Hotlinking protection custom code – not working

Hi. It’s not quite resolved yet as I’ve not had chance to experiment further with your above suggestions, but here’s a quick progress update:

I have left the Server_Addr commented out for the past week or so and have not observed any problems in the front end or backend, and hotlinking protection is working as required (i.e. allowing hotlinking from the whitelisted sites but blocking from anywhere else). This makes me think that the server_addr line is not required for my particular configuration.

Having given some thought to this over the past few days, it is important to point out that the problem I have with the server_addr line is that it seems to open up the hotlinking protection whitelist to every website. Hence nothing gets blocked with this line in place as every request is whitelisted. With the line commented out, only the specified sites are whitelisted as expected.

So why would this line lead to every request being whitelisted and all hotlinks being allowed? I’m not sure, but this was why I mentioned the difference between server_addr and remote_addr. If server_addr is as you explained above “the IP address of the server under which the current script is executing”, then is the script the htaccess file and hence is this no always running on my server, irrespective of where the request came from? Could this explain why this line seems to whitelist everything?

I haven’t played around with adding the various other server addresses to my whitelist yet because, as stated above, it is not a problem with allowing legitimate requests through. The problem is that the server_addr line seems to whitelist everything, hence I don’t think adding more of these lines will help. It’s not like some of my legitimate requests are getting accidentally blocked.

Maybe I need to completely remove my actual server_addr and only have the CloudFlare or X-forwarded addresses instead? But as I say, there doesn’t seem to be anything legitimate that is getting blocked without these lines of code, so its not exactly clear what exactly I am trying to allow through!

Cheers for all your help and suggestions, and any further ideas will eb gratefully received.

James 🙂

Good to hear it’s not just me then! 🙂

Thanks for your efforts with this, hope you have more success coming to a solution than I have!

James

Ok, that makes sense, I’ll give it a whirl. So here’s what I now have in my custom code:

# The main domain\.tld for the website
SetEnvIfNoCase Referer "^http://(www\.)?mywebsite\.com.*" whitelist
SetEnvIfNoCase Referer "^http://(www\.)?mywebsite\.co.uk.*" whitelist

# Allow empty referrers
# SetEnvIf Referer "^$" whitelist

# List of any another domains that should be able to access the files
SetEnvIfNoCase Referer "^http://(www\.)?friendswesbite\.com.*"  whitelist
SetEnvIfNoCase Referer "^http://(www\.)?friendswesbite\.net.*"  whitelist
SetEnvIfNoCase Referer "^http://(www\.)?friendswesbite\.co.uk.*"  whitelist

# Allow search engines to access images
SetEnvIfNoCase Referer "^(http|https)://.*google.*" whitelist
SetEnvIfNoCase Referer "^(http|https)://.*yahoo.*" whitelist
SetEnvIfNoCase Referer "^(http|https)://.*bing.*" whitelist

# Specify image file types to protect from hotlinking
<FilesMatch "\.(gif|jpg|jpeg|png|bmp)$">
Order Allow,Deny
Allow from env=whitelist
Allow from XXX.XXX.XXX.XXX
</FilesMatch>

Yep, that’s why that line is commented out (isn’t it?). It’s useful sometimes to allow direct access to images; I thought I might need to use it in the future for testing etc, so have left it in commented out so that it’s easy to re-add later if and when I need to. Save me having to find the right syntax again!

Right, done some testing and everything seems to be working correctly using the above code! Hotlinking is allowed from ‘mywebsite’ and ‘friendswebsites’ but blocked from elsewhere.

For testing whether hotlinking protection is working on a website, I’ve found the following tool very useful (but remember to ckear your browser cache before testing!):
http://coldlink.com/htm/tool.htm

Thanks for all your help getting to the bottom of this one 🙂