Questions[hotlinking](server)

front-end web developer here. Sorry in advance.

My company wants to store new builds of our software on our web server, running Nginx, provided by WP Engine.

The file path for these builds would be company.com/downloads/file.zip. We want to restrict access to files in this folder unless they come from a specific referring URL that sits behind a login gate for our customers.

• If user clicks link to any file inside /downloads/ from allowed referrer, user gets file
• If user clicks link from any other source, return 404 or redirect to homepage
• If empty referrer or direct access attempt, return 404 or redirect to homepage

I've found a resource on preventing hotlinking for images (we'll be dealing with .zip files), which might work for me, but I need help with the syntax of this language. There's probably a bunch wrong with it.

location ~ /downloads/$ {
valid_referers none blocked ~.allowed_domain.com;
if ($invalid_referer) {
return 404;
}
}

WP Engine doesn't allow me to add Nginx code myself, so I'll have to send them the code I want them to implement. If anyone knows how to do this and can help me out, I'd really appreciate it!

First and foremost, please forgive me if this is in the wrong section. I always seem to pick the wrong site when it comes to computer questions.

In the air of recent, wildly viral internet events, my buddy and I have formulated an idea to run an experiment to see how the phenomenon works. However, I am unsure of how the back-end would work.

We would host a single image file (.jpg/.png/.gif) on our server. The image is not intended to be hosted on a single web page - it is assumed this image will be cross posted, shared, etc. The fact that the image file itself is hosted on our server will remain constant (we're not taking into account situations where the image is saved/archived and hosted elsewhere, and then viewed).

We would like to be able to view a log of hits that the image gets, along with the IPs of viewing PCs (to figure out the progressive geographical spread of the image).

First, is this possible? I have seen many images that say 'your IP is blah blah blah, using Safari...', and I have also seen many instances where an image will "know" when its being hosted on a site other than its home (to prevent hotlinking).

Second, how would this be accomplished? Can an analytics program track such specific hits on a simple image file?

I'm trying to write the "ultimate" anti hot linking .htaccess...

You can find many examples/tutorials/generators on the net but many of them are wrong or incomplete (or even both).

These are the features I'm looking for:

• Must block hot linking for a list of file extensions when HTTP_REFERER is an foreign site.
• Must allow hot linking for the current domain (duh) without harcoding it in the .htaccess.
  • For the current domain it must work under http and https.
  • For the current domain it must work with www and without www.
• Must be able to add exceptions domains to these rules (like our friend Google) and these domains must work under http and https and with www or without www.

This is what I've achieved so far:

<IfModule mod_rewrite.c>

Options +FollowSymlinks
RewriteEngine On

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?mydomain.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com/.*$ [NC]
RewriteRule \.(gif|jpe?g|png|zipx?)$ - [NC,F]

</IfModule>

My questions:

1. How to avoid to hardcode mydomain.com in the .htaccess? (It would be great to be able to deploy this .htaccess to all my domains without having to modify it for each of them.)
2. In my RewriteRule, gif|jpe?g|png|zipx? is equivalent to gif|jpg|jpeg|png|zip|zipx right? (Sorry still new at regular expressions.)
3. Do you see anything bad in my .htaccess that I'm unaware of?

For #1 I know it's somewhat possible. The closest I found is this snippet that removes the www from the URL without hardcoding the domain. Is there a way to use this method to my question #1?

RewriteCond %{HTTP_HOST} ^www\.(.+)
RewriteCond %{HTTPS}s/%1 ^(on(s)|offs)/(.+)
RewriteRule ^ http%2://%3%{REQUEST_URI} [L,R=301]

Update:

I'm aware of solutions that will serve a watermarked image instead of the regular one. But I'm not looking for this kind of solution. I want a universal solution (serve 403 errors) that will work for all kind of binary files (zip, exe, iso, jpg, png, gif...).

The problems I'm facing is how to prevent hotlinking from within a website. What I want to do is to block www.website.com/user/xxx from hotlinking a CSS, but allow www.website.com/user/aaa to use the CSS using .htaccess.

-Both user xxx and user aaa is using www.mywebsite.com/css.css css file, I only want to allow user aaa to be able to use it and not user xxx

What I manage to come up with so far is is putting a .htaccess in www.mywebsite.com to only allow user aaa to hotlink the css.

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.website.com/user/aaa [NC]
RewriteRule \.(css|jpg|jpeg|png|gif)$ http://website.com/donotsteal [NC,R]

When I put this into the .htaccess it blocks both www.website.com/user/xxx and www.website.com/user/aaa from hotlinking the css

What I want to do is allow only this page www.website.com/user/aaa to use the css and block anything else from hotlinking it.

First of all, I consider myself more a programmer than a servers guy. I have a website where I receive about 3,000 visits per day, which I think is a lot less than the max capacity for a dedicated server.

However, I've noticed that the connection to the website is pretty slow, e.g., to load images, to connect to it via SSH, etc.

I configured .httaccess recently to avoid hotlinking to images in my server (i.e. .jpg, .gif and .png), and I was wondering if that could be slowing down my website.

This is the configuration that I have:

# BEGIN WordPress

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://www.mysite.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.mysite.com$ [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|swf)$ http://www.google.com/ [R,NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

I found some code to do that in google, and I just copied to .htacces since I'm not an expert in apache. It works, but I don't know if that is the best way to do it.

How can I see if that is the reason why the server is slow? Are there any tools to monitor it? What would you do guys?

Thanks in advance!