Home / server / Questions / 95292
In Process
BlaM
Asked: 2009-12-18 04:27:47 +0800 CST

Apache 2: Is Referer from current Host

  • 772

I have an Apache 2 with mod_setenvif. My goal is to stop all hotlinking of images in my global apache.conf. Currently that's:

<FilesMatch ".(gif|jpg|jpeg|png)$">
    SetEnvIfNoCase Referer "^http://[^/]*blogger.com/" hotlink
    SetEnvIfNoCase Referer "^http://[^/]*myspace.com/" hotlink
    SetEnvIfNoCase Referer "^http://[^/]*ebay" hotlink
    ...
    deny from env=hotlink
</FilesMatch>

Works nicely so far, but I have to catch every hotlinker once and add it to my config. I would like to have a broader apprach by adding something like this:

    # Set variable "hotlink" if Referer contains "forum"
    SetEnvIfNoCase Referer "forum" hotlink

    # Unset variable if Referer is from the same Host as current request
    SetEnvIfNoCase Referer %{Host} !hotlink

The plan is to match http://evilhost.com/forum/, but not http://myhost.com/forum/.

The problem is that the latter unset does not work. Looks as if I can't use the header property "Host" as regexp pattern - at least not the way I tried to. Of course I could manually enter all possible hostnames in my config, but that's exactly what I want to avoid.

So my question is:

  • Is there a way to use a HTTP header as regexp pattern at all?
  • If not, do you know another way I could reach my goal to unset the variable "hotlink" if the referrer is from the same host?
apache-2.2

3 Answers

  1. (This started as a comment but got too long...)

    Are your images really being accessed by that many different local host names? Because on most of the sites I maintain any individual virtual host is typically associated with maybe two host names (usually something like example.com and www.example.com). Are you sure you're not trying to solve a problem that doesn't exist?

    You could possibly do what you want by using mod_rewrite instead of FilesMatch (because then you can use %{HTTP_HOST} in your match string, which means you no longer need to worry about entering all your local host names). A simple google search yields that many different local host names? Because on most of the sites I maintain any individual virtual host is typically associated with maybe two host names (usually something like example.com and www.example.com). Are you sure you're not trying to solve a problem that doesn't exist?

    You could possibly do what you want by using mod_rewrite instead of FilesMatch (because then you can use %{HTTP_HOST} in your match string, which means you no longer need to worry about entering all your local host names). A simple google search yields this site, which goes into more detail about using RewriteRule's to block hotlinking.

    • 1

  2. You can dynamically block hotlinking by doing something like:

    RewriteCond "%{HTTP_HOST}_%{HTTP_REFERER}" !\.?([^\.]+\.[^\.]+?)_https?://.*\1/.*$ [NC]
RewriteRule .(gif|jpg|jpeg|png)$ . [F,L]
    • 1

  3. Off the top of my head (e.g., I haven't really thought this through yet), why don't you just reverse your logic?

    <FilesMatch ".(gif|jpg|jpeg|png)$">
    SetEnvIfNoCase Referer "^http://[^/]evilhost.com/" localref

    Order deny,allow
    deny from all
    allow from env=localref
</FilesMatch>
    • 0