File protection via Apache mod_rewrite
A while ago on a different forum I found an Apache server solution to bandwidth theft by using mod_rewrite. I've been having trouble with people live-linking my sound files, so I decided to give it a try. The .htaccess code:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://www.mydomain.com/.*$ [NC]
RewriteRule .*\.wav$ stolen.php3
It looks pretty simple on the surface and 50% of the time it works like a charm. Any request coming for a .wav file on my domain is allowed to get the file, any coming from a non-valid referer is blocked and sent to a file named stolen.php3. That page would explain why bandwidth theft is wrong, would allow people to access the file they wanted, but through MY site and would also collect the HTTP_REFERER and REQUEST_URI info so that I could deal with the people doing the live-linking.
The problem comes in on whether a person chooses to just play the .wav via a left-click or save it via a right-click. On left clicks the above code does forward to stolen.php3 and collect the info I want, no problem there. However, on a right-click "save file as" or "save link as" from the originating site, it gets screwy. In IE5, it downloads the appropriate .wav file like the protection isn't even there. But in Netscape 4.x it downloads the stolen.php3 in place of the requested .wav. So if a surfer tried to get filenamex.wav he'd actually get a file named filenamex.wav, but in actuality it would be stolen.php3, so it wouldn't be a valid .wav and obviously wouldn't play.
Okay, a solution that works 50% of the time is far better than no solution at all. But I was wondering if there was a way that would effectively block both left-click and right-click file accesses. Do any of you Apache mod_rewrite gurus (the 5 people on earth that truly understand that module) have any ideas?
roBofh posted this at 13:35 — 19th February 2000.
They have: 122 posts
Joined: Jun 2000
I'm assuming here that in IE, when you right click and do a 'save as', IE doesn't actually report the referrer to the server since it's only saving the file. The first RewriteCond looks like it allows the no-referrer connections to go through. Perhaps if you try redirecting requests with no referrers to an index page, or even stolen.php3, right-clicking would no longer work. I'll have to fiddle around with apache/netscape/ie here and try it out.
Rob Radez
OSInvestor.com
Maverick posted this at 05:27 — 20th February 2000.
They have: 334 posts
Joined: Dec 1999
Yep, I thought of that, but it presents a problem. If IE isn't sending a valid HTTP_REFERER on right-click file saves, then re-directing anything without that field is asking for trouble. I don't want anybody that's on MY site using IE to get taken to that stolen page when they made a perfectly legit request. I was hoping there was some sort of other way to handle right-clicks. Maybe something with the REQUEST_METHOD or QUERY_STRING or something else that could pick up that the request was coming from a remote location. I just don't understand mod_rewrite well enough to even know if such a thing is possible, let alone how to do it.
Want to join the discussion? Create an account or log in if you already have one. Joining is fast, free and painless! We’ll even whisk you back here when you’ve finished.