Block Hotlinking with Apache Web Server
Many web site owners have a hosting or co-location plan that limits the amount of bandwidth their web site can use each month. With the proliferation of user spaces on sites such as MySpace, Facebook, etc., people using those services, as well as other web site owners, copy the code for an image from your web site and put it into a page on their site. This means that each time that person’s page loads for a reader, the image comes from your server and uses your bandwidth to serve it. This practice is called hotlinking. The bandwidth you purchase can get chewed up in a hurry if too many people do this to you. Fortunately, there is a solution.
This tutorial applies to Apache web server only.
There are two ways to block hotlinking. First by using the httpd.conf file, and second by using the .htaccess file.
Option 1:
Using the main httpd.conf file for Apache uses fewer resources and applies to all web sites on the server, so we’ll start there. In a bash shell, type:
vi /etc/httpd/conf/httpd.conf
First be sure your httpd.conf contains the following line with no # sign in front of it. The line should look like the one below:
LoadModule setenvif_module modules/mod_setenvif.so
Rather than using the arrow keys, you can page down in vi with ctrl + d to reach the end of the httpd.conf file. At the end of your config file you’ll need to add the following code.
<VirtualHost *:80>
SetEnvIfNoCase Referer "mydomain\.com" local_ref=1
<FilesMatch "\.(gif|jpg|jpeg|png|swf|mpg|avi|flv)">
Order Allow,Deny
Allow from env=local_ref
</FilesMatch>
</VirtualHost>
The new VirtualHost container should look something like this:
<VirtualHost *:80>
ServerName www.mydomain.com
ServerAlias mydomain.com
DocumentRoot /var/www/mysitedirectory
ServerPath /mysitedirectory
SetEnvIfNoCase Referer "mydomain\.com" local_ref=1
<FilesMatch "\.(gif|jpg|jpeg|png|swf|mpg|avi|flv)">
# Apache 2.2 access syntax; on Apache 2.4 this needs mod_access_compat
Order Allow,Deny
Allow from env=local_ref
</FilesMatch>
</VirtualHost>
You can add as many different file types to the list as you want. Just be sure each file type is separated by a pipe |. To close and save the changes made by vi, type:
:wq
and hit enter.
Option 2:
The less efficient, but possibly more useful, option is to use the .htaccess file. Wordpress users can access the .htaccess file from the administrative control panel by going to manage –> files –> .htaccess (for rewrite rules). Others can type the following into a bash shell:
vi /var/www/mysitedirectory/.htaccess
Add the following code:
<IfModule mod_rewrite.c>
RewriteEngine On
# Hotlink Protection with Feedburner Access Start
RewriteCond %{REQUEST_FILENAME} \.(gif|jpg|jpeg|png|swf|mpg|avi|flv|mp3)$ [NC]
# Next line allows a blank or empty referrer to see images
# this includes people simply pasting the url to the image and going to it
# this line is necessary for some with firewalls, ISP firewalls, even AOL
# norton and mcafee personal firewall remove REFERER header
RewriteCond %{HTTP_REFERER} !^$ [NC]
RewriteCond %{HTTP_REFERER} !mydomain\.com [NC]
# The line below is a way to allow all of feedburner.com
# RewriteCond %{HTTP_REFERER} !feedburner\. [NC]
# It is better to only specify your direct feed
RewriteCond %{HTTP_REFERER} !^http://feeds.feedburner.com/mywebsite$ [NC]
RewriteCond %{HTTP_REFERER} !google\. [NC]
## RewriteCond %{HTTP_REFERER} !bloglines\. [NC]
RewriteRule ^(.*)$ http://www.mydomain.com/ [R=301,L]
# If the closing line below is already present, as in Wordpress, then do NOT add it
</IfModule>
# Hotlink Protection with Feedburner Access End
To close and save the changes made by vi, type:
:wq
and hit enter.
Whenever you see a # in, or at the start of, a line, anything after the # will not be read by Apache. Using # is referred to as commenting out the line or text. You can use more than one # to comment out a line. Wordpress already has </IfModule> at the end of the .htaccess file, so adding an extra </IfModule> could cause a problem.
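The RewriteCond chain above, modeled as an added example (not code from the original post) so you can check which Referer values a pattern list admits before deploying it. The ANCHORED_ALLOW patterns and the sample Referer values are constructed assumptions.

```python
import re

# Extensions protected by the page's first RewriteCond
IMAGE_EXT = re.compile(r"\.(gif|jpg|jpeg|png|swf|mpg|avi|flv|mp3)$", re.I)

# The page's negated RewriteCond patterns: the redirect fires only when the
# Referer matches none of them ([NC] is modeled with re.I).
PAGE_ALLOW = [r"^$", r"mydomain\.com",
              r"^http://feeds.feedburner.com/mywebsite$", r"google\."]

# Assumption (not from the page): the same list anchored to the URL host.
ANCHORED_ALLOW = [r"^$", r"^https?://(www\.)?mydomain\.com(/|$)",
                  r"^http://feeds\.feedburner\.com/mywebsite$",
                  r"^https?://([a-z0-9-]+\.)*google\.com(/|$)"]

# Constructed Referer values for the audit
SAMPLES = [
    "",
    "http://www.mydomain.com/post/1",
    "http://feeds.feedburner.com/mywebsite",
    "http://www.google.com/search?q=x",
    "http://othersite.example/profile",
    "http://othersite.example/page?from=mydomain.com",
    "http://mydomain.com.othersite.example/",
]

def is_redirected(path, referer, allow):
    """True when the RewriteRule would fire for this request."""
    if not IMAGE_EXT.search(path):
        return False  # not a protected file type
    return not any(re.search(p, referer, re.I) for p in allow)

def audit(allow, path="/img/logo.png"):
    """Map each sample Referer to whether the request is redirected."""
    return {ref: is_redirected(path, ref, allow) for ref in SAMPLES}

def differences():
    """Referers the page's patterns admit but the anchored ones redirect."""
    page, tight = audit(PAGE_ALLOW), audit(ANCHORED_ALLOW)
    return [ref for ref in SAMPLES if not page[ref] and tight[ref]]

if __name__ == "__main__":
    for ref, hit in audit(PAGE_ALLOW).items():
        print(f"{'redirect' if hit else 'serve':8}  {ref!r}")
    print("admitted only by the unanchored patterns:", differences())
```

An empty Referer is served under both lists, and the header is set by the client, so this rule limits casual embedding rather than enforcing access.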
If you make an error and get a 500 error instead of seeing your site, type the following into your bash shell:
vi /var/www/mysitedirectory/.htaccess
Now type
dd
to erase each line of code you added. Remember to type :wq to close and save your work. Always make a backup of the .htaccess file before you start.
An easier way to access these files on a dedicated server is using an administrative control panel, which I will discuss in a later article.
Be sure to save your .htaccess file after making changes. Some plugins for Wordpress, as an example, can overwrite your .htaccess file. After making changes with a plugin, etc., it’s good practice to check and make sure your .htaccess file has not changed.
Some people serve another image that says NO HOTLINKING, but that is still using bandwidth, so my configuration serves nothing. On the thief’s end, readers will see a red X in Internet Explorer, but no image.
One last note, you cannot use option 1 and 2 together. You have to choose and use only option 1, or only option 2. Apache may not give you an error in the log, but it could drag down Apache’s performance with an incorrect configuration.
© Copyright NerdGrind 2007 - 2008. All rights reserved.
Thank you.
Comment by Luca — June 28, 2008 #