Stop Hotlinking and Leeching .htaccess (allow multiple domains)
There are thousands of references on the web about how to stop people from hotlinking your content and leeching your bandwidth.
However, I own several domains and wanted to allow myself to hotlink from every one of them while keeping the leeches at bay, and I could not find any clear reference on how to do it, at least not in the first results of my searches, so I had to go ahead and RTFM of Apache mod_rewrite.
I must say that to understand what they mean to say you need to be an Internet guru and very web savvy. I am not much of either, so I had to resort to trial and error until I found the right directives to write in my .htaccess file.
So I will try to share that knowledge here in a clear and easy to understand way.
What the hell is hotlinking?
Bandwidth theft or “hotlinking” is direct linking to a web site’s files (images, video, etc.). An example would be using an <img> tag to display a JPEG image you found on someone else’s web page so it will appear on your own site, eBay auction listing, weblog, forum message post, etc.
Bandwidth refers to the amount of data transferred from a web site to a user’s computer. When you view a web page, you are using that site’s bandwidth to display the files. Since web hosts charge based on the amount of data transferred, bandwidth is an issue. If a site is over its monthly bandwidth, it’s billed for the extra data or taken offline.
A simple analogy for bandwidth theft: Imagine a random stranger plugging into your electrical outlets, using your electricity without your consent, and you paying for it.
This becomes even worse when you host mods for games and patches that are bigger than 1GB (that is my case). By the way, when you host with my company you don’t get charged on a bandwidth basis…
The Tutorial
Below is an example .htaccess file for your perusal; we will go through each line and what it does.
Before you start messing around with your .htaccess, be advised that any small error can produce undesirable effects on your server / host, so back up the current .htaccess file first. A common error is a 500 error, usually related to SQL server, but it can also be caused by a badly written rewrite rule or a too aggressive one.
The beginning; protect access to .htaccess:
The following code makes your .htaccess file inaccessible to everyone requesting it over the web; it is also recommended that you set the permissions of the file to 644 (chmod 644).
Note that this example can also be used to block access to any specific file on the server; just replace .htaccess with the file name of your choice.
# secure htaccess file
<Files .htaccess>
# On Apache 2.4 and later, "Require all denied" replaces the two lines below
# (Order/Deny are only available there through mod_access_compat)
order allow,deny
deny from all
</Files>
Going Deeper; Serve a custom web page instead of those ugly 404 error pages that Apache shows by default:
(You can catch any error code with this technique… just replace the 404 with the 40x error of your choice.)
ErrorDocument 404 http://www.yourdomain.com/path/filename.html
Or redirect the 404 to a folder inside your web site (note that an index.html should exist in that folder, or else you will serve an ugly default 403):
ErrorDocument 404 http://www.yourdomain.com/path/
Set a custom file name for the index page of your site, or allow a series of file names:
This is useful to change your index to a PHP script or a completely different name (portal in the example).
DirectoryIndex portal.php index.php index.html index.htm
Now we turn off directory indexing:
When index.html or index.php doesn’t exist in a folder, Apache can show a list of the files in that folder. This is an invitation for leeches to steal your files. The Indexes option has two behaviors: the + operator shows the list, the - operator disables it and shows a 403 page instead.
Options -Indexes
Now Stopping Hot-linking of your files and general Leeching:
To do that we rely on the HTTP_REFERER sent by the browser to our server / host.
The following example does (line by line):
Turns on URL rewriting
Condition: Allows access for clients that send an empty HTTP_REFERER (1)
Condition: Allows access for clients referred from the domain www.domain1.com (2)
Condition: Allows access for clients referred from the domain www.domain2.com (3)
The RULE: In the example the rule checks if the client is trying to access a specific file type (4); if so, it redirects to a custom page in my blog (5)
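RewriteEngine on
# Let requests with an empty Referer through
RewriteCond %{HTTP_REFERER} !^$
# Let domain1.com, domain2.com and their sub-domains through (dots escaped,
# sub-domain part limited to the host name)
RewriteCond %{HTTP_REFERER} !^http(s)?://([^/]+\.)?domain1\.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://([^/]+\.)?domain2\.com/.*$ [NC]
# Everyone else asking for one of these file types is redirected
RewriteRule .*\.(sh|zip|msi|exe|rar|jpg)$ http://parabans.com/landing-from-hotlink-leech/ [R,NC,L]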
(1) Unfortunately some browsers don’t send the referrer, so you need this one or you may block good traffic. You can still check your logs and ban the IPs of leechers taking advantage of the empty REFERER.
(2) Note the funny symbols after “http” and before the domain name, and after the dot com; those allow hotlinking from any sub-domain, any rewritten URL, folder, etc. on the referer domain; http or https will also be allowed… isn’t life nice?
(3) Remember to put your own domain in the list.
(4) SH or ZIP or MSI or EXE or RAR or JPG: separate the file types with the “|” and keep adding/removing until you have met your needs.
(5) You should really use a custom page of your own, but you can leave mine if you feel like it; I will appreciate the visits.
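To check which Referer values a set of conditions lets through before putting it on a live server, the rule logic can be emulated offline. The following is an added example, not part of the original post: it compares a loosely written allow-list (unescaped dots, `.*` before the domain) with an escaped one. The sample requests and the names `LOOSE`, `TIGHTENED`, `is_blocked` and `verdicts` are constructed for illustration.

```python
import re

# domain1.com / domain2.com are the page's placeholder domains.
# LOOSE: dots unescaped and ".*" in front of the domain name.
LOOSE = [r"^http(s)?://(.*.)?domain1.com/.*$",
         r"^http(s)?://(.*.)?domain2.com/.*$"]
# TIGHTENED: literal dots, sub-domain part may not contain "/".
TIGHTENED = [r"^http(s)?://([^/]+\.)?domain1\.com/.*$",
             r"^http(s)?://([^/]+\.)?domain2\.com/.*$"]
PROTECTED = r"\.(sh|zip|msi|exe|rar|jpg)$"   # RewriteRule pattern


def is_blocked(referer, path, allowed):
    """Emulate the rule set: all RewriteCond lines must hold (implicit AND)
    and the RewriteRule pattern must match the requested path."""
    if not re.search(PROTECTED, path, re.IGNORECASE):    # [NC] on the rule
        return False
    if referer == "":            # "!^$" fails, so the rule is skipped
        return False
    # A "!pattern [NC]" condition holds only when the Referer does NOT match.
    return all(not re.search(p, referer, re.IGNORECASE) for p in allowed)


# Constructed sample requests: (Referer header, path as seen in .htaccess).
SAMPLES = [
    ("", "mods/patch.zip"),
    ("https://www.domain1.com/forum/", "mods/patch.zip"),
    ("http://DOMAIN2.com/", "img/logo.JPG"),
    ("http://other-site.example/page.html", "mods/patch.zip"),
    ("http://other-site.example/page.html", "index.html"),
    ("http://notdomain1.com/", "mods/patch.zip"),
    ("http://other-site.example/a.domain1.com/", "mods/patch.zip"),
]


def verdicts(allowed):
    """True means the request would be redirected to the landing page."""
    return [is_blocked(ref, path, allowed) for ref, path in SAMPLES]


if __name__ == "__main__":
    rows = zip(SAMPLES, verdicts(LOOSE), verdicts(TIGHTENED))
    for (ref, path), loose, tight in rows:
        print(f"{ref or '(empty)':42} {path:15} loose={loose!s:5} tight={tight}")
```

The loose set treats the last two sample Referers as allowed because an unescaped "." matches any character and ".*" can run past the host name into the path; the escaped set redirects them.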
Instead of blocking a specific file type, block anything…
And redirect them to the custom page / post of your preference.
RewriteRule ^.* http://parabans.com/landing-from-hotlink-leech/ [R,NC,L]
Or just kill the connection (the client will see a 404 error instead of your file)
# The F flag makes Apache answer with 403 Forbidden
RewriteRule ^.* - [F,L]
