I have these two sets of rules in .htaccess:

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !=/favicon.ico
RewriteRule ^ index.php [L]

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://my\.site\.com\/ [NC]
RewriteRule .*\.(gif|jpg|png)$ - [NC,L,F]

The first set is the default Drupal index catch-all, and the second set is my own rule, whose purpose is to prevent hotlinking and direct access to images.

As I understand it, if someone types my.site.com/some.jpg directly into the browser, the first set of rules does not catch it because of its first condition (the URL is a regular existing filename), but then the second set of rules should return a 403 Forbidden status code to the client (because there is no referer and the pattern ends with .jpg).

Here is what happens: I get lots of entries in the Drupal error db log with jpg filenames and no referrer. So it means that those requests hit index.php, because Apache can't write to the db log; only Drupal can.

My question: is it possible to stop those requests from hitting index.php and instead return 403 directly to the client, and if so, how?

Moving the second ruleset (with jpg) before the first ruleset (index catch-all) didn't help. Commenting out the condition with the empty referer (RewriteCond %{HTTP_REFERER} !^$) did help: the entries in the db log stopped appearing, but the purpose is to also block requests with an empty referer.

camcam
  • 121
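
A small Python model of how mod_rewrite combines the two Referer conditions from the post, added here as an example that is not part of the original post. The sample requests, `other.example` and the function names are constructed for illustration; a request that is not forbidden simply continues to the other rules.

```python
import re

# Each entry models "RewriteCond %{HTTP_REFERER} !pattern": (regex, negated).
# mod_rewrite ANDs consecutive conditions; a missing Referer header expands
# to the empty string. [NC] is modelled with re.IGNORECASE (harmless for ^$).
ORIGINAL = [(r"^$", True), (r"^http://my\.site\.com\/", True)]
WITHOUT_EMPTY_CHECK = [(r"^http://my\.site\.com\/", True)]

# RewriteRule .*\.(gif|jpg|png)$ - [NC,L,F]
IMAGE_RULE = re.compile(r".*\.(gif|jpg|png)$", re.IGNORECASE)

# Constructed sample requests: (path, Referer header value)
SAMPLE_REQUESTS = [
    ("/some.jpg", ""),                           # typed directly, no referer
    ("/some.jpg", "http://my.site.com/node/1"),  # embedded in the site's own page
    ("/some.jpg", "http://other.example/page"),  # hotlinked from another site
    ("/node/1", "http://other.example/page"),    # not an image request
]


def is_forbidden(path, referer, conditions):
    """Return True when the image rule would answer 403 for this request."""
    # In .htaccess context the rule pattern sees the path without the leading slash.
    if not IMAGE_RULE.search(path.lstrip("/")):
        return False
    for pattern, negated in conditions:
        matched = re.search(pattern, referer, re.IGNORECASE) is not None
        if matched == negated:  # a negated condition holds only when there is no match
            return False        # one failed condition means the rule does not fire
    return True


def decision_table(conditions):
    """Evaluate every sample request against one set of conditions."""
    return [is_forbidden(path, ref, conditions) for path, ref in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for name, conds in (("original", ORIGINAL),
                        ("without !^$", WITHOUT_EMPTY_CHECK)):
        print(name)
        for (path, ref), deny in zip(SAMPLE_REQUESTS, decision_table(conds)):
            print(f"  {path:10} referer={ref!r:30} -> {'403' if deny else 'continues'}")
```

With the `!^$` condition present, the empty-referer request is the one case the rule lets through; with it removed, the same request is answered with 403.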