PDA

View Full Version : Hotlinking with HTAccess but how to Log Hotlinker?



BartonGL
08-08-2011, 01:30 PM
Hi,

I already have a mechanism to disable Hot-linking in my .HTAccess file, but I wanted to know if anybody knew of a method to log the hot-linker details?
I appreciate that I could trawl through the sever log files, but time is limited.

Thanks for any help,

Mark.

djr33
08-08-2011, 05:11 PM
To confirm:
1. You want to stop hotlinking.
2. You want to log any (failed) attempts at hotlinking.

Is that correct?

I'm not sure if you can write a file using .htaccess, so I don't know how you'd be able to store the information. The easy solution seems to be using mod_rewrite to serve a .php file (or something similar) that logs the attempt.

If the request is valid, serve the image. (default)
If the request is hotlinking, serve a php page instead. (use htaccess like you are now, but using mod_rewrite rather than serving an error denying the file)

Now, on that PHP file you will log the information about the request. You can use a database, text files, or anything else you'd like.
You can get the referring URL, and that will tell you the domain. Or you can get the IP of the visitor and log that, although that information is relatively useless because they're are probably just an innocent visitor on whatever other site is using your files.


Finally, if you want it to behave identically as it does now, you can send an HTTP header that the file is denied or whatever you'd like.


Any serverside language can be used instead of PHP. ASP, CGI, JSP, etc.

BartonGL
08-08-2011, 06:28 PM
Hi, and thanks for the quick response...


To confirm:
1. You want to stop hotlinking.
2. You want to log any (failed) attempts at hotlinking.

Is that correct?
1. No, I still require that hot-linking is stopped.
2. Yes, log any hotlinks except from a WhiteList, e.g. facebook, yahoo etc...

I'm not sure if you can write a file using .htaccess, so I don't know how you'd be able to store the information. The easy solution seems to be using mod_rewrite to serve a .php file (or something similar) that logs the attempt.
I tried using PHP which wrote to a text file:


RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule \.(gif|png|jpeg|jpg)$ ../../watermark/watermark.php?hd=maiocv [QSA,NC]


The HTAccess code above was placed before the hot-linking code, but then the hot-linking stopped working, I suppose due to the RewriteRule?



If the request is valid, serve the image. (default)
If the request is hotlinking, serve a php page instead. (use htaccess like you are now, but using mod_rewrite rather than serving an error denying the file)

Now, on that PHP file you will log the information about the request. You can use a database, text files, or anything else you'd like.
You can get the referring URL, and that will tell you the domain. Or you can get the IP of the visitor and log that, although that information is relatively useless because they're are probably just an innocent visitor on whatever other site is using your files.

Finally, if you want it to behave identically as it does now, you can send an HTTP header that the file is denied or whatever you'd like.

Any serverside language can be used instead of PHP. ASP, CGI, JSP, etc.



## DISABLE HOTLINKING
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://([^.]+\.)?domain.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !google. [NC]
RewriteCond %{HTTP_REFERER} !search?q=cache [NC]
RewriteCond %{HTTP_REFERER} !msn. [NC]
RewriteCond %{HTTP_REFERER} !yahoo. [NC]
RewriteCond %{HTTP_REFERER} !facebook. [NC]
RewriteRule .*\.(gif|png|jpeg|jpg)$ ./images/hotlinked.jpg [L]
## DISABLE HOTLINKING end

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule \.(gif|png|jpeg|jpg)$ ./loghotlinks.php [QSA,NC]


The HTAccess code above is defined in an images directory to protect the images of certain sensitive webpages.

Thanks again,

Mark.

djr33
08-08-2011, 07:03 PM
Hi Mark,

Is the top part of the code above your original, working code?

If so, you can remove the rest of what you added and simply change the URL for the image to be served. Rather than "hotlink.jpg" (an image) use "hotlink.php".

There are two things you can do with PHP:
1. You can serve an image indirectly using the PHP script. (You will need to supply file type headers and then use readfile() to send the data to the visitor.)
2. You can refuse the request (give an error such as "not found" using HTTP headers).
3. You can serve the PHP page's output (as html, text). This will break images on all webpages that hotlink, but that shouldn't bother you.

Probably the best will be to use option 1, but that can be a little confusing. If that's what you want to do, first get everything else working then we can help you with the PHP. (Do you have PHP available on your server?)

BartonGL
08-08-2011, 07:15 PM
Hello again,

Hi Mark,

Is the top part of the code above your original, working code?
Yes, for the past couple of years, :D

If so, you can remove the rest of what you added and simply change the URL for the image to be served. Rather than "hotlink.jpg" (an image) use "hotlink.php".
OK.

There are two things you can do with PHP:
1. You can serve an image indirectly using the PHP script. (You will need to supply file type headers and then use readfile() to send the data to the visitor.)
2. You can refuse the request (give an error such as "not found" using HTTP headers).
3. You can serve the PHP page's output (as html, text). This will break images on all webpages that hotlink, but that shouldn't bother you.

Probably the best will be to use option 1, but that can be a little confusing.
I agree that Option 1 is the way to go, as it's free publicity for the website with the URL Watermark :)

If that's what you want to do, first get everything else working then we can help you with the PHP.
(Do you have PHP available on your server?)
I am a 'seasoned' PHP developer and PHP installed on the web-server.

I am also currently using an on-the-fly watermarking PHP script, which stores an MD5 version of the image file with the merged watermark, so it readfiles the image and controls the header, but this doesn't happen currently if the image is hot-linked.


Hope that helps and thanks for your help,

Mark.

djr33
08-09-2011, 12:06 AM
Does that solve everything?

Change the rewrite URL and then that PHP script will be served instead of a hotlinked image. Then all you need to do is work out what you want the PHP script do serve (such as an image), and if you're experienced with PHP that should be possible.

Do you have more questions?

BartonGL
08-09-2011, 11:07 AM
Thanks for your help. I used the watermarking code as a working basis, and adapted it to log the hot-link but also serve up the warning image.

Brilliant stuff and thanks for your help,

Mark.