Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Block images, CSS or JS if the user did not visit my site

I suddenly get a lot of requests to my site (wget, curl etc...).

I do not want any of these request to be executed unless a user has visited my site at least once using a valid browser (like Firefox or Chrome).

Is there an Apache Module to do this? What can I do?

like image 679
Tech4Wilco Avatar asked Oct 06 '11 13:10

Tech4Wilco


1 Answers

The concept is simple: create a token that will be used in the files you want to protect. This This token (key like "abc123" - saved in the session, not cookies) will be used in every file you load. This way, if the token does not match from the file you can redirect to a page not found or access denied.

Setup the token in the index.php:

<?php
  session_start();
  header("Cache-Control: no-cache, must-revalidate");
  header("Expires: Mon, 10 Oct 2005 05:00:00 GMT");
  $_SESSION['siteToken'] = "abc123";
?>

<html>
<head> 
  <link rel="stylesheet" type="text/css" href="/style.css" />
</head>
<body>

Now for CSS and JavaScript files you need to check the token to make sure it's set and it's the right value.

// style.css
<?php
  session_start();
  header("Content-type: text/css");
  header("Cache-Control: no-cache, must-revalidate");
  header("Expires: Mon, 10 Oct 2005 05:00:00 GMT");
  if($_SESSION["siteToken"] != "abc123") {
    session_regenerate_id();
    die(); // or redirect
  } 
?>
body { background-color: #000; color: #fff; }
etc...

You do the same thing for the JavaScript file.

The next step if you update your .htaccess to make sure the CSS and JavaScript file are parsed correctly:

RewriteEngine on
RewriteBase /
RewriteRule style.css style.php [NC,L]

In addition you can add this in your .htaccess to protect bad bots from querying files:

SetEnvIfNoCase User-Agent "^Wget" bad_bot
SetEnvIfNoCase User-Agent "^EmailSiphon" bad_bot
SetEnvIfNoCase User-Agent "^EmailWolf" bad_bot
SetEnvIfNoCase User-Agent "^libwww-perl" bad_bot
#etc...
Deny from env=bad_bot

Now as for the images. This solution will work as well but it will be slower than parsing the CSS and JavaScript files. The logic is the same but instead of echoing you have to read the file (using readfile). Also, you have to change the header based on the extension of the file.

The alternative for this will be to set this in your .htaccess file:

RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?domain.com [NC]
RewriteRule \.jpg$ - [NC,F,L]

Although, this is not bulletproof.

like image 169
Book Of Zeus Avatar answered Oct 21 '22 13:10

Book Of Zeus