IIS 10 Web Farm - URL Rewrite rule for stopping Image Hotlinking - Not working

Wayne Barron 1 Reputation point
2022-02-04T04:22:02.647+00:00

Hello, All.
I am creating an IIS URL Rewrite Rule for stopping Image Hotlinking (Stealing) from our image hosting server.
This script is on a Forest "Load Balanced" set of servers.

Code I've tried in different formations.

First code.
In these examples,
DomainOne = Image Hosting server, This site also displays images to the page for viewing, so they cannot be blocked. It is with a www. not any other sub.
The below code, will display the "stop-hotlinking.png" image across all domains, including the DomainOne Image Hosting Site.

    <rewrite>
      <rules>
        <rule name="Prevent Image Hotlinking" enabled="true" stopProcessing="true">
          <match url=".*\.(jpg|jpeg|png|gif|bmp)$" />
          <conditions>
            <add input="{HTTP_REFERER}" pattern="^https?://(www\.)?domainOne\.com/.*$" negate="true" />
          </conditions>
          <action type="Rewrite" url="/graph/stop-hotlinking.png" logRewrittenUrl="true" />
        </rule>
      </rules>
    </rewrite>

Second code
This <add input> was provided to me by another forum, the DomainTwo and DomainThree, are the two sites which are allowed to have images linked to them from the DomainOne Image Hosting Site.
Keeping in mind that DomainTwo and DomainThree, are their own Domains, they are NOT a sub of the DomainOne.
I've added a test page with a linked Image from DomainOne which is used to test for blocking, it is DomainFour in this example.
Which at the current moment, does not have a place in the codes, it is simply used to test for showing and blocking of images when I Enable either of the two provided scripts here.

    <rewrite>
      <rules>
        <rule name="Prevent Image Hotlinking" enabled="true" stopProcessing="true">
          <match url=".*\.(jpg|jpeg|png|gif|bmp)$" />
          <conditions>
            <add input="{HTTP_REFERER}" pattern="^https?://(www\.)?(?:domainOne\.com|domainTwo\.com|domainThree\.com)/.*$" negate="true" />
          </conditions>
          <action type="Rewrite" url="/graph/stop-hotlinking.png" logRewrittenUrl="true" />
        </rule>
      </rules>
    </rewrite>

When I try the last one, it does not work at all. All domain test.asp pages, all show the actual image which is linked to it.
I've tried to run a Failed Request Tracing but it does not log anything.
I've monitored it through Google Chrome Tools and Headers
(Using the above DomainOne etc.)

authority: DomainOne (This is the same across all of them)
DomainOne is showing
referer: DomainOne/test.asp (This is the only one that shows the test.asp page)

--

authority: DomainOne (This is the same across all of them)
DomainTwo is showing
referer: DomainTwo

--

authority: DomainOne (This is the same across all of them)
DomainThree is showing
referer: DomainThree

--

authority: DomainOne (This is the same across all of them)
DomainFour is showing
referer: DomainFour

--
So it is doing as it is supposed to, just not working like it needs to work.

Any information on this and what steps to take to make it work like this.

DomainOne - Image Hosting Site, needs to NOT be blocked, as images are shown to the page for visitors.
DomainTwo and DomainThree - Need to be allowed to show images provided by DomainOne to their pages.
DomainFour - This would be blocked.

Thanks for any information you can provide.
Wayne

3 answers

  1. Sam Wu-MSFT 7,036 Reputation points Microsoft Vendor
    2022-02-07T02:40:44.703+00:00

    @Wayne Barron

    I've tried to run a Failed Request Tracing but it does not log anything.

    How did you use failed request tracing? You have rewritten; the failed request trace will definitely have a record. You can refer to this link on how to use failed request tracing.

    Or you can try to add this code to your rule condition and try again.

    <add input="{HTTP_REFERER}" pattern="^$" negate="true" />  
    


  2. Wayne Barron 1 Reputation point
    2022-02-07T11:58:12.147+00:00

    Sorry for not updating this thread.

    I was assisted on another forum, and this was the issue.
    I was testing the same image on multiple domains we own.
    And that was the biggest problem, was the image would get cached, even when Google Tools was open, it would still cache it for whatever reason, we never could figure it out.
    I changed to another image from the hosting site, and it started working.
    We also found out that Google Chrome needed a referrer meta tag in the head of the hosting site's page.

    <meta name="referrer" content="origin">
    

    Once all the above was taken care of and the following code in place. It started working.

    <rule name="Prevent Image Hotlinking" enabled="true" stopProcessing="true">
      <match url=".*\.(jpg|jpeg|png|gif|bmp)$" />
      <conditions>
        <add input="{HTTP_REFERER}" pattern="^https?://(www\.)?(?:DomainOne\.com|DomainTwo\.com|DomainThree\.com)/.*$" negate="true" />
      </conditions>
      <action type="Rewrite" url="/graph/stop-hotlinking.png" logRewrittenUrl="true" />
    </rule>
    

    In the above, you will see there are multiple domains, this is to allow images to be hosted on their domains, and all other domains will get the STOP image.

    This is completed.
    I want to thank gr8gonzo from the other forum for helping me out in this long venture.


  3. Wayne Barron 1 Reputation point
    2022-02-07T12:01:03.85+00:00

    Thanks for the link Sam, I will keep that for future reference.

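The rule from answer 2 and the extra `^$` condition suggested in answer 1 can be checked offline against different Referer values. This is an added example, not code from the thread: `evaluateRule`, `report` and the sample Referer values are constructed for illustration, and it assumes URL Rewrite's defaults (ECMAScript patterns, `ignoreCase="true"`, `logicalGrouping="MatchAll"`).

```javascript
// Simulation of the IIS URL Rewrite rule from this thread (added example).
// URL Rewrite uses ECMAScript regex syntax and ignoreCase="true" by default,
// so a JavaScript RegExp with the "i" flag evaluates the same patterns.
const MATCH_URL = /.*\.(jpg|jpeg|png|gif|bmp)$/i;
const ALLOWED_REFERER =
  /^https?:\/\/(www\.)?(?:DomainOne\.com|DomainTwo\.com|DomainThree\.com)\/.*$/i;
const EMPTY_REFERER = /^$/;
const STOP_IMAGE = "/graph/stop-hotlinking.png";

// path: request path without leading slash or query string (what <match url> sees).
// referer: value of {HTTP_REFERER}; "" when the browser sends no Referer header.
// skipEmptyReferer: true adds the second condition (pattern="^$" negate="true").
function evaluateRule(path, referer, skipEmptyReferer = false) {
  if (!MATCH_URL.test(path)) return "/" + path;        // rule does not apply
  const conditions = [!ALLOWED_REFERER.test(referer)]; // negate="true"
  if (skipEmptyReferer) conditions.push(!EMPTY_REFERER.test(referer));
  // Default logicalGrouping is MatchAll: every condition must hold to rewrite.
  return conditions.every(Boolean) ? STOP_IMAGE : "/" + path;
}

// Constructed Referer values; the domain names are the thread's placeholders.
const SAMPLES = [
  ["full URL from the hosting site", "https://www.domainone.com/test.asp"],
  ["origin only (meta referrer=origin)", "https://www.domaintwo.com/"],
  ["origin without trailing slash", "https://www.domaintwo.com"],
  ["non-www subdomain", "https://img.domainthree.com/page"],
  ["allowed name as prefix of another host", "https://domainone.com.example.net/"],
  ["unlisted site", "https://www.domainfour.com/test.asp"],
  ["no Referer header", ""],
];

// Returns what would be served for one image request per sample Referer.
function report(skipEmptyReferer) {
  return SAMPLES.map(([label, referer]) => ({
    label,
    referer,
    served: evaluateRule("images/photo.PNG", referer, skipEmptyReferer),
  }));
}

for (const skip of [false, true]) {
  console.log(`second condition (^$ negated) present: ${skip}`);
  for (const r of report(skip)) console.log(`  ${r.label}: ${r.served}`);
}
```

With only the allowlist condition, a request that carries no Referer header receives the stop image; with the `^$` condition added, such requests are served the original image.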