XF 1.1 Stop people hotlinking attachments?

Member 3639

Is there any way to stop people hotlinking attachments on posts?

I was given this before:

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://gamingonlinux.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://gamingonlinux.com$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.gamingonlinux.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.gamingonlinux.com$ [NC]
RewriteCond %{QUERY_STRING} attachments/.*$
RewriteRule ^.*$ http://www.gamingonlinux.com/nohotlinking.jpg? [NC,L]

Which doesn't seem to work :(
 
Try this:

Code:
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?gamingonlinux\.com [NC]
RewriteCond %{QUERY_STRING} (^|\?)attachments/
RewriteRule ^.*$ http://www.gamingonlinux.com/nohotlinking.jpg? [NC,L]
 
Turned out to be a simple problem. You added the new rules to the bottom of the .htaccess file which is too late in the execution. I had to move them up a bit:

Rich (BB code):
#	Mod_security can interfere with uploading of content such as attachments. If you
#	cannot attach files, remove the "#" from the lines below.
#<IfModule mod_security.c>
#	SecFilterEngine Off
#	SecFilterScanPOST Off
#</IfModule>

ErrorDocument 401 default
ErrorDocument 403 default
ErrorDocument 404 default
ErrorDocument 500 default

<IfModule mod_rewrite.c>
	RewriteEngine On

MOVED TO HERE

	#	If you are having problems with the rewrite rules, remove the "#" from the
	#	line that begins "RewriteBase" below. You will also have to change the path
	#	of the rewrite to reflect the path to your XenForo installation.
	#RewriteBase /xenforo

	RewriteCond %{REQUEST_FILENAME} -f [OR]
	RewriteCond %{REQUEST_FILENAME} -l [OR]
	RewriteCond %{REQUEST_FILENAME} -d
	RewriteRule ^.*$ - [NC,L]
	RewriteRule ^(data|js|styles|install) - [NC,L]
	RewriteRule ^.*$ index.php [NC,L]
</IfModule>

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?gamingonlinux\.com [NC]
RewriteCond %{QUERY_STRING} (^|\?)attachments/
RewriteRule ^.*$ http://www.gamingonlinux.com/nohotlinking.jpg? [NC,L]

It appears to work now.
 
Would this also work through subdomains? I have Better Blogs that use the multiple domains feature.

So say if my blog URL is http://ethos.8thos.com, would those rewrites also include attachments in my blog, or is that another addon we have to add?
 
Also, how do you do that without the www?

The example given works with or without the www; the question mark at the end of (www\.)? means it's optional.

You could make it work across all subdomains and protocols like:

Rich (BB code):
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^.*gamingonlinux\.com [NC]
RewriteCond %{QUERY_STRING} (^|\?)attachments/
RewriteRule ^.*$ http://www.gamingonlinux.com/nohotlinking.jpg? [NC,L]
 
I read that it's better to use a replacement image not hosted by the server.

So just replace that url with this? http://i39.tinypic.com/302pabd.jpg

Rich (BB code):
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^.*8thos\.com [NC]
RewriteCond %{QUERY_STRING} (^|\?)attachments/
RewriteRule ^.*$ http://i39.tinypic.com/302pabd.jpg? [NC,L]
 

Yeah, saves bandwidth. If that's a concern. I believe you'd need the R parameters though, like
Code:
RewriteRule ^.*$ http://i39.tinypic.com/302pabd.jpg? [R,NC,L]

Another trick is to prevent hotlinking based on the image extension, but use a local ".jpe" image, like:
Code:
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/redirectimage.jpe [NC,L]

There's always a variety of ways of doing things. Here's a detailed overview:
http://perishablepress.com/creating-the-ultimate-htaccess-anti-hotlinking-strategy/
 
This isn't working for some reason. I can still see one of my attachments in another thread on another site.

For instance, my afro should not be showing, it should be the image in that tinypic I posted.

Code:
http://data.8thos.com/data/attachment-files/2013/09/48450_image.jpg

48450_image.jpg
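
Added example (not part of any post in this thread): a Python sketch of how the three RewriteCond lines posted above evaluate for a request, assuming Apache's unanchored regex matching and the [NC] flag are mirrored by `re.search` with `re.I`. It shows that the direct file URL from the last post never satisfies the QUERY_STRING condition, and that the `^.*8thos\.com` Referer pattern also accepts a lookalike host; `STRICT`, `QUERY_URL` and the sample referers are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

LOOSE = r"^.*8thos\.com"            # Referer pattern posted in the thread
# Assumed tighter pattern (not from the thread): scheme, optional subdomains,
# then the host name must end right after "8thos.com".
STRICT = r"^https?://([a-z0-9-]+\.)*8thos\.com(:\d+)?(/|$)"
QUERY_COND = r"(^|\?)attachments/"  # QUERY_STRING pattern posted in the thread

# DIRECT_FILE is the URL from the last post; everything else is constructed.
DIRECT_FILE = "http://data.8thos.com/data/attachment-files/2013/09/48450_image.jpg"
QUERY_URL = "http://8thos.com/index.php?attachments/48450_image.jpg"
FOREIGN = "http://forum.example.org/threads/1/"
LOOKALIKE = "http://8thos.com.example.net/page"
OWN_BLOG = "http://ethos.8thos.com/blog/"


def rule_fires(url, referer, referer_pattern=LOOSE):
    """True when all three RewriteCond lines hold, so the RewriteRule
    would swap in the replacement image."""
    query = urlsplit(url).query                        # %{QUERY_STRING}
    has_referer = re.search(r"^$", referer) is None    # !^$
    foreign = re.search(referer_pattern, referer, re.I) is None  # !pattern [NC]
    wants_attachment = re.search(QUERY_COND, query) is not None
    return has_referer and foreign and wants_attachment


if __name__ == "__main__":
    cases = [
        ("direct file, foreign referer", DIRECT_FILE, FOREIGN, LOOSE),
        ("query URL, foreign referer", QUERY_URL, FOREIGN, LOOSE),
        ("query URL, empty referer", QUERY_URL, "", LOOSE),
        ("query URL, own blog referer", QUERY_URL, OWN_BLOG, LOOSE),
        ("query URL, lookalike, loose pattern", QUERY_URL, LOOKALIKE, LOOSE),
        ("query URL, lookalike, strict pattern", QUERY_URL, LOOKALIKE, STRICT),
    ]
    for label, url, referer, pattern in cases:
        print(f"{label:40} rewritten={rule_fires(url, referer, pattern)}")
```

A rule meant to cover the direct file would have to test the request path (for example `%{REQUEST_URI}`) rather than the query string, and sit in the configuration that actually serves that host.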
 