Posted to users@httpd.apache.org by Uri Raz <ur...@private.org.il> on 2005/05/11 12:01:15 UTC

[users@httpd] Apache improvement suggestion

Hello,

  I have a problem with object theft on my web site - bloggers & forum 
participants link directly to images on my web site, so they get the 
content and I get the traffic bill at the end of the site. The solution 
suggested to me by the hosting company (which uses apache) is to use an 
'.htaccess' file which would block access based on the referrer field.

  Problem with that solution is that many surfers block the referrer field 
using a proxy or a firewall, including some surfers who browse my site and 
legitimately expect the graphics to come up. My idea is to have apache 
remember which IP requested for a page (a file with an appropriate 
extension / MIME type, e.g. HTML) in the last X seconds and allow only 
those who did get graphics files.

  This does require managing a lookup table (and thus requires memory and 
CPU cycles), but as the table is kept at the IP level (host X requested a 
page - any page) it would grow in a linear fashion with the number of 
surfers (say a hash table), regardless of the number of files in the site. 
Any surfer who browses the site would have no problems, while a surfer who 
tries to get a graphics file linked from another site would get nothing.

  This has two limitations - people who have surfed the site in the last X 
seconds (not very likely for a reasonable value of X, say 1 to 5 minutes), 
and several users who share a proxy so that one surfs the site and another 
surfs the site that links to objects in it. Though the solution is not 100% 
watertight, it looks to me like a significant improvement at a low cost.

Thanks, Uri Raz. 



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Apache improvement suggestion

Posted by Arne Heizmann <Ar...@csr.com>.
Uri Raz wrote:
> 
> Problem with that solution is that many surfers block the referrer 
> field using a proxy or a firewall, including some surfers who browse
> my site and legitimately expect the graphics to come up.

As Joshua already mentioned, this is not a problem as this is a small
fraction of the users of the website that is stealing your images.

> My idea is to have apache remember which IP requested for a page (a
> file with an appropriate extension / MIME type, e.g. HTML) in the
> last X seconds and allow only those who did get graphics files.

That doesn't solve your problem, because people will just add a small

	<img src='http://www.yoursite.com/' width='1' height='1' />

in the top-right corner of their website, and your Apache will think 
everyone has visited your site when in fact they have visited the thief's.

I've been thinking for almost 10 years now that HTTP is really dumb 
because it has problems like this one. I always thought it would make a 
lot more sense to transfer some or all images (and CSS and JS) within 
the same request as the containing HTML page. Then your problem would go 
away because you could make it impossible to request just the image, but 
still make it possible for people to view the image when they visit your 
site.

Timwi




Re: [users@httpd] Apache improvement suggestion

Posted by Uri Raz <ur...@private.org.il>.
Sorry if those questions are dumb, but -

1. How do I check for *no* referer field ?

2. Are you sure only 5% of the requests will have no referer field, 
considering the number of surfers using firewalls ?

3. Why is it you think checking for no referer field is more expensive, 
server side, than the solution I've offered ?

Thanks, Uri.

At 01:46 PM 5/11/2005, Joshua wrote:
>To solve this problem, simply allow through any request with *no*
>referer field, in addition to requests with the proper referer.  Then
>anyone trying to inline your images will still find that 95% of people
>visiting their page will find it broken, so they won't get any benefit
>from the inlining.  The fact that 5% of the requests will succeed
>shouldn't matter.





Re: [users@httpd] Apache improvement suggestion

Posted by Joshua Slive <js...@gmail.com>.
On 5/11/05, Uri Raz <ur...@private.org.il> wrote:
> Hello,
> 
>  I have a problem with object theft on my web site - bloggers & forum
> participants link directly to images on my web site, so they get the
> content and I get the traffic bill at the end of the site. The solution
> suggested to me by the hosting company (which uses apache) is to use an
> '.htaccess' file which would block access based on the referrer field.
> 
>  Problem with that solution is that many surfers block the referrer field
> using a proxy or a firewall, including some surfers who browse my site and
> legitimately expect the graphics to come up. My idea is to have apache
> remember which IP requested for a page (a file with an appropriate
> extension / MIME type, e.g. HTML) in the last X seconds and allow only
> those who did get graphics files.

This has major problems (some of which you mention) and, more
importantly, is unnecessary.

To solve this problem, simply allow through any request with *no*
referer field, in addition to requests with the proper referer.  Then
anyone trying to inline your images will still find that 95% of people
visiting their page will find it broken, so they won't get any benefit
from the inlining.  The fact that 5% of the requests will succeed
shouldn't matter.

Joshua.
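
Joshua's suggestion written out as an '.htaccess' sketch, which also shows how to test for an absent Referer header. This is an added example, not a configuration posted in the thread; it assumes mod_rewrite is loaded and permitted in '.htaccess', and example.com and the extension list are placeholders.

```apache
# Added example: example.com stands in for your own host name.
RewriteEngine On

# Strict variant (referer-only blocking): every image request without an
# on-site Referer is refused, including visitors whose proxy or firewall
# strips the header. Shown commented out for comparison.
# RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
# RewriteRule \.(gif|jpe?g|png)$ - [F,NC]

# Variant from the reply above: an empty or absent Referer is let through.
# Consecutive RewriteCond lines are ANDed, so a request is refused only when
# the Referer is non-empty AND does not point at this site.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(gif|jpe?g|png)$ - [F,NC]
```

The `F` flag answers with 403 Forbidden, so a page that inlines the image shows a broken image for every visitor whose browser sends a Referer.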



Re: [users@httpd] Apache improvement suggestion

Posted by Joshua Kugler <jo...@uaf.edu>.
On Wednesday 11 May 2005 02:01, Uri Raz wrote:
>   Problem with that solution is that many surfers block the referrer field
> using a proxy or a firewall, including some surfers who browse my site and
> legitimately expect the graphics to come up. My idea is to have apache
> remember which IP requested for a page (a file with an appropriate
> extension / MIME type, e.g. HTML) in the last X seconds and allow only
> those who did get graphics files.
>
>   This does require managing a lookup table (and thus requires memory and
> CPU cycles), but as the table is kept at the IP level (host X requested a
> page - any page) it would grow in a linear fashion with the number of
> surfers (say a hash table), regardless of the number of files in the site.
> Any surfer who browses the site would have no problems, while a surfer who
> tries to get a graphics file linked from another site would get nothing.
>
>   This has two limitations - people who have surfed the site in the last X
> seconds (not very likely for a reasonable value of X, say 1 to 5 minutes),
> and several users who share a proxy so that one surfs the site and another
> surfs the site that links to objects in it. Though the solution is not 100%
> watertight, it looks to me like a significant improvement at a low cost.

Another problem that no one has mentioned is that some big outfits, say AOL, 
use "proxy farms."  Thus, it is possible that, for one client, every request 
for your site would come from a different IP, so even legitimate browsers 
wouldn't be able to access your site.

j----- k-----

-- 
Joshua Kugler
CDE System Administrator
http://distance.uaf.edu/
