Hello, All.
I am creating an IIS URL Rewrite Rule for stopping Image Hotlinking (Stealing) from our image hosting server.
This script is on a Forest "Load Balanced" set of servers.
Code I've tried in different formations.
First code.
In these examples,
DomainOne = Image Hosting server. This site also displays images to the page for viewing, so they cannot be blocked. It is with a www., not any other sub.
The code below will display the "stop-hotlinking.png" image across all domains, including the DomainOne Image Hosting Site.
<rewrite>
  <rules>
    <rule name="Prevent Image Hotlinking" enabled="true" stopProcessing="true">
      <match url=".*\.(jpg|jpeg|png|gif|bmp)$" />
      <conditions>
        <add input="{HTTP_REFERER}" pattern="^https?://(www\.)?domainOne\.com/.*$" negate="true"/>
      </conditions>
      <action type="Rewrite" url="/graph/stop-hotlinking.png" logRewrittenUrl="true" />
    </rule>
  </rules>
</rewrite>
Second code
This <add input> was provided to me by another forum. DomainTwo and DomainThree are the two sites which are allowed to have images linked to them from the DomainOne Image Hosting Site.
Keeping in mind that DomainTwo and DomainThree are their own domains, they are NOT a sub of DomainOne.
I've added a test page with a linked image from DomainOne which is used to test for blocking; it is DomainFour in this example.
At the current moment it does not have a place in the code; it is simply used to test for showing and blocking of images when I enable either of the two scripts provided here.
<rewrite>
  <rules>
    <rule name="Prevent Image Hotlinking" enabled="true" stopProcessing="true">
      <match url=".*\.(jpg|jpeg|png|gif|bmp)$" />
      <conditions>
        <add input="{HTTP_REFERER}" pattern="^https?://(www\.)?(?:domainOne\.com|domainTwo\.com|domainThree\.com)/.*$" negate="true"/>
      </conditions>
      <action type="Rewrite" url="/graph/stop-hotlinking.png" logRewrittenUrl="true" />
    </rule>
  </rules>
</rewrite>
When I try the last one, it does not work at all. All of the domains' test.asp pages show the actual image which is linked to them.
I've tried to run Failed Request Tracing, but it does not log anything.
I've monitored it through Google Chrome Tools and Headers.
(Using the above DomainOne etc.)
authority: DomainOne (This is the same across all of them)
DomainOne is showing
referer: DomainOne/test.asp (This is the only one that shows the test.asp page)
--
authority: DomainOne (This is the same across all of them)
DomainTwo is showing
referer: DomainTwo
--
authority: DomainOne (This is the same across all of them)
DomainThree is showing
referer: DomainThree
--
authority: DomainOne (This is the same across all of them)
DomainFour is showing
referer: DomainFour
--
So it is doing as it is supposed to, just not working like it needs to work.
Any information on this and what steps to take to make it work like this.
DomainOne - Image Hosting Site, needs to NOT be blocked, as images are shown to the page for visitors.
DomainTwo and DomainThree - Need to be allowed to show images provided by DomainOne to their pages.
DomainFour - This would be blocked.
Thanks for any information you can provide.
Wayne
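
Added example, not part of the original post: a small Python harness that evaluates the two Referer patterns from the rules above against constructed Referer values shaped like the headers listed in the post. It assumes the patterns are matched case-insensitively (the URL Rewrite default) and that `negate="true"` inverts the condition; the sample host names, the `images/photo.jpg` path and the function names are assumptions made for the illustration.

```python
import re

# Patterns copied from the two rules in the post.
IMAGE_URL = r".*\.(jpg|jpeg|png|gif|bmp)$"
RULE_ONE = r"^https?://(www\.)?domainOne\.com/.*$"
RULE_TWO = r"^https?://(www\.)?(?:domainOne\.com|domainTwo\.com|domainThree\.com)/.*$"

# Constructed Referer values (not captured traffic): a full URL for the
# same-site page, origin only for the other sites, as in the listed headers.
SAMPLES = {
    "DomainOne page": "https://www.domainone.com/test.asp",
    "DomainTwo page": "https://www.domaintwo.com/",
    "DomainThree page": "https://domainthree.com/",
    "DomainFour page": "https://www.domainfour.com/",
    "no Referer sent": "",
}


def rule_fires(url_path, referer, referer_pattern):
    """Return True when the rule would rewrite the request to the placeholder.

    Assumed semantics: <match> and <add> are case-insensitive and
    negate="true" makes the condition true when the pattern does NOT match.
    """
    if not re.search(IMAGE_URL, url_path, re.IGNORECASE):
        return False  # not an image request, so the rule does not apply
    allowed = re.search(referer_pattern, referer or "", re.IGNORECASE)
    return allowed is None


def evaluate(referer_pattern, url_path="images/photo.jpg"):
    """Map each sample referrer to True (placeholder) or False (real image)."""
    return {name: rule_fires(url_path, ref, referer_pattern)
            for name, ref in SAMPLES.items()}


if __name__ == "__main__":
    for label, pattern in (("first rule", RULE_ONE), ("second rule", RULE_TWO)):
        print(label)
        for name, fires in evaluate(pattern).items():
            print(f"  {name:18} -> {'placeholder' if fires else 'real image'}")
    # The placeholder path is itself a .png, so it also satisfies <match>.
    print(rule_fires("graph/stop-hotlinking.png", SAMPLES["DomainFour page"], RULE_TWO))
```

Running it prints, per rule, which referring pages would receive the placeholder. A request that carries no Referer header fails the allow-list and gets the placeholder under both rules.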