≡ Menu

stop image hotlinking

Many of our regular readers like to know more about lighttpd hotlink protection using mod_rewrite. Lighttpd can use HTTP referrer to detect hotlink and can be configured to partially protect hosted media from inline linking, usually by not serving the media or by serving a different file.

Lighttpd anti hotlinking configuration - redirect to another media

Open lighttpd.conf configuration file:
# vi /etc/lighttpd/lighttpd.conf
Append the following directive to redirect to a default picture called /hotlink.png:

$HTTP["referer"] =~ ".*BADDOMAIN\.com.*|.*IMAGESUCKERDOMAIN\.com.*|.*blogspot\.com.*" {
  url.rewrite = ("(?i)(/.*\.(jpe?g|png))$" => "/hotlink.png" )
}

So if anyone from *.blogspot.com linked www.cyberciti.biz/image.png it will be replaced with www.cyberciti.biz/hotlink.png. I've written small script to detect excessive hotlink from log file and ban all those domains. Most types of electronic media can be redirected this way, including video files, music files, and animations etc.

Related: Apache web server user can stop leechers using mod_rewrite / .htaccess rules.

Stop Hotlinking with Lighttpd

The technology behind the World Wide Web, the Hypertext Transfer Protocol (HTTP), does not make any distinction of types of links -- all links are functionally equal. Resources may be located on any server at any location. Linking to an image stored on another site increases the bandwidth use of that site even though the site is not being viewed as intended. The complaint may be the loss of ad revenue or changing the perceived meaning through an unapproved context.

Here is easy and simple way to stop hotlinking :
Open lighttpd.conf file:
$ vi lighttpd.conf

#### stop image hijacking (anti-hotlinking)
$HTTP["referer"] =~ ".*BADDOMIN\.com.*" {
        url.access-deny = ( "" )
#      url.access-deny = ( "jpg", "png", "js", "jpeg", "gif" )
}

You can also enforce password protection:

$HTTP["referer"] =~ ".*BADDOMIN\.com.*" {
 auth.require = ( "/" =>
                   (        "method"  => "digest",
                            "realm"   => "Authorized users only",
                            "require" => "valid-user"
                   )
                 )
}

Restart lighttpd:
# service lighttpd restart