# Cannot block referer in httpd.conf or .htaccess



## ghostcorps (Oct 15, 2010)

Hi Guys

 Firstly, I am clearly not too savvy with rewrite rules, and am learning lot with this project. Currently, we are trying to block hot-linking and direct links to .png and .flv files on our website, with little success.

 I am using the rules below in the httpd.conf, rather than using a .htaccess file. But, even with a .htaccess I can still download the files using the direct URL and can even embed the files on another website.


/usr/local/etc/apache/httpd.conf

```
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>

<Directory "/usr/local/www/data">

## This Configuration works 100%, though it may have unnecessary rules.
    Options Indexes FollowSymLinks MultiViews

    AllowOverride None

    Order allow,deny
    Allow from all

    DirectoryIndex index.php index.html index.htm
    ServerSignature Off
    AddType video/x-flv .flv
    AddType application/x-shockwave-flash .swf
    AddType image/x-icon .ico
    AddDefaultCharset UTF-8
    DefaultLanguage en-US
    SetEnv TZ Australia/Melbourne
    SetEnv SERVER_ADMIN ghostcorps at mail.com

# HEADERS and CACHING
##############################################
#### CACHING ####
##### YEAR
    <FilesMatch "\.(flv|gif|jpg|jpeg|png|ico)$">
        Header set Cache-Control "max-age=2592000"
    </FilesMatch>
##### WEEK
    <FilesMatch "\.(js|css|pdf|swf)$">
        Header set Cache-Control "max-age=604800"
    </FilesMatch>
##### 10 minutes
    <FilesMatch "\.(html|htm|txt)$">
        Header set Cache-Control "max-age=600"
    </FilesMatch>
#### DONT CACHE
    <FilesMatch "\.(pl|php|cgi|spl|scgi|fcgi)$">
        Header unset Cache-Control
    </FilesMatch>

## URL rewriting rules work 100%
     RewriteEngine On
     RewriteBase /
     RewriteRule ^index\.php$ - [L]
     RewriteCond %{REQUEST_FILENAME} !-f
     RewriteCond %{REQUEST_FILENAME} !-d
     RewriteRule . /index.php [L]

## Hotlink blocking rules work %0
     RewriteCond %{HTTP_REFERER} !^$
     RewriteCond %{HTTP_REFERER} !^http://(.+\.)?website\.com\.au/ [NC]
     RewriteRule .*\.(png|flv)$ website.com.au [R,NC]

</Directory>
```

 Having spoken to a few people and looked all over the net these rules 'should' work. Have I done something dumb/wrong?


Thanks


----------



## Alt (Oct 15, 2010)

I guess you should replace this
	
	



```
RewriteCond %{HTTP_REFERER} !^$
```
 with this
	
	



```
RewriteCond %{HTTP_REFERER} !^$  [OR]
```
Note this may lead to problems with search engines etc


Also, note that 
	
	



```
#### DONT CACHE
    <FilesMatch "\.(pl|php|cgi|spl|scgi|fcgi)$">
        Header unset Cache-Control
    </FilesMatch>
```
do not disables cache, just gives browser freedom to choice itself=)


----------



## ghostcorps (Oct 18, 2010)

Thanks alt

It looked like it worked, but now all pngs and flvs are blocked on the site itself!? 

What could I be doing wrong here? I know blocking referers isn't much protection but it will be just one method in a list of tricks (if we get it working)



Regards


----------



## ghostcorps (Oct 18, 2010)

I have a feeling that the webserver is sending a different referer header to what it should be, hence the site itself is being blocked as though it is hotlinking.

Is this possible?


----------



## ghostcorps (Oct 18, 2010)

I have decided to use the SetEnvIf variable instead.

No matter what I did with the rewrite rules I always managed to block the material on the site itself. The solution below does not work in Chrome, but I feel that would be the case with the rewrite rules anyway. Besides, it's better than nothing. 


```
SetEnvIfNoCase Referer "^https?://(www\.)?website\.com/" local_ref=1
<FilesMatch "\.(flv|gif|png|jpe?g)$">
   order allow,deny
   allow from env=local_ref
</FilesMatch>
```


Thanks for your help. I will check back here for the next week to see if there are any better suggestions


----------

