Newbie htaccess Tutorial
"What is that .htaccess thing?"
.htaccess is an ASCII text file used to override your Apache web server's configuration and has many weird, wonky and wonderful uses! This tutorial focuses on preventing thieves from hotlinking your images and those "chat-room" folks who like to pretend they are your favourite model by posting the url to one of your images.
note: when creating your .htaccess file, it must be saved with no file type extension! If your text editor won't allow you to save a file without an extension, most FTP clients will let you remove it after you've uploaded it to your server.
"Where do you put that thing?"
Wherever it's needed! You can have a single .htaccess file protecting your entire domain or a single directory (eg. images/), or have many .htaccess files, each protecting a different directory. Sometimes simple is better: using a single .htaccess file to protect your image directory will help you avoid problems managing/changing multiple files across your domains. I normally use a single .htaccess file in my document root directory and sometimes put niche-specific .htaccess files in some sub-directories.
"Show me that thing!"
AuthUserFile /dev/null
AuthGroupFile /dev/null
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://www.newbie.com/.*$ [NC]
ReWriteRule .*\.jpg$ http://www.hotlinker-hell.com [R,L]
"What do those things do?"
AuthUserFile /dev/null
AuthGroupFile /dev/null
No passwords are required for individual users or groups of users
RewriteEngine On
Have to turn it on, before it will work....... :)
RewriteCond %{HTTP_REFERER} !^http://www.newbie.com/.*$ [NC]
If the referring url "HTTP_REFERER" does not start with your domain "http://www.newbie.com/", then this conditional statement is true and the next "RewriteRule" encountered will be executed. Since Unix is case sensitive, the [NC] flag makes the statement case insensitive. The ".*$" at the end will match any string, allowing access from any location on your domain.
ReWriteRule .*\.jpg$ http://www.hotlinker-hell.com [R,L]
If the preceding Rewrite condition was true, and the request was for any url .* ending with .jpg we'll send them to the hotlinker-hell url. This is accomplished with the [R,L] flag. R forces a redirect of the url, while L says this is the last rule, don't bother checking any more.
Since Unix is case sensitive, you should modify the RewriteRule to handle upper-case extensions if you use them, and you might want to include protection for gif files.
ReWriteRule .*\.(jpg|JPG|gif|GIF)$ http://www.hotlinker-hell.com [R,L]
Would protect images ending in ".jpg", or, "JPG", or "gif", or "GIF"
If you use mixed-case in your image file names, the following rule could be used to protect strings ending in "JPG","JPg","JpG","Jpg"......,or, "GIF","GIf","GiF","Gif"......
RewriteRule .*[Jj][Pp][Gg]$|.*[Gg][Ii][Ff]$ http://www.hotlinker-hell.com [R,L]
"Show me a bigger thing!"
It's a good idea to include error document handlers in your .htaccess files and additional Rewrite conditions to handle most variations of your domains.
AuthUserFile /dev/null
AuthGroupFile /dev/null
RewriteEngine On
ErrorDocument 400 http://www.newbie.com/special.htm
ErrorDocument 403 http://www.newbie.com/special.htm
ErrorDocument 404 http://www.newbie.com/special.htm
ErrorDocument 500 http://www.newbie.com/special.htm
ErrorDocument 501 http://www.newbie.com/special.htm
ErrorDocument 503 http://www.newbie.com/special.htm
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://www.newbie.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.newbie.com:80/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://newbie.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://newbie.com:80/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://123.456.78.90/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://123.456.78.90:80/.*$ [NC]
ReWriteRule .*\.(jpg|gif)$ http://www.hotlinker-hell.com/ [R,L]
note: there is an implied AND between each of the RewriteCond statements above.
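The condition chain above, modelled in Python as an added example (not part of the original tutorial) so you can check which requests the rule would redirect before deploying it. The evaluate() helper and the sample requests are constructed for illustration; Python's re module stands in for Apache's regex engine, which treats these patterns the same way.

```python
import re

# Negated RewriteCond patterns from the block above, as (pattern, has_NC_flag).
NEGATED_CONDS = [
    (r"^$", False),
    (r"^http://www.newbie.com/.*$", True),
    (r"^http://www.newbie.com:80/.*$", True),
    (r"^http://newbie.com/.*$", True),
    (r"^http://newbie.com:80/.*$", True),
    (r"^http://123.456.78.90/.*$", True),
    (r"^http://123.456.78.90:80/.*$", True),
]
RULE_PATTERN = r".*\.(jpg|gif)$"  # RewriteRule has no [NC], so case-sensitive
REDIRECT_TO = "http://www.hotlinker-hell.com/"


def evaluate(path, referer):
    """Return the redirect target, or None when the request is served as-is."""
    # mod_rewrite tests the RewriteRule pattern first, then its conditions.
    if not re.search(RULE_PATTERN, path):
        return None
    for pattern, nocase in NEGATED_CONDS:
        # "!pattern" is false as soon as the pattern matches; with the implied
        # AND between conditions, one false condition stops the rule.
        if re.search(pattern, referer, re.IGNORECASE if nocase else 0):
            return None
    return REDIRECT_TO


# Constructed sample requests: (path, Referer header; "" means none was sent).
SAMPLES = [
    ("images/pic.jpg", "http://www.newbie.com/gallery.html"),
    ("images/pic.jpg", ""),
    ("images/pic.jpg", "http://WWW.Newbie.COM/a.html"),
    ("images/pic.jpg", "http://forum.example/thread"),
    ("index.html", "http://forum.example/thread"),
    ("images/pic.jpg", "https://www.newbie.com/gallery.html"),
    ("images/PIC.JPG", "http://forum.example/thread"),
]


def run_samples():
    """Evaluate every constructed sample and return (path, referer, result)."""
    return [(p, r, evaluate(p, r)) for p, r in SAMPLES]


if __name__ == "__main__":
    for path, referer, result in run_samples():
        print(f"{path:16} {referer or '(none)':40} -> {result or 'served'}")
```

The last two samples are the ones to watch: a Referer from your own pages served over https:// is not covered by any of the http:// conditions and gets redirected, and a request for an upper-case .JPG file does not match the case-sensitive RewriteRule pattern and is served.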
"Some handy variations of ReWritecond..."
RewriteCond %{HTTP_USER_AGENT} ^WebReaper.*$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider.*$
RewriteRule /* - [F]
If you notice strange browsers (HTTP_USER_AGENT) in your server logs, they could be site grabbers or offline browsers. The two ReWriteCond's above check whether the browser looks like "WebReaper" OR "JOC Web Spider" and send back a 403 [Forbidden] response. When testing WebReaper and JOC, this code causes the applications to stop before they download any html or images. The applications preserve the original url they requested, and they would have to click it to visit your site. You could redirect these applications to another url; however, when testing JOC it wouldn't allow itself to be redirected. It appeared to try re-requesting the original url; perhaps it uses an internal failure count. It did obey the 403 response! There are many of these offline browsers available, so check your logs occasionally for them. As an alternative to explicitly coding each one, and using the fact that they shouldn't pass anything in the HTTP_REFERER variable, the following should protect your images from them:
note: this could have an effect on friendly search engine spiders!
RewriteCond %{HTTP_REFERER} ^$
ReWriteRule .*\.(jpg|gif)$ - [F]
"Some other handy things...."
RewriteCond %{HTTP_REFERER} ^http://www.nastydomains.com/.*$ [NC]
ReWriteRule .* http://www.nasty-domain-hell.com/ [R,L]
The above rule could be used to send anyone coming from a particularly nasty domain, with a request for anything (.* = a string (eg. url) of any length), to your special place.
RewriteCond %{HTTP_REFERER} !^http://www.newbie.com/.*$ [NC]
RewriteRule .*page1\.html$ http://www.newbie.com/index.html [R,L]
If someone was deep-linking into a specific page on your domain, "page1.html", the above rule could be used to redirect them to your index page.
You can create ReWriteCond statements that use almost any of your server's environmental variables including: cookies, DNS, IP's. Check the Apache document links on the left, if you need something special. :)
"I want them to hotlink me...."
If a search engine caches your page, the surfer clicking on your link won't see any of your images or banners. This is a scenario where you might want the search engine to be able to hotlink at least your banners so the surfer would only see it.
billy