3

We need to prevent direct access of files on our site from someone just entering a URL in their browser. I got this to work by using an htaccess file and it is fine in IE & Safari, but for some reason Firefox doesn't cooperate. I think it has something to do with the way Firefox reports referrers.

Here is my code in the .htaccess file.

RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_REFERER} !^http://(my\.)?bigtimbermedia\.com/.*$ [NC]
RewriteRule \.(swf|gif|png|jpg|doc|xls|pdf|html|htm|xlsx|docx)$ http://my.bigtimbermedia.com/ [R,L]

If you want to see an example of this, try accessing this first... http://my.bigtimbermedia.com/books/bpGreyWolvesflip/index.html

It blocks it properly in all browsers.

Now if you go to this URL and click on the link, it works in IE and Safari, but Firefox chokes and seems like it is in a loop.

Any ideas how I can get this to work in Firefox? Thanks!

  • Are we missing the second link? – Dominik Feb 11 '10 at 02:59
  • 1
    Rather than .htaccess, have you considered putting this in httpd.conf instead? From the Apache docs: "However, in general, use of .htaccess files should be avoided when possible. Any configuration that you would consider putting in a .htaccess file, can just as effectively be made in a <Directory> section in your main server configuration file." – Jim B Feb 11 '10 at 03:20
  • The 2nd link is http://my.bigtimbermedia.com/sample.php. I couldn't post more than one link since I am a serverfault.com newb. –  Feb 11 '10 at 03:36
  • Thanks Jim. Unfortunately this site is hosted on Rackspace Sites and doesn't allow me to edit httpd.conf. –  Feb 11 '10 at 03:46
  • 1
    Remember that referer checking can be bypassed in seconds (assuming someone knows that your RewriteCond is looking for "mbigtimbermedia.com"). – user1686 Feb 11 '10 at 14:09
  • grawity...I think everybody knows now :P – Scoregraphic Aug 24 '10 at 06:09

2 Answers

1

Could you just use

RewriteCond %{HTTP_REFERER} !^%{HTTP_HOST}$ [NC]

So that you're matching whatever the machine thinks the host is?

Devin Ceartas
  • Elegant solution. Makes changing site names even easier... although it doesn't answer OP's question – Julian Aug 09 '10 at 18:14
0

RewriteCond %{HTTP_REFERER} !^http://(my.)?bigtimbermedia.com/.*$ [NC]

Without having tested it - your rewrite rule looks a bit funny - I would run this through Paros or Fiddler and see what the difference is between the requests that Firefox is sending and those IE or Opera or whatever are sending, as well as what the redirect your system is sending back actually is.

gabbelduck
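
Following the suggestion above to compare what each browser actually sends, this added example (not code from the question or either answer) models the question's RewriteCond and RewriteRule in Python, so Referer values read from a proxy capture can be checked against them. The `CAPTURE` rows are constructed sample values, and `evaluate` and `report` are hypothetical names.

```python
import re

# Patterns copied from the .htaccess in the question.
COND = re.compile(r"^http://(my\.)?bigtimbermedia\.com/.*$", re.IGNORECASE)  # [NC]
RULE = re.compile(r"\.(swf|gif|png|jpg|doc|xls|pdf|html|htm|xlsx|docx)$")
TARGET = "http://my.bigtimbermedia.com/"


def evaluate(request_uri, referer):
    """Model the question's rule for one request; returns (action, location).

    Per-directory (.htaccess) matching: the query string and the leading "/"
    are not part of what the RewriteRule pattern sees, and a missing Referer
    header makes %{HTTP_REFERER} an empty string.
    """
    path = request_uri.split("?", 1)[0].lstrip("/")
    if not RULE.search(path):        # the rule pattern is tested first
        return ("serve", request_uri)
    if COND.search(referer or ""):   # "!" negates: a match means no rewrite
        return ("serve", request_uri)
    return ("redirect", TARGET)      # [R] without a status code is a 302


# Constructed sample rows standing in for a proxy capture:
# (label, request URI, Referer header or None if the browser sent none).
BOOK = "/books/bpGreyWolvesflip/index.html"
CAPTURE = [
    ("URL typed directly", BOOK, None),
    ("link on sample.php", BOOK, "http://my.bigtimbermedia.com/sample.php"),
    ("https referer value", BOOK, "https://my.bigtimbermedia.com/sample.php"),
    ("referer without trailing slash", BOOK, "http://my.bigtimbermedia.com"),
    ("redirect target itself", "/", None),
    ("page outside the extension list", "/sample.php", None),
]


def report(capture):
    """Return [(label, action)] so captured requests can be compared."""
    return [(label, evaluate(uri, ref)[0]) for label, uri, ref in capture]


if __name__ == "__main__":
    for label, action in report(CAPTURE):
        print(f"{action:8}  {label}")
```

A row that comes back as `redirect` for a request made by following a real link means the Referer that browser sent did not satisfy the condition. The header is supplied by the client, so the rule discourages casual direct linking rather than enforcing access.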