Hotlinking and .htaccess files - a better way, but how?

jayp

Joined: 2005-10-24
Posts: 49

Posted: Mon, 2006-05-08 19:54

Hello all. I have questions on hotlinking protection and .htaccess files used in gallery. I know what I want to do, but am unable to get it to work in gallery.

I want to implement hotlinking protection into Gallery's .htacess file in the method done by A List Apart in their excellent article on the subject.

The .htaccess code for their solution looks like the following.

Quote:

#prevent hotlinking
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} .*jpg$|.*jpeg$|.*gif$|.*png$|.*bmp$ [NC]
RewriteCond %{HTTP_REFERER} !ocellated\.com [NC]
RewriteCond %{HTTP_REFERER} !google\. [NC]
RewriteCond %{HTTP_REFERER} !search\?q=cache [NC]
RewriteRule (.*) /showpic.php?pic=$1

What is does is display the image if it's called from your site. If it's not called from your site, it redirects to the .php page shopic.php including the path to the image. That page displays the image, but within an html page. (This page can look however you want. I simply put a credit to my sight below the picture, but you could wrap the picture in a full blown site design). The code also allows for excepts if Google is accessing the site.

The magic is that if someone trys to hotlink your image, the image won't show up because the browser is expecting an image to be returned but instead of text/html file is returned. Thus hotlinking is avoided.

Well, I wanted this to work with Gallery. But I simply cannot get it to. Here's what I'm using now in Gallery's .htaccess file for hotlinking protection.

Quote:

<IfModule mod_rewrite.c>
RewriteEngine On

RewriteBase /gallery/

RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d [OR]
RewriteCond %{REQUEST_FILENAME} gallery\_remote2\.php
RewriteCond %{REQUEST_FILENAME} !main\.php
RewriteRule . - [L]

RewriteCond %{QUERY_STRING} view=core.DownloadItem
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !ocellated\.com/ [NC]
RewriteCond %{HTTP_REFERER} !google\. [NC]
RewriteCond %{HTTP_REFERER} !search\?q=cache [NC]
RewriteRule . /gallery/main.php? [F,L]

RewriteCond %{THE_REQUEST} \ /gallery/admin/(\?.|\ .)
RewriteCond %{REQUEST_FILENAME} !main\.php
RewriteRule . /gallery/main.php?g2_view=core.SiteAdmin [QSA,L]

RewriteCond %{THE_REQUEST} \ /gallery/v/(\?.|\ .)
RewriteCond %{REQUEST_FILENAME} !main\.php
RewriteRule . /gallery/main.php?g2_view=core.ShowItem [QSA,L]

RewriteCond %{THE_REQUEST} \ /gallery/d/([0-9]+)-([0-9]+)/([^\/]+)(\?.|\ .)
RewriteCond %{REQUEST_FILENAME} !main\.php
RewriteRule . /gallery/main.php?g2_view=core.DownloadItem&g2_itemId=%1&g2_serialNumber=%2 [QSA,L]

RewriteCond %{THE_REQUEST} \ /gallery/v/([^?]+)(\?.|\ .)
RewriteCond %{REQUEST_FILENAME} !main\.php
RewriteRule . /gallery/main.php?g2_view=core.ShowItem&g2_path=%1 [QSA,L]

</IfModule>

One things that appears to be causing great difficulty is Gallery's rewriting the url to serve individual images. This line:

Quote:

RewriteCond %{THE_REQUEST} \ /gallery/d/([0-9]+)-([0-9]+)/([^\/]+)(\?.|\ .)

I'm not sure if there's a way to reconcile that with the above approach.

The other thing that I particularly dislike about Gallery's solution to hotlinking... I would like to allow people to link to the image itself. I don't have a problem with someone providing a text link. It's stealing the image by embedding it that I don't want.

The soluton from ALA is really a slick one. If anyone knows how to integrate this into Gallery's .htacces, I would be very appreciate. I tried lots of things. None of them worked.

Furthermore, I think it would be great if Gallery could incorporate it into it's core package so that this is the way images are protected when a user chooses to block hotlinking.

Thanks.

Login or register to post comments

mindless

Joined: 2004-01-04
Posts: 8598

Posted: Tue, 2006-05-09 02:52

i didn't read thru this in detail.. how does it differ from hotlink protection that G2 URL rewrite module already offers?

Login or register to post comments

jayp

Joined: 2005-10-24
Posts: 49

Posted: Tue, 2006-05-09 04:34

Here's a link to a non gallery image, using the hotlinking solution from AListApart. Because the referrer comes from gallery.menalto.com, the image is served inside of a page with a line identifying where the image comes from. (This works as a hotlinking solution because while the browser expects an image, it's served a text/html page instead and thus doesn't show your image hotlinked in someone else's page.)

Here's a link to a gallery image, using it's hotlinking solution. Because the referrer is from these forums and not from my site, no image is served and a 404 error is thrown instead. (This is what Gallery writes into .htaccess file when a user asks to protect against hotlinking. I modified it slightly, see the code above in my original post).

I'd really like it if the second link (the picture within gallery) was displayed like the first link. Hotlinking is prevented, but linking directly to a picture is allowed.

Login or register to post comments

Lapinoo

Joined: 2004-05-08
Posts: 363

Posted: Tue, 2006-05-09 16:46

Interesting...

My main problem was people embedding my pictures in their site... I don't know if anybody provided a link to one of my pictures. Anyway, in this case, they can also use the URL of my Gallery's page. It will also be displayed, but in a nice way.

Login or register to post comments

mindless

Joined: 2004-01-04
Posts: 8598

Posted: Tue, 2006-05-09 22:20

Nice, thanks for the clear example. Would you like to work on a patch to the URL rewrite module to offer this type of hotlink protection?

Login or register to post comments

jayp

Joined: 2005-10-24
Posts: 49

Posted: Thu, 2006-05-11 17:05

Mindless,

I would love to be able to help. But that's the problem. I'm just good enough to be truly dangerous. I'm not a real coder. I like to tinker with things and would be unable to work on a patch. (And despite having a personal interest, being a full time grad student prevents me from getting much better).

Also, I wrote because I can't get my solution to work with Gallery's .htaccess file. If the image is called with a virtual path, I haven't been able to get my solution and Gallery's rewrite rules to play nice together.

So for example, if an image is called like so, domain.com/gallery/d/123-1/name.jpg, Gallery's .htaccess file has to rewrite this url to serve a real file. And I can't implement that with AListAparts solution above.

If however that same file is called with a real path, like domain.com/g2/data/albums/name.jpg (whatever the real path is) then the solution above works.

So in order for it work, someone needs to reconile AListApart's solution and Gallery's virtual paths directly to images. And I wish I could do it, but I spent three or four hours trying with no success.

Login or register to post comments

mindless

Joined: 2004-01-04
Posts: 8598

Posted: Thu, 2006-05-11 22:44

New rule now in svn.. give it a try!

Login or register to post comments

jayp

Joined: 2005-10-24
Posts: 49

Posted: Mon, 2006-05-15 04:15

Mindless, I'm embarrassed to ask... Can you point in the right direction on trying svn. I know it's the code repository used to manage Gallery, but I've got no experience using it. Also, would it be possible to simply post your solution here, so that everyone could see how you got the two rewrite rules to work with each other?

Sorry, but everybody's a n00b sometime.

Login or register to post comments

mindless

Joined: 2004-01-04
Posts: 8598

Posted: Mon, 2006-05-15 14:43

Here are the changes I made:
http://svn.sourceforge.net/viewcvs.cgi/gallery?rev=13643&view=rev

For SVN info, just click "downloads" above and look for Subversion.

Login or register to post comments

jayp Joined: 2005-10-24 Posts: 49	Posted: Mon, 2006-05-08 19:54
	Hello all. I have questions on hotlinking protection and .htaccess files used in gallery. I know what I want to do, but am unable to get it to work in gallery. I want to implement hotlinking protection into Gallery's .htacess file in the method done by A List Apart in their excellent article on the subject. The .htaccess code for their solution looks like the following. Quote: #prevent hotlinking RewriteEngine On RewriteCond %{REQUEST_FILENAME} .jpg$\|.jpeg$\|.gif$\|.png$\|.bmp$ [NC] RewriteCond %{HTTP_REFERER} !ocellated\.com [NC] RewriteCond %{HTTP_REFERER} !google\. [NC] RewriteCond %{HTTP_REFERER} !search\?q=cache [NC] RewriteRule (.) /showpic.php?pic=$1 What is does is display the image if it's called from your site. If it's not called from your site, it redirects to the .php page shopic.php including the path to the image. That page displays the image, but within an html page. (This page can look however you want. I simply put a credit to my sight below the picture, but you could wrap the picture in a full blown site design). The code also allows for excepts if Google is accessing the site. The magic is that if someone trys to hotlink your image, the image won't show up because the browser is expecting an image to be returned but instead of text/html file is returned. Thus hotlinking is avoided. Well, I wanted this to work with Gallery. But I simply cannot get it to. Here's what I'm using now in Gallery's .htaccess file for hotlinking protection. Quote: <IfModule mod_rewrite.c> RewriteEngine On RewriteBase /gallery/ RewriteCond %{REQUEST_FILENAME} -f [OR] RewriteCond %{REQUEST_FILENAME} -d [OR] RewriteCond %{REQUEST_FILENAME} gallery\_remote2\.php RewriteCond %{REQUEST_FILENAME} !main\.php RewriteRule . - [L] RewriteCond %{QUERY_STRING} view=core.DownloadItem RewriteCond %{HTTP_REFERER} !^$ RewriteCond %{HTTP_REFERER} !ocellated\.com/ [NC] RewriteCond %{HTTP_REFERER} !google\. [NC] RewriteCond %{HTTP_REFERER} !search\?q=cache [NC] RewriteRule . /gallery/main.php? [F,L] RewriteCond %{THE_REQUEST} \ /gallery/admin/(\?.\|\ .) RewriteCond %{REQUEST_FILENAME} !main\.php RewriteRule . /gallery/main.php?g2_view=core.SiteAdmin [QSA,L] RewriteCond %{THE_REQUEST} \ /gallery/v/(\?.\|\ .) RewriteCond %{REQUEST_FILENAME} !main\.php RewriteRule . /gallery/main.php?g2_view=core.ShowItem [QSA,L] RewriteCond %{THE_REQUEST} \ /gallery/d/([0-9]+)-([0-9]+)/([^\/]+)(\?.\|\ .) RewriteCond %{REQUEST_FILENAME} !main\.php RewriteRule . /gallery/main.php?g2_view=core.DownloadItem&g2_itemId=%1&g2_serialNumber=%2 [QSA,L] RewriteCond %{THE_REQUEST} \ /gallery/v/([^?]+)(\?.\|\ .) RewriteCond %{REQUEST_FILENAME} !main\.php RewriteRule . /gallery/main.php?g2_view=core.ShowItem&g2_path=%1 [QSA,L] </IfModule> One things that appears to be causing great difficulty is Gallery's rewriting the url to serve individual images. This line: Quote: RewriteCond %{THE_REQUEST} \ /gallery/d/([0-9]+)-([0-9]+)/([^\/]+)(\?.\|\ .) I'm not sure if there's a way to reconcile that with the above approach. The other thing that I particularly dislike about Gallery's solution to hotlinking... I would like to allow people to link to the image itself. I don't have a problem with someone providing a text link. It's stealing the image by embedding it that I don't want. The soluton from ALA is really a slick one. If anyone knows how to integrate this into Gallery's .htacces, I would be very appreciate. I tried lots of things. None of them worked. Furthermore, I think it would be great if Gallery could incorporate it into it's core package so that this is the way images are protected when a user chooses to block hotlinking. Thanks.
	Login or register to post comments XUser login Username: * Password: * Create new account Request new password
mindless Joined: 2004-01-04 Posts: 8598	Posted: Tue, 2006-05-09 02:52
	i didn't read thru this in detail.. how does it differ from hotlink protection that G2 URL rewrite module already offers?
	Login or register to post comments
jayp Joined: 2005-10-24 Posts: 49	Posted: Tue, 2006-05-09 04:34
	Here's a link to a non gallery image, using the hotlinking solution from AListApart. Because the referrer comes from gallery.menalto.com, the image is served inside of a page with a line identifying where the image comes from. (This works as a hotlinking solution because while the browser expects an image, it's served a text/html page instead and thus doesn't show your image hotlinked in someone else's page.) Here's a link to a gallery image, using it's hotlinking solution. Because the referrer is from these forums and not from my site, no image is served and a 404 error is thrown instead. (This is what Gallery writes into .htaccess file when a user asks to protect against hotlinking. I modified it slightly, see the code above in my original post). I'd really like it if the second link (the picture within gallery) was displayed like the first link. Hotlinking is prevented, but linking directly to a picture is allowed.
	Login or register to post comments
Lapinoo Joined: 2004-05-08 Posts: 363	Posted: Tue, 2006-05-09 16:46
	Interesting... My main problem was people embedding my pictures in their site... I don't know if anybody provided a link to one of my pictures. Anyway, in this case, they can also use the URL of my Gallery's page. It will also be displayed, but in a nice way.
	Login or register to post comments
mindless Joined: 2004-01-04 Posts: 8598	Posted: Tue, 2006-05-09 22:20
	Nice, thanks for the clear example. Would you like to work on a patch to the URL rewrite module to offer this type of hotlink protection?
	Login or register to post comments
jayp Joined: 2005-10-24 Posts: 49	Posted: Thu, 2006-05-11 17:05
	Mindless, I would love to be able to help. But that's the problem. I'm just good enough to be truly dangerous. I'm not a real coder. I like to tinker with things and would be unable to work on a patch. (And despite having a personal interest, being a full time grad student prevents me from getting much better). Also, I wrote because I can't get my solution to work with Gallery's .htaccess file. If the image is called with a virtual path, I haven't been able to get my solution and Gallery's rewrite rules to play nice together. So for example, if an image is called like so, domain.com/gallery/d/123-1/name.jpg, Gallery's .htaccess file has to rewrite this url to serve a real file. And I can't implement that with AListAparts solution above. If however that same file is called with a real path, like domain.com/g2/data/albums/name.jpg (whatever the real path is) then the solution above works. So in order for it work, someone needs to reconile AListApart's solution and Gallery's virtual paths directly to images. And I wish I could do it, but I spent three or four hours trying with no success.
	Login or register to post comments
mindless Joined: 2004-01-04 Posts: 8598	Posted: Thu, 2006-05-11 22:44
	New rule now in svn.. give it a try!
	Login or register to post comments
jayp Joined: 2005-10-24 Posts: 49	Posted: Mon, 2006-05-15 04:15
	Mindless, I'm embarrassed to ask... Can you point in the right direction on trying svn. I know it's the code repository used to manage Gallery, but I've got no experience using it. Also, would it be possible to simply post your solution here, so that everyone could see how you got the two rewrite rules to work with each other? Sorry, but everybody's a n00b sometime.
	Login or register to post comments
mindless Joined: 2004-01-04 Posts: 8598	Posted: Mon, 2006-05-15 14:43
	Here are the changes I made: http://svn.sourceforge.net/viewcvs.cgi/gallery?rev=13643&view=rev For SVN info, just click "downloads" above and look for Subversion.
	Login or register to post comments

Hotlinking and .htaccess files - a better way, but how?

XUser login