Posted to users@httpd.apache.org by Uri Raz <ur...@private.org.il> on 2005/05/11 12:01:15 UTC
[users@httpd] Apache improvement suggestion
Hello,
I have a problem with object theft on my web site - bloggers & forum
participants link directly to images on my web site, so they get the
content and I get the traffic bill at the end of the site. The solution
suggested to me by the hosting company (which uses apache) is to use an
'.htaccess' file which would block access based on the referrer field.
Problem with that solution is that many surfers block the referrer field
using a proxy or a firewall, including some surfers who browse my site and
legitimately expect the graphics to come up. My idea is to have apache
remember which IP requested for a page (a file with an appropriate
extension / MIME type, e.g. HTML) in the last X seconds and allow only
those who did get graphics files.
This does require managing a lookup table (and thus requires memory and
CPU cycles), but as the table is kept at the IP level (host X requested a
page - any page) it would grow in a linear fashion with the number of
surfers (say a hash table), regardless of the number of files in the site.
Any surfer who browses the site would have no problems, while a surfer who
tries to get a graphics file linked from another site would get nothing.
This has two limitations - people who have surfed the site in the last X
seconds (not very likely for a reasonable value of X, say 1 to 5 minutes),
and several users who share a proxy so that one surfs the site and another
surfs the site that links to objects in it. Though the solution is not 100%
watertight, it looks to me like a significant improvement at a low cost.
Thanks, Uri Raz.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Apache improvement suggestion
Posted by Arne Heizmann <Ar...@csr.com>.
Uri Raz wrote:
>
> Problem with that solution is that many surfers block the referrer
> field using a proxy or a firewall, including some surfers who browse
> my site and legitimately expect the graphics to come up.
As Joshua already mentioned, this is not a problem as this is a small
fraction of the users of the website that is stealing your images.
> My idea is to have apache remember which IP requested for a page (a
> file with an appropriate extension / MIME type, e.g. HTML) in the
> last X seconds and allow only those who did get graphics files.
That doesn't solve your problem, because people will just add a small
<img src='http://www.yoursite.com/' width='1' height='1' />
in the top-right corner of their website, and your Apache will think
everyone has visited your site when in fact they have visited the thief's.
I've been thinking for almost 10 years now that HTTP is really dumb
because it has problems like this one. I always thought it would make a
lot more sense to transfer some or all images (and CSS and JS) within
the same request as the containing HTML page. Then your problem would go
away because you could make it impossible to request just the image, but
still make it possible for people to view the image when they visit your
site.
Timwi
Re: [users@httpd] Apache improvement suggestion
Posted by Uri Raz <ur...@private.org.il>.
Sorry if those questions are dumb, but -
1. How do I check for *no* referer field?
2. Are you sure only 5% of the requests will have no referer field,
considering the number of surfers using firewalls?
3. Why is it you think checking for no referer field is more expensive,
server side, than the solution I've offered?
Thanks, Uri.
At 01:46 PM 5/11/2005, Joshua wrote:
>To solve this problem, simply allow through any request with *no*
>referer field, in addition to requests with the proper referer. Then
>anyone trying to inline your images will still find that 95% of people
>visiting their page will find it broken, so they won't get any benefit
>from the inlining. The fact that 5% of the requests will succeed
>shouldn't matter.
Re: [users@httpd] Apache improvement suggestion
Posted by Joshua Slive <js...@gmail.com>.
On 5/11/05, Uri Raz <ur...@private.org.il> wrote:
> Hello,
>
> I have a problem with object theft on my web site - bloggers & forum
> participants link directly to images on my web site, so they get the
> content and I get the traffic bill at the end of the site. The solution
> suggested to me by the hosting company (which uses apache) is to use an
> '.htaccess' file which would block access based on the referrer field.
>
> Problem with that solution is that many surfers block the referrer field
> using a proxy or a firewall, including some surfers who browse my site and
> legitimately expect the graphics to come up. My idea is to have apache
> remember which IP requested for a page (a file with an appropriate
> extension / MIME type, e.g. HTML) in the last X seconds and allow only
> those who did get graphics files.
This has major problems (some of which you mention) and, more
importantly, is unnecessary.
To solve this problem, simply allow through any request with *no*
referer field, in addition to requests with the proper referer. Then
anyone trying to inline your images will still find that 95% of people
visiting their page will find it broken, so they won't get any benefit
from the inlining. The fact that 5% of the requests will succeed
shouldn't matter.
Joshua.
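
One way to write the rule described in the message above in an `.htaccess` file, as an added example that is not part of the original thread. It assumes mod_rewrite is enabled and uses example.com as a placeholder for the site's own host name:

```apache
# Added example: allow image requests that carry no Referer header or a
# Referer from this site; refuse everything else with 403 Forbidden.
# Assumptions: mod_rewrite is loaded, AllowOverride permits FileInfo,
# and example.com is a placeholder for the site's own host name.
RewriteEngine On

# Condition 1: a Referer header was sent and is non-empty.
# An absent header expands to the empty string, so "!^$" means
# "a referer is present"; requests without one never reach the rule.
RewriteCond %{HTTP_REFERER} !^$

# Condition 2: the Referer does not point at this site. The trailing
# "(/|$)" stops look-alike hosts such as example.com.other.tld matching.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com(/|$) [NC]

# Both conditions hold: an image is being requested from a foreign page.
RewriteRule \.(gif|jpe?g|png)$ - [F,NC]
```

The Referer header is supplied by the client, so this rule discourages inlining rather than enforcing access control, which is the trade-off the message above accepts.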
Re: [users@httpd] Apache improvement suggestion
Posted by Joshua Kugler <jo...@uaf.edu>.
On Wednesday 11 May 2005 02:01, Uri Raz wrote:
> Problem with that solution is that many surfers block the referrer field
> using a proxy or a firewall, including some surfers who browse my site and
> legitimately expect the graphics to come up. My idea is to have apache
> remember which IP requested for a page (a file with an appropriate
> extension / MIME type, e.g. HTML) in the last X seconds and allow only
> those who did get graphics files.
>
> This does require managing a lookup table (and thus requires memory and
> CPU cycles), but as the table is kept at the IP level (host X requested a
> page - any page) it would grow in a linear fashion with the number of
> surfers (say a hash table), regardless of the number of files in the site.
> Any surfer who browses the site would have no problems, while a surfer who
> tries to get a graphics file linked from another site would get nothing.
>
> This has two limitations - people who have surfed the site in the last X
> seconds (not very likely for a reasonable value of X, say 1 to 5 minutes),
> and several users who share a proxy so that one surfs the site and another
> surfs the site that links to objects in it. Though the solution is not 100%
> watertight, it looks to me like a significant improvement at a low cost.
Another problem that no one has mentioned is that some big outfits, say AOL,
use "proxy farms." Thus, it is possible that, for one client, every request for
your site would come from a different IP, so even legitimate browsers
wouldn't be able to access your site.
j----- k-----
--
Joshua Kugler
CDE System Administrator
http://distance.uaf.edu/