1

I have an Apache 2 with mod_setenvif. My goal is to stop all hotlinking of images in my global apache.conf. Currently that's:

    <FilesMatch "\.(gif|jpg|jpeg|png)$">
        SetEnvIfNoCase Referer "^http://[^/]*blogger\.com/" hotlink
        SetEnvIfNoCase Referer "^http://[^/]*myspace\.com/" hotlink
        SetEnvIfNoCase Referer "^http://[^/]*ebay" hotlink
        ...
        # Refuse image requests whose Referer matched one of the patterns above
        deny from env=hotlink
    </FilesMatch>

Works nicely so far, but I have to catch every hotlinker once and add it to my config. I would like to have a broader approach by adding something like this:

    # Set variable "hotlink" if Referer contains "forum"
    SetEnvIfNoCase Referer "forum" hotlink

    # Unset variable if Referer is from the same Host as current request
    SetEnvIfNoCase Referer %{Host} !hotlink

The plan is to match http://evilhost.com/forum/, but not http://myhost.com/forum/.

The problem is that the latter unset does not work. Looks as if I can't use the header property "Host" as a regexp pattern - at least not the way I tried to. Of course I could manually enter all possible hostnames in my config, but that's exactly what I want to avoid.

So my question is:

  • Is there a way to use an HTTP header as a regexp pattern at all?
  • If not, do you know another way I could reach my goal to unset the variable "hotlink" if the referrer is from the same host?
BlaM

3 Answers

1

You can dynamically block hotlinking by doing something like:

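    # Forbid image requests whose Referer does not contain the requested host's domain
    RewriteEngine On
    RewriteCond "%{HTTP_HOST}_%{HTTP_REFERER}" !\.?([^\.]+\.[^\.]+?)_https?://.*\1/.*$ [NC]
    RewriteRule \.(gif|jpg|jpeg|png)$ - [F,L]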
user32627
1

(This started as a comment but got too long...)

Are your images really being accessed by that many different local host names? Because on most of the sites I maintain any individual virtual host is typically associated with maybe two host names (usually something like example.com and www.example.com). Are you sure you're not trying to solve a problem that doesn't exist?

You could possibly do what you want by using mod_rewrite instead of FilesMatch (because then you can use %{HTTP_HOST} in your match string, which means you no longer need to worry about entering all your local host names). A simple Google search yields this site, which goes into more detail about using RewriteRules to block hotlinking.

larsks
0

Off the top of my head (i.e., I haven't really thought this through yet), why don't you just reverse your logic?

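    <FilesMatch "\.(gif|jpg|jpeg|png)$">
        # Flag requests whose Referer matches the pattern
        SetEnvIfNoCase Referer "^http://[^/]*evilhost\.com/" localref

        # Deny by default, allow only flagged requests
        Order deny,allow
        deny from all
        allow from env=localref
    </FilesMatch>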
larsks
  • ... because I don't know if I'm on localhost? As mentioned in my question: I don't want to add all possible local hostnames manually. I just want to allow all pages that have the current (image's) hostname in the referer. – BlaM Dec 19 '09 at 12:51
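
One way to get the comparison asked for in the question and in the comment above (serve the image only when the Referer's host is the Host of the current request), as an added example that is not taken from any of the posts. It assumes mod_rewrite is loaded and that requests carrying no Referer at all should still be served; the `@@` separator is an arbitrary choice.

```apache
# Added example. Assumptions: mod_rewrite is available, empty Referers are allowed.
<IfModule mod_rewrite.c>
    RewriteEngine On

    # 1. Leave requests without a Referer alone (typed URLs, bookmarks,
    #    clients or proxies that strip the header).
    RewriteCond %{HTTP_REFERER} !^$

    # 2. Join both headers into one test string, "Host@@Referer". The regex
    #    backreference \1 then requires the host part of the Referer to be
    #    the Host header of this very request. The leading "^" and the "/"
    #    after \1 anchor the comparison, so a Referer host that only contains
    #    or starts with the local name does not pass.
    RewriteCond %{HTTP_HOST}@@%{HTTP_REFERER} !^([^@]*)@@https?://\1/ [NC]

    # 3. Both conditions held: a Referer is present and names another host.
    #    Answer 403 Forbidden for image files.
    RewriteRule \.(gif|jpg|jpeg|png)$ - [NC,F]
</IfModule>
```

The match is exact, so example.com and www.example.com count as different hosts. mod_rewrite directives in the main server config are not inherited by virtual hosts by default, so the block has to go into each virtual host or be inherited with `RewriteOptions`.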