Testing HTTPD.CONF Setup

I just put this code in my httpd.conf file at the root of webjones.org:

SetEnvIfNoCase Referer “^http://my.apache.org/” local_ref=1
<FilesMatch “.(gif|jpg)”>
Order Allow,Deny
Allow from env=local_ref
</FilesMatch>

This should keep anyone from directly linking to any of the image files there. This command SHOULD affect the image files in every subdirectory as well.

Let’s try to link to one of Joanie’s images (which is stored at webjones.org):

The link as taken from the URL shown in the browser’s address bar:
Click Here!

Okay, the problem here is that when I visit any Gallery page and narrow the view down to the one image I want to steal, the URL in the address bar doesn’t pick up the file extension (*.jpg, *.gif, *.png and so forth). Just cutting and pasting the URL that Gallery shows — for example, www.myserver.com/gallery/mycatphoto — will NOT keep the thief from using THAT URL to successfully link to your image.

Manually adding the file extension — which no thief is going to do — to the URL shown in the browser’s address bar:
Click Here!

If you deliberately put the file extension in, though, http://www.myserver.com/gallery/mycatphoto.jpg, then you get an error page, which means the httpd.conf file is working as set up.

This may be an issue with how the Gallery pages are set up and may or may not be user-configurable. I’ll have to visit the Gallery forum to find out if anyone has a solution to this. If not, it’s a pretty easy way to steal images.

Leave a Comment