Save bandwidth by stopping image-hijacking - both .htaccess and httpd.conf methods
There came a time when I looked deeply into my logs and found out that nearly half my bandwidth was being spent on showing my images at other people's web sites - mainly forums and chat areas. Sometimes, the images were even being used in a denigrating fashion - as in showing Reliants on a Mercedes web site so the locals could laugh at the dumb Americans (presumably for making a reliable, cheap car that was relatively fast, comfortable, efficient, and not bad at cornering - but that's another story). Rarely did they ever actually tell what site they were coming from, and putting the web site name into the images wouldn't bring much traffic.
There are several approaches to stopping this. I tried the obvious one first - I substituted the most popular images with ads for my site, renaming the originals. That's fairly time-intensive, though, and not very rewarding. Then I spent a couple of hours with Google, and came up with the following two related methods. I wish I had the names of the writers to give credit, but this was some time ago, and I only have the methods now. If you know who wrote these, please let me know so I can credit them.
First, there's the .htaccess method. This is for people on shared-hosting systems who cannot change their Apache configuration file. Most hosts do allow .htaccess files, though.
I generally segregate images into their own folders to make life easier (using the Apache configuration file method, at least) but this method works even if the images are interspersed with html:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://www\.mysite\.com/.*$ [NC]
RewriteRule .*\.(gif|GIF|jpg|JPG)$ http://www.mysite.com/bad.gif [R]
Let's look at this more closely. The first line tells Apache to use the rewrite engine, a module that not all web hosts support (most do). The second and third say that if a referer is given, and the user was not referred by your site, to do what's in the fourth line - to substitute the file bad.gif (in the root folder, that is, the highest folder in the site) for any GIF or JPG file. In short, if a person did not type in a photo's address directly into their browser or reach it from your site, Apache will automatically put in a specific image of your choosing. In my case, bad.gif is a little ad for my site; it's a two-color (red on white) file that weighs in at a mere 1.6K.
If your site is not set up (as mine is) to automatically put "www" in front of any web requests (so that rootes-chrysler.co.uk is automatically turned into www.rootes-chrysler.co.uk), you'll want an extra line to cover the "non-www" requests:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://rootes-chrysler\.co\.uk/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www\.rootes-chrysler\.co\.uk/.*$ [NC]
RewriteRule .*\.(gif|GIF|jpg|JPG)$ http://www.rootes-chrysler.co.uk/bad.gif [R]
This includes an extra line showing the domain name without www in front.
By the way, for this to work, the images have to be in a folder, and this must be in a .htaccess file inside that folder. (A .htaccess file is simply a text file named .htaccess!) Or you have to have bad.gif in a folder. Otherwise it won't be able to send out bad.gif. You also need ModRewrite installed, as we noted earlier. Fortunately, there's a workaround. This simply gives people a "broken image" icon instead of sending an image out from your server:
SetEnvIfNoCase Referer "^http://rootes-chrysler\.co\.uk(/|$)" allowed=1
SetEnvIfNoCase Referer "^http://www\.rootes-chrysler\.co\.uk(/|$)" allowed=1
SetEnvIfNoCase Referer "^$" allowed=1
Order Allow,Deny
Allow from env=allowed
Again, this goes into your .htaccess file.
Whichever method you use, test it to make sure it works - first make sure your images are still showing up when you're on your own web site (do a shift-reload in your web browser to be certain, or use a different computer), then see if they're still being successfully hijacked (again, do a shift-reload to get the old images out of your cache).
About .htaccess files
If you're relatively new to this stuff, you may find it hard to find a .htaccess file. Mac OS X users will find it even harder because Linux and UNIX both use the period at the beginning of a file to say "this is supposed to be invisible." (That's why .htaccess starts with a period - it's supposed to be invisible.) Fear not - most FTP/SFTP clients, such as Transmit and OpenSSH, either show these files by default and let you edit them, or have a preference setting to show invisible files.
Most web servers don't have .htaccess files in each directory. You can either go in terminal mode and put them in using Pico, vi, or the like, or you can create them on your computer using TextWrangler, BBEdit, or TextEdit and upload them. One way to work around the Linux/Mac issue (other than changing your Finder preference to show invisible files) is to name the file htaccess (no period), transfer it over (in text mode!), and then rename it with the period once it's there.
Apache configuration file method
Now, let's say you have control of your Apache configuration file. Then we can go to plan B, which isn't necessarily better. Go into your Apache file and search for:
LoadModule rewrite_module libexec/mod_rewrite.so
That tells you that mod_rewrite is installed. You don't actually need it for the following method, which simply chokes off image display instead of substituting your own ads.
Then go down a bit to the various <Directory...> statements (above where you define any virtual servers) and put in a line like this for each of your domain names:
SetEnvIf REFERER "rootes-chrysler\.co\.uk" linked_from_here
SetEnvIf REFERER "ptcruizer\.com" linked_from_here
The \ before the period tells the computer to interpret the period as just a plain old period instead of an "any character" wildcard. What you're saying now is that linked_from_here is on if the referer is one of your sites. (You have to put them all in, but you don't need to bother with the www nonsense at this point.) Then add in this line somewhere:
SetEnvIf REFERER "^$" linked_from_here
So it should look like:
SetEnvIf REFERER "^$" linked_from_here
SetEnvIf REFERER "rootes-chrysler\.co\.uk" linked_from_here
SetEnvIf REFERER "ptcruizer\.com" linked_from_here
SetEnvIf REFERER "your_other_sites\.com" linked_from_here
Now, for each folder with images, put in a statement that tells where the folder is (in server terms, that is, from the root folder - not the URL, but the UNIX/Linux/Windows path):
<Directory /home/vhosts/rootes/htdocs/images>
Order deny,allow
Deny from all
Allow from env=linked_from_here
</Directory>
<Directory /home/ptcruizer/htdocs/forums/style_images>
Order deny,allow
Deny from all
Allow from env=linked_from_here
</Directory>
Do this for each directory, and you'll choke off access to your images for unauthorized sources while still allowing it for legitimate users.
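An added example, not part of the original article: a Python check that runs the Referer patterns from both methods against constructed Referer values. It shows that the unanchored httpd.conf patterns accept any Referer that merely contains the domain name, and that the anchored .htaccess patterns turn away the site's own https:// pages. Python's re module stands in for Apache's regex matching; the TIGHT pattern and the forum.example host are assumptions introduced here.

```python
import re

# Patterns from the article's two rule sets (dots escaped). Python's re stands
# in for Apache's regex engine; both do an unanchored search on the Referer.
HTACCESS = [  # SetEnvIfNoCase workaround: anchored, case-insensitive
    (r"^http://rootes-chrysler\.co\.uk(/|$)", re.I),
    (r"^http://www\.rootes-chrysler\.co\.uk(/|$)", re.I),
    (r"^$", re.I),
]
HTTPD_CONF = [  # SetEnvIf method: unanchored, case-sensitive
    (r"^$", 0),
    (r"rootes-chrysler\.co\.uk", 0),
    (r"ptcruizer\.com", 0),
]
# Assumption (not in the article): one anchored pattern per domain that accepts
# http or https and any subdomain, and requires the host name to end there.
TIGHT = [
    (r"^$", re.I),
    (r"^https?://([^/]+\.)?rootes-chrysler\.co\.uk(/|$)", re.I),
]

def allowed(referer, rules):
    """True if any pattern matches, i.e. Apache would set the env variable."""
    return any(re.search(pat, referer, flags) for pat, flags in rules)

# Constructed Referer values; forum.example is a placeholder host.
SAMPLES = [
    "",                                                   # no Referer sent
    "http://www.rootes-chrysler.co.uk/cars/index.html",   # own page, http
    "https://www.rootes-chrysler.co.uk/cars/index.html",  # own page, https
    "http://forum.example/thread?id=7",                   # unrelated site
    "http://forum.example/rootes-chrysler.co.uk/",        # domain in the path
    "http://www.rootes-chrysler.co.uk.forum.example/",    # domain as a prefix
]

def report():
    """Map each sample to (htaccess, httpd_conf, tight) allow decisions."""
    return {r: tuple(allowed(r, rules) for rules in (HTACCESS, HTTPD_CONF, TIGHT))
            for r in SAMPLES}

if __name__ == "__main__":
    for ref, verdict in report().items():
        print(f"{ref!r:52} htaccess/httpd.conf/tight = {verdict}")
```

Any row where the three verdicts disagree marks a Referer that the two methods treat differently.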
