embeed : Forbid URL : Prevent Fraud. Reject domain list

Paris, October 24 2007,

Dear Madams and Sirs,

Ever had the chance to forbid a website to download HTTP files from
your Website ?

Have a pc-linux-gnu on i686 - Apache version is Apache/2.0.50
(Fedora).

As an example : they insert in their web-pages : <iframe src="our-
website.com/file.php"> OR <img src="our-website.com/file.gif"

These websites are 100% undesired.

We searched out and asked questions BUT
.. if we found out how to forbid ONE USER to download a content
.. if we found out how to forbid USERS to access a file or a
directory.

We could not AT ALL find out how to forbid one website (eg :
click-as-a-monkey.com) to display our content.

> We found out 3 solutions that do not work :

1) Embeed the httpd.conf file inserting Directives and Rules
http://httpd.apache.org/docs/1.3/misc/rewriteguide.html
http://httpd.apache.org/docs/2.2/mis...de.html#access
http://www.doonet.info/apache_rewriting.php

Point is, we cannot change the httpd.conf file.

2) Change the PHP.INI
We did not find any operational solution to insert a list of anti-
leech and to monitor the referers.

3) Change the .htaccess of our website.
This solution seemed to be very soft and smart, but implementation
does not work.

3.A. Two Websites

/home/virtual/site5/fst/var/www/html/
/home/virtual/site1/fst/var/www/html/

3.B. We implemented on site5 the following script :

vi .htaccess

<Limit GET POST>
order allow,deny
allow from all
deny from ad........com
</Limit>
<Limit PUT DELETE>
order deny,allow
allow from all
deny from all
</Limit>
AuthName "No"
AuthType Basic
Require valid-user
AuthUserFile /home/virtual/site2/fst/var/www/html/.htpasswd

3.C. Objective is to fordid the user connected from site1 to DW any
content from site5

3.D. After several trials : That does not work AT ALL

http://tinyurl.com/2kaqym

We please thank you for any operational solution from your knowledge
and experiences,

******************************************




The Referrer Field Solution to
Forbid URL : Prevent Fraud. Reject domain list


1) We know that domain name of the websites that we want to forbid to
DW our files.

example : http://www.dmain.com

2) The files downloaded are numerous :
a.php
a.gif
b.png
.....

3) We implemented in PHP
$http_ref= $HTTP_REFERER;
$exclude1 = "clic-gagnant.net/";
$exclude2 = "http://www.aqua-surfeur.com";
if (strncmp($http_ref, $exclude1, strlen($exclude1)) == 0 ||
strncmp($http_ref, $exclude2, strlen($exclude2)) == 0 ||
{ echo '<sc'.'ript>self.location.replace("http://");</sc'.'ript>';
exit(); }

But this is not what we want because this is only working for script-
readen files but not for GIF.


The 3B) solution seemed to be better BUT does not work :

..htaccess
<Limit GET POST>
order allow,deny
allow from all
deny from ad........com
</Limit>

Might you have a better solution, we would strongly appreciate :
sending you all our thanks.

My Regards

Bob

(E-Mail Removed) wrote:
> Paris, October 24 2007,
>
> Dear Madams and Sirs,
>
> Ever had the chance to forbid a website to download HTTP files from
> your Website ?
>
> Have a pc-linux-gnu on i686 - Apache version is Apache/2.0.50
> (Fedora).
>
> As an example : they insert in their web-pages : <iframe src="our-
> website.com/file.php"> OR <img src="our-website.com/file.gif"
>
> These websites are 100% undesired.
>
> We searched out and asked questions BUT
> . if we found out how to forbid ONE USER to download a content
> . if we found out how to forbid USERS to access a file or a
> directory.
>
> We could not AT ALL find out how to forbid one website (eg :
> click-as-a-monkey.com) to display our content.
>
>> We found out 3 solutions that do not work :
>
> 1) Embeed the httpd.conf file inserting Directives and Rules
> http://httpd.apache.org/docs/1.3/misc/rewriteguide.html
> http://httpd.apache.org/docs/2.2/mis...de.html#access
> http://www.doonet.info/apache_rewriting.php
>
> Point is, we cannot change the httpd.conf file.
>
> 2) Change the PHP.INI
> We did not find any operational solution to insert a list of anti-
> leech and to monitor the referers.
>
> 3) Change the .htaccess of our website.
> This solution seemed to be very soft and smart, but implementation
> does not work.
>
> 3.A. Two Websites
>
> /home/virtual/site5/fst/var/www/html/
> /home/virtual/site1/fst/var/www/html/
>
> 3.B. We implemented on site5 the following script :
>
> vi .htaccess
>
> <Limit GET POST>
> order allow,deny
> allow from all
> deny from ad........com
> </Limit>
> <Limit PUT DELETE>
> order deny,allow
> allow from all
> deny from all
> </Limit>
> AuthName "No"
> AuthType Basic
> Require valid-user
> AuthUserFile /home/virtual/site2/fst/var/www/html/.htpasswd
>
> 3.C. Objective is to fordid the user connected from site1 to DW any
> content from site5
>
> 3.D. After several trials : That does not work AT ALL
>
> http://tinyurl.com/2kaqym
>
> We please thank you for any operational solution from your knowledge
> and experiences,
>
> ******************************************
>
>
>
>
> The Referrer Field Solution to
> Forbid URL : Prevent Fraud. Reject domain list
>
>
> 1) We know that domain name of the websites that we want to forbid to
> DW our files.
>
> example : http://www.dmain.com
>
> 2) The files downloaded are numerous :
> a.php
> a.gif
> b.png
> ....
>
> 3) We implemented in PHP
> $http_ref= $HTTP_REFERER;
> $exclude1 = "clic-gagnant.net/";
> $exclude2 = "http://www.aqua-surfeur.com";
> if (strncmp($http_ref, $exclude1, strlen($exclude1)) == 0 ||
> strncmp($http_ref, $exclude2, strlen($exclude2)) == 0 ||
> { echo '<sc'.'ript>self.location.replace("http://");</sc'.'ript>';
> exit(); }
>
> But this is not what we want because this is only working for script-
> readen files but not for GIF.
>
>
> The 3B) solution seemed to be better BUT does not work :
>
> .htaccess
> <Limit GET POST>
> order allow,deny
> allow from all
> deny from ad........com
> </Limit>
>
> Might you have a better solution, we would strongly appreciate :
> sending you all our thanks.
>
> My Regards
>
> Bob
>

As you've previously been pointed towards :
http://apache-server.com/tutorials/ATimage-theft.html

Create .htaccess with the following contents :

SetEnvIfNoCase Referer "^http://www.\yourhostname\.com/" local_ref=1
<FilesMatch "\.(gif|jpg)">
Order Allow,Deny
Allow from env=local_ref
</FilesMatch>

Which only allows downloading of .gif/.jpg if referer is
www.yourhostname.com

--
Andy Ruddock
------------
andy_DOT_ruddock_AT_gmail_DOT_com (GPG Key ID 0x74F41E8F)

(E-Mail Removed) wrote:
> Paris, October 24 2007,
>
> Dear Madams and Sirs,
>
> Ever had the chance to forbid a website to download HTTP files from
> your Website ?
>
> Have a pc-linux-gnu on i686 - Apache version is Apache/2.0.50
> (Fedora).
>
> As an example : they insert in their web-pages : <iframe src="our-
> website.com/file.php"> OR <img src="our-website.com/file.gif"
>
> These websites are 100% undesired.
>
> We searched out and asked questions BUT
> . if we found out how to forbid ONE USER to download a content
> . if we found out how to forbid USERS to access a file or a
> directory.
>
> We could not AT ALL find out how to forbid one website (eg :
> click-as-a-monkey.com) to display our content.
>
>> We found out 3 solutions that do not work :
>
> 1) Embeed the httpd.conf file inserting Directives and Rules
> http://httpd.apache.org/docs/1.3/misc/rewriteguide.html
> http://httpd.apache.org/docs/2.2/mis...de.html#access
> http://www.doonet.info/apache_rewriting.php
>
> Point is, we cannot change the httpd.conf file.
>
> 2) Change the PHP.INI
> We did not find any operational solution to insert a list of anti-
> leech and to monitor the referers.
>
> 3) Change the .htaccess of our website.
> This solution seemed to be very soft and smart, but implementation
> does not work.
>
> 3.A. Two Websites
>
> /home/virtual/site5/fst/var/www/html/
> /home/virtual/site1/fst/var/www/html/
>
> 3.B. We implemented on site5 the following script :
>
> vi .htaccess
>
> <Limit GET POST>
> order allow,deny
> allow from all
> deny from ad........com
> </Limit>
> <Limit PUT DELETE>
> order deny,allow
> allow from all
> deny from all
> </Limit>
> AuthName "No"
> AuthType Basic
> Require valid-user
> AuthUserFile /home/virtual/site2/fst/var/www/html/.htpasswd
>
> 3.C. Objective is to fordid the user connected from site1 to DW any
> content from site5
>
> 3.D. After several trials : That does not work AT ALL
>
> http://tinyurl.com/2kaqym
>
> We please thank you for any operational solution from your knowledge
> and experiences,
>
> ******************************************
>
>
>
>
> The Referrer Field Solution to
> Forbid URL : Prevent Fraud. Reject domain list
>
>
> 1) We know that domain name of the websites that we want to forbid to
> DW our files.
>
> example : http://www.dmain.com
>
> 2) The files downloaded are numerous :
> a.php
> a.gif
> b.png
> ....
>
> 3) We implemented in PHP
> $http_ref= $HTTP_REFERER;
> $exclude1 = "clic-gagnant.net/";
> $exclude2 = "http://www.aqua-surfeur.com";
> if (strncmp($http_ref, $exclude1, strlen($exclude1)) == 0 ||
> strncmp($http_ref, $exclude2, strlen($exclude2)) == 0 ||
> { echo '<sc'.'ript>self.location.replace("http://");</sc'.'ript>';
> exit(); }
>
> But this is not what we want because this is only working for script-
> readen files but not for GIF.
>
>
> The 3B) solution seemed to be better BUT does not work :
>
> .htaccess
> <Limit GET POST>
> order allow,deny
> allow from all
> deny from ad........com
> </Limit>
>
> Might you have a better solution, we would strongly appreciate :
> sending you all our thanks.
>
> My Regards
>
> Bob
>

As you've previously been pointed towards :
http://apache-server.com/tutorials/ATimage-theft.html

Create .htaccess with the following contents :

SetEnvIfNoCase Referer "^http://www.\yourhostname\.com/" local_ref=1
<FilesMatch "\.(gif|jpg)">
Order Allow,Deny
Allow from env=local_ref
</FilesMatch>

Which only allows downloading of .gif/.jpg if referer is
www.yourhostname.com

--
Andy Ruddock
------------
andy_DOT_ruddock_AT_gmail_DOT_com (GPG Key ID 0x74F41E8F)