[Mongrel] Modifying Apache Conf To Block Leachers

joost baaij joost at spacebabies.nl
Thu Feb 22 16:04:10 EST 2007

On 22 Feb 2007, at 20:46, Nathan Vack wrote:

> If people are stealing MP3s, checking referer won't work. It can be
> trivially spoofed.

Can be, but usually isn't. The good thing about hotlinking is that  
nobody uses the web with referers disabled. I certainly don't.

> You'll need real authentication to stop theft -- either with
> sessions, or HTTP auth.

That would be best indeed. It's just that direct links to mp3 files  
never see Rails, so you need to fix it in the web server. Pretty soon  
you're looking at quite some work if you want to do it right. Some  
web servers provide an easy switch to prevent hotlinking; it might--
might--be an interesting addition to Mongrel. At Zed's discretion.

I use sessions and prevent hotlinking at server level too--it's just  
an easy thing to do and has great results. I think there might be a  
problem with the poster's regexps. This page lists good ones and has  
a quick test to see if your rules work.


The example they provide:

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?myspace\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?blogspot\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?livejournal\.com/ [NC]
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpe [L]
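Added example (not part of the original message or of the page it cites): a Python check that mirrors the three RewriteCond lines and the RewriteRule quoted above with Python's re module and runs them over constructed requests, showing which ones get the placeholder image and which pass through untouched (no Referer, an https Referer, an upper-case extension, an mp3). The helper name served_path and all sample URLs are assumptions made for illustration.

```python
import re

# Patterns copied from the RewriteCond lines above; [NC] maps to re.IGNORECASE.
# The [OR] flags mean a request is caught if any one pattern matches.
BLOCKED_REFERERS = [
    re.compile(r"^http://(.+\.)?myspace\.com/", re.IGNORECASE),
    re.compile(r"^http://(.+\.)?blogspot\.com/", re.IGNORECASE),
    re.compile(r"^http://(.+\.)?livejournal\.com/", re.IGNORECASE),
]
# RewriteRule pattern; it carries no [NC], so the extension is case-sensitive.
IMAGE_PATH = re.compile(r".*\.(jpe?g|gif|bmp|png)$")
PLACEHOLDER = "/images/nohotlink.jpe"


def served_path(path, referer=""):
    """Return the path that would be served (hypothetical helper).

    mod_rewrite tests the RewriteRule pattern first, then the conditions;
    an absent Referer header expands to the empty string.
    """
    if not IMAGE_PATH.search(path):
        return path
    if any(p.search(referer) for p in BLOCKED_REFERERS):
        return PLACEHOLDER
    return path


# Constructed sample requests: (path, Referer header value)
SAMPLES = [
    ("/photos/cat.jpg", "http://www.myspace.com/someone"),   # listed site
    ("/photos/cat.jpg", "http://MySpace.com/"),              # [NC], no subdomain
    ("/photos/cat.jpg", "http://example.org/gallery"),       # unlisted site
    ("/photos/cat.jpg", ""),                                 # no Referer sent
    ("/photos/cat.jpg", "https://www.myspace.com/someone"),  # https, not http
    ("/photos/cat.JPG", "http://www.myspace.com/someone"),   # upper-case ext
    ("/music/song.mp3", "http://user.blogspot.com/post"),    # not an image
]

if __name__ == "__main__":
    for path, referer in SAMPLES:
        shown = referer or "(none)"
        print(f"{shown:40} {path:18} -> {served_path(path, referer)}")
```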