> Tim wrote:
> >Next I'm working on mod_rewrite-like referrer checking that will issue
> >a 403 error if the referrer isn't the same as the host domain (or empty).
>                                                                   ^^^^^^^^
> (from Re: Automatic vhosts, based on directories)
>
> >You still allow for referrers that are empty (which is what happens
>                           ^^^^^         ^^^^^
> >when paranoid people turn off referrers or a proxy server blocks them).
>
> could you please check those two statements of yours?
> when i read the first one i was going to ask you about it, but in
> the other thread it seems you perfectly understand the issue there.
In both statements I'm saying that I allow access to certain files if the referrer matches the host OR the referrer is empty (which happens if you directly type in the URL, bookmark it, or use a proxy/application to block referrers). Sites that block access when the referrer is empty would cause a huge problem to the paranoid ;-)

On all of my sites, and all of my hosted sites, I block all "outside" access to all binary files and all image files. By "outside" access I mean if the referrer doesn't match the host, but not if the referrer is empty. With mod_rewrite and Apache you can do some nice things with this: outside-linked images I redirect to an image that shows an ad for the site, and outside-linked binaries I redirect to my download page that still allows them to download the file, but they get my site interface and my ads first. Those that think this isn't important don't understand the magnitude of binary and image leeching. Because I send my outside-linked binaries through mod_rewrite, I also log these leeching sites and their referring URL. The log shows about 2,000 leech attempts per day. If the average binary file size is only 250k, it saves 14.5GB worth of leeched bandwidth a month (and these are low-ball estimates for just one site). When you serve over a million page views a day and push 2+TB per month, leeching can be a HUGE strain on the server and provides zero revenue in return.

> (one of the paranoid, who set up his proxy to filter referrers and
> still had to hack his browser to send fake ones)

A good proxy server or software package that blocks referrers should actually send referrers to match the host name. That will make browsing perfect on almost every site. I allow empty referrers so everyone can use my sites without any problems.

A question though: Does it really matter if a site knows that 206.107.239.10 came from yahoo.com? What's the harm in that?
I use referrers on my sites to track where people come from for three reasons:
1) block remote access to binary files
2) reports to show where people are coming from
3) for link exchange purposes.

I think a lot of these paranoid practices make things worse. Like blocking cookies causes more things to not work and more ads, and blocking JavaScript causes even more things to break. I really don't understand why anyone would care if someone else knew that 206.107.239.10 purchased a Widget and came from yahoo.com. If someone's into child porn or a terrorist, I could see wanting to be anonymous, but shy of that?

Tim
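Added example, not Tim's own configuration: Apache mod_rewrite rules that implement the referrer policy described in his reply (empty referrer allowed, foreign referrer redirected, leech logged). The host name example.com, the file paths and the log file name are assumptions.

```apache
# Added example (not from the thread). Host, paths and log name are placeholders.
RewriteEngine On

# An empty referrer (typed URL, bookmark, referrer-stripping proxy) is allowed,
# so a rule only fires when a referrer IS present AND it is not this host.
# RewriteCond lines apply only to the next RewriteRule, so they are repeated.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com(/|$) [NC]
# Don't rewrite the ad image itself, or a hot-linked ad image would loop.
RewriteCond %{REQUEST_URI} !^/images/leech-ad\.gif$
# Hot-linked images: silently serve the site's ad image instead (internal rewrite).
RewriteRule \.(gif|jpe?g|png)$ /images/leech-ad.gif [L,NC]

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com(/|$) [NC]
# Hot-linked binaries: external 302 to the download page, which still hands
# out the file but behind the site's own interface. E=LEECH:1 tags the
# request so the CustomLog below records it.
RewriteRule ^/downloads/(.+\.(zip|exe|tar\.gz))$ /download.php?file=$1 [R=302,L,NC,E=LEECH:1]

# Log only tagged requests: referring URL, requested path, client address.
CustomLog logs/leech_log "%{Referer}i %U %h" env=LEECH
```

Note that the Referer header is entirely client-controlled, so this is a bandwidth and leeching measure, not an access control: anyone who sets the header to the host name (as the other poster describes doing) passes the check.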
