Hotlink protection is not working, LiteSpeed flaw?


mrr
 Share

Recommended Posts

I have a bunch of minor problems with LiteSpeed and signed up for this host because it promised Apache. (See

http://www.hawkhost.com/Shared/compare and

http://www.hawkhost.com/Hosting/features#apachewebserver .)

I might list all the other LiteSpeed problems later, but I have a major issue now.

First, LiteSpeed busts standard anti-hotlinking configurations.

This:

### Stop people from direct-linking to images and other bandwidth-intensive content.

#

SetEnvIfNoCase Referer "bitomind.com" local_ref=1

SetEnvIf Referer "^$" local_ref=1


 Order Allow,Deny

 Allow from env=local_ref


Has always worked fine in Apache but blocks all images in LiteSpeed!

So, I commented out that code and next tried cPanel.

cPanel does not stop hotlinking on this server! It's also prepending ".*" to the blocked filetype list -- which does not seem right.

So, how do I really stop hotlinking on a Litespeed server?

Is cPanel busted or misconfigured?

Failing all that, can I actually get on a server running Apache, as advertised?

Link to comment
Share on other sites

The following code doesn't work either:

RewriteEngine on

RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?bitomind.com [NC]

RewriteCond %{REQUEST_URI}  !^http://bitomind.com/pics/bandwidth_thief.gif$ [NC]

RewriteRule .(jpg|jpeg|png|gif)$ /pics/bandwidth_thief.gif [NC,R,L]

Link to comment
Share on other sites

No I didn't make a ticket, thought I'd try the forum first. Will post a ticket in a minute.

Turns out that not only does hotlink protection not work but it is busted, on LiteSpeed only, by the standard -- required -- WordPress .htaccess, in the WordPress subdirectory. EG:

# BEGIN WordPress


RewriteEngine On

RewriteBase /memes/

RewriteCond %{REQUEST_FILENAME} !-f

RewriteCond %{REQUEST_FILENAME} !-d

RewriteRule . /memes/index.php [L]



# END WordPress

Commenting out that file allows the second standard .htaccess technique to work but busts WordPress! Restoring WordPress and placing the following code in an .htaccess, in the WordPress uploads directory, appears to stop hotlinking of uploaded wordPress pics.
RewriteEngine on

RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?bitomind.com [NC]

RewriteCond %{REQUEST_URI}  !^(http://bitomind.com)?/pics/bandwidth_thief.gif$ [NC]

RewriteRule .(jpg|jpeg|png|gif)$ /pics/bandwidth_thief.gif [NC,L]

Still working on an acceptable solution, non of these hijinks are needed in Apache.

Link to comment
Share on other sites

I see that those two sales pages have now been changed to eliminate the "bait and switch". ;)

Note that the cPanel still reports: "Apache version 2.2.11 (Unix)".

Just to elaborate on this; we didn't advertise this as a selling point / to "bait and switch". We just recently migrated everything to LiteSpeed (see here). Beyond that we plan on launching a new site soon (see here) so updates on the main page have been slowed to a crawl.

This is not an excuse for our mistake, but I just want to clarify it was an honest one and not some sleazy sales tactic to entice users.

As for cPanel reporting Apache still I'll look into it; LiteSpeed handles most of Apache's features without a hitch so nothing changed on that end.

-Cody

Link to comment
Share on other sites

I tried to indicate, by that smiley, that that was a little tongue-in-cheek.

If I was really too worked up about the bait and switch, I would have been screaming about it or canceling my account.

I still have other issues with LiteSpeed, but they are all minor.

For the price, this is a very fast host -- so some LiteSpeed annoyances can be tolerated.

Link to comment
Share on other sites

I tried to indicate, by that smiley, that that was a little tongue-in-cheek.

If I was really too worked up about the bait and switch, I would have been screaming about it or canceling my account.

I still have other issues with LiteSpeed, but they are all minor.

For the price, this is a very fast host -- so some LiteSpeed annoyances can be tolerated.

I realized you were joking - though I wanted to clear it up for future clients / potential clients that it wasn't the case.

LiteSpeed has had it's issues since the migration, though the tradeoff's (in our eyes) has been well worth it.

Link to comment
Share on other sites

Experimented in greater depth with cPanel:

1) cPanel does appear to block images, except for those used in

WordPress. And not just the uploaded images; logos, theme graphics,

everything --in WordPress -- is unprotected when running LiteSpeed.

(2) cPanel does not forward to the "Redirect request to this URL"

image unless that image is on an unprotected host!

So that means we must: sacrifice a domain to host this image or

leach someone else's image -- both of which are unacceptable.

(3) The cPanel keeps prepending ".*". to the blocked extension list.

It appears to work ok if one remembers to always delete this extra junk

before updating, but it should be fixed.

Conclusion: cPanel "HotLink Protection", in conjunction with a LiteSpeed

server, is unacceptable. The three flaws should be documented or

fixed to save future users from having to rediscover all this the hard way.

I prefer an .htaccess solution, anyway, since it allows different sites

to be tailored and for much finer control of what is and isn't allowed

to be hotlinked.

Link to comment
Share on other sites

OK, here's the best solution I came up with, given the bugs in LiteSpeed:

Code like this:

# Block image hotlinking.  Note that must also be placed in the base WordPress .htaccess to protect WP files.

# The needed WP .htaccess interferes with image protection on LiteSpeed servers!  (Bug)

RewriteEngine on

RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?bitomind.com [NC]

RewriteCond %{REQUEST_URI}  !^/pics/bandwidth_thief.gif$ [NC]

RewriteRule .(jpg|jpeg|png|gif)$ /pics/bandwidth_thief.gif [NC,L]

Protects everything but files in any WordPress tree. But duplicate the code in the .htaccess that WordPress uses and the site is protected...
# BEGIN WordPress


    RewriteEngine On

    RewriteBase /memes/

    RewriteCond %{REQUEST_FILENAME} !-f

    RewriteCond %{REQUEST_FILENAME} !-d

    RewriteRule . /memes/index.php [L]


# END WordPress



# Must duplicate Image protection here because of LiteSpeed bug(s).

RewriteEngine on

RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?bitomind.com [NC]

RewriteCond %{REQUEST_URI}  !^/pics/bandwidth_thief.gif$ [NC]

RewriteRule .(jpg|jpeg|png|gif)$ /pics/bandwidth_thief.gif [NC,L]

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
 Share