Deny referrals from all domains except one - .htaccess

Is it possible to accept traffic from only one domain, ideally using a .htaccess file?
I want my site to only be accessible via a link on another site I have.
I know how to block one referring domain, but not all domains
RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} otherdomain\.com [NC]
RewriteRule .* - [F]
this is my full rewrite code:
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !domain\.co.uk [NC]
RewriteRule .? - [F]
# The Friendly URLs part
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?q=$1 [L,QSA]
I think it is working, but none of the assets are getting loaded and I get a 500 error when I click on another link.

Make that something like:
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !yourdomain\.com [NC]
RewriteCond %{HTTP_REFERER} !alloweddomain\.com [NC]
RewriteRule .? - [F]
The first RewriteCond checks that the referrer is not empty. The second checks that it doesn't contain the string yourdomain.com, and the third that it doesn't contain the string alloweddomain.com. If all of these checks pass, the RewriteRule triggers and denies the request.
(Allowing empty referrers is generally a good idea, since browsers can generate them for various reasons, such as when:
the user has bookmarked the link,
the user entered the link manually into the address bar,
the user reloaded the page,
the browser is configured not to send cross-site referrer infromation, or
a proxy between your site and the browser strips away the referrer information.)

Related

htaccess serve page from another subdomain silently only when page is not found

My main pages are at "main.mysite.com".
Customer access site by "customer.mysite.com" which contains only a subset of the main pages.
When customer request page "customer.mysite.com/data.php", I want to check first if the file is in "customer.mysite.com" subdomain, if yes, then serve that page, if not, then serve the page at "main.mysite.com/data.php" subdomain.
I also want to keep the url at "customer.mysite.com/data.php" for the two cases.
My complete htaccess file is currently :
# This will enable the Rewrite capabilities
RewriteEngine On
RewriteBase /
# This rule will convert request urls like /category/page?id=1 to /?c=category&p=page&id=1
# Redirect to main page, which is Single Page Application and then manage to open the new tab
RewriteRule ^([A-Za-z]*)\/([A-Za-z]*)([?]?[A-Za-z0-9=&]*)$ /?c=$1&p=$2 [NC,R,QSA]
# This rule will redirect users from their original location, to the same location but using HTTPS.
# i.e. http://www.example.com/foo/ to https://www.example.com/foo/
# The leading slash is made optional so that this will work either in httpd.conf
# or .htaccess context
# First, this checks to make sure the connection is not already HTTPS
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [NC]
# This rule will serve pages from main.mysite.com when browsed with customer.mysite.com
# By removing the [R=301], it makes an internal redirect, keeping the original url in the browser
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ https://main.mysite.com/$1 [L,NC,QSA]
# Disable Directory Listing
Options -Indexes
<Files .htaccess>
order allow,deny
deny from all
</Files>
However, when I browse "customer.mysite.com/page.php", I am redirected to "main.mysite.com/page.php", which is not what I want.
First , to redirect /category/page?id=1 to /?c=category&p=page&id=1 :
RewriteCond %{QUERY_STRING} ^id=(.*)$
RewriteRule ^([A-Za-z]+)\/([A-Za-z]+)$ /?c=$1&p=$2 [NC,R=301,QSA]
change this : RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [NC]
to this RewriteRule ^(.*)$ https://%{HTTP_HOST}/$1 [L,R=301]
Because %{HTTP_HOST} it is request header including your target host
Moreover :
I f you handled error file like that , when there is no file in that target looping will happen so it is better to handle that like this :
replace this :
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ https://main.mysite.com/$1 [L,NC,QSA]
With this :
RewriteCond %{HTTP_HOST} !^(www\.)?main.mysite.com$ [NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ https://main.mysite.com/$1 [L,NC,QSA]
#then you could handle the error that not found in main by this
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ /path/to/error/page [L]
By adding the proxy flag [P] to the rule, the server makes an internal redirect, keeping the browser url unchanged. Normally, this would work by not specifying the R=301 flag, but it'S not enough when the rule is changing domain/subdomain.
What worked:
RewriteRule ^(.*)$ https://main.mysite.com/$1 [P,L,NC,QSA]
Note that the L flag is not required with P as it is added implicitely, as no other rules can be executed after that.

htaccess block domains from hotlinking images

I blocked some sites in the file but they keep comming on my server and asking for images that slow down my server how i can add a rule for them so they will see big red sign STOP HOTLINKING
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} ^http://(www\.)?somesite\.pl [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(www\.)?somesite\.pl [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(www\.)?somesite\.pl [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(www\.)?sklep.somesite\.eu [NC]
RewriteRule \.(gif|jpe?g|js|css)$ - [F,NC,L]
Mate try the below ,
Following code will only allow the mentioned domain "alloweddomain.com" and block others from hot linking
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?alloweddomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
The above code will allow "Blank Referrers"
What is Blank Referrers ?
Some visitors uses a personal firewall or antivirus program, that deletes the page referrer information sent by the web browser. Hotlink protection is based on this information. So if you choose not to allow blank referrers, you will block these users. You will also prevent people from directly accessing an image by typing in the URL in their browser.
Suppose if you don't want to allow "Blank Referrers" then use the following code mate
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?alloweddomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
Also if suppose you want to display a image like "STOP HOTLINKING" then use the below method
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?alloweddomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ mydomain.com/img/stop_hotlink.jpg [NC,R,L]
Above code will allow "Blank referrers" . To not allow, follow as mentioned in previous step again.
Note that :
In case of displaying image for "STOP HOTLINK" make sure the image is not hotlink protected or your server can go into an endless loop.
alloweddomain.com - The domain that you want to allow for hotlink
mydomain.com/img/stop_hotlink.jpg - URL for the "STOP HOTLINK" image
Update : [ Block Specific Domains ]
To stop hotlinking from specific outside domains only, such as blockurl1.com, blockurl2.com and blockurl3.com, but allow any other web site to hotlink images:
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?blockurl1\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?blockurl2\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?blockurl3\.com/ [NC]
RewriteCond %{REQUEST_URI} !blocked\.gif$ [NC]
RewriteRule .*\.(jpe?g|gif|bmp|png)$ http://example.com/blocked.gif [L]
You can add as many different domains as needed. Each RewriteCond line should end with the [NC,OR] code. NC means to ignore upper and lower case. OR means "Or Next", as in, match this domain or the next line that follows. The last domain listed omits the OR code since you want to stop matching domains after the last RewriteCond line.
The last line contains the URL "http://example.com/blocked.gif" which contains the image that will be displayed when the condition occurs.
You can display a 403 Forbidden error code instead of an image. Replace the last line of the previous examples with this line:
RewriteRule .*\.(jpe?g|gif|bmp|png)$ - [F]
Hope this helped you mate!

Implementing "friendly" URLs using .htaccess

I tried some of the other answers I could find in here, but it didn't work out. It's really simple though.
I want
/page?id=PAGENAME
to be accessible AND redirected to
/PAGENAME
Can you help me?
EDIT:
It feels like my already messed-up .htaccess file needs to be included in here. I already have basic rewriting enabled, but this feature is needed for two other "special pages". In the requested solution above, I would therefore just replace "page" with the two pagenames (it's danish names, so I thought it was easier this way).
Currently I have this. If you have any improvements to it, it's appreciated - but I just want this to work with the requested solution aswell.
# Options -Multiviews -Indexes +FollowSymLinks
RewriteEngine On
RewriteBase /
# Always on https
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
# remove trailing slash
#RewriteRule ^(.*)\/(\?.*)?$ $1$2 [R=301,L]
#301 Redirect everything .php to non php
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /([^.]+\.)+php?\ HTTP
RewriteRule (.+)\.php?$ http://MYURL.dk/$1 [R=301,L]
#Hide the .php from url
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}\.php -f
RewriteRule ^(.*)$ $1.php
#301 Redirect everything mistype after file extension -
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
#301 Redirect everything to current url -
RedirectMatch permanent /(.*).php/.* http://MYURL.dk/$1.php
RewriteCond %{REQUEST_FILENAME} -D
RewriteCond %{REQUEST_URI} !(.*)/$
RewriteRule ^(.*)$ $1/ [L]
#301 Redirect from non www to www
RewriteCond %{HTTP_HOST} ^www.MYURL.dk [NC]
RewriteRule (.*) http://MYURL.dk/$1 [R=301,L]
#301 redirect index.php to /
RewriteBase /
RewriteCond %{REQUEST_URI} index.php
RewriteRule .* http://MYURL.dk/ [R=301,L]
#Deny access to songs
RewriteCond $1 !(loadmedia)\.php
RewriteRule ^songs/(.*)$ - [L,F]
Generally the URL in address bar should be like
www.siteurl.com/pagename/ for seo purpose and then read this url from .htaccess using rule which gives this query string parameter values in your php file.
.htaccess rule can be like
RewriteRule ^(.*)/$ /page?id=$1 [QSA,L]
It looks like you are wanting to implement "friendly" (or "pretty") URLs, making the URLs more friendly for you users (search engines don't really mind what your URLs look like).
The first step is to change all your on-page links to use the new "friendly" URL. So, you links should all be of the form /pagename (not /page?id=PAGENAME).
Then, in .htaccess, you need to internally rewrite this "friendly" URL into the real URL that your server understands. This can be done using mod_rewrite. In the .htaccess file in your document root:
# Enable the rewrite engine
Options +FollowSymLinks
RewriteEngine On
# Rewrite the "friendly" URL back to the real URL
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{QUERY_STRING} !^id=
RewriteRule ^([\w-]*) /page?id=$1 [L]
If the file does not exist (!-f) and does not contain the id URL param then internally rewrite the request from /<pagename> to /page?id=<pagename>. This assumes your <pagename> consists only of the characters a-z, A-Z, 0-9, _ and -.
If this is a new site and the old URLs are not already indexed or referenced by external sites then you can stop here.
However, if you are changing an existing URL structure then you also need to externally redirect the real (ugly) URL to the "friendly" URL before the above internal rewrite. (This is actually what you are asking in your question.) In order to prevent a rewrite loop we can check against %{THE_REQUEST} (which does not change when the URL is rewritten).
# Redirect real URLs to "friendly" URLs
RewriteCond %{THE_REQUEST} \?id=([\w-]*)
RewriteRule ^page$ /%1? [R=302,L]
Change the 302 (temporary) to 301 (permanent) when you are sure this is working OK. Permanent redirects are cached by the browser so can make testing a problem.
So, in summary, with the above two parts shown together:
# Enable the rewrite engine
Options +FollowSymLinks
RewriteEngine On
# Redirect real URLs to "friendly" URLs
RewriteCond %{THE_REQUEST} \?id=([\w-]*)
RewriteRule ^page$ /%1? [R=302,L]
# Rewrite the "friendly" URL back to the real URL
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{QUERY_STRING} !^id=
RewriteRule ([\w-]*) /page?id=$1 [L]
The order of directives is important. External redirects should nearly always come before internal rewrites.
UPDATE#1:
I want /concept?id=NAME to go to /NAME and /studio?id=NAME to go to /NAME - there's 5-10 different "pages" from both concept and studio. [Corrected according to later comment]
Since id=NAME maps to /NAME you can achieve all 10-20 redirects with just a single rule:
RewriteCond %{QUERY_STRING} ^id=(NAME|foo|bar|baz|abc|def|ghi)
RewriteRule ^(concept|studio)$ /%1? [R,L]
This will redirect a URL such as /studio?id=foo to /foo.
As with all external redirects this should be one of the first rules in your .htaccess file.
Change R to R=301 when you have tested that it is working OK.
To make this more "dynamic", ie. match any "NAME" then change the CondPattern, for example:
RewriteCond %{QUERY_STRING} ^id=([\w-]*)
UPDATE#2:
If the path part of the URL (ie. concept or studio) is required then you can modify the RewriteRule substitution like so:
RewriteCond %{QUERY_STRING} ^id=([\w-]*)
RewriteRule ^(concept|studio)$ /$1/%1? [R,L]
Which will redirect /concept?id=foo to /concept/foo.
Or, to be completely "dynamic" (bearing in mind this will now capture anything):
RewriteCond %{QUERY_STRING} ^id=([\w-]*)
RewriteRule ^([\w-]+)$ /$1/%1? [R,L]

I'm using htaccess to redirect mobile users from desktop to website but i keep getting the $_GET variables inside

This question may look like its been asked already and i have seen them all, i've been looking and attempting a lot of answers AND answers that weren't approved. I have successfully made it so that if the user goes to desktop version it will go to the mobile site and even if they go to places such as.
www.domain.com/aboutus
it would take them to
m.domain.com/?page=aboutus
So here is where the problem lies, not that it doesn't work, but I've been trying to remove the $_GET variable from the redirection the "?page=" part.
my .htaccess looks something like...
<IfModule mod_rewrite.c>
RewriteEngine on
# if it is not a file or folder, rewrite to index.php?page=<value>
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?page=$1 [L,QSA]
</IfModule>
<IfModule mod_rewrite.c>
RewriteCond %{HTTP_USER_AGENT} "android|blackberry|googlebot-mobile|iemobile|ipad|iphone|ipod|opera mobile|palmos|webos" [NC]
RewriteRule ^index.php(.*)$ http://m.domain.com/ [QSA,L]
</IfModule>
I've tried adding the request filename with the redirection for mobile but to no avail. There are websites who have achieved it like 9gag by using the in built Google Chrome inspect element, google changes the user agent to devices that are selected (Mobile Phones) and I've used that to test how the redirection goes. so if i write 9gag.com/hot - it would take me to m.9gag.com/hot not m.9gag.com/?page=hot or wherever.
Thanks in advance, I've really been bothered by this.
You need to check the mobile redirect first, and you need to include the request URI.
<IfModule mod_rewrite.c>
RewriteEngine on
# Redirect mobile requests to the mobile site
# (but don't redirect when accessing certain directories)
RewriteCond %{REQUEST_URI} !^/images [NC]
RewriteCond %{HTTP_USER_AGENT} "android|blackberry|googlebot-mobile|iemobile|ipad|iphone|ipod|opera mobile|palmos|webos" [NC]
RewriteRule ^(.*)$ http://m.domain.com/$1 [R=302,L]
# If it is not a file or folder, rewrite to index.php?page=<value>
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?page=$1 [L,QSA]
</IfModule>
You can make the redirect permanent by changing 302 to 301.

Force redirect for certain files (based on referer) and trigger a 404 page otherwise

We distribute different versions of a software product through a single download link. The delivery is based on the referer in conjunction with a default value, which works fine. In addition the user should be redirected to a 404-page, in case the wrong filename was used.
At the moment the .htaccess-file looks like this:
# stop directory listing
Options -Indexes
# turn rewrite engine on
RewriteEngine On
# force 404 if file name is missing or wrong
RewriteCond %{REQUEST_URI} !^(download_mac\.zip|download_pc\.zip)$
RewriteRule (.*) 404/index.html [L]
# an example based on the referer
RewriteCond %{HTTP_REFERER} ^http://([^.]+\.)*domain-a\.com [OR]
RewriteCond %{HTTP_REFERER} ^http://([^.]+\.)*domain-b\.com
RewriteRule ^(download_mac\.zip|download_pc\.zip)$ domain_ab/$1 [L]
# last rule if no referer matches
RewriteRule ^(download_mac\.zip|download_pc\.zip)$ default/$1 [L]
So I have one issue and one additional question with this file:
The first rule, to force 404, is very greedy and gets the error page every time, no matter what URL is called. I also tried single statements like RewriteCond %{REQUEST_URI} !^download_mac\.zip$ without any effect. How can I fix this?
How can I get rid of the filenames in any other rule? I tried things like RewriteRule ^(.*)$ default/$1 [L] but it gives me a hard time and an 500 Internal Server Error.
You can avoid repeating your filenames by using an Env variable like this:
RewriteRule ^(download_mac\.zip|download_pc\.zip)$ - [E=ALLOWED:$1,NC]
RewriteCond %{ENV:ALLOWED} ^$
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ /404/index.html [L]
RewriteCond %{ENV:ALLOWED} !^$
RewriteCond %{HTTP_REFERER} ^http://([^.]+\.)*domain-a\.com [OR]
RewriteCond %{HTTP_REFERER} ^http://([^.]+\.)*domain-b\.com
RewriteRule ^ /domain_ab/%{ENV:ALLOWED} [L]
RewriteCond %{ENV:ALLOWED} !^$
RewriteRule ^ /default/%{ENV:ALLOWED} [L]
You can just move the rewrite rule to the end. The other rules handle the valid cases and if none of them matches the last rule applies
# an example based on the referer
RewriteCond %{HTTP_REFERER} ^http://([^.]+\.)*domain-[ab]\.com
RewriteRule ^download_(mac|pc)\.zip$ domain_ab/$0 [L]
# last rule if no referer matches
RewriteRule ^download_(mac|pc)\.zip$ default/$0 [L]
# force 404 if file name is missing or wrong
RewriteRule ^ 404/index.html [L]

Resources