
XF 1.1 Stop people hotlinking attachments?

#1
Is there any way to stop people hotlinking attachments on posts?

I was given this before;

Code:
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://gamingonlinux.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://gamingonlinux.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.gamingonlinux.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.gamingonlinux.com$ [NC]
RewriteCond %{QUERY_STRING} attachments/.*$
RewriteRule ^.*$ http://www.gamingonlinux.com/nohotlinking.jpg? [NC,L]
Which doesn't seem to work :(
 

Jake Bunce

XenForo moderator
Staff member
#2
Try this:

Code:
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?gamingonlinux\.com [NC]
RewriteCond %{QUERY_STRING} (^|\?)attachments/
RewriteRule ^.*$ http://www.gamingonlinux.com/nohotlinking.jpg? [NC,L]
 

Jake Bunce

XenForo moderator
Staff member
#9
So I can put everything in context, and test and debug everything myself. Might be conflicting rules, lack of server support, other htaccess files overriding your rules, etc.
 

Jake Bunce

XenForo moderator
Staff member
#11
Turned out to be a simple problem. You added the new rules to the bottom of the .htaccess file which is too late in the execution. I had to move them up a bit:

Code:
#	Mod_security can interfere with uploading of content such as attachments. If you
#	cannot attach files, remove the "#" from the lines below.
#<IfModule mod_security.c>
#	SecFilterEngine Off
#	SecFilterScanPOST Off
#</IfModule>

ErrorDocument 401 default
ErrorDocument 403 default
ErrorDocument 404 default
ErrorDocument 500 default

<IfModule mod_rewrite.c>
	RewriteEngine On

MOVED TO HERE

	#	If you are having problems with the rewrite rules, remove the "#" from the
	#	line that begins "RewriteBase" below. You will also have to change the path
	#	of the rewrite to reflect the path to your XenForo installation.
	#RewriteBase /xenforo

	RewriteCond %{REQUEST_FILENAME} -f [OR]
	RewriteCond %{REQUEST_FILENAME} -l [OR]
	RewriteCond %{REQUEST_FILENAME} -d
	RewriteRule ^.*$ - [NC,L]
	RewriteRule ^(data|js|styles|install) - [NC,L]
	RewriteRule ^.*$ index.php [NC,L]
</IfModule>

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?gamingonlinux\.com [NC]
RewriteCond %{QUERY_STRING} (^|\?)attachments/
RewriteRule ^.*$ http://www.gamingonlinux.com/nohotlinking.jpg? [NC,L]
It appears to work now.
 

DRE

Well-known member
#13
Would this also work through subdomains? I have Better Blogs that use the multiple domains feature.

So say my blog URL is http://ethos.8thos.com, would those rewrites also include attachments in my blog, or is that another addon we have to add?
 

Mick West

Well-known member
#15
Also, how do you do that without the www?
The example given works with or without the www; the question mark at the end of (www\.)? means it's optional.

You could make it work across all subdomains and protocols like:

Code:
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^.*gamingonlinux\.com [NC]
RewriteCond %{QUERY_STRING} (^|\?)attachments/
RewriteRule ^.*$ http://www.gamingonlinux.com/nohotlinking.jpg? [NC,L]
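
Added example, not part of any post in this thread: a small Python check of which Referer values each posted RewriteCond pattern lets through, useful for testing a hotlink rule before deploying it. The `ANCHORED` pattern, the sample Referer values (example.net stands for a third-party site) and the function names are assumptions introduced for the illustration.

```python
import re

# Referer patterns as posted in the thread. The RewriteCond uses "!pattern",
# so a request is redirected only when its Referer does NOT match.
THREAD_PATTERNS = {
    "post #2": r"^http://(www\.)?gamingonlinux\.com",
    "post #15": r"^.*gamingonlinux\.com",
}
# Assumption (not from the thread): scheme, optional subdomains, then the
# host name must end at a port, a slash, or the end of the string.
ANCHORED = r"^https?://([a-z0-9-]+\.)*gamingonlinux\.com(:\d+)?(/|$)"

# Constructed sample Referer values.
SAMPLES = [
    "",  # no Referer header sent
    "http://www.gamingonlinux.com/forum/threads/1/",
    "https://gamingonlinux.com/",
    "http://blog.gamingonlinux.com/post",
    "http://example.net/page",
    "http://gamingonlinux.com.example.net/page",
    "http://example.net/?from=gamingonlinux.com",
]

def is_redirected(referer: str, pattern: str) -> bool:
    """Mirror the two RewriteCond lines: Referer non-empty AND not matching."""
    if referer == "":  # RewriteCond %{HTTP_REFERER} !^$
        return False
    # [NC] means case-insensitive; an unanchored pattern may match anywhere.
    return re.search(pattern, referer, re.IGNORECASE) is None

def served(pattern: str) -> list[str]:
    """Sample Referers for which the attachment is still served."""
    return [r for r in SAMPLES if not is_redirected(r, pattern)]

if __name__ == "__main__":
    for name, pat in {**THREAD_PATTERNS, "anchored": ANCHORED}.items():
        print(name)
        for r in SAMPLES:
            verdict = "redirect" if is_redirected(r, pat) else "serve   "
            print("   ", verdict, repr(r))
```

The pattern from post #2 still serves a third-party host whose name merely begins with the domain, because nothing anchors the end of the host name, and the pattern from post #15 serves any Referer that contains the domain string anywhere in the URL.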
 

DRE

Well-known member
#17
I read that it's better to use a replacement image not hosted by the server.

So just replace that url with this? http://i39.tinypic.com/302pabd.jpg

Code:
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^.*8thos\.com [NC]
RewriteCond %{QUERY_STRING} (^|\?)attachments/
RewriteRule ^.*$ http://i39.tinypic.com/302pabd.jpg? [NC,L]
 

Mick West

Well-known member
#18
Yeah, saves bandwidth. If that's a concern. I believe you'd need the R parameter though, like
Code:
RewriteRule ^.*$ http://i39.tinypic.com/302pabd.jpg? [R,NC,L]
Another trick is to prevent hotlinking based on the image extension, but use a local ".jpe" image, like:
Code:
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/redirectimage.jpe [NC,L]
There's always a variety of ways of doing things. Here's a detailed overview:
http://perishablepress.com/creating-the-ultimate-htaccess-anti-hotlinking-strategy/
 

DRE

Well-known member
#20
This isn't working for some reason. I can still see one of my attachments in another thread on another site.

For instance, my afro should not be showing, it should be the image in that tinypic I posted.

Code:
http://data.8thos.com/data/attachment-files/2013/09/48450_image.jpg