGENT} "Windows" [NC]
RewriteCond %{REQUEST_URI} jpg
RewriteRule ^(.*)$ http://www.myurl.com/$1 [R=301,L]
But something is wrong. Is it possible to combine these 2 conditions?
Your idea is admirable, but the logic is flawed based on real world bot behavior.
I deal with security on sites all the time & User Agent strings are faked all the time. If have an option to install it, I would recommend using a tool like Mod Security. It’s basically an Apache module firewall that uses configurable rulesets to deny bad patterns of access behavior. But honestly, if you are having issues with .htaccess stuff like this Mod Security might be too intense to understand.
A better tact is to just prevent hot-linking via mod_rewrite tricks like this.
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC]
RewriteRule \.(gif|jpg)$ http://www.mydomain.com/angryman.gif [R,L]
Then again, reading your question I am not 100% sure what you want to achieve? Maybe mod_rewrite stuff like this can give you hints on how to approach the issue? Good luck!

how to achieve subdomain url rewrite using modrewrite

I want to redirect website user to www.mywebsite/users.php?user=xyz when the user types http://xyz.mywebsite.com into the address bar where http://xyz.mywebsite.com is virtual and doesnt exist.
I am a beginner and doesnt know much about url rewriting. Tried to search google and stack overflow but didnt got the solution.
I started with this
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_HOST} ^([^.]+).mobilehealthnig.com$
RewriteRule (.*) http://www.mywebsite.com/users.php?subdomain=%1
</IfModule>
also tried this but none of these are working for me
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www.mywebsite.com
RewriteCond %{HTTP_HOST} ([^.]+).mywebsite.com
RewriteRule ^(.*)$ /users.php?subdoamin=%1
Ok, based on your additional input I suggest this setup:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_HOST} ^(.+)\.mywebsite\.com$
RewriteRule (.*) http://www.mywebsite.com/users.php?subdomain=%1 [L]
</IfModule>
If that does not work (I take that from your comment), you have to check where the actual problem is:
does rewriting work at all?
does this rule do anything atall? what?
is that rule ignored? why?
What absolutely makes most sense in such cases is to turn on rewrite logging to see and understand what is actually happening inside the rewrite engine. Please take a look at the two commands RewriteLog and RewriteLogLevel inside the manual mentioned. Enable a log level of maybe 7 and look what is logged when you make a single request. It should give you an idea of where to look for the cause of the problem.

Resources