Howdy,

I'm using Apache 2.2 + Mongrel with great success, using the sample configs from the Mongrel site.

We have some MP3s on the site and recently someone has been stealing them and basically leeching them from the site, linking to them from an off-site location.

I've been trying to modify my Apache conf to check the referrer and adjust accordingly as below but no luck. I'm wondering if someone else has any suggestions on getting this to work... I would expect this to send the user to error.html if the referrer is not the site in question but nothing at all happens...

Any suggestions appreciated, this stuff drives me batty.

URL: http://www.mysite.com/audio_file/the_audio_file/file.mp3

RewriteCond %{REQUEST_FILENAME} .*mp3$ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !mysite\.com [NC]
RewriteCond %{HTTP_REFERER} !friendlysite\.com [NC]
RewriteCond %{HTTP_REFERER} !google\. [NC]
RewriteCond %{HTTP_REFERER} !search\?q=cache [NC]
RewriteRule (.*) /error.html

RewriteCond %{DOCUMENT_ROOT}/maintenance.html -f
RewriteCond %{SCRIPT_FILENAME} !maintenance.html
RewriteRule ^.*$ /maintenance.html [L]

# Rewrite index to check for static index.html
RewriteRule ^/$ /index.html [QSA]

# Rewrite to check for Rails cached pages with .html extensions
RewriteRule ^([^.]+)$ $1.html [QSA]

# All dynamic requests get sent to the cluster
RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
RewriteRule ^/(.*)$ balancer://sitejive%{REQUEST_URI} [P,QSA,L]

Thanks,
Hunter

If people are stealing MP3s, checking referer won't work. It can be trivially spoofed.

You'll need real authentication to stop theft -- either with sessions, or HTTP auth.

-Nate

On Feb 22, 2007, at 12:28 PM, Hunter Hillegas wrote:

> We have some MP3s on the site and recently someone has been stealing
> them and basically leeching them from the site, linking to them from
> an off-site location.
>
> I've been trying to modify my Apache conf to check the referrer and
> adjust accordingly as below but no luck. I'm wondering if someone
> else has any suggestions on getting this to work... I would expect
> this to send the user to error.html if the referrer is not the site
> in question but nothing at all happens...

On 22 Feb 2007, at 20:46, Nathan Vack wrote:

> If people are stealing MP3s, checking referer won't work. It can be
> trivially spoofed.

Can be, but usually isn't. The good thing about hotlinking is that nobody uses the web with referers disabled. I certainly don't.

> You'll need real authentication to stop theft -- either with
> sessions, or HTTP auth.

That would be best indeed. It's just that direct links to mp3 files never see Rails, so you need to fix it in the web server. Pretty soon you're looking at quite some work if you want to do it right.

Some web servers provide an easy switch to prevent hotlinking; it might -- might -- be an interesting addition to Mongrel. At Zed's discretion.

I use sessions and prevent hotlinking at server level too -- it's just an easy thing to do and has great results.

I think there might be a problem with the poster's regexps. This page lists good ones and has a quick test to see if your rules work.

http://altlab.com/htaccess_tutorial.html

The example they provide:

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?myspace\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?blogspot\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?livejournal\.com/ [NC]
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpe [L]

Actually, the minimum of checking is fine - we just want to stop the lazy people, not create a secure system to protect these files.

This is content that is available to the world, we just want folks grabbing it from our site, not linking in stuff from MySpace, etc.

The technique I'm trying to implement is used often for images and the like.

So, given that, anyone have any idea why the checking isn't working?

On Feb 22, 2007, at 11:46 AM, Nathan Vack wrote:

> If people are stealing MP3s, checking referer won't work. It can be
> trivially spoofed.
>
> You'll need real authentication to stop theft -- either with
> sessions, or HTTP auth.
>
> -Nate
>
> On Feb 22, 2007, at 12:28 PM, Hunter Hillegas wrote:
>
>> We have some MP3s on the site and recently someone has been stealing
>> them and basically leeching them from the site, linking to them from
>> an off-site location.
>>
>> I've been trying to modify my Apache conf to check the referrer and
>> adjust accordingly as below but no luck. I'm wondering if someone
>> else has any suggestions on getting this to work... I would expect
>> this to send the user to error.html if the referrer is not the site
>> in question but nothing at all happens...

On Thu, Feb 22, 2007 at 10:28:46AM -0800, Hunter Hillegas wrote:

> Howdy,
>
> I'm using Apache 2.2 + Mongrel with great success, using the sample
> configs from the Mongrel site.
>
> We have some MP3s on the site and recently someone has been stealing
> them and basically leeching them from the site, linking to them from
> an off-site location.
>
> I've been trying to modify my Apache conf to check the referrer and
> adjust accordingly as below but no luck. I'm wondering if someone
> else has any suggestions on getting this to work... I would expect
> this to send the user to error.html if the referrer is not the site
> in question but nothing at all happens...
>
> Any suggestions appreciated, this stuff drives me batty.
>
> URL: http://www.mysite.com/audio_file/the_audio_file/file.mp3
>
> RewriteCond %{REQUEST_FILENAME} .*mp3$ [NC]
> RewriteCond %{HTTP_REFERER} !^$
> RewriteCond %{HTTP_REFERER} !mysite\.com [NC]
> RewriteCond %{HTTP_REFERER} !friendlysite\.com [NC]
> RewriteCond %{HTTP_REFERER} !google\. [NC]
> RewriteCond %{HTTP_REFERER} !search\?q=cache [NC]
> RewriteRule (.*) /error.html

try appending [L] to the RewriteRule above. And be sure to enable rewrite logging to debug such things:

RewriteLog /path/to/logfile
RewriteLogLevel 4

and be sure to disable logging once it works - these logs tend to grow to enormous sizes fast :-)

cheers,
Jens

--
Jens Krämer
webit! Gesellschaft für neue Medien mbH
Schnorrstraße 76 | 01069 Dresden
Phone +49 351 46766-0 | Fax +49 351 46766-66
kraemer at webit.de | www.webit.de
Amtsgericht Dresden | HRB 15422
Managing directors: Sven Haubold, Hagen Malessa

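Added example, not part of the thread: a small Python model of the RewriteCond chain from the original post, run over constructed Referer values, to show which .mp3 requests the rule would send to /error.html. It models only the condition chain (not rule ordering or the [L] flag); ANCHORED and the host_cond helper are assumptions, a tighter variant that accepts an allowed name only as the Referer's host.

```python
import re

# RewriteCond chain from the original post as (pattern, negated) pairs.
# mod_rewrite ANDs consecutive conditions; "!" negates; [NC] ignores case.
POSTED = [
    (r"^$", True),
    (r"mysite\.com", True),
    (r"friendlysite\.com", True),
    (r"google\.", True),
    (r"search\?q=cache", True),
]

def host_cond(domain):
    """Hypothetical helper: negated condition matching `domain` only as the Referer host."""
    return (r"^https?://([^/]+\.)?" + re.escape(domain) + r"(:\d+)?(/|$)", True)

# Assumed tightening, not from the thread: the allowed names must be the host
# part of the Referer. The Google host list is an assumption; adjust as needed.
ANCHORED = [(r"^$", True)] + [host_cond(d) for d in
            ("mysite.com", "friendlysite.com", "google.com")]

def rule_fires(path, referer, conds):
    """True if the RewriteRule would apply (request rewritten to /error.html)."""
    # RewriteCond %{REQUEST_FILENAME} .*mp3$ [NC]
    if not re.search(r".*mp3$", path, re.I):
        return False
    for pattern, negated in conds:
        matched = re.search(pattern, referer, re.I) is not None
        if matched == negated:  # this condition is false, so the chain fails
            return False
    return True

MP3 = "/audio_file/the_audio_file/file.mp3"
SAMPLES = [  # constructed Referer values
    "",
    "http://www.mysite.com/audio",
    "http://www.google.com/search?q=song",
    "http://hotlinker.example/page",
    "http://hotlinker.example/page?via=mysite.com",
]

def report(conds):
    """Map each sample Referer to True (blocked) or False (served)."""
    return {ref: rule_fires(MP3, ref, conds) for ref in SAMPLES}

if __name__ == "__main__":
    for name, conds in (("posted", POSTED), ("anchored", ANCHORED)):
        for ref, blocked in report(conds).items():
            print(f"{name:9} {'BLOCK' if blocked else 'allow'}  {ref!r}")
```

The last sample is served under the posted conditions because `mysite\.com` matches anywhere in the Referer string; the host-anchored form blocks it, while an empty Referer is served in both.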