Restricting access to directory

Website URL

my site:
https://fish.42web.io

Other Information

Hi there, this is my first post here and I have a problem:

I’m trying to restrict access to an image directory from browsers that enter a direct url to a specific image, so I have an .htaccess file with the following content in the image folder:

deny from all
allow from fish.42web.io

which I was hoping would prevent any host except my site from accessing image files within that directory. However, the ‘allow from my site’ directive isn’t working so my site can’t load the images within that directory.

Can anyone help me out here?

It would be much appreciated.

Thanks in advance.

PS: I’ve removed the .htaccess file for the time being until I can sort this problem out

Our hosting does hotlink protection by default, there’s simply no need for you to implement any rules.

And if you wish your images to only be able to be embedded but not visited directly, then unfortunately there’s simply no way for you to do this on the same domain.

The deny and allow rules are used to allow access from specific IP addresses, which affects whether they can access your website at all. They are not suitable for what you’re trying to do.

You can block third party embeds (“hotlinking”) using .htaccess rules. Specifically, by checking the Referrer header. This guide has more information which seems like it should work.

That said, like @Frank419 already said, our hosting blocks hotlinking already, so you don’t need to set up anything for this.

3 Likes

Thanks for getting back to me and putting me straight on the deny and allow rules. I was (naively) trying to implement this from the apache docs:

apache docs

In the following example, all hosts in the apache.org domain are allowed access; all other hosts are denied access.

Order Deny,Allow
Deny from all
Allow from apache.org 

I thought it would be a workaround for the fact that I can’t place any files outside of the public folder htdocs where I was hoping to put my sensitive files. I was using the image folder as a test to see if the above would work but alas it would seem not, hey ho! Is there another way I can protect them without resorting to a protected directory requiring a password to access them?

Thanks again for your time, it is much appreciated.

PS: I have included:

# Disable Directory Listings in this Directory and Subdirectories
# This will hide the files from the public unless they know direct URLs
Options -Indexes

In my htaccess file in the root directory, so at least folks can’t get directory listings straight from the browser. Which I guess will have to do if there is nothing else available.

Thanks again.

I have never seen those Allow or Deny directives be used with a hostname.

At the top of the article you linked to, it says this:

Access can be controlled based on the client hostname

Further down below, it says this:

This configuration will cause Apache to perform a double reverse DNS lookup on the client IP address

So with the configuration you used in your initial post, Apache would look up the IP address of your website, which is 185.27.134.215, and only allow access to traffic coming from that IP address. It doesn’t really work, but that’s not important for now.

For the purposes of hotlink protection, you’ll want .htaccess code that checks the Referrer header, as it’s not really an “access control” thing in servers.

5 Likes

Yes, I’ve not had any joy with the Allow, Deny directives, they don’t seem to do what I wanted. However, for the hot link protection I did a little searching and found this:

# This one works -- feel free to copy it onto your own site.
# for an explanation see below links:
# http://tltech.com/info/referrer-htaccess/
# https://stackoverflow.com/questions/18797100/htaccess-check-referer-matches-host-without-hard-coding#25219088
RewriteEngine On
RewriteCond %{HTTP_HOST}@@%{HTTP_REFERER} !^([^@]*)@@https?://\1/.*
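# "-" is the substitution (leave the URL unchanged); without it Apache reads
# "[NC,F]" as the substitution and no flags are applied. [F] returns 403.
RewriteRule .*\.webp - [NC,F]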

which after some testing seems to work.

Thanks again for your help, it’s very much appreciated.
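
As an added example (not part of the thread, and not code from the hosting provider or the linked guides), the Python sketch below evaluates the same RewriteCond pattern against constructed Host/Referer pairs to show which requests the rule is meant to forbid. The function names, the sample paths and the `other.example` hosts are assumptions made for illustration.

```python
import re

# The pattern from the RewriteCond, unchanged; Python's re accepts the same syntax.
COND = re.compile(r"^([^@]*)@@https?://\1/.*")
# The RewriteRule pattern; [NC] makes it case-insensitive.
RULE = re.compile(r".*\.webp", re.IGNORECASE)


def decision(host, referer, path):
    """Return the status the rule set is meant to produce: 403 ([F]) or 200."""
    if RULE.search(path) is None:
        return 200  # not a .webp request, the rule does not apply
    # TestString is %{HTTP_HOST}@@%{HTTP_REFERER}; \1 must repeat the Host value
    # right after the scheme and be followed by "/", so a prefix match fails.
    test_string = f"{host}@@{referer}"
    # The leading "!" negates the condition: forbid when the regex does NOT match.
    return 403 if COND.search(test_string) is None else 200


# Constructed requests: (Host header, Referer header, path relative to .htaccess)
SAMPLES = [
    ("fish.42web.io", "https://fish.42web.io/gallery.html", "images/koi.webp"),
    ("fish.42web.io", "", "images/koi.webp"),  # URL typed directly, or Referer stripped
    ("fish.42web.io", "https://other.example/page", "images/koi.webp"),
    ("fish.42web.io", "https://fish.42web.io.other.example/", "images/koi.webp"),
    ("fish.42web.io", "", "images/KOI.WEBP"),  # [NC] still matches upper case
    ("fish.42web.io", "", "index.html"),       # not covered by the rule
]


def evaluate_samples():
    """Evaluate every constructed sample and return the list of statuses."""
    return [decision(*sample) for sample in SAMPLES]


if __name__ == "__main__":
    for sample, status in zip(SAMPLES, evaluate_samples()):
        print(status, sample)
```

The check compares two request headers, so it filters embeds from other sites but does not identify who is asking. Files that must stay private need real access control, such as the password-protected directory mentioned earlier in the thread.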
