Htaccess and hotlinking issues


#1

When I try to password protect a directory via htaccess, then prevent hot linking, I still get prompted for a password even when the domain is added to the allow list. Is there something I’m missing?

I’ve even tried to use the built-in htaccess in DreamHost’s cPanel, but I get the same problem.

I’m sure I’m overlooking something simple…


#2

Maybe I should have posted my htaccess file.

ErrorDocument 401 /401.jpg
ErrorDocument 403 /403.jpg
ErrorDocument 404 /404.jpg
AuthUserFile /home/yan/pass
AuthName "Members Area"
AuthType Basic
require valid-user

order deny,allow
deny from all
allow from .etvw.org

This is placed in the /pics dir. My purpose is to prevent random users being able to view everything inside that dir, but be able to add domains to the allow list so other sites won’t be prompted for a password.

As of right now, even my own page is being prompted for a password. I’ve tried to use the cPanel htaccess, but it does the same thing.


#3

See http://wiki.dreamhost.com/index.php/Preventing_image_“hotlinking”

I’m not sure what you mean by “but be able to add domains to the allow list so other sites wont be prompted for a password.”

Web sites aren’t asked for a password: HTTP (web) clients are, such as browsers. What is it that you really want?

  1. A visitor to bad-site.example.com that links to your images is asked to enter a password, but not visitors to good-site.example.com?
  2. A visitor from a particular part of the Internet is not asked for a password?

Your code looks like you’re trying to do #2 but your question sounds as if you want #1. What you’re missing is that Allow/Deny don’t have anything to do with the password-protection mechanism. You can’t selectively skip password-protection easily.

:cool: Perl / MySQL / HTML CSS


#4

I’m sorry if my questions came out confusing.

Let me try to break it down for you some more.

I would like to password protect the pics/ dir. If I do that, other domains (such as web forums) will not be able to show pictures that are located inside the pics/ dir.

If I add those domains to the allow list in my htaccess file, they should be able to show the picture without getting prompted for a user name and password.

So far my research has come up with the following. I have to add a “Satisfy any” line to my htaccess files, which means that it will serve the picture to either someone that has a user account password OR if it’s a domain on the allow list.

Here is where I’ve gone so far.

ErrorDocument 401 /401.jpg
ErrorDocument 403 /403.jpg
ErrorDocument 404 /404.jpg
Satisfy any
AuthUserFile /home/yan/pass
AuthName "Members Area"
AuthType Basic
require valid-user

order deny,allow
deny from all
allow from .etvw.org


Now, the big problem with password protecting the pics/ dir is that even when I post a picture from that dir on my OWN WEBSITE (http://www.etvw.org) and the domain is added to the allow list, it still asks for a user/password.

EDIT

Ok, I narrowed it down to my allow/deny codes not working. This simple code won’t allow my own domain to show pictures from the pics/ dir.

order allow,deny
allow from .etvw.org
deny from all


#5

You’re still on the wrong track. It appears that you don’t understand what it means to specify a domain when using Deny/Allow directives.

Let’s say I am using AOL for my ISP. When I connected, they assigned my computer an IP address and an associated hostname. This hostname might be adsl-somewhere.aol.com for example. This is where the Deny/Allow directives come into play - if you “deny from aol.com” my computer cannot access your website.

Well that is obviously not what you are trying to do. A visitor to your site is asking to download an image file as part of a web page on someone else’s site. You want to know where the web page is, not the visitor! What you want to look for is an HTTP header called “Referer”.

Now you need to research how to deny/allow on the value of an HTTP header instead of the hostname of the visitor =)

:cool: Perl / MySQL / HTML CSS
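
The approach post #5 points to, as an added example that is not part of the original thread: an .htaccess for pics/ that keys the allow list on the Referer header instead of the visitor's hostname, and keeps "Satisfy any" so a valid login still works. It uses the Apache 2.2-style directives already shown in the thread; the variable name allowed_referer is hypothetical, and the AuthUserFile path and domain are copied from post #4.

```apache
# Added example for pics/.htaccess (Apache 2.2 syntax; on Apache 2.4 these
# directives need mod_access_compat, or use the commented form at the end).

# "Allow from .etvw.org" matches the hostname of the VISITOR's machine.
# To match the page that embeds the image, test the Referer header and
# record the result in an environment variable (hypothetical name).
SetEnvIfNoCase Referer "^https?://([^/]+\.)?etvw\.org(:[0-9]+)?(/|$)" allowed_referer

# Password protection, unchanged from the thread.
AuthUserFile /home/yan/pass
AuthName "Members Area"
AuthType Basic
Require valid-user

# Host-based half of the check: deny everyone except requests that the
# SetEnvIfNoCase line above flagged.
Order deny,allow
Deny from all
Allow from env=allowed_referer

# Serve the file if EITHER the Allow rule passes OR a valid login is given.
# Without this line both conditions are required, so every request is
# prompted for a password.
Satisfy any

# Apache 2.4 native equivalent of the Order/Deny/Allow/Satisfy lines:
# <RequireAny>
#     Require env allowed_referer
#     Require valid-user
# </RequireAny>
```

Because the Referer header is set by the client, this rule discourages hotlinking from other sites but is not a substitute for the password check on content that must stay private.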