httpd-users mailing list archives

From stuff <st...@colony.net>
Subject [users@httpd] hijacking images, mod_rewrite, etc... (longish)
Date Fri, 06 Dec 2002 21:42:29 GMT
RH Linux 7.2
Apache 1.3.2x

Hello,

Last month I posted about people hijacking images from my server and  
got a lot of nice replies.

I was away so only now have gotten to try to implement the suggestions.  
Unfortunately they don't seem to be working for me, or I am not doing  
something correctly. How I tested this was to create a file on another  
server and call the images explicitly from my main server. All the  
images loaded fine with one exception. That was if I called the image  
using another domain mapped on top of the main domain but not included  
in any of the exclusions.

I tried creating an .htaccess file in the to be protected directory  
styled as:

	RewriteEngine on
	RewriteCond %{HTTP_REFERER} !^$
	RewriteCond %{HTTP_REFERER} !^http://bear.net/.*$ [NC]
	RewriteCond %{HTTP_REFERER} !^http://www.bear.net/.*$ [NC]
	RewriteCond %{HTTP_REFERER} !^http://chat.bear.net/.*$ [NC]
	RewriteRule .*\.(gif|GIF|jpg|JPG|jpeg|JPEG|zip|ZIP|png|PNG|swf|SWF)$ - [F]

where the domains listed are 'valid' domains to serve the images.


I also tried, separately, adding the following to my server config file  
within a directory container pointing specifically to the directory I  
wanted protected.

SetEnvIfNoCase Referer "^bear\.net/" local_ref=1
SetEnvIfNoCase Referer "^bearchat\.net/" local_ref=1
SetEnvIfNoCase Referer "^http://bearlicious\.net/" local_ref=1
	<FilesMatch "\.(gif|jpg)">
		Order Allow,Deny
		Allow from env=local_ref
	</FilesMatch>


and I have also tried placing a <directory> directive in the virtual  
server config file and placing the following in an .htaccess file in  
the directory containing:

in config file:
	<Directory /var/www/www.bear.net/chat/emoticons/>
	SetEnvIfNoCase Referer "^http://bear\.net/" local_ref=1
	SetEnvIfNoCase Referer "^http://bear\.net/" local_ref=1
	SetEnvIfNoCase Referer "^http://www\.bear\.net/" local_ref=1
	SetEnvIfNoCase Referer "^http://bearchat\.net/" local_ref=1
	SetEnvIfNoCase Referer "^http://www\.bearchat\.net/" local_ref=1
	SetEnvIfNoCase Referer "^http://bearlicious\.net/" local_ref=1
	SetEnvIfNoCase Referer "^http://www\.bearlicious\.net/" local_ref=1
	</Directory>

and...
	<Directory /var/www/www.bear.net/DigiChat/DigiClasses/Resources/BearChat/emoticons/>
	SetEnvIfNoCase Referer "^http://bear\.net/" local_ref=1
	SetEnvIfNoCase Referer "^http://bear\.net/" local_ref=1
	SetEnvIfNoCase Referer "^http://www\.bear\.net/" local_ref=1
	SetEnvIfNoCase Referer "^http://bearchat\.net/" local_ref=1
	SetEnvIfNoCase Referer "^http://www\.bearchat\.net/" local_ref=1
	SetEnvIfNoCase Referer "^http://bearlicious\.net/" local_ref=1
	SetEnvIfNoCase Referer "^http://www\.bearlicious\.net/" local_ref=1
	</Directory>

in .htaccess:
	<FilesMatch "\.(gif|jpg)">
		Order Allow,Deny
		Allow from env=local_ref
	</FilesMatch>

As I understand how the above works, first I am limiting the check to a  
specific directory, then the SetEnvIfNoCase is setting an environment  
variable of "local_ref" to a value of 1 *if* the referer matches (case  
insensitive) one of the listed domains.

Then, in the .htaccess file, the <filesmatch> only comes into play if  
the file extension is either .gif or .jpg. If so, then it processes the  
allows, which in this case should be the allowed domain name? (is it  
just a logical yes/no?) and per the "Order" of Allow, Deny, anything  
that is not specifically allowed is denied.

So it should work.

The reason for 2 <directory> containers is that the 'real' path is in  
the second one, and the first one is a symlink using '/emoticons' to  
the full path.

The only thing that I could see happening is that with the setup using  
the <directory> and the .htaccess on pages where the images are called  
using the symlink the images will not load on any domain on that  
machine - including the domains listed with the 'SetEnvIfNoCase', but  
images do load when using the longer, 'real' path.

Also, even when the images would not load when viewing a real page on  
the actual server, they would load when called from a test page  
created on another server of mine.

And the last test (current configuration) is that I removed the changes from  
the virtual domain config and only have an .htaccess file with the  
following:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://208.146.240.248/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://bear.net/.*$     [NC]
RewriteCond %{HTTP_REFERER} !^http://www.bear.net/.*$  [NC]
RewriteCond %{HTTP_REFERER} !^http://chat.bear.net/.*$  [NC]
RewriteRule .*\.(gif|GIF|jpe?g|JPE?G|png)$ http://www.fuzzie.net/images/bn_button.gif [R]

This one is 'supposed' to display another image from my other server.  
And I have flat rate on bandwidth there so I don't mind especially if  
this ends up advertising my site on other peoples sites where they are  
trying to steal my bandwidth. Do I need to add an [OR] to the above?

Another option I believe I could use for the RewriteRule is:
	RewriteRule .*\.(gif|GIF|jpe?g|JPE?G|png)$ - [F]

which should return an error to the calling page.



I'm stumped here. Test page is located at -  
http://www.colony.net/test.html

Thanks for suggestions, comments, pointers to what I have done wrong. I  
am thinking there is something missing in my httpd.conf file. It does  
show mod_rewrite as being loaded, but how do I test to ensure that it  
is actually enabled?

Regards,

Dale
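An added example, not from the post or from Apache, in Python that evaluates the post's two mechanisms against constructed Referer headers: the RewriteCond chain, where conditions without [OR] are ANDed so the negated conditions block only a non-empty Referer that matches none of the allowed origins, and the SetEnvIfNoCase pattern list, which is matched against the raw Referer header (a full URL, scheme included). The allowed-origin patterns are copied from the post's configs; the sample requests are constructed.

```python
import re

# Allowed referring origins, taken from the RewriteCond lines in the post
# (the "/.*$" tails are dropped; the origin prefix is what matters).
ALLOWED_REFERERS = [
    r"^http://208\.146\.240\.248/",
    r"^http://bear\.net/",
    r"^http://www\.bear\.net/",
    r"^http://chat\.bear\.net/",
]
# File types the RewriteRule protects; re.I plays the role of gif|GIF etc.
PROTECTED = re.compile(r".*\.(gif|jpe?g|png)$", re.I)


def is_hotlink(referer, path):
    """Evaluate the post's RewriteCond chain the way mod_rewrite does.

    Conditions without [OR] are ANDed, so the rule fires only when the
    Referer is non-empty AND matches none of the allowed origins.
    Returns True when the request would get the [F] or [R] treatment.
    """
    if not PROTECTED.match(path):
        return False          # rule pattern does not match: rule is skipped
    if referer == "":
        return False          # "!^$": a blank Referer is let through
    return not any(re.match(p, referer, re.I) for p in ALLOWED_REFERERS)  # [NC]


def local_ref_set(referer, patterns):
    """Evaluate a SetEnvIfNoCase Referer pattern list: local_ref=1 is set
    when any pattern matches the raw Referer header, scheme and all."""
    return any(re.search(p, referer, re.I) for p in patterns)


# The SetEnvIfNoCase patterns from the post's first server-config attempt.
SETENVIF_PATTERNS = [r"^bear\.net/", r"^bearchat\.net/", r"^http://bearlicious\.net/"]

if __name__ == "__main__":
    # Constructed sample requests: (Referer header, requested path).
    samples = [
        ("", "/chat/emoticons/smile.gif"),
        ("http://www.bear.net/chat/index.html", "/chat/emoticons/smile.gif"),
        ("http://example.test/steal.html", "/chat/emoticons/smile.GIF"),
        ("http://example.test/steal.html", "/chat/emoticons/notes.txt"),
    ]
    for ref, path in samples:
        print(f"{ref or '(no referer)':40} {path:30} hotlink={is_hotlink(ref, path)}")
    for ref in ("http://bear.net/page.html", "http://bearlicious.net/page.html"):
        print(f"{ref:40} local_ref={local_ref_set(ref, SETENVIF_PATTERNS)}")
```

The last two lines show why a SetEnvIf pattern without the scheme prefix never sets local_ref for a real browser Referer, while the one written with `^http://` does.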


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

