    [Resolved] Thread Starter James

    (@en7jos)


    Hi,

    Just trying to get image hotlinking protection enabled on my website and came across the custom code on your main BPS website here:
    https://forum.ait-pro.com/forums/topic/hotlink-protection-do-not-block-google-bing-or-yahoo/

    I’ve added the following code to the bottom box in the root htaccess custom code page entitled “CUSTOM CODE BOTTOM HOTLINKING/FORBID COMMENT SPAMMERS/BLOCK BOTS/BLOCK IP/REDIRECT CODE: Add miscellaneous code here”.

    # Prevent hotlinking of images (but allow search engines)
    SetEnvIfNoCase Referer "^(http|https)://.*mywebsite.*" whitelist
    SetEnvIfNoCase Referer "^(http|https)://.*myotherwebsite1.*" whitelist
    SetEnvIfNoCase Referer "^(http|https)://.*myotherwebsite2.*" whitelist
    SetEnvIfNoCase Referer "^(http|https)://.*myotherwebsite3.*" whitelist
    SetEnvIfNoCase Referer "^(http|https)://.*google.*" whitelist
    SetEnvIfNoCase Referer "^(http|https)://.*yahoo.*" whitelist
    SetEnvIfNoCase Referer "^(http|https)://.*bing.*" whitelist
    # SetEnvIf Server_Addr "^123\.123\.123\.1$" whitelist
    
    <FilesMatch "\.(gif|jpg|jpeg|png|bmp)$">
    Order Allow,Deny
    Allow from env=whitelist
    </FilesMatch>

    However this does not seem to be working – any ideas why this is please?

    I have the server address line commented out at the moment as I’m not sure whether the final part of the numeric server address should just be the first digit (is the $ a wildcard?) or whether it should be the full 3-digit number.

    I used the above format for the first ‘mywebsite’ address line as I have both .com and .co.uk versions of the same domain so wanted to allow both. Is that the correct way to do it?


Viewing 15 replies - 1 through 15 (of 29 total)
  • Plugin Author AITpro

    (@aitpro)

    The Server Address is critical and the code will not work if it is commented out. Your Server/Website IP address is static and will not change, unless you moved to another Server.

    In this particular case/usage the caret ^ means the start of the condition/rule and the dollar sign $ means the end of the condition/rule.

    You could use Regular Expressions code to match any number from 0 to 9, 1 to 3 characters long, in the 4th octet of the IP address, but this is not necessary to do because your Server IP address is static and will not change.

    SetEnvIf Server_Addr "^99\.88\.77\.[0-9]{1,3}$" whitelist

    If both the .com and .co.uk websites are sharing image files then using Regular Expressions code .* (match anything) works fine. If the sites are not sharing image files then you would not need to do this.

    SetEnvIfNoCase Referer "^(http|https)://.*mydomain.*" whitelist

    Thread Starter James

    (@en7jos)

    Hi. Many thanks for the explanation, think I understand better now. I have corrected and updated the custom code entry in my .htaccess file through BPS, but the hotlinking protection still does not seem to be working. Here’s what I have now:

    # Prevent hotlinking of images (but allow search engines)
    SetEnvIfNoCase Referer "^(http|https)://.*mywebsite.*" whitelist
    SetEnvIfNoCase Referer "^(http|https)://.*myotherwebsite1.*" whitelist
    SetEnvIfNoCase Referer "^(http|https)://.*myotherwebsite2.*" whitelist
    SetEnvIfNoCase Referer "^(http|https)://.*myotherwebsite3.*" whitelist
    SetEnvIfNoCase Referer "^(http|https)://.*google.*" whitelist
    SetEnvIfNoCase Referer "^(http|https)://.*yahoo.*" whitelist
    SetEnvIfNoCase Referer "^(http|https)://.*bing.*" whitelist
    SetEnvIf Server_Addr "^123\.123\.123\.191$" whitelist
    
    <FilesMatch "\.(gif|jpg|jpeg|png|bmp)$">
    Order Allow,Deny
    Allow from env=whitelist
    </FilesMatch>

    Interestingly, when I checked this morning before updating the htaccess code I found that some of the websites hotlinking to my images were showing broken links. But strangely not all of them and some were still hotlinking my pictures.

    After updating the htaccess file to include the server address line the hotlinking protection seems to have completely stopped working again, and all of the websites are showing my images again.

    Should hotlinking protection using the above htaccess code take effect immediately, or could there be a time lag? I have cleared my browser cache and also the website caches (W3TC and Cloudflare) several times.

    Any further thoughts as to what I am doing wrong please? Many thanks,
    James

    Plugin Author AITpro

    (@aitpro)

    Are you adding the Server IP address from the BPS System Info page? Does it say something along the lines of “Proxy or X-Forwarded-for”? What probably needs to happen is you will need to add additional IP addresses for CloudFlare, which are X-Forwarded-for, similar to what needs to be done when using the Brute Force Login Protection code in the link below.

    Scroll down in that Forum Topic until you get to the CloudFlare, Proxy, CDN, VPN help section.

    SetEnvIf X-FORWARDED-FOR "^xxx\.xxx\.xxx\.xxx$" whitelist
    SetEnvIf X-FORWARDED-FOR "^xxx\.xxx\.xxx\.xxx$" whitelist
    SetEnvIf X-FORWARDED-FOR "^xxx\.xxx\.xxx\.xxx$" whitelist

    https://forum.ait-pro.com/forums/topic/protect-login-page-from-brute-force-login-attacks/

    Plugin Author AITpro

    (@aitpro)

    The other thing about CloudFlare is copies of your content are stored on CloudFlare Servers so I wonder if maybe you cannot use HotLink Protection? I do not use any Cloud services so I only know the basic concepts about what Cloud services do. Maybe check with the CloudFlare folks regarding something like this.

    Thread Starter James

    (@en7jos)

    Many thanks,

    I have been experimenting with the htaccess code for the past few hours this morning with Cloudflare turned off and have a working solution as follows:

    # The main domain.tld for the website
    SetEnvIfNoCase Referer "^https://(www\.)?mywebsite\.com(/|$)" whitelist
    SetEnvIfNoCase Referer "^https://(www\.)?mywebsite\.co\.uk(/|$)" whitelist
    
    # Allow empty referrers
    # SetEnvIf Referer "^$" whitelist
    
    # List of any other domains that should be able to access the files
    SetEnvIfNoCase Referer "^https://(www\.)?friendswebsite\.com(/|$)" whitelist
    SetEnvIfNoCase Referer "^https://(www\.)?friendswebsite\.net(/|$)" whitelist
    SetEnvIfNoCase Referer "^https://(www\.)?friendswebsite\.co\.uk(/|$)" whitelist
    
    # Allow search engines to access images
    SetEnvIfNoCase Referer "^(http|https)://.*google.*" whitelist
    SetEnvIfNoCase Referer "^(http|https)://.*yahoo.*" whitelist
    SetEnvIfNoCase Referer "^(http|https)://.*bing.*" whitelist
    
    # Specify image file types to protect from hotlinking
    <FilesMatch "\.(gif|jpg|jpeg|png|bmp)$">
    Order Allow,Deny
    Allow from env=whitelist
    </FilesMatch>

    Any comments or corrections relating to the above code? I’ve left out the server address so far as I have started from a basic code and built up to try and narrow down the problem. Why exactly is this required if the website addresses are given? I’ll add this back in later, if needed:

    # My server address
    SetEnvIf Server_Addr "^123\.123\.123\.191$" whitelist

    The website address is as per the BPS System Info tab and there is no mention of a proxy or X-forwarded, so I don’t think that is the issue.

    This seems to be working fine, although how would you be able to test that Google etc can still get to your images? It is allowing access from ‘mywebsite’ and ‘friendswebsites’, but blocking fine for anywhere else.

    Now your comment about CloudFlare just got me thinking… Maybe that is the problem so I’ll now try turning it back on and see what happens. Of course if the other websites are using images served by CloudFlare then bandwidth usage is not an issue, which just leaves the copyright concern.

    I’ll let you know how I get on once CloudFlare is active again.

    James

    Plugin Author AITpro

    (@aitpro)

    Empty Referers usually means Spammers and typically you would block empty referers and not whitelist them/Spammers.

    # The main domain.tld for the website
    SetEnvIfNoCase Referer "^https://(www\.)?mywebsite\.com(/|$)" whitelist
    SetEnvIfNoCase Referer "^https://(www\.)?mywebsite\.co\.uk(/|$)" whitelist

    The $ sign is used incorrectly above. I think you are trying to allow for either a forward slash or no forward slash. .* means match anything so it would match a forward slash or no forward slash.

    You need to whitelist your Server to allow the Server to do things with image files on both the frontend of the site and more importantly in the backend admin/Dashboard of the site.

    Thread Starter James

    (@en7jos)

    Ok, so I’ve turned Cloudflare back on and the above code still seems to be working. CloudFlare does have its own image hotlinking protection function, but there is no option to allow friendly websites to hotlink (other than having a separate folder where hotlinkable images are stored) so I have this turned off.

    I have now added in the server’s numerical address and tweaked the ‘mywebsite’ lines using .* rather than the $ as you suggested. I guess the .co.uk and .com addresses could be combined, but having them on separate lines seems to be working so I think I’ll leave it at that. So I now have:

    # The main domain.tld for the website
    SetEnvIfNoCase Referer "^https://(www\.)?mywebsite\.com.*" whitelist
    SetEnvIfNoCase Referer "^https://(www\.)?mywebsite\.co\.uk.*" whitelist
    
    # My server address
    SetEnvIf Server_Addr "^123\.123\.123\.191$" whitelist
    
    # Allow empty referrers
    # SetEnvIf Referer "^$" whitelist
    
    # List of any other domains that should be able to access the files
    SetEnvIfNoCase Referer "^https://(www\.)?friendswebsite\.com.*" whitelist
    SetEnvIfNoCase Referer "^https://(www\.)?friendswebsite\.net.*" whitelist
    SetEnvIfNoCase Referer "^https://(www\.)?friendswebsite\.co\.uk.*" whitelist
    
    # Allow search engines to access images
    SetEnvIfNoCase Referer "^(http|https)://.*google.*" whitelist
    SetEnvIfNoCase Referer "^(http|https)://.*yahoo.*" whitelist
    SetEnvIfNoCase Referer "^(http|https)://.*bing.*" whitelist
    
    # Specify image file types to protect from hotlinking
    <FilesMatch "\.(gif|jpg|jpeg|png|bmp)$">
    Order Allow,Deny
    Allow from env=whitelist
    </FilesMatch>

    Final test now to double check that this hasn’t broken anything!

    Thread Starter James

    (@en7jos)

    Ok, so I think I have finally cracked it! There is definitely a problem with the numerical server address line:

    # My server address
    SetEnvIf Server_Addr "^123\.123\.123\.191$" whitelist

    I have the custom code exactly as pasted directly above in my htaccess, but it only works if the server address line is commented out. If this line is active then the hotlinking protection doesn’t work and my images show up on all of the unauthorised websites I’ve found. But if I comment this one line out then it all works just fine and the images are only shown on ‘mywebsite’ and ‘friendswebsite’.

    I have turned this line on and off several times and the images appear or are blocked from the unauthorised websites accordingly, so this line is 100% definitely the problem! Images on authorised websites seem to appear fine either way.

    Without this line the code seems to work perfectly, so what could be the issue do you think?

    Plugin Author AITpro

    (@aitpro)

    Then that means that the Server IP address is not correct because whatever your real Server IP address is, it is being blocked since it is not really being whitelisted.

    Plugin Author AITpro

    (@aitpro)

    By commenting out the incorrect Server IP address this would work on the frontend of your website and you do not even need to whitelist your Server IP address on the frontend of your website. The problem will occur on the backend of your website – you will not be able to see image files in the WordPress Media library and will see Red X’s instead of image files if you do not whitelist your correct Server IP address.

    Plugin Author AITpro

    (@aitpro)

    If your Server has a Proxy Server then maybe you are not seeing an additional IP address that needs to be whitelisted or maybe there are additional CloudFlare IP addresses that need to be whitelisted.

    Thread Starter James

    (@en7jos)

    The example on this webpage seems to suggest that the speech marks around the server address are not required:

    # My server address
    SetEnvIf Server_Addr ^123\.123\.123\.191$ whitelist

    Does that make sense?

    No wait, what’s this I’ve just read:

    See the SetEnvIf directive, which defines environment variables based on attributes of the request, such as Remote_Addr (the IP address of the client making the request) or Server_Addr (the IP address of the server on which the request was received).

    So why are we using Server_Addr on this line, shouldn’t we be using Remote_Addr instead?

    If Server_Addr is the address of the server on which the request was received, then we are whitelisting every request that is received by our server! Surely we only want to whitelist requests that are made by our server in this instance.

    Is this the problem and should the line actually read:

    # My server address
    SetEnvIf Remote_Addr ^123\.123\.123\.191$ whitelist

    James
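    To make the behaviour of these directives concrete, here is an added example (not code from this thread or from the BulletProof Security plugin) that emulates how mod_setenvif and the `<FilesMatch>` block evaluate a request, and runs the thread’s first rule set, a host-anchored rule set, and an X-Forwarded-For whitelist of the kind suggested for the CloudFlare case above against a few constructed Referer headers. The domain names, the 123.123.123.191 server address and the 203.0.113.7 proxy address are placeholders, and the sample requests are constructed for the demonstration. The evaluator follows documented mod_setenvif behaviour: the regex is searched within the attribute value rather than implicitly anchored, SetEnvIfNoCase ignores case, a missing header is matched against the empty string, and Server_Addr is the address the request arrived on, which on a single-IP host is identical for every request. Two caveats the output makes visible: `.*google.*` and `.*mywebsite.*` match any referer that merely contains that word, and `<FilesMatch>` is case-sensitive unless the pattern carries `(?i)`, so an uploaded `photo.JPG` is not gated by the thread’s pattern. Note also that `Order`/`Allow from env=` are Apache 2.2 directives, available on 2.4 only through mod_access_compat.

```python
"""Offline emulation of the SetEnvIf / <FilesMatch> hotlink rules in this thread.

Added example, not code from the thread or the plugin it discusses.  Domain
names, IP addresses and Referer headers below are placeholders constructed for
the demonstration.
"""
import re

SERVER_IP = "123.123.123.191"   # placeholder value used in the thread

# Rule = (attribute, pattern, ignore_case).  ignore_case=True == SetEnvIfNoCase.
LOOSE_RULES = [                  # the thread's first version
    ("Referer", r"^(http|https)://.*mywebsite.*", True),
    ("Referer", r"^(http|https)://.*google.*", True),
    ("Server_Addr", r"^123\.123\.123\.191$", False),
]
TIGHT_RULES = [                  # host anchored with (/|$); no Server_Addr line
    ("Referer", r"^https://(www\.)?mywebsite\.com(/|$)", True),
    ("Referer", r"^https://(www\.)?mywebsite\.co\.uk(/|$)", True),
    ("Referer", r"^https://(www\.)?friendswebsite\.com(/|$)", True),
    ("Referer", r"^https://([a-z0-9-]+\.)*google\.(com|co\.uk)(/|$)", True),
]
# Whitelisting a proxy address via X-Forwarded-For (placeholder 203.0.113.7).
# Any client that talks to the origin directly can send this header itself.
PROXY_RULES = TIGHT_RULES + [("X-Forwarded-For", r"^203\.0\.113\.7$", False)]

# <FilesMatch> patterns are case-sensitive unless the regex says otherwise.
FILES_THREAD = re.compile(r"\.(gif|jpg|jpeg|png|bmp)$")
FILES_FIXED = re.compile(r"(?i)\.(gif|jpe?g|png|bmp)$")


def make_request(referer=None, **headers):
    """Build a constructed request: the server address plus optional headers."""
    req = {"Server_Addr": SERVER_IP}
    if referer is not None:
        req["Referer"] = referer
    req.update(headers)
    return req


def whitelisted(rules, req):
    """True if any SetEnvIf rule would set the 'whitelist' variable."""
    for attribute, pattern, ignore_case in rules:
        value = req.get(attribute, "")           # absent header -> ""
        flags = re.IGNORECASE if ignore_case else 0
        if re.search(pattern, value, flags):     # searched, not fully anchored
            return True
    return False


def served(path, rules, req, files=FILES_THREAD):
    """Emulate 'Order Allow,Deny' + 'Allow from env=whitelist' inside
    <FilesMatch>: paths outside the match are untouched, matched paths are
    served only when the whitelist variable is set."""
    if not files.search(path):
        return True
    return whitelisted(rules, req)


if __name__ == "__main__":
    cases = [
        ("own site", make_request("https://www.mywebsite.co.uk/gallery/")),
        ("lookalike host", make_request("https://mywebsite.com.evil.example/")),
        ("google in query", make_request("https://evil.example/?q=google")),
        ("real google", make_request("https://www.google.co.uk/")),
        ("no referer", make_request()),
        ("forged XFF", make_request("https://evil.example/",
                                    **{"X-Forwarded-For": "203.0.113.7"})),
    ]
    print(f"{'case':18}{'loose':>8}{'tight':>8}{'proxy':>8}")
    for name, req in cases:
        print(f"{name:18}{whitelisted(LOOSE_RULES, req)!s:>8}"
              f"{whitelisted(TIGHT_RULES, req)!s:>8}"
              f"{whitelisted(PROXY_RULES, req)!s:>8}")
    # Case-sensitivity of <FilesMatch>: an uploaded photo.JPG is not gated.
    print("photo.JPG, no referer, thread FilesMatch:",
          served("/wp-content/uploads/photo.JPG", TIGHT_RULES, make_request()))
    print("photo.JPG, no referer, (?i) FilesMatch:  ",
          served("/wp-content/uploads/photo.JPG", TIGHT_RULES, make_request(),
                 FILES_FIXED))
```

    With the loose rules every row comes back whitelisted, because the Server_Addr line alone matches each request; with the tight rules only the own-site and real-google referers pass, and the forged X-Forwarded-For row passes only once the proxy rule is added. The example goes slightly beyond the thread by anchoring the search-engine referer to a host list instead of `.*google.*`; extend the `(com|co\.uk)` group with whichever country TLDs your logs actually show.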

    Thread Starter James

    (@en7jos)

    By commenting out the incorrect Server IP address this would work on the frontend of your website and you do not even need to whitelist your Server IP address on the frontend of your website. The problem will occur on the backend of your website – you will not be able to see image files in the WordPress Media library and will see Red X’s instead of image files if you do not whitelist your correct Server IP address.

    None of this happens for me with the above line commented out. I have checked through the backend, media library, even adding images to a post, and all the images are displaying just fine, no red X’s anywhere! But wouldn’t all such backend requests still have the domain name as the referrer and be covered by the ‘mywebsite’ lines anyway?

    Plugin Author AITpro

    (@aitpro)

    You can choose not to use the double quotes and the rule will still work, but to be 100% code correct in a technical sense then you would use the double quotes.

    Server_Addr = the IP address of the server under which the current script is executing.
    Remote_Addr = the IP address from which the user is viewing the current page.

    Server_Addr is correct and Remote_Addr is incorrect. You are whitelisting your Server so that your Server can perform tasks that it needs to perform.

    I assume that there is some DNS issue on this site that is not obvious so use this online DNS checking tool and check the advanced tab after you have run the tool for your domain.
    https://dnscheck.pingdom.com/

    Thread Starter James

    (@en7jos)

    I’ve just run the DNS test as you suggested, thanks for that tip. Probably easier to just show you the results than try to explain them:
    https://dnscheck.pingdom.com/?domain=matchlessclueless.com&timestamp=1384248972&view=1

    All 6 sections under the basic view tab say: “Everything is fine. All tests successful in this part, no errors or warnings.”

    Under the ‘Delegation’ section in the advanced view there are a few lines that say: “DNS lookup error (SERVFAIL).”

    Not exactly sure what this means, so you think this could be the problem perhaps? I ran the test both with and without CloudFlare active and this doesn’t make any difference. I’m guessing there is some problem with how the CloudFlare DNS records are setup, but not sure exactly what so I’ve raised a support ticket and will wait to hear what they say.

    Hope to be getting to the bottom of this shortly. Thanks for your help, much appreciated!

  • The topic ‘Hotlinking protection custom code – not working’ is closed to new replies.