How do I stop Hotlinking when using the MediaFirewall? Currently the packets are passed to media/ , interrogated by .htaccess, passed to the mediafirewall.php, which then picks up the image from the store directory above the root directory. All very well, but it still lets hotlinking of images that are not explicitly denied by permissions in mediafirewall. And of course, because of the htaccess handling from the media/ directory, all .htaccess files in the image store above root are ignored. Is it even possible without a rewrite of mediafirewall?
Please explain "hotlinking". This is not a term I'm familiar with.
Hotlinking is the process of bypassing a website in order to get directly to its images and other resource files, by directly addressing that file's URL in the browser, for instance. E.g. https://a.fsdn.com/sf/images/develop/logo.png will bring up the Sourceforge logo.
The practice of blocking Hotlinking is usually done in the .htaccess file. Blocking hotlinking stops others from consuming your bandwidth and/or getting access to images of people they should not have - as is the case with a PGV site, where you have images of the living who need their privacy protected. For more info: http://altlab.com/htaccess_tutorial.html
You have to have PGV's Privacy configured to make details of living people visible only to logged-in users.
When the Media Firewall is active and the images, including thumbnails, are all in the protected media directory, you can't view images of living people by simply entering the images' URLs.
Onyx
MFW was intended to stop 'hotlinking' as you describe it. Can you visit my site and explain how someone could 'hotlink' to any of my 4000+ media objects, even those for public viewing? I would suggest you try my GGF, John Powell, as his image is featured on the Welcome page and is easiest to access.
In addition to displaying the Watermark to non-registered (casual) users, I can't see how to gain access to the image directory so as to display just the image - but then I don't waste a lot of time trying to hack these sorts of things.
-Stephen
By "hotlinking", onyxnz means that he can use
<img src=" http://www.myarnolds.com/media/JohnPOWELL-I3279-ca1917.jpg">
on his own site to include your photo on it.
This way you pay for the hosting and bandwidth while
he gets a free ride.
(OK, it has the watermark, but the point remains.)
The usual way to prevent this would be for the media firewall to
check the HTTP_REFERER, and only allow the image if the
referer is the same domain.
I've not found this to be a problem in PGV.
onyxnz - do you have a problem with people doing this to
your site, or are you just trying to pre-empt a problem?
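The same-domain Referer check described in the post above, sketched in PHP as an added example (it is not from the thread and is not PhpGedView's media firewall code). The function name, the allow-empty switch and the example.org host names are assumptions made for illustration.

```php
<?php
// Added illustration, not PhpGedView code. referer_is_same_site() and its
// $allowEmpty policy switch are hypothetical names.

/**
 * Decide whether an image request may be served, based on its Referer.
 * The header is supplied by the client, so this only limits casual
 * embedding on other sites; it is not access control.
 */
function referer_is_same_site(?string $referer, string $ownHost, bool $allowEmpty = true): bool
{
    if ($referer === null || trim($referer) === '') {
        // Direct visits, bookmarks and privacy tools send no Referer.
        return $allowEmpty;
    }
    // Compare the parsed host, not a substring of the URL: a substring or
    // unanchored match would accept http://other.example/?u=www.example.org
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false; // malformed or relative Referer
    }
    // Normalise case, a trailing dot and a leading "www." before comparing.
    $strip = static fn(string $h): string =>
        preg_replace('/^www\./', '', strtolower(rtrim($h, '.')));
    return $strip($host) === $strip($ownHost);
}

// In a request handler the inputs would be $_SERVER['HTTP_REFERER'] ?? null
// and the site's configured host name. Constructed samples for a site
// served as www.example.org:
$samples = [
    'http://www.example.org/individual.php?pid=I1' => true,
    'https://example.org/'                         => true,
    'http://other.example/page.html'               => false,
    'http://other.example/?u=www.example.org'      => false,
    'http://www.example.org.other.example/'        => false,
    ''                                             => true,
];
foreach ($samples as $referer => $expected) {
    $got = referer_is_same_site($referer, 'www.example.org');
    printf("%-46s %s\n", $referer === '' ? '(no Referer)' : $referer, $got ? 'serve' : '403');
    assert($got === $expected);
}
```

Passing `false` as the third argument also refuses requests that carry no Referer, which blocks direct entry of an image URL at the cost of breaking clients that strip the header.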
Fisharebest is quite correct, I don't want any hotlinking even with watermark, and the system does stop display of images attached to the living. But I need to stop all hotlinking, even for those who have passed on to the other side.
I am trying to pre-empt a problem…you know how family politics goes sometimes…
onyxnz: When I create a directory at my web host, I can opt to prevent hotlinking on that directory. Maybe that's an option to also look at?
macalter: Yes you would think this to be an option…but it's not, due to the way the MFW works…any .htaccess files inside the media folder are ignored due to the routing done by the MFW. I've tried, so has my host. I've tried in my local Xampp installation too, just to verify that it was not a platform issue.
<<I've tried, so has my host.>>
What did you try? I've just tried it, and it works for me. I just added the following block to the start of the .htaccess file.
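# Refuse static files when the Referer is not this site (127.0.0.1 here)
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://127.0.0.1/.*$
# "-" leaves the URL unchanged; [F] answers 403 Forbidden
RewriteRule \.(gif|jpg|js|css)$ - [F]
</IfModule>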
PS - the forum has a habit of mangling anything that looks like code, what appears above may bear no relation to what I typed….
OK - that looked good (!)
Just replace the 127.0.0.1 with a regex to match your domain, e.g. (www\.)?mydomain\.com
…and replace the file extensions with whatever ones you use. I just copied that block from another site of mine, which also wanted to block hotlinking of all static files……
fisharebest: Thanks for offering solutions, but no go yet :(
is my MFW htaccess now,
and the media dir htaccess:
Are the changes that you have made to .htaccess the file for the MFW, or the subfolders of the protected media directory?
OK!
This is an acceptable compromise: the MFW .htaccess:
This Forbids Hotlinking and allows Authenticated viewing. Unfortunately, it stops anonymous viewing through our PGV website, but that is an acceptable compromise.
Incidentally, why must that file be limited to 11 lines?
onyxnz - what are you trying to do here? You've taken all the conditions and put them together, then taken all the actions and put them together?
1) let MFW create a .htaccess file in the media directory
2) add my block of code to the beginning of it.
The reason for the comments about not editing these 11 lines is that if you change them, PGV will be unable to find them if you try to disable the MFW. Add stuff before/after, but do not change them.
Please excuse my ignorance of the voodoo of .htaccess. I have just altered my .htaccess to put those lines beforehand, as you prescribe. And it functions identically to the .htaccess I had just posted.
Hotlink -> NO = good
Login view -> YES = good
Anon view -> NO = acceptable
Thanks anyhow!
If you are getting different behaviour between anonymous and logged-in users, then it is almost certainly due to privacy settings in PGV. This is nothing to do with .htaccess.
Our privacy settings:
Show dead people -> show to public
Show living names -> show only to authenticated users
Show sources -> show only to authenticated users
Enable Clippings Cart -> show only to admin users
Show Research Assistant -> show only to authenticated users
Show Multi-Site Search -> show only to admin users
Limit Privacy by age of event -> No
Use GEDCOM (RESN) Privacy restriction -> Yes
I guess that those are the only relevant settings?
I also tried adding a dead individual's privacy settings to be specifically public, with no resulting change in ability to see images.