
I have hosted a static webpage on Gitlab pages. The URL of the webpage is myname.gitlab.io

I have another website hosted with hostgator which has the URL "mysecondwebsite.com". "mysecondwebsite.com" has thousands of static html pages hosted on the various paths like "mysecondwebsite.com/charts/folder1/1.html", "mysecondwebsite.com/charts/folder1/2.html", "mysecondwebsite.com/charts/folder1/3.html" & so on.

I don’t want "mysecondwebsite.com" to be accessible directly, nor the pages in it. Hence, I’ve enabled hotlink protection, which works as expected. Now, I also want to allow access to "mysecondwebsite.com" ONLY FROM myname.gitlab.io. This website has a list of hyperlinks which, when clicked, should open an appropriate page in "mysecondwebsite.com". To achieve this, I’ve entered the following in the .htaccess file on hostgator, which isn’t helping. I see 403 Forbidden.

# IP to allow
order allow,deny
deny from all
allow from gitlab.io

Current hotlink protection settings –

# DO NOT REMOVE THIS LINE AND THE LINES BELOW HOTLINKID:r2xGl7fjrh
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?mysecondwebsite.com/.*$      [NC]
RewriteRule .*.(.*|jpg|jpeg|gif|png|bmp|tiff|avi|mpeg|mpg|wma|mov|zip|rar|exe|mp3|pdf|swf|psd|txt|html|htm|php)$ https://mysecondwebsite.com [R,NC]
# DO NOT REMOVE THIS LINE AND THE LINES ABOVE r2xGl7fjrh:HOTLINKID

I am in no way an expert with web hosting. Please could I get some help to get this working.

UPDATED .htaccess

Options All -Indexes

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http(s)?://((myfirstwebsite.com)|((www.)?mysecondwebsite.com))/ [NC]
RewriteRule .* - [F]

HTTP LIVE HEADER DUMP

https://mysecondwebsite.com/charts/thisfolder/thisfile.html
Host: mysecondwebsite.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Alt-Used: mysecondwebsite.com
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1

GET: HTTP/2.0 403 Forbidden
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 699
date: Wed, 06 Apr 2022 07:13:17 GMT
server: LiteSpeed
content-security-policy: upgrade-insecure-requests
alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
X-Firefox-Spdy: h2
---------------------
https://mysecondwebsite.com/favicon.ico
Host: mysecondwebsite.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:98.0) Gecko/20100101 Firefox/98.0
Accept: image/avif,image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Alt-Used: mysecondwebsite.com
Connection: keep-alive
Referer: https://mysecondwebsite.com/charts/thisfolder/thisfile.html
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin

GET: HTTP/3.0 404 Not Found
content-type: text/html
last-modified: Mon, 28 Mar 2022 13:48:20 GMT
etag: "999-6241bca4-dfd29bee5117e228;br"
accept-ranges: bytes
content-encoding: br
vary: Accept-Encoding
content-length: 911
date: Mon, 04 Apr 2022 10:11:14 GMT
server: LiteSpeed
content-security-policy: upgrade-insecure-requests
alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
X-Firefox-Http3: h3
---------------------

2 Answers

  1. allow from gitlab.io doesn’t work on the HTTP Referer header like you seem to be expecting. Rather, it works based on the IP address of the user making the request.

    Instead you want to use something that checks the referer and denies access when it doesn’t contain myname.gitlab.io or your own website’s host name. You can do that with mod_rewrite by placing the following in your .htaccess file:

    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^http(s)?://((myname.gitlab.io)|((www.)?mysecondwebsite.com))/ [NC]
    RewriteRule .* - [F]
    

    This would allow referrers from your gitlab site, and would then allow those pages to fetch further resources such as images, js, and css. In this rule:

    • RewriteEngine on – turns on rewrites; this needs to be specified once in your .htaccess and is shared between all the rewrite rules and conditions
    • RewriteCond – specifies a condition for the next rewrite rule
    • ! says that the following regular expression should be negated (not matched)
    • ^ is the beginning of the regular expression
    • NC is "no case" meaning that this rule is case insensitive and will work for both upper-case and lower-case input
    • RewriteRule is the actual rule
    • .* says that it matches all URLs (in this case the condition specified above it is what matters)
    • - means that there is no destination URL
    • F says that it should show the "forbidden" status as opposed to redirecting or internally changing the URL.

    The problem with this approach is that it will forbid some requests that actually are referred from gitlab. Not all browsers actually send a referer header in all circumstances.

  2. Please could you share what the exception rule script is that you’re thinking?

    This is just an alternative to @StephenOstermiller’s excellent answer…

    You could instead keep your existing "hotlink protection" script unaltered, as generated by your control panel GUI (and make any changes through the GUI as required). But include an additional rule before your hotlink protection to make an exception for any domains you need to give access to.

    # Abort early if request is coming from an "allowed" domain
    RewriteCond %{HTTP_REFERER} ^https://myname.gitlab.io($|/)
    RewriteRule ^ - [L]
    
    # Normal hotlink-protection follows...
    

    This prevents the hotlink protection from being processed when the request is coming from the allowed domain. So access is permitted.

    This does assume you have no other directives that should be processed, following this rule.

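To see how the two approaches above behave on concrete requests, here is an added example that is not part of either answer and is not Apache: it is a local Python simulation that applies the same regular expressions to a request's Referer header the way RewriteCond/RewriteRule would, with `[NC]` modelled as case-insensitive matching, `!` as negation, `[F]` as a 403 and `[R]` as a 302. Host names are the page's placeholders (myname.gitlab.io, mysecondwebsite.com), the sample requests are constructed, and the dots in the host patterns are escaped here (the rules as written leave them unescaped, which is slightly looser but otherwise equivalent). The second sample mirrors the header dump in the question, where the HTML request carried no Referer header at all.

```python
import re

# Local simulation of the mod_rewrite conditions discussed in both answers.
# Assumption: this mimics Apache's regex handling of %{HTTP_REFERER}; it is
# not Apache and does not parse .htaccess. Hosts are the page's placeholders.

# Answer 1: a single condition that forbids everything not referred from an
# allowed host. Dots escaped here (unescaped on the page).
ALLOWED_REFERER = re.compile(
    r"^http(s)?://((myname\.gitlab\.io)|((www\.)?mysecondwebsite\.com))/",
    re.IGNORECASE,  # [NC]
)

# Answer 2: an early exception that stops rule processing ([L]) for the
# allowed domain. That condition carries no [NC], so it is case-sensitive.
EXCEPTION_REFERER = re.compile(r"^https://myname\.gitlab\.io($|/)")

# The control-panel hotlink protection from the question, applied after the
# exception. Its path pattern, with the dot escaped, matches any path that
# contains a '.' (as generated, with the dot unescaped, it matches any path).
HOTLINK_REFERER = re.compile(
    r"^http(s)?://(www\.)?mysecondwebsite\.com/.*$", re.IGNORECASE
)
HOTLINK_PATH = re.compile(
    r".*\.(.*|jpg|jpeg|gif|png|bmp|tiff|avi|mpeg|mpg|wma|mov|zip|rar|exe"
    r"|mp3|pdf|swf|psd|txt|html|htm|php)$",
    re.IGNORECASE,
)


def referer_of(headers):
    """Apache expands %{HTTP_REFERER} to "" when the header is absent."""
    return headers.get("Referer", "")


def answer1_status(headers):
    """RewriteCond %{HTTP_REFERER} !<allowed> [NC]  then  RewriteRule .* - [F]

    The '!' negates the match: the condition is true, and [F] fires, whenever
    the Referer does NOT match, including when the header is missing.
    """
    if not ALLOWED_REFERER.match(referer_of(headers)):
        return 403
    return 200


def answer2_status(headers, path):
    """Exception rule ([L]) first, then the unchanged hotlink protection ([R])."""
    referer = referer_of(headers)
    if EXCEPTION_REFERER.match(referer):
        return 200  # RewriteRule ^ - [L]: stop processing, request is served
    if not HOTLINK_REFERER.match(referer) and HOTLINK_PATH.match(path):
        return 302  # [R]: redirect to https://mysecondwebsite.com
    return 200


# Constructed sample requests (headers, request path).
SAMPLES = {
    "link from gitlab page": (
        {"Referer": "https://myname.gitlab.io/index.html"}, "/charts/folder1/1.html"),
    "no referer (as in header dump)": ({}, "/charts/thisfolder/thisfile.html"),
    "same-site favicon": (
        {"Referer": "https://mysecondwebsite.com/charts/folder1/1.html"}, "/favicon.ico"),
    "other site": ({"Referer": "https://other.example/page"}, "/charts/folder1/2.html"),
    "upper-case referer": ({"Referer": "HTTPS://MYNAME.GITLAB.IO/"}, "/charts/folder1/3.html"),
    # Constructed lookalike host: shows why the trailing '/' and '($|/)'
    # anchors matter, otherwise a longer host name would also match.
    "lookalike host": (
        {"Referer": "https://myname.gitlab.io.example/"}, "/charts/folder1/3.html"),
}


def evaluate_all():
    """Return {sample name: (answer-1 status, answer-2 status)} for every sample."""
    return {
        name: (answer1_status(headers), answer2_status(headers, path))
        for name, (headers, path) in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, (a1, a2) in evaluate_all().items():
        print(f"{name:32} answer 1 -> {a1}   answer 2 -> {a2}")
```

Running it shows the two designs agree on the normal cases and differ on the edge cases the answers mention: a request with no Referer, as in the header dump, gets 403 under the first approach and a redirect under the second, and an upper-cased Referer passes the `[NC]` condition but not the case-sensitive exception rule. Since the Referer value is supplied by the client, either set of rules is a hotlink deterrent rather than an access control; a same-origin request such as the favicon fetch passes both.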