Keeping Your Images from Adorning Other Sites Page 2
One of these header fields is of particular importance to what we want to
do. It's called the
Referer field (yes, I know, it's
misspelt--but that's how it's misspelt in the definition, too), and
it indicates the URL of the client's last page if and only if
the client is following a link. That is, if you're viewing
page A, and click on a link to page B, the request for page B will
include a Referer field that says "I'm following a link
on page A." If no link is being followed, such as if the user
just typed B's URL into the Location field of his browser,
there will be no
Referer field in the request header.
How does this help? Well, it gives us a way to tell whether an image is being requested because it was linked to by one of our pages -- or by someone else's.
For a simple case, suppose our Web site's main page is
<http://my.apache.org/>. In this case, we want
to restrict any artwork requests that don't originate on our site
(i.e., only allow them if the image was linked to by one
of our pages). We can do this by using an environment variable
(also called an envariable) as a flag, and setting it if the
conditions are right. Something like the following ought to do it:
SetEnvIfNoCase Referer "^http://my.apache.org/" local_ref=1
When Apache processes a request, it will examine the Referer field in the header, and set the environment variable local_ref to "1" if the value starts with our site address--i.e., is one of our pages.
The string inside the quotation marks is a regular expression pattern that the value must match in order for the environment variable to be set. Describing how to use regular expressions (REs) is far beyond the scope of this article; for now, just be aware that the SetEnvIf* directives use them.
The "NoCase" portion of the directive name means, "do this whether the Referer is 'http://my.apache.org/', or 'http://My.Apache.Org/', or 'http://MY.APACHE.ORG/'" -- in other words, ignore the upper/lower caseness of the value.
The Allow and Deny directives allow us to control access to documents based upon the setting (or unset-ness) of an envariable. The first thing to do is to indicate the order in which Apache will process Allow and Deny directives; you do this with the Order directive as follows:
Order Allow,Deny
This means that Apache will go through any list of Allow directives it has that apply to the current request, and then repeat the process with any Deny directives. With this ordering, the default condition is 'denied;' that is, no-one will be able to access anything unless there's an applicable Allow directive.
All right, so let's add the directive that will let local references work:
Order Allow,Deny
Allow from env=local_ref
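To make the evaluation order concrete, here is an added Python model (not code from the original article, and not Apache's own) of how these three directives together decide an image request, run over a few constructed sample Referer headers; it includes the case of a request that carries no Referer header at all, which this ordering denies.

```python
import re

# Model of the article's three directives (added illustration, not Apache source):
#   SetEnvIfNoCase Referer "^http://my.apache.org/" local_ref=1
#   Order Allow,Deny
#   Allow from env=local_ref
# The RE is kept exactly as the article writes it (unescaped dots match any character).
SITE_PATTERN = re.compile(r"^http://my.apache.org/", re.IGNORECASE)

def set_env_if_nocase(headers):
    """SetEnvIfNoCase Referer ...: set local_ref=1 when the Referer value
    matches the site pattern, ignoring case. A request with no Referer header
    (typed URL, bookmark, Referer-stripping proxy) sets nothing."""
    env = {}
    referer = headers.get("Referer")
    if referer is not None and SITE_PATTERN.search(referer):
        env["local_ref"] = "1"
    return env

def allow_from_env(name):
    """Allow from env=<name>: the rule fires when the envariable is set."""
    return lambda env: name in env

def order_allow_deny(env, allow_rules, deny_rules=()):
    """Order Allow,Deny: every Allow rule is tried, then every Deny rule.
    The default is 'denied', so a request must hit an Allow and miss all Denys."""
    allowed = any(rule(env) for rule in allow_rules)
    denied = any(rule(env) for rule in deny_rules)
    return allowed and not denied

def serve_image(headers):
    """Decide one image request the way the combined configuration would."""
    env = set_env_if_nocase(headers)
    return order_allow_deny(env, allow_rules=[allow_from_env("local_ref")])

# Constructed sample requests for one of our images.
REQUESTS = {
    "linked from our own page":   {"Referer": "http://my.apache.org/index.html"},
    "same site, mixed-case host": {"Referer": "http://My.Apache.Org/gallery.html"},
    "linked from another site":   {"Referer": "http://other.example.com/page.html"},
    "typed URL, no Referer sent": {},
}

if __name__ == "__main__":
    for label, headers in REQUESTS.items():
        print(f"{label:28} -> {'allow' if serve_image(headers) else 'deny'}")
```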