mod_hotlink – Helicon Tech Blog (http://www.helicontech.com/articles)

Protecting image gallery with Helicon Ape mod_hotlink
http://www.helicontech.com/articles/protecting-image-gallery-with-helicon-ape-mod_hotlink/
Tue, 04 Aug 2009 12:33:00 +0000

What is mod_hotlink? It’s a Helicon Ape module you’ll undoubtedly enjoy. Why? ‘Cause it’ll spare you the headache of thinking about traffic leechers. It will do it all for you. And now we’ll illustrate this ingenious process taking the Gallery2 photo gallery as an example.

To start we need the following ingredients:

  • IIS7-driven website (we use www.helicon_test.com)
  • Gallery2
  • Helicon Ape

Now we are ready to start cooking our healing soup. Firstly, you need to prepare (download and install) the Gallery2 product. Make sure it’s fresh (working fine).

Next, we need to create a link to this gallery on our IIS7-driven site (we put it on the main page). That’s the component we’ll experiment with today.

Take a spice mix called Helicon Ape from the shelf and be ready to use it in a moment (install Helicon Ape). Take a pinch of mod_hotlink spice and add it to the pot (just uncomment one line).

Stir it all slowly. To reveal the whole bouquet of the dish (protect only the necessary folder – in our case it’s /gallery2/), we add

HotlinkProtect /gallery2/

and

SetOutputFilter hotlink

to feel the most delicate notes of taste (to enable links replacing mechanism).

After that the aroma (link to Gallery2) will change for the better (a dynamically generated signature will be appended).

Now all links from our site pointing to Gallery2 folder are dynamically signed and the signature is unique for each client (individual approach to each person is a key to success!), i.e. there’s no way to get the content without this signature or fabricate it (the recipe is our top secret!).

Everyone who behaves badly and is not allowed to taste the dish or who tries to guess its components (everyone who attempts to access a protected resource with an incorrect signature) will get a 403 Forbidden response or will be turned out – redirected to the specified URL (RedirectURL parameter).

That is, mod_hotlink makes sure the user obtained the link from our site only (an authentic and inimitable one, made accounting for his preferences). And we don’t have to change anything on the site – all links on pages are transformed automatically on the fly (as if prepared in a microwave oven)!

Ok, let me see… Mmmm… Today our mod_hotlink-based dish is particularly delicious.
Bon appetit!

Strong hotlink protection with Helicon Ape mod_hotlink module
http://www.helicontech.com/articles/strong-hotlink-protection-with-helicon-ape-mod_hotlink-module/
Fri, 06 Mar 2009 14:45:00 +0000

Hello everyone!

We are happy to inform you that Helicon Ape 1.0.0.15 and newer boast additional functionality, most notably the mod_hotlink module. So that you can feel its power, we offer a brief overview reinforced by real practical examples.

mod_hotlink module is aimed at protecting your web server from people stealing your traffic by directly linking to the content on your server. This is especially important for those having image, video, documents archives and other downloadable content.

After enabling mod_hotlink your site will work as if nothing happened, all search engines and backward links will still be valid, all user’s favorites will remain working. But if someone tries to embed your stuff directly on their site, they will only see an error message or your site’s logo. You can save tons of traffic and thus money. You can even turn these hotlinks into real visitors by redirecting hotlink request to your site’s homepage.

Protection methods

mod_hotlink offers three protection methods, each having its advantages and peculiarities:

LINK: This is the most comprehensive and powerful protection method. In this mode mod_hotlink edits each link to protected content on your site by adding a special cryptographic signature. You specify an expiration time for the signature, after which the link becomes invalid (e.g. 30 minutes after it was requested). The LINK method is not sensitive to HTTP Referer modifications, disabled cookies or disabled JavaScript in users’ browsers. mod_hotlink is capable of protecting any file types including streaming media and embedded content.

REFERER: Simply checks HTTP Referer header and rejects all requests to the protected content from unknown sites. You may use white and black lists based on Referer and User-Agent values to allow friendly sites requests and protect against some ugly hacks. This method does not require any configuration or modification to your site and is a convenient way to protect image archives.

REDIRECT: Checks Referer header value but performs a redirect to a temporary signed link instead of returning content. It may be difficult to understand the theory of this method, but the only thing you need to know is that it provides moderate protection level to preserve some embedded content that cannot be protected by REFERER method – content like PDF files, Flash and Media Player movies, audio and so on. Just as in the previous method you don’t have to change anything – just enable mod_hotlink and specify a protection folder.

Examples

Enough theory; it’s time for the examples we promised. Following are examples for each protection method with thorough explanation.

1. Referer protection method

The task is to protect all images from hotlinking; allow referers from your own site and empty referers.

The solution using mod_rewrite is:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(?:www\.)?yourdomain\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F]

The same solution using mod_hotlink looks like:

<FilesMatch \.(jpg|jpeg|png|gif)$>
  HotlinkProtect / [Referer]
  HotlinkAllow Referer ^$
  HotlinkAllow Referer ^https?://(?:www\.)?yourdomain\.com
</FilesMatch>

How it works:

When a browser makes a request, it passes Referer header that shows the URL of the page with the requested resource.

Say you have a page default.html on your site www.yourdomain.com and there’s also a link <a href="/img/picture.gif">picture</a>. If you click on this link, the browser generates the following request:

GET /img/picture.gif HTTP/1.1
Host: www.yourdomain.com
Referer: http://www.yourdomain.com/default.html

Note! If you directly put the address of the resource into the browser address bar (e.g. http://www.yourdomain.com/img/picture.gif), Referer header is not passed.

  • Referer header value is verified for specified file types, i.e. jpg|jpeg|png|gif.
  • HotlinkAllow Referer ^$ – allows access if Referer header is empty or missing.
  • HotlinkAllow Referer ^https?://(?:www\.)?yourdomain\.com – allows access if Referer header starts with your domain name.
  • All others will get “403 Forbidden” for this request.
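
The rules above can be exercised offline before they are deployed. The following is an added example, not code from the article or from Helicon Ape: it models the Referer decision as the list describes it (case-insensitive, as in the mod_rewrite version) and runs constructed requests through the article's pattern and through a tightened variant. The tightened pattern, the decide and run helpers and the sample hosts are assumptions.

```python
import re

# Allow patterns from the article's example.
ARTICLE_ALLOW = [r"^$", r"^https?://(?:www\.)?yourdomain\.com"]
# Assumption: tightened variant that requires the host name to end right there
# (optional port, then "/" or end of string).
ANCHORED_ALLOW = [r"^$", r"^https?://(?:www\.)?yourdomain\.com(?::\d+)?(?:/|$)"]
# Protected file types, as in the FilesMatch / RewriteRule pattern.
PROTECTED = re.compile(r"\.(jpg|jpeg|png|gif)$", re.IGNORECASE)

def decide(path, referer, allow):
    """Return the HTTP status the Referer rules would produce."""
    if not PROTECTED.search(path):
        return 200                      # file type is not protected
    referer = referer or ""             # a missing header counts as empty
    if any(re.search(p, referer, re.IGNORECASE) for p in allow):
        return 200
    return 403

# Constructed sample requests: (path, Referer header or None).
SAMPLES = [
    ("/img/picture.gif", "http://www.yourdomain.com/default.html"),  # own page
    ("/img/picture.gif", None),                                      # typed URL
    ("/img/picture.gif", "http://other.example/page.html"),          # hotlink
    ("/img/picture.gif", "http://www.yourdomain.com.other.example/"),
    ("/default.html", "http://other.example/page.html"),             # not an image
]

def run(allow):
    return [decide(path, ref, allow) for path, ref in SAMPLES]

if __name__ == "__main__":
    print("article :", run(ARTICLE_ALLOW))
    print("anchored:", run(ANCHORED_ALLOW))
```

The fourth sample is the one to watch: a prefix match on the domain accepts any host name that merely begins with it, so the allow pattern should end with a boundary after the domain.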

2. Redirect protection method

Redirect method is usually used to protect .pdf and .swf files as Internet Explorer sets incorrect Referer header for such files when the user clicks “Save As…”

<FilesMatch \.(?:pdf|swf)$ >
  HotlinkSignature password
  HotlinkProtect / [Redirect]
  HotlinkAllow Referer ^$
  HotlinkAllow Referer ^https?://(?:www\.)?yourdomain\.com
</FilesMatch>

How it works:

  • The user requests the page (e.g. default.html). This page has a tag <a href="/doc/test.pdf">pdf</a>.
  • The browser requests http://www.yourdomain.com/doc/test.pdf and passes Referer http://www.yourdomain.com/default.html.
  • mod_hotlink checks the rules (given above).
  • HotlinkAllow Referer ^https?://(?:www\.)?yourdomain\.com – allows further processing.
  • Instead of granting direct access to test.pdf mod_hotlink performs redirect to a dynamically generated address http://www.yourdomain.com/doc/90f630427786fd84/test.pdf.
  • Browser requests http://www.yourdomain.com/doc/90f630427786fd84/test.pdf.
  • mod_hotlink verifies signature validity and then grants access to test.pdf.

All this stuff is necessary to bypass noncompliance of some browsers with the standards (especially this refers to Internet Explorer) as they sometimes don’t set Referer header for successive requests to the same resource.

3. Link protection method

Link protection is completely independent of the Referer header. But it requires manual correction of links on pages.

For this example we need the following files in the root of the site:

  • default.html
  • .htaccess
  • test.pdf

default.html page should have the following tag:

<object data='xxxxxxxxxxxxxxxx/test.pdf' type='application/pdf'> </object>

.htaccess must be configured as follows:

SetEnv mod_hotlink
HotlinkSignature password
<Files *.pdf>
  HotlinkProtect / [Link]
</Files>

When the user requests default.html, mod_hotlink replaces the Xs in the tag with a specially generated sequence:

<object data='90f630427786fd84/test.pdf' type='application/pdf'> </object>

How it works:

  • The user requests the page (e.g. default.html).
  • mod_hotlink replaces xxxxxxxxxxxxxxxx in the tag with dynamically generated signature.
  • The browser finds the tag <object data='90f630427786fd84/test.pdf' type='application/pdf'> </object> and makes a subrequest to http://www.yourdomain.com/90f630427786fd84/test.pdf (whether or not Referer is passed).
  • mod_hotlink verifies signature validity and then grants access to test.pdf.
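
One way a signed, expiring, per-client link of this kind can be built and verified, as an added example that is not Helicon Ape's code or its actual signature algorithm. The HMAC-SHA256 construction, the token layout (8 hex digits of expiry followed by a 16-hex tag), binding to the client IP address, the function names and the sample addresses are all assumptions; the key is a placeholder.

```python
import hashlib
import hmac
import re

SECRET = b"password"  # placeholder key, as in "HotlinkSignature password"
TTL = 30 * 60         # link lifetime: the 30-minute example from the text

def mac(path, client, expires):
    # Bind the tag to the file, the client and the expiry time.
    msg = f"{path}|{client}|{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]

def sign_link(path, client, now):
    """/doc/test.pdf -> /doc/<8 hex expiry><16 hex tag>/test.pdf"""
    directory, _, name = path.rpartition("/")
    expires = int(now) + TTL
    return f"{directory}/{expires:08x}{mac(path, client, expires)}/{name}"

def verify_link(signed_path, client, now):
    """Return the real path if the token is valid for this client, else None."""
    parts = signed_path.split("/")
    if len(parts) < 3 or not re.fullmatch(r"[0-9a-f]{24}", parts[-2]):
        return None  # unsigned link or malformed token
    token, name = parts[-2], parts[-1]
    path = "/".join(parts[:-2] + [name])
    expires = int(token[:8], 16)
    if not hmac.compare_digest(token[8:], mac(path, client, expires)):
        return None  # forged, altered, or issued to another client
    if now > expires:
        return None  # signature expired
    return path

if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed timestamp
    link = sign_link("/doc/test.pdf", "203.0.113.7", t0)
    print(link, verify_link(link, "203.0.113.7", t0 + 60))
```

A None result corresponds to the 403 Forbidden response or the RedirectURL redirect described earlier.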

Well, that’s all for today. Hope you’ve got some understanding of mod_hotlink capabilities and see what you can apply them to. Looking forward to your comments after your first steps with mod_hotlink. Don’t give leechers a single chance!

Best regards,

HeliconTech Team