Multiple rewrite rules within .htaccess

Hotlinking, forbidden referer, multiple rules.

         

Michel Samuel

9:46 pm on May 25, 2007 (gmt 0)

10+ Year Member



I've worked on this for some time and tested it.
And I think I am close but it isn't quite flowing.

I'm blocking several referers to the site and then blocking the hotlinking of my images.
-----------

RewriteEngine on
RewriteCond %{REQUEST_URI} !/403\.shtml$
RewriteCond %{HTTP_REFERER} site one\.com [NC,OR]
RewriteCond %{HTTP_REFERER} site two\.com [NC,OR]
RewriteCond %{HTTP_REFERER} site three\.com [NC,OR]
RewriteCond %{HTTP_REFERER} site four\.com [NC,OR]
RewriteCond %{HTTP_REFERER} site five\.org [NC,OR]
RewriteCond %{http_referer} !^$ [NC,OR]
RewriteCond %{http_referer} !^http://(www.)?mysite.com [NC]
rewriterule .(gif|jpe?g)$ - [NC,F]
RewriteRule .* - [F]

jdMorgan

10:06 pm on May 25, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



RewriteConds apply only to the single RewriteRule that follows them.

So, the second rule is unconditional and that code will forbid all access to the server. Also, the server will loop trying to serve the custom 403 error document.


RewriteEngine on
#
# Block all referrals from these domains (and all of their subdomains)
RewriteCond %{HTTP_REFERER} ^http://([^.]+\.)*site-one\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://([^.]+\.)*site-two\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://([^.]+\.)*site-three\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://([^.]+\.)*site-four\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://([^.]+\.)*site-five\.org [NC]
RewriteRule !403\.shtml$ - [F]
#
# Block image hotlinking
RewriteCond %{REQUEST_URI} !/403\.shtml$
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://(www\.)?my-site\.com [NC]
RewriteRule \.(gif|jpe?g)$ - [NC,F]

Jim

Michel Samuel

11:37 pm on May 25, 2007 (gmt 0)

10+ Year Member



Now if I wanted to enable deeplinks on one directory I could just upload another .htaccess file.

In it I would input.
RewriteEngine off

But doing so does that not effectively stop the entire .htaccess file?

-------
And one more question.

My original input was with the 403 request error at the top. (above site one) But in your example it moved to the bottom. (below site five)
Is there a syntax or something I should watch for?

RewriteCond %{REQUEST_URI} !/403\.shtml$
RewriteCond %{HTTP_REFERER} site one\.com [NC,OR]

RewriteCond %{HTTP_REFERER} ^http://([^.]+\.)*site-five\.org [NC]
RewriteRule !403\.shtml$ - [F]

[edited by: Michel_Samuel at 11:47 pm (utc) on May 25, 2007]

jdMorgan

12:07 am on May 26, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Yes, you can put your .htaccess file with RewriteEngine off into the subdirectory that you want un-protected.

Or you can use a RewriteCond in the main .htaccess file to disable the rule if the requests are made to the subdirectory you don't want protected.

---

The two different methods I used to disable the rule if 403.shtml is requested are equivalent. In the first rule, we do not care what kind of file is being requested. This leaves the pattern in the RewriteRule open to be used to exclude 403.shtml directly.

In the second rule, we use the pattern in the RewriteRule to test for image filetypes, so the exclusion must be done in a separate RewriteCond. Actually, since "403.shtml" will never match "\.(gif|jpeg|jpg)$", the RewriteCond is not needed, and you can remove it.

Jim

Michel Samuel

12:22 am on May 26, 2007 (gmt 0)

10+ Year Member



I thank you for the help but I'm not sure I got my questions answered. (remember I'm not too intelligent and I probably made mistakes explaining myself)

I just wanted to know if uploading a file with rewrite off will stop the entire .htaccess file for that directory.

And second I was curious why the request for the 403 error moved from the top of the list to the bottom.

jdMorgan

1:57 am on May 26, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Yes, it's a problem with translation, et je n'ais pas les mots...

This is correct and sufficient:


RewriteEngine on
#
# Block all referrals from these domains (and all of their subdomains)
RewriteCond %{HTTP_REFERER} ^http://([^.]+\.)*site-one\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://([^.]+\.)*site-two\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://([^.]+\.)*site-three\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://([^.]+\.)*site-four\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://([^.]+\.)*site-five\.org [NC]
RewriteRule !403\.shtml$ - [F]
#
# Block image hotlinking
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://(www\.)?my-site\.com [NC]
RewriteRule \.(gif|jpe?g)$ - [NC,F]

> why the request for the 403 error moved from the top of the list to the bottom.

I moved it to the bottom of the list because it *can* be moved from a RewriteCond into the RewriteRule, and this eliminates one RewriteCond. Note that "!" means NOT, so this entire rule does not apply if the request is for 403.shtml. If this rule did apply to 403.shtml, then a request for any URL from a disallowed referrer would result in the server attempting to serve 403.shtml. But if 403.shtml was also disallowed by the rule, then the server would attempt to serve 403.shtml in response, which is disallowed, so it would again respond by trying to serve 403.shtml... etc. It is an endless loop.

So the server must never block any request for 403.shtml in any rule that uses [F] to generate a 403 response.

Jim

[edited by: jdMorgan at 1:57 am (utc) on May 26, 2007]
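
The behaviour discussed in this thread, as an added Python model that is not code from any poster: it evaluates the first post's rules and the final corrected rules against constructed requests, showing that a RewriteCond list binds only to the next RewriteRule and why 403.shtml must stay exempt. The function names are hypothetical, the blocked-referrer list is shortened to two entries, and every pattern is matched case-insensitively as a simplification.

```python
import re

def matches(pattern, value):
    """mod_rewrite pattern test: a leading '!' negates the regex match."""
    negate = pattern.startswith("!")
    hit = re.search(pattern[1:] if negate else pattern, value, re.I) is not None
    return hit != negate

def conds_pass(conds, req):
    """Conds are ANDed, except that [OR] chains a cond to the one after it."""
    i = 0
    while i < len(conds):
        var, pattern, or_next = conds[i]
        ok = matches(pattern, req[var])
        if or_next and ok:
            # One member of the OR group is true: skip the rest of the group.
            while conds[i][2] and i < len(conds) - 1:
                i += 1
        elif not or_next and not ok:
            return False
        i += 1
    return True

def forbidden(rules, uri, referer=""):
    """True if any [F] rule fires; each cond list belongs to exactly one rule."""
    req = {"REQUEST_URI": uri, "HTTP_REFERER": referer}
    # In .htaccess the rule pattern sees the path without its leading slash.
    return any(matches(pattern, uri.lstrip("/")) and conds_pass(conds, req)
               for conds, pattern in rules)

BAD = r"^http://([^.]+\.)*site-%s"       # blocked-referrer pattern from the thread
OWN = r"!^http://(www\.)?my-site\.com"   # "referer is not my own site"

# First post: the conds attach to the image rule only, so ".*" is unconditional.
ORIGINAL = [
    ([("REQUEST_URI", r"!/403\.shtml$", False),
      ("HTTP_REFERER", r"site-one\.com", True),
      ("HTTP_REFERER", r"!^$", True),
      ("HTTP_REFERER", OWN, False)], r".(gif|jpe?g)$"),
    ([], r".*"),
]
# Final answer: one cond list per rule; 403.shtml is excluded in the rule pattern.
FIXED = [
    ([("HTTP_REFERER", BAD % r"one\.com", True),
      ("HTTP_REFERER", BAD % r"five\.org", False)], r"!403\.shtml$"),
    ([("HTTP_REFERER", r".", False),
      ("HTTP_REFERER", OWN, False)], r"\.(gif|jpe?g)$"),
]
```

Calling `forbidden(ORIGINAL, "/403.shtml")` returns True, which is the error-document loop described above; with `FIXED` the same request is served even when the referer is on the block list.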

Michel Samuel

6:57 am on May 26, 2007 (gmt 0)

10+ Year Member



T*barnac!
It went from being a request to a rule.
I didn't even see that.

I hate it when I do not know why something is done.
And that made me perplexed.

Thank you, I appreciate the aid.