Preventing hot-linking content thieves

Anyone who owns or hosts an image-heavy website will know what a pain unauthorised users of content can be. These so-called "hot-linkers" take some content they like, usually images, and use it on their own sites. Most people would probably let it go if it were just an individual using one of their pretty pictures, but usually these people are professional "ad-farmers" who will use dozens of images from a single site to make money for themselves.

To add insult to injury, these nefarious losers usually don't even bother to host a copy of the image on their own servers, often because they incorrectly believe this protects them from copyright infringement claims; instead they link directly to the image on your server, so that they leech your bandwidth as well as your content!

Luckily, there is something which can be done to prevent these pathetic miscreants from getting away with it.

Users of the Hacking Networked Solutions overlay for Gentoo Linux may install the configuration fragments and "thief" graphic using the command below. If you are not using our overlay, and you do not wish to do so, you will have to create the files mentioned below by hand.

lisa emerge www-apache/hotlink-deflector

Replacing hot-linked images using mod_rewrite

The example configuration fragment shown below uses the Apache2 Rewrite Engine, often referred to as mod_rewrite, to replace "hot-linked" images with a graphic explaining that the owner of the site in question is a "sad, talentless, dishonest thief who has to resort to stealing other people's content & bandwidth to make a living!"

/etc/apache2/blocks/deflector_rewrite.conf
# Ensure the Rewrite Engine is enabled.
RewriteEngine On

# Create a RewriteMap named deflector.
RewriteMap deflector txt:/etc/apache2/deflector/banned_hosts.txt

# Each RewriteCond applies only to the single RewriteRule that follows it, so
# the checks below feed one rule that flags the request and a separate rule per
# image type then acts on that flag. (With two rules directly after the chain,
# the second would fire unconditionally and redirect thief.svg to itself.)

# If this is a request for a deflector image, or not an image request, then
# we can save some processing by quitting now.
RewriteCond %{REQUEST_URI} !^/_deflector/
RewriteCond %{REQUEST_URI} \.(gif|jpg|png|svg)$ [NC]

# If we have not been passed a referer (sic), or the referer was us, then
# we can save some processing by quitting now. Server variables are not
# expanded inside a regex CondPattern, so the host is compared by appending
# it to the referer and matching it with a back-reference.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER}::%{SERVER_NAME} !^https?://([^/:]+)(:[0-9]+)?/.*::\1$ [NC]

# We want to perform the lookup by host-name only so we use this regex to
# capture it into a back-reference.
RewriteCond %{HTTP_REFERER} ^https?://([^/:]+)

# Look up the host-name in the deflector RewriteMap, returning NOT-FOUND if
# there is no such entry. If we get NOT-FOUND then they are not on the list.
RewriteCond ${deflector:%1|NOT-FOUND} !=NOT-FOUND

# All of the conditions above held, so flag the request for deflection.
RewriteRule ^ - [E=DEFLECT:1]

# Redirect flagged image requests to the thief graphic of the matching type.
RewriteCond %{ENV:DEFLECT} =1
RewriteRule \.(gif|jpg|png)$ http://%{SERVER_NAME}/_deflector/thief.png [NC,R,L]

RewriteCond %{ENV:DEFLECT} =1
RewriteRule \.svg$ http://%{SERVER_NAME}/_deflector/thief.svg [NC,R,L]

Aliasing the shared _deflector directory

The above configuration fragment redirects image requests from "banned" referrers to the http://%{SERVER_NAME}/_deflector/thief.png graphic. As this file may be shared among many sites, we have decided to serve it from /usr/share/apache2/deflector/ instead of any particular web server directory. The configuration fragment below creates an appropriate Alias and allows access to the shared directory.

/etc/apache2/blocks/deflector_alias.conf
# Create an alias to our _deflector directory.
Alias /_deflector /usr/share/apache2/deflector/

# Allow access to the aliased directory.
<Directory "/usr/share/apache2/deflector">
Options None

Order allow,deny
Allow from all
</Directory>

Configuring the list of banned hosts

To complete the configuration for the "hot-link deflector" we need to create a list of the hosts which will be banned from "hot-linking" our images. As you can see below, this file consists of a single host-name per line followed by a value. The minus symbol in the second column is required purely to give the RewriteMap a return value and can be replaced with any string.

/etc/apache2/deflector/banned_hosts.txt
# Any hosts appearing in this file will be redirected to a "thief" graphic when
# they "hot-link" an image.

besthomedecorators.com -
hawaiidermatology.com -
equity.opstechnology.com -
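
To check the decision logic of the rewrite fragment and the banned_hosts.txt format against awkward inputs (no referer, a referer that is our own site, a referer carrying a port, a request for the thief graphic itself) before reloading Apache, here is a small Python model of the RewriteCond chain. It is an added example, not part of the hotlink-deflector package; the server name and the sample requests are constructed, and the lookup is case-sensitive exactly as a txt: RewriteMap is.

```python
import re

# Parser for Apache's txt: RewriteMap format as used by banned_hosts.txt:
# one "key value" pair per line; blank lines and '#' comments are ignored.
def parse_rewritemap(text):
    banned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        banned[key] = value.strip() or "-"
    return banned

# Same patterns as the RewriteCond lines: host ends at '/' or ':' (port).
_HOST_RE = re.compile(r"^https?://([^/:]+)", re.IGNORECASE)
_IMAGE_RE = re.compile(r"\.(gif|jpg|png|svg)$", re.IGNORECASE)

def deflect(request_uri, referer, server_name, banned):
    """Return the redirect target, or None when the request is left alone."""
    # Never touch the thief graphics themselves, or non-image requests.
    if request_uri.startswith("/_deflector/") or not _IMAGE_RE.search(request_uri):
        return None
    # No referer (direct visits, privacy-conscious browsers) is left alone.
    if not referer:
        return None
    m = _HOST_RE.match(referer)
    if m is None:
        return None
    host = m.group(1)
    # Our own pages legitimately link to our own images.
    if host.lower() == server_name.lower():
        return None
    # Lookup by host name only; NOT-FOUND means the host is not on the list.
    if banned.get(host, "NOT-FOUND") == "NOT-FOUND":
        return None
    thief = "thief.svg" if request_uri.lower().endswith(".svg") else "thief.png"
    return "http://%s/_deflector/%s" % (server_name, thief)

# Constructed sample: the list from this page, served for www.example.com.
SAMPLE_MAP = parse_rewritemap("""
# Any hosts appearing in this file will be redirected to a "thief" graphic.

besthomedecorators.com -
hawaiidermatology.com -
equity.opstechnology.com -
""")
SERVER = "www.example.com"
```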

Reconfiguring a virtual server

Finally we need to configure our virtual servers to include the configuration fragments we installed, or created in previous sections if you are not using the www-apache/hotlink-deflector package.

/etc/apache2/vhosts.d/default_vhost.include
ServerAdmin spamcatcher@hacking.co.uk

DocumentRoot "/var/www/hacking/website"

<Directory "/var/www/hacking/website">
Options None

AllowOverride All

Order allow,deny
Allow from all
</Directory>

Include /etc/apache2/blocks/deflector_rewrite.conf
Include /etc/apache2/blocks/deflector_alias.conf

Information:
In the above example we have included both the deflector_rewrite.conf and the deflector_alias.conf configuration fragments. If you are configuring a virtual host which is behind a reverse proxy then the deflector_rewrite.conf fragment should be added to the reverse proxy configuration and the deflector_alias.conf fragment should be added to the virtual host configuration.

Once the virtual host is configured the Apache server will need to be instructed to reload any configuration files, as shown below.

lisa /etc/init.d/apache2 reload

Your images should now be protected from "hot-linking" by any of the hosts you have included in the banned list. Depending on your browser cache settings you may need to hit F5 or Refresh on the menu before the changes are visible.