Hotlink Protection with Apache mod_rewrite and .htaccess

So you have people linking to files on your site and it’s eating up all your bandwidth. You want it to stop but you’re not sure how. If you’re using Apache for your web server, you can use .htaccess to block the file requests from remote servers and put an end to your bandwidth theft.

I’m writing this article because I’m a victim of people placing links to my images on their sites without my permission, slowly eating away at the bandwidth I’m paying for, not them. If you’re reading this, it’s likely that the same thing is happening to you and you’re sick of it. With that said, let’s get started.

I’m assuming that you’re using Apache and have root access to your server, because you’ll need to check whether mod_rewrite is enabled. If you happen to be in a hosted environment, log in to your control panel and check its documentation for managing .htaccess files. Some control panels, like cPanel, already have built-in modules designed to handle hotlink protection. If you have a dedicated server, log in through SSH, or locally if you have that ability.

1. Check to see if the mod_rewrite module is enabled in the Apache httpd.conf file.

nano /etc/httpd/conf/httpd.conf

Look for the “Dynamic Shared Object (DSO) Support” section and make sure you have the following line.

LoadModule rewrite_module modules/mod_rewrite.so

If it is commented out with a # before LoadModule, delete the # and save the change. Restart Apache with

service httpd restart

or

/etc/init.d/httpd restart

for the change to take effect. If mod_rewrite is completely missing from your Apache config, then you may want to take a look at this article on how to configure Apache.

2. Create a .htaccess file in your website’s html root directory, or in a subdirectory where you want to disable hotlinking. For this example, I only want to disable hotlinking to all image types (gif, jpeg, png, and bmp bitmaps) and have Apache return an HTTP 403 Forbidden error to the leech site. You can block any file type you want, such as PDFs, MP3s, etc. You could also serve up an error image to the leech saying something to the effect of “This image was hotlinked from www.yourdomain.com.”

touch .htaccess
nano .htaccess

3. Add this code to your .htaccess file, make the appropriate changes like changing yourdomain.com to your actual domain name, and finally save the .htaccess file.

<IfModule mod_rewrite.c>
RewriteEngine On
# Skip the rule when no Referer header was sent (direct visits, privacy settings)
RewriteCond %{HTTP_REFERER} !^$
# Skip the rule when the referrer is yourdomain.com or one of its subdomains.
# The host is anchored (a port, a path, or the end of the value must follow) so
# that a referrer that merely contains "yourdomain.com" somewhere is not let through.
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?yourdomain\.com(:[0-9]+)?(/|$) [NC]
# Any other request for an image gets a 403 Forbidden
RewriteRule .*\.(jpe?g|gif|bmp|png)$ - [NC,F]
</IfModule>

The matching is done with regular expressions, so you’ll need to know those before you can handle complex cases. In short, the first RewriteCond skips requests that carry no referrer at all, the second skips referrers that are your own domain with or without a subdomain (case insensitive, [NC]), and the RewriteRule then answers any request for a jpeg, jpg, gif, bmp, or png file (case insensitive, [NC]) with a 403 Forbidden ([F]) instead of rewriting it.
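To check a referrer pattern offline before putting it in .htaccess, here is an added Python example (not from the article or its sources) that mirrors the two RewriteCond lines and the [F] RewriteRule against constructed sample requests. It compares the article’s pattern as written with a tightened one of my own (http or https, host anchored) so you can see which referrers each one treats as your own site.

```python
import re

# Same extension list as the RewriteRule, case-insensitive like its [NC] flag.
PROTECTED_FILE = re.compile(r".*\.(jpe?g|gif|bmp|png)$", re.IGNORECASE)

# The article's referrer pattern exactly as written (with [NC]).
ARTICLE_REFERER = re.compile(r"^http://(.+\.)?yourdomain\.com", re.IGNORECASE)

# Tightened pattern (my assumption, not the article's line): http or https, the
# host part may not contain "/", and the domain must be followed by a port,
# a path, or the end of the value.
STRICT_REFERER = re.compile(
    r"^https?://([^/]+\.)?yourdomain\.com(:[0-9]+)?(/|$)", re.IGNORECASE
)

def article_pattern_allows(referer):
    """True when the article's pattern would treat this referrer as your own site."""
    return ARTICLE_REFERER.match(referer) is not None

def hotlink_decision(path, referer, own_site=STRICT_REFERER):
    """Mirror the two RewriteCond lines and the [F] RewriteRule; 'forbid' means 403."""
    if not PROTECTED_FILE.match(path):
        return "allow"   # the rule only covers the listed image types
    if referer == "":
        return "allow"   # RewriteCond %{HTTP_REFERER} !^$ is false, rule skipped
    if own_site.match(referer):
        return "allow"   # second RewriteCond is false, rule skipped
    return "forbid"      # both conditions hold, [F] sends 403 Forbidden

# Constructed sample requests (not from the article): (path, Referer, expected).
SAMPLES = [
    ("/img/logo.PNG", "", "allow"),
    ("/img/logo.png", "http://yourdomain.com/page.html", "allow"),
    ("/img/logo.png", "https://WWW.YourDomain.com/", "allow"),
    ("/img/logo.png", "http://yourdomain.com:8080/gallery", "allow"),
    ("/img/logo.png", "http://forum.example.net/thread/1", "forbid"),
    ("/img/logo.png", "http://yourdomain.com.example.net/", "forbid"),
    ("/img/logo.png", "http://example.net/x.yourdomain.com/", "forbid"),
    ("/docs/a.pdf", "http://forum.example.net/", "allow"),
]

def run_samples():
    """Return (path, referer, expected, got) for every sample."""
    return [(p, r, e, hotlink_decision(p, r)) for p, r, e in SAMPLES]

if __name__ == "__main__":
    for path, ref, expected, got in run_samples():
        flag = "ok " if got == expected else "BAD"
        print(f"{flag} {got:6s} {path} <- {ref or '<no Referer>'}")
```

Run it with your real domain substituted and add your own referrers to SAMPLES; the article’s pattern accepts the last two “forbid” referrers and rejects your own https pages, which is why the tightened one anchors the host.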

By issuing a 403 Forbidden, no image content is sent back to the leech site, so your bandwidth is no longer bled dry by hotlinking. As I mentioned earlier, you can send back an error image in place of the requested image, but you’ll need to change the RewriteRule line to something like this.

RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/sorry.jpe [NC,L]

Take note of the returned image file name. We send back a JPEG variant (.jpe) because we’re blocking the other image types. If you send back a file type that you’re blocking, you’ll likely get a 500 Internal Server Error like I did when I first set up hotlink protection. The reason is that the rewritten request for the error image is run through the same rules again: it matches the blocked extensions, is rewritten to itself, and Apache gives up once its internal redirect limit is reached. I opted for the 403 Forbidden approach for my sites instead.

Sources:
http://altlab.com/htaccess_tutorial.html
http://www.dagondesign.com/articles/hotlink-protection-with-htaccess/
