Code:
SetEnvIf Request_URI "\.gif$" object_is_image=gif
SetEnvIf Request_URI "\.jpg$" object_is_image=jpg
SetEnvIf Request_URI "\.xbm$" object_is_image=xbm
SetEnvIf Referer www\.mydomain\.com intra_site_referral
SetEnvIf object_is_image xbm XBIT_PROCESSING=1
SetEnvIf ^TS* ^[a-z].* HAVE_TS
The first three will set the environment variable object_is_image if the request was for an image file, and the fourth sets intra_site_referral if the referring page was somewhere on the http://www.mydomain.com Web site.
The last example will set the environment variable HAVE_TS if the request contains any header whose name begins with "TS" and whose value begins with any character in the set [a-z].
Do not log requests for images in the access log
Code:
SetEnvIf Request_URI \.gif image-request
SetEnvIf Request_URI \.jpg image-request
SetEnvIf Request_URI \.png image-request
CustomLog logs/access_log common env=!image-request
Prevent Image Theft/hotlinking
Code:
# Place in the directory that holds the images, since Deny from all covers every file in scope
SetEnvIf Referer "^http://www\.example\.com/" local_referal
# Allow browsers that do not send Referer info
SetEnvIf Referer "^$" local_referal
Order Deny,Allow
Deny from all
Allow from env=local_referal
Missing Host: Header Fields
Code:
# Option 1: mod_setenvif with Allow/Deny
SetEnvIf Host "^$" no_host=1
Order Allow,Deny
Allow from all
Deny from env=no_host
# Option 2: mod_rewrite (use instead of option 1)
RewriteEngine On
RewriteCond "%{HTTP_HOST}" "^$"
RewriteRule ".*" - [F,L]
All modern browsers automatically include this field, so only custom-written or very old clients are likely to encounter this issue.
Either option sends a 403 Forbidden status to any request without the Host header.
Prevent requesting partial downloads
Code:
# Option 1: mod_setenvif with Allow/Deny
SetEnvIf "Range" "." partial_req
Order Allow,Deny
Allow from all
Deny from env=partial_req
# Option 2: mod_rewrite (use instead of option 1)
RewriteEngine On
RewriteCond "%{HTTP:RANGE}" "."
RewriteRule ".*" - [F,L]
The SetEnvIf line sets the partial_req variable if the request includes a Range header field. If the variable is set, the Deny directive causes the request to be answered with a 403 Forbidden status.
Example:
Code:
# Flag clients whose IP address starts with 82. or 199.
SetEnvIf Remote_Addr ^82\. banned
SetEnvIf Remote_Addr ^199\. banned
<Files *>
Order Deny,Allow
Deny from env=banned
</Files>
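If you use a custom 403 page, then you'll need to allow these guys to get it. Example:
Code:
# Flag clients whose IP address starts with 82. or 199.
SetEnvIf Remote_Addr ^82\. banned
SetEnvIf Remote_Addr ^199\. banned
# Request_URI starts with "/", so match on the end of the path
SetEnvIf Request_URI /forbidden\.html$ allowed
<Files *>
Order Deny,Allow
Deny from env=banned
# With Order Deny,Allow a matching Allow overrides the Deny
Allow from env=allowed
</Files>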
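The Host, Range and banned-address rules above, written for Apache 2.4, where Order/Allow/Deny are deprecated in favour of Require. This is an added example, not part of the original post; the variable names are the ones used above, and the directory path is a placeholder.

```apache
# Added example for Apache 2.4+ (mod_setenvif + mod_authz_core).
# Flag the conditions with SetEnvIf, as in the blocks above.
SetEnvIf Host        "^$"                no_host
SetEnvIf Range       "."                 partial_req
SetEnvIf Remote_Addr "^82\."             banned
SetEnvIf Remote_Addr "^199\."            banned
SetEnvIf Request_URI "/forbidden\.html$" allowed

# "/var/www/html" is a placeholder; use your own document root.
<Directory "/var/www/html">
    <RequireAny>
        # The custom 403 page stays reachable for everyone.
        Require env allowed
        # Everything else is granted unless one of the flags is set.
        <RequireAll>
            Require all granted
            Require not env no_host
            Require not env partial_req
            Require not env banned
        </RequireAll>
    </RequireAny>
</Directory>
```

A negated Require can only fail a request, never grant it, which is why the three "Require not env" lines sit in a RequireAll next to "Require all granted".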
These are the attributes SetEnvIf can test:
SetEnvIf Referer - the website having the link
SetEnvIf Remote_Host - the hostname of the client making the request
SetEnvIf Remote_Addr - the IP address of the client making the request
SetEnvIf Remote_User - the authenticated username (if available)
SetEnvIf Request_Method - the name of the method being used (GET, POST, et cetera)
SetEnvIf Request_URI - the portion of the URL following the scheme and host portion
http://httpd.apache.org/docs/1.3/mod/mod_setenvif.html