Apache2Triad Help, Support and Development Forum
Securing Your Server (Tricks Of The Trade)

linux-don
Posted: Sat Aug 12, 2006 12:14 am

Ok.. I've done as you instructed, however, do I need to change {SERVER_NAME} to my vhost's names? I still can't get it to work.

Here is my protect.conf file:
Code:
RewriteEngine On
RewriteCond %{HTTP_REFERER}!^http?://(www\.)?%{SERVER_NAME}/images/ [NC]

# Serve Alternate Image
RewriteRule [^/]+.(jpe?g|gif|png|mp3|swf)$ http://%{SERVER_NAME}/images/denied.jpe [R,L]

# Block Altogether
# RewriteRule [^/]+.(jpe?g|gif|png|mp3|swf)$ - [NC,F]


And then in my httpd.conf, I've added that conf file to each of my vhosts. But it still seems like it is still hotlinkable when I did a test with another server that I webmaster for. The original image is still served, rather than the alternate that I've specified.

Joshua Meadows (DemoRic)
Posted: Sun Aug 13, 2006 2:03 am

try adding
Code:
RewriteCond %{HTTP_REFERER}---%{HTTP_HOST} !^https?://([^/]+)/.*---\1$ [NC]
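
Added example, not part of the posts in this thread: a Python model of how the RewriteCond suggested above treats different Referer/Host pairs, including requests with no Referer and requests that reach the same site under a different host alias. It assumes Python's `re` matches this pattern the way Apache's regex engine does; `rule_fires`, `evaluate`, the `allow_empty_referer` switch and the sample requests are constructed for illustration.

```python
import re

# Positive form of the pattern from the RewriteCond above. Apache applies the
# leading "!" as a negation, so the rule fires when this does NOT match.
SAME_HOST = re.compile(r"^https?://([^/]+)/.*---\1$", re.IGNORECASE)


def rule_fires(referer, host, allow_empty_referer=False):
    """Return True when the image request would be redirected or blocked."""
    if allow_empty_referer and referer == "":
        # Models an extra 'RewriteCond %{HTTP_REFERER} !^$' line placed before
        # the host comparison (an assumption, not taken from the thread).
        return False
    test_string = f"{referer}---{host}"  # %{HTTP_REFERER}---%{HTTP_HOST}
    return SAME_HOST.search(test_string) is None


# Constructed sample requests: (Referer header, Host header).
SAMPLES = [
    ("http://www.mysite1.org/gallery/index.html", "www.mysite1.org"),  # own page
    ("https://WWW.mysite1.org/", "www.mysite1.org"),                   # case differs
    ("http://forum.example.net/viewtopic.php?t=1", "www.mysite1.org"), # other site
    ("http://mysite1.org/index.html", "www.mysite1.org"),              # alias mismatch
    ("", "www.mysite1.org"),                                           # no Referer sent
]


def evaluate(samples=SAMPLES, **kwargs):
    """Evaluate every sample and return the list of rule_fires() results."""
    return [rule_fires(referer, host, **kwargs) for referer, host in samples]


if __name__ == "__main__":
    for (referer, host), fired in zip(SAMPLES, evaluate()):
        verdict = "BLOCK" if fired else "serve"
        print(f"{verdict}  Host={host}  Referer={referer or '(none)'}")
```

The Referer header is supplied by the client, so this check curbs casual hotlinking but is not access control. A page loaded as mysite1.org that embeds an image from www.mysite1.org is treated as a foreign site, which matters with the ServerAlias entries used in this thread.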

linux-don
Posted: Sun Aug 13, 2006 4:37 am

Ok.. not sure what I'm doing wrong here.. I'll paste snippets of my httpd.conf file as well as what I have for my protect.conf file.

httpd.conf
Code:
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName www.mysite1.org
    ServerAlias mysite1.org *.mysite1.org
    DocumentRoot "F:/apache2triad/htdocs"
    Include "F:/apache2triad/conf/protect.conf"
</VirtualHost>

<VirtualHost *:80>
    ServerName www.mysite2.org
    ServerAlias mysite2.org *.mysite2.org
    DocumentRoot "F:/apache2triad/htdocs/mysite2"
    Include "F:/apache2triad/conf/protect.conf"
</VirtualHost>

<VirtualHost *:80>
    ServerName www.mysite3.com
    ServerAlias mysite3.com
    DocumentRoot "F:/apache2triad/htdocs/mysite3"
    Include "F:/apache2triad/conf/protect.conf"
</VirtualHost>

<VirtualHost *:80>
    ServerName shop.mysite3.com
    ServerAlias shop.mysite3.com
    DocumentRoot "F:/apache2triad/htdocs/mysite3/shop"
    Include "F:/apache2triad/conf/protect.conf"
</VirtualHost>


protect.conf
Code:
RewriteEngine On
RewriteCond %{HTTP_REFERER}!^https?://(www\.)?%{SERVER_NAME}/images/ [NC,OR]
RewriteCond %{HTTP_REFERER}---%{HTTP_HOST} !^https?://([^/]+)/.*---\1$ [NC]

# Serve Alternate Image
RewriteRule [^/]+.(jpe?g|gif|png|mp3|swf)$ http://%{SERVER_NAME}/images/denied.jpe [R,L]

# Block Altogether
#RewriteRule [^/]+.(jpe?g|gif|png|mp3|swf)$ - [NC,F]


Have I missed something here?

Joshua Meadows (DemoRic)
Posted: Sun Aug 13, 2006 10:16 pm

Honestly I don't see anything wrong (except a typo denied.jpe instead of denied.jpg).
If you're trying to prevent images by folder you could try:
Code:

# -------- Prevent Bandwidth Thieves by Folder -----------
   #http://httpd.apache.org/docs/2.0/env.html
   SetEnvIf REFERER !^https?://(www\.)?jaydium\.servehttp\.com/ linked_from_here
   SetEnvIf REFERER !^https?://(www\.)?%{SERVER_NAME} linked_from_here
   SetEnvIf REFERER !^$ linked_from_here

   <Directory C:/apache2triad/protectedimages>
       Order deny,allow
       Deny from all
       Allow from env=linked_from_here
   </Directory>

linux-don
Posted: Mon Aug 14, 2006 11:36 am

Actually.. the jpe isn't a typo.. it's a picture that I have.. in a jpe format.. I was using it when I tried to deny access to all .gif, .jpg, .jpeg, and .png files.. but I quickly found out that it also denied it to the server.. so I wasn't sure how to leave that block of code.. and just tweak it so that the server itself could access it.

Perhaps trying "allow from localhost"? or something to that effect?

I also noticed that in your code... you have 'https?' (I haven't set up the SSL portion yet).. Do I need to change that to 'http?'?

mastertr
Posted: Tue Aug 15, 2006 2:27 pm

## ---------- Change HTTP to HTTPS by Directory ------------
#RewriteCond %{HTTPS} !=on
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/phpsftpd.*$
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R,NC]

#RewriteCond %{REQUEST_URI} ^/phpmyadmin.*$
#RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R,NC]

RewriteCond %{REQUEST_URI} ^/awstats.*$
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R,NC]

RewriteCond %{REQUEST_URI} ^/apache2triadcp.*$
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R,NC]

#RewriteCond %{REQUEST_URI} ^/mail.*$
#RewriteRule ^/(.*) http://%{SERVER_NAME}/squirrelmail.*$ [L,R,NC]

RewriteCond %{REQUEST_URI} ^/uebimiau.*$
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R,NC]
## ---------------------------------------------------------

## ---------- Change Requests By File Extension -------------
#make sure playlists are http since media players don't use https
RewriteCond %{REQUEST_URI} ^/.*$/!\.(m3u|pls|mp3)
RewriteRule !\.(m3u|pls|mp3)$ http://%{SERVER_NAME}/$1 [L,R,NC]

#Deny file requests by file extension
RewriteCond %{REQUEST_URI} ^/.*$/!\.(exe|dll|so|bak|lnk)
RewriteRule !\.(exe|dll|so|bak|lnk)$ http://%{SERVER_NAME}//error2/hata.html [L,R,NC]

They don't work.
I easily download the blabla.exe file and there are no warnings to me.

Joshua Meadows (DemoRic)
Posted: Tue Aug 15, 2006 11:56 pm

Change HTTP to HTTPS by Directory does work; I just verified it on my installation. Make certain that you have apache w/ ssl configured and port 443 open.

However, Change Requests By File Extension doesn't seem to work any longer. When I had originally posted the information it did. I don't know if this is due to a change in mod_security. I'll do some searching to see if I can't pin it down, or come up with another rule.


Quote:
I also noticed that in your *Prevent by Folder* code... you have 'https?' (I haven't set up the SSL portion yet).. Do I need to change that to 'http?'?

No, that rule covers both http and https.
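
Added example, not part of the posts in this thread: a Python model of the "Deny file requests by file extension" rule exactly as it appears in mastertr's post, next to a non-negated form. It assumes Python's `re` treats `$` and alternation like Apache's regex engine for these patterns; the function names, the corrected rule and the request paths are constructed for illustration.

```python
import re

# Patterns copied from the posted "Deny file requests by file extension" rules.
# RewriteCond %{REQUEST_URI} ^/.*$/!\.(exe|dll|so|bak|lnk)
POSTED_COND = re.compile(r"^/.*$/!\.(exe|dll|so|bak|lnk)")
# RewriteRule !\.(exe|dll|so|bak|lnk)$ ... [L,R,NC]   ("!" negates the match)
POSTED_RULE = re.compile(r"\.(exe|dll|so|bak|lnk)$", re.IGNORECASE)

# Corrected form (an assumption of this example, reusing the "- [NC,F]" action
# that appears earlier in the thread):
#   RewriteRule \.(exe|dll|so|bak|lnk)$ - [NC,F]
FIXED_RULE = re.compile(r"\.(exe|dll|so|bak|lnk)$", re.IGNORECASE)


def posted_rule_fires(uri):
    """The rule fires only if its negated pattern and its condition both hold."""
    rule_ok = POSTED_RULE.search(uri) is None      # leading "!" inverts the result
    cond_ok = POSTED_COND.search(uri) is not None  # "$" followed by "/" never matches
    return rule_ok and cond_ok


def fixed_rule_fires(uri):
    """Corrected rule: fires (403) when the path ends in a listed extension."""
    return FIXED_RULE.search(uri) is not None


# Constructed request paths.
PATHS = ["/downloads/blabla.exe", "/downloads/SETUP.EXE", "/backup/site.bak",
         "/index.html", "/images/logo.png"]


def compare(paths=PATHS):
    """Return (path, posted_result, fixed_result) for each request path."""
    return [(p, posted_rule_fires(p), fixed_rule_fires(p)) for p in paths]


if __name__ == "__main__":
    for path, posted, fixed in compare():
        print(f"{path:24} posted={'deny' if posted else 'serve'} "
              f"fixed={'deny' if fixed else 'serve'}")
```

In the posted form the condition requires more text after the end-of-string anchor, so it is never true and no request is ever redirected. The negated rule pattern would in any case select the paths that do not end in a listed extension.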

scrambler
Posted: Sun Nov 05, 2006 4:37 pm

linux-don wrote:
I'm wanting to set up a way to hinder or stop image thieves that either try to save images to their PC by way of right clicking or using the IE toolbar or by linking it on another site.

Is there a way that if either of these methods are used that they would get an alternate image? If so, how would I set this up?

As an example: Let's say I linked an image from one site to another.. the alternate image could be one that says "Don't steal or link this image"... or something to that effect.

EDIT: I've tried more recommendations from other sites as well as this one... and still can't seem to get it to work.

Server Profile
Windows XP Pro
A2T Extreme v1.5.4

I've tried several variations of the recommendations within the server config file, which turned no results. I've also used .htaccess page to try and see if that worked.. and it sorta did.. but sorta not. If I placed it in the htdocs directory.. it would prevent hotlinking, but generated an error 500 when trying to access any of my sites (I have 4 vhosts including the default one). If I placed it in the apache2triad folder.. I could access my sites.. but it didn't stop the hotlinking.

Am I missing something or have I misconfigured something? Any assistance would be greatly appreciated.


What about the fact that whenever a page loads, period, the images and all content are automatically saved to the visitor's PC? No need for right clicking or anything. They just find the images downloaded to their computer and then they can host them on many file sharing sites.

linux-don
Posted: Tue Jun 19, 2007 3:18 pm

Ok... I've looked at this thread over and over and still can not get this to work like I want it. Basically, I need it to redirect http://www.mydomain.com/mystore/ to https://www.mydomain.com/mystore and no matter how I set it... it's not redirecting.

I have tried setting redirects in the httpd.conf file, using the HTTP to HTTPS by directory code, even tried using it in a .htaccess file (just generates a 500 error (Internal Server Error)), but nothing seems to work. Any help would be appreciated.

httpd.conf
Code:
Redirect /mystore     https://www.mydomain.com/mystore/
Redirect /mystore/    https://www.mydomain.com/mystore/


That didn't work, so I tried:

httpd.conf
Code:
# Change HTTP to HTTPS by Directory #
#####################################
#RewriteCond %{HTTPS} !=on
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/shop.*$
RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [L,R,NC]


That didn't work, so I tried it in an .htaccess file... and that's when it generated an Error 500.