[sambro]

Well I made that name up on the spot. The boring name is sv_downloadurl_protection.

I have been trying to come up with a way to effectively prevent the possibility of other servers from using your sv_downloadurl themselves and letting users leech off your precious bandwidth.

The problem is Valve are pathetically lazy, and Steam does not pass the Referer along the line when it makes requests to your web server from HLDS. This means you can't really differentiate between Mr. EvilLeechers server and your own.

As a side note, they implemented the referer system in SRCDS, I believe the Referer is in the format of hl2://<IP of server>.

This plugin aims to solve the leeching problem with the combination of a .htaccess, a .php proxy, and a AMXX script.

Let's say your sv_downloadurl root is "http://www.testsite.com/naturalselection/". The .htaccess file provided will deny access to anything in this folder and any subfolders, with the exception of the PHP file also provided; file.php.

The file.php will check a IP address "whitelist" database table. If a user has been added to the whitelist, the PHP script will deliver the file (uses readfile(), shouldn't be a big memory hog, if anyone knows an even better way, let me know), otherwise it will 404 (basically telling a potential leech to sod-off).

There is also a Expiry system setup, if a user doesn't connect to the HTTP download server within 10 seconds, or there is more than a 10 second delay between file requests (shouldn't happen unless internet drops), then they are removed from the whitelist.

The AMXX script will watch for client connects, and when a client goes off to download files, their IP address will be added to the IP whitelist database table.

So in a nutshell, with this system it is 100% impossible for another server to directly leech your sv_downloadurl (unless they compromised your MySQL database). Also, with the fairly strict Expiry system set in place, it is very difficult for users to directly leech from you. The way they would attempt to achieve this is begin connecting to your server, disconnect quickly, then connect to another server which is using your HTTP server unlawfully. The chances of this happening are pretty slim anyway.

Let me know what you think. I'm pretty new to AMXX scripting, I think I did a crappy addon ages ago, but only just back into it yesterday, so if there's any nubbish mistakes in the code, be nice

INSTALLATION:
You need to have MySQL setup correctly, meaning valid login information in sql.cfg, and the mysql module enabled.

Your webserver needs PHP installed correctly, script has been tested in PHP4 and PHP5.

Your webserver also needs .htaccess support.

If you have all of the above, there is a few simple steps to take.

1) Open the file.php file, edit the database settings at the top of the file. Use the same settings you have set up in addons/amxmodx/configs/sql.cfg. There's also a couple of other settings you can tweak in there if you have experience.

2) Upload the .htaccess and edited file.php files to the sv_downloadurl root. For example if your sv_downloadurl is "http://www.testsite.com/naturalselection/" then upload the files into the naturalselection folder.

3) Edit your mods server.cfg file, and change the sv_downloadurl. Following the previous example, you need to change the sv_downloadurl from

http://www.testsite.com/naturalselection/

to:

http://www.testsite.com/naturalselection/file.php/

Make sure the link has the trailing slash.

4) Add the sv_downloadurl_protection.amxx file to your plugins directory and plugins.ini list.

5) Restart server.

6) ???

7) Profit.

[Alka]

Sounds very cool! Gj

[sambro]

Actually I'm still terrified that someone is going to tell me I'm an idiot and there's a really simple way to do this with a .htaccess or something

There just seems to be 0 documentation on sv_downloadurl, apart from the myriad of websites that helpfully tell you to

"Put sv_downloadurl in your server.cfg, put it in quotes"

And that's about the extent of their knoweledge

[vvg125]

Quote:

Originally Posted by sambro Actually I'm still terrified that someone is going to tell me I'm an idiot and there's a really simple way to do this with a .htaccess or something

TBH, you can do this.

But still a pretty good plugin nonetheless. Especially for those that don't know what an .htaccess is.

[M249-M4A1]

This is wonderful, I'll be sure to give this a shot!

[Voi]

good idea

[sambro]

vvg125, how would you achieve this though?

If you look in your Apache access_log, you'll notice the Referer isn't sent from HLDS (it is from SRCDS), so what other ways are there to determine what server a client is coming from?

[vvg125]

Hmm... I'm starting to have second thoughts. At first I was thinking you could block everything and allow the server as an exception, but it just dawned on me that the client might be directly connecting to the web server rather then through the game server.

I think I need to test this...

[sambro]

Quote:

Originally Posted by vvg125 ... it just dawned on me that the client might be directly connecting to the web server rather then through the game server.

This is exactly right btw. With the Source Engine, when it makes a request for a file on the HTTP server, it will fill in the Referer HTTP header, in the form of hl2://<IP of gameserver the client came from>. Unfortunately this functionality doesn't extend to GoldSrc it seems, lol.

[sambro]

A simple test is this:
Well there's a quick way to see stuff:

Make a file called log.php in your sv_downloadurl location:

Code:

  $filename = ltrim(str_replace($_SERVER["SCRIPT_NAME"], "", $_SERVER["REQUEST_URI"]), "/\\");

  $fp = fopen("access.txt", "a");
  fwrite($fp, "File: $filename Referer: " . $_SERVER["HTTP_REFERER"] . "\r\n");
  fclose($fp);

  header("Content-Type: application/octet-stream");
  header("Content-Length: " . filesize($filename));

  readfile($filename);

Then append log.php/ to your sv_downloadurl, it will add a log entry everytime something is requested. You'll notice REFERER is empty