This is my .htaccess file

ErrorDocument 403 http://www.slackercracker.com/403.html
ErrorDocument 404 http://www.slackercracker.com/404.html
ErrorDocument 500 http://www.slackercracker.com/403.html


RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://www.slackercracker.com [NC]
RewriteCond %{HTTP_REFERER} !^http://slackercracker.com [NC]
RewriteCond %{HTTP_REFERER} !^http://www.highperformancetoys.com [NC]
RewriteCond %{HTTP_REFERER} !^http://highperformancetoys.com [NC]
RewriteCond %{HTTP_REFERER} !^http://www.streetcarforums.com [NC]
RewriteCond %{HTTP_REFERER} !^http://streetcarforums.com [NC]
RewriteRule [^/]+.(WMV|wmv|AVI|avi|mpg|MPG|MOV|mov)$ - [F]


What would allow people to view files but not be able to rt click and save them? Thanks!

http://www.dynamicdrive.com/dynamicindex9/noright.htm

Thank you for your help Crochunter, but I guess my question was worded poorly. When users are visiting folders that I host video files in (even when they come from a referring site that is allowed by my htaccess) they can only watch the videos, but not save them to their computer. When they rt click and try to save as, they get referred to my 403 error page. I want them to be able to rt click, but for some reason my htaccess is not allowing it.

Can you give us a link to the vids in question?. I looked your site over but gave up after the 12th pop-up or so. Something doesn't sound right. The code you give is for anti-leech and should not affect right click.

Yes, here is a directory that contains some movie files. As you can see in my .htaccess, I have attempted to stop leeching of these movies (after having my bandwidth exceeded several times).

old link used to be here

When you left click a movie, it'll play, but when you rt click to save it, it returns the 403 page. Any thoughts?

Thank you for your help Croc Hunter.

I get an error while downloading it saying the file does not exist...and I cannot directly link to it from the browser.

Where is one of the files located...so we can actually download it.

Me to. Is that folder and all folders before it Chmod to 755?.
http://webftp.powweb.com

I can't even play them. Get the dreaded:
0x80040241: Windows Media Player does not support this file type

I had them on 755...but now they are all 777 (and that still didn't fix it). I didn't think the 777 would be too risky as the root folder for the ftp logins is an upload folder. They supposedly cannot get access to any other folders. I can view videos through the website I listed earlier (old linkused to be here) but I cannot save them. Are you saying that you guys can't even watch them?


These problems make me sad. :(

Don't be sad :D

Actually the mpg and mov files play for me...the wmv files come up corrupt for me.

Remove the anti-leeching from your .htaccess...and see what it does.

Ok!.. Lets try by making use of mod_rewrite.

Try this code instead:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://slackercracker.com/.*$ "NC"
RewriteCond %{HTTP_REFERER} !^http://www.slackercracker.com/.*$ "NC"
RewriteCond %{HTTP_REFERER} !^http://www.trusted.com/.*$ "NC"
RewriteRule .*\.(mov|MOV|avi|AVI|wmv|WMV)$ - "F"

Edit it to suit.
And use 755. never 777or 666 for security reasons.

[edit] yep, only the wmv WMV avi AVI files won't play or r-click> save, I guess its possible they have been corupted.. strange though..

Thank you very much for your help! It is much appreciated.

I changed my .htaccess with the new code you supplied. That does block people leeching my files. I also changed all folders to 755 (except the upload folder which is still 777). Despite the progress, a new problem has arisen. One of the old links to one of my files was posted here (on another messageboard) (http://www.ls1tech.com/forums/showpost.php?p=1160207&postcount=20). When you left click the movie link, you get the 403 error page (:)), but when you rt click, it lets you save the movie (:(). What can I do to stop this?



My new .htaccess looks like this:

ErrorDocument 403 http://www.slackercracker.com/403.html
ErrorDocument 404 http://www.slackercracker.com/404.html
ErrorDocument 500 http://www.slackercracker.com/403.html


RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://slackercracker.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.slackercracker.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://highperformancetoys.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://www.highperformancetoys.com/.*$ [NC]
RewriteRule .*\.(mov|MOV|avi|AVI|wmv|WMV|mpg|MPG)$ - [F]

Damn.. I even gave you the fuzzy quote version .*\ Ummm.. try adding a redirect to the last line. But It doubt it will work.

RewriteRule .*\.(mov|MOV|avi|AVI|wmv|WMV|mpg|MPG)$ - [F]

To

RewriteRule .*\.(mov|MOV|avi|AVI|wmv|WMV|mpg|MPG)$ http://www.slackercracker.com/iraqiminister.jpg [R] Well, apart from download manager software or Javascipt plus blocking IP and/or htpasswd protecting files, I dunno. You can rename folders to break links to them. Of course that means updating valid links. I guess it's like they say.. If you don't want it stolen don't put it on the net.

Perhaps another member can offer a solution?.

p.s. Check your PM (Private Messages).

When I have problem with my .htaccess or test new things,
I usually go step by step, gathering information, and it helps me.

If I were you, I would see the error_log entries for the
"right click" requests because they could be the key for solving your problem.

You can use FTP, WebFTP, or script like this to see your error_log.

#!/bin/sh
# This shellscript will show you last 30 entries of error_log
# Upload this in ascii mode to a password protected directory
# as "te.cgi" or anything with ".cgi" , and set permission to 700.
# You can modify LNUM value if you prefer to see more (or less)
# (If you change, don't put any space between '=' and the number.)

LNUM=30
echo "Content-Type: text/html

<HTML><BODY bgcolor=#f0e0c8><PRE>"
echo "---- error_log ---- last $LNUM lines ----"

# Change "U/Username"...
tail "-$LNUM" /www/U/USERNAME/logs/error_log

# You can remove following uptime and ps command if you prefer.
echo "---- uptime -----"
/usr/bin/uptime
echo "---- ps -----"
/bin/ps -uxww

echo "---- done ----"


After gathering a little more info, I would comment out
most of RewriteCond to find out, exactly what is causing problem.
(Assuming that Rewrite rule is causing it....)

I'm not sure at all about this, but maybe Referer info is
not sent by browser when we "right click".
This can be checked by commenting out (or removing)
the first RewriteCondition of yours.
( RewriteCond %{HTTP_REFERER} !^$ )

If it was the case, then you have another problem....
Because it means you cann't forbid someone without
correct referer info if you want to have "right click to work".

Other than that, it all depends of the entries in error_log.

It cuold be the port number attached after the hostname
like http://yourdomain.com:80/xxx/yyy/zzz.
Some browser and proxy may do that, and if you get
Referer with port number, you will get 403.
(Because your conditions ask for very specific match,
anything slightly diferent will cause 403.)

Anyway, I think the "key" is in the error_log.
And when you see it, you may find what to correct by yourself,
or show it here, and it should be easier for people to assist you .

Good luck.


PS.[edit]

As error_log does not give Referer, URL requested,
you may want to see corresponding entries in access_log, as well.

If you don't have really a lot of visitors, this should be enough.
(Call this script as soon as you test "right click" thing...)


#!/bin/sh
# This shellscript will show you last 30 entries of error_log
# and last 100 entries from access_log.
# Upload this in ascii mode to a password protected directory
# as "tea.cgi" or anything with ".cgi" , and set permission to 700.
# You can modify LNUM value if you prefer to see more (or less)
# (If you change, don't put any space between '=' and the number.)

# For error_log
LNUM=30

# For access_log
LNUMA=100

echo "Content-Type: text/html

<HTML><BODY bgcolor=#f0e0c8><PRE>"

# Change "U/Username"...
# (Do not put '/' at the end.)
MPATH=/www/U/USERNAME

echo "---- error_log ---- last $LNUM lines ----"
tail "-$LNUM" "$MPATH/logs/error_log"
echo "---- access_log ---- last $LNUMA lines ----"
tail "-$LNUMA" "$MPATH/logs/access_log"

# You can remove following uptime and ps command if you prefer.
echo "---- uptime -----"
/usr/bin/uptime
echo "---- ps -----"
/bin/ps -uxww

echo "---- done ----"

Sorry to waste this post being absolutley NO help to your discussion, but somebody has to bring this point up.

I have to give you credit, M.Ousley, for having one of the funniest 403 pages I have every had the pleasure of viewing.

You are totally wrong, BeenBusted!

I mean, humor does help us to loosen up,
and find right answers....well, at least for me.
So, your post may well be very helpful!

Commenting out the first line solved the problem! Thank you all very much for your help! No more leeching!

Glad you enjoyed the 403 page. ;):D

May I ask what line you commented out? Just a blank line?

Just curious.

This line: RewriteCond %{HTTP_REFERER} !^$


I tested it both ways several times. With the line in, leeching sites could rt click and download my movies (but not left click and watch). With the line removed, leeching sites can't do anything except meet my 403 lady. :)

Your new setting may cause a little bit of frustration for
good visitors to your site.

As other people have pointed out elsewhere,
some Browsers send No Referer or Wrong Referer....

MSIE is known to send Wrong Referer after POSTing to a form.
IE may continue to supply the URL of the last form it posted!
( Imagine if it is a posting form for supposedly hidden
but not protected BBS or something like that. )

Maybe you want to tell your visitors that
due to leeching activity, you have tighten up things,
and sometime they may experience dificulity.

Other than that, there is a way to forge Referer, too.
Very easy...

I don't actually link to the videos from my website. I simply have them in a directory for FTP use. So far so good on the new .htaccess. If I have any more trouble, I know who to turn to! ;) Thanks again!

Check this post on one of the allowed referrers and see if you can explain why you can't rt click and save the movie but you can left click and watch it? I want people to be able to watch the movies directly but also be able to save the movie to their computer.


Post on another messageboard (http://www.highperformancetoys.com/forum/showthread.php?postid=98742#post98742) where you can't save the video. :(

Because you took this line out:

RewriteCond %{HTTP_REFERER} !^$

Can't have your cake and eat it to. ;)

Yeah..He/She tried that one, and it caused another problem
or another dilenma...
If that satisfies all her needs, it would be nice.

If not, I would check the USER_AGENT and
other info of failed requests.
Probably, it's "WindowMediaPlayer", or something
other than normal browser.

Then, he/she can add rewrite condition to allow that USER_AGENT.

RewriteCond %{HTTP_USER_AGENT} !(WindowMedia) [NC]

Adding a line like this will allow that particular USER_AGENT.
(You have to check and find out that "WindowMedia" part, though)
Maybe he/she needs more than one.

RewriteCond %{HTTP_USER_AGENT} !(WindowMedia|Realone|Applething) [NC]


Anyway, M.Ousley, you have to find correct combination of
Referer, USER_AGENT, and any other thing you can possibly use,
and put them into rewrite condition.


If that is not enough to distinguish good requests from bad one,
"echo server" may help to check the header info we get from
mediaplayer, realplayer, and so on.
Then, rewrite condition can be defined accordingly;
RewriteCond %{HTTP:certain_header} !(what_ever) [NC]

Maybe you have to spend a bit of time to install "echo server"
on your machine, test, and learn about these things.

You may find these info by searching the web, as well.


It's not always easy to distinguish good visitor from bad one.
And bad one often imitate good visitor very well,
sometime perfectly....

So, what you want to achieve may not be easy task, at all.
I think it's possible. But is it worth lots of effort? I don't know...

Thank you extras...I will definately try your suggestions. I will also research the topics you mentioned. It is worth the time/effort for me because I am hosting files for a messageboard community and I plan to be a member of this community (and have my powweb account) for a long time. Thanks for your help guys!


(BTW, I am male. :D Name is Michael Ousley...it has been a pleasure dealing with you guys, and I'll post up any solutions that I end up finding.)

Ooops. I said "her" because the 403 Error page was
so impressive/imposing that anytime I think of your stuff,
subconsciously but automatically I see that woman....and
somehow I start to treat you and your site with female gender...:)

For your project, maybe you want to issue cookies for
those who register, and kick out unwanted access without cookies.
(Personally, I don't like cookies, and I never used this method.)

It can be something like this.

First you would set up a password protected directory,
where you will guide your firiends.
There, they will eat cookie issued by CGI/.htaccess/asis documents
or whatever you feel at ease.
Then use header info (Was it %{HTTP:cookie} ? You have to check)
in you rewrite condition to validate or eliminate depending on that.
(Of course, you can combine REMOTE_ADDR, HTTP_USER_AGENT,
and other info, as well if you want)

This way, you can exercise positive control over who will get access.
And failed attempts to get that cookie will be logged in error_log.

Also, there are many many other ways to do things.
I try to choose a method that is simple, easy for both me and users,
and light CPU/resource load factor.


(Note. It is possible to steal cookie, and imitate valid user...
But I would not worry about that in your situation.)

Michael, I just thought about something you may want to use.

http://forum.powweb.com/showthread.php?postid=207810

This is an anti-leech based on the IP address.
Relatively simple.
No need for cookies, nor membership.

Users just have to access certain page.
(Usually the page containing movie, pics,
but it can be any page...)

Well, the thing is I want to just have all my stuff in a folder that can be accessed independent of my actual website.

For example:

www.mysite.com/files/

I want them to be able to enter an address like this and be able to access files, but at the same time I do not want those files linked to anywhere but our group's messageboard.


Right now it is 80% done. They can watch the videos but can't rt click and save them. I am currently looking into your previous suggestion of user agents headers and echoing the server. My head is barely above water on this stuff...so I am learning as I go. :) Thanks for the help!