What is the best/simplest way to prevent people hotlinking to images from my hosted ASP.NET website? I don't need to prevent all images/resources from hotlinking, I just want to prevent hotlinking to specific images/resources on a site. FYI. It's hostesd on GoDaddy.com so IIS tricks probably wont work.
Simplest way to do this is with a UrlRewrite in IIS 7.0.
https://help.maximumasp.com/KB/a738/using-url-rewrite-to-prevent-image-hotlinking.aspx
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="PreventImageHotlinking" enabled="true" stopProcessing="true">
<match url=".*\.(gif|jpg|png)$" />
<conditions>
<add input="{HTTP_REFERER}" negate="true" pattern="^$" />
<add input="{HTTP_REFERER}" negate="true" pattern="http://www.YourDomain.com/.*" />
</conditions>
<action type="Rewrite" url="/images/hotlinking.jpg" />
</rule>
</rules>
</rewrite>
</system.webServer>
Streaming the images through an ASPX page is a good solution. Though Referrer could be hacked.
What you could do is use a unique salt (keyword) and generate against MD5 (SHA-1 or SHA-2) if you are really concerned with security. Run the current epoch time as well against this as well, this puts an expiry on images as well. Store this "keycode" in the cookies. Whenever images are served you basically pass this via the querystring. The validation happens on the ASPX on the other end. You could even regenerate a new "keycode" between each request using either an HTTPRequestModule or the Global.asax page.
There will be overhead, but it will prevent anyone from hotlinking.
You could refuse any requests for images that don't have your site in the HTTP referer header field. That's the theory. In order to control requests in your application, you'd have to stream all images through an ASP page (as opposed to linking to them directly).
One thing I've seen that I thought was clever is to add an extra portion to the bottom of the image, and then use a css sprite technique to cut it off when shown on your site. A naive hotlink will result in displaying your extra portion. This will mean the image is skewed, so it doesn't look right on the other site, and you can use the extra portion to show your own url or whatever else you want.
Related
I have been browsing similar questions here but i haven't found my specific scenario.
I have domain.com. I have video.domain.com.
Now, before I continue, I am going to clarify. I am not trying to "protect" my video from being "stolen". This is virtually impossible.
I just don't want direct access to it in order to avoid leeching or downloads. My intention is to "protect" this video from unauthorized access (login and password will do for the website), but of course, if I don't do RTMP (which I intend to do) you got in your browser the full address of the video.
video.domain.com/course/1/Intro.mp4.
and that would not stop you from downloading it directly.
So, I tried a couple of things but didn't seem to work.
First, URL Rewrite. I am using IIS 7. I tried to block any request that {HTTP_REFERRER} was different than domain.com. Didn't work. Yes, it did block me from download it, but that's because my {HTTP_REFERRER} was empty. Which is also empty when domain.com try to access my subdomain. So, it did block the download but also to be able to play it from my website.
So, that, didn't work.
Next, I tried some IP Address Domain and Restrictions but didn't work either.
Has someone be able to do this successfully? I know amazon services are able to do this successfully but I can't think of a way.
Thank you
SOLUTION.
So, at the IIS level, in my videos.domain.com site, I created an URL Rewrite Rule where every request to a MP4 triggers this verification.
No empty Referer (if you call the video from video.domain.com/..../Intro.mp4, then it would not have a Referer).
Match ONLY "http://domain.com". If it doesn't match that, it would not serve the video. It would serve an image saying "Do not steal the videos" :)
Very simple.
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="ONLY from DOMAIN.COM" stopProcessing="true">
<match url="(?:mp4)$" />
<conditions>
<add input="{HTTP_REFERER}" pattern="^$" />
<add input="{HTTP_REFERER}" pattern="^http://domain\.com/.*$" negate="true" />
</conditions>
<action type="Redirect" url="http://videos.domain.com/leechingisbad.jpg" appendQueryString="false" redirectType="Temporary" />
</rule>
</rules>
</rewrite>
</system.webServer>
Is there a way to configure ASP.NET routing in the web.config file? I do not need anything fancy. If a user visits /myApp/list, I want to load /myApp/list.html. However, I do NOT want the address bar to change.
Is this possible? If so, how?
The best way is to use UrlRewrite module in IIS: http://www.iis.net/learn/extensions/url-rewrite-module
How you make this rule into web.config after installing UrlRewrite:
<system.webServer>
<rewrite>
<rules>
<rule name="my-first-url-rule" stopProcessing="true">
<match url="^/myApp/list$" />
<action type="Rewrite" url="/myApp/list.html" appendQueryString="true" />
</rule>
</rules>
</rewrite>
</system.webServer>
As of now there is No out-of-the-box way to configure routes in web.config file.
It seems vision was/is to add new routes on Application Start.
This doesn't stop us from creating custom configuration section and reading routes from there.
These are guesses why.
Most of the time, it seems, adding new routes could be prone to introduction of routing bugs and should be followed up with good regression testing. And therefore it probably will be done as part of new product release anyway. Perhaps that could be one the reasons why it's not configurable through configuration file.
Another reason could be that routes rules can be quite complex to put them into xml format - constraints, custom route handlers,etc.
I have a webpage that host documents on iis. When linking to those files for examples say I go to
www.webpage.com/Documents/testdocuments/innerfolder/1.pdf
I get the file back and have the complete url in the address bar. Is there a way to be able to browser to
www.webpage.com/Documents/testdocuments/innerfolder/1.pdf
, and get for example
www.webpage.com/Webdocs/1.pdf
as the url in the browser. My theory was make
www.webpage.com/Documents
a virtual directory, but I am not sure if I would still be able to access my files as
www.webpage.com/Documents/testdocuments/innerfolder/1.pdf
or if I would have to use for example
www.webpage.com/Webdocs/testdocuments/innerfolder/1.pdf
which defeats the purpose really. My ultimate goal is for the physical path of the file to not be visible to the user.
Any ideas would be greatly appreciated.
Thanks,
Since you are looking only to map one path to another you should use IIS url rewriting.
<rewrite>
<rules>
<rule name="Map Docs" stopProcessing="true">
<match url="^Webdocs/([_0-9a-z-]+)" />
<action type="Rewrite" url="Documents/testdocuments/innerfolder/{R:1}" />
</rule>
</rules>
</rewrite>
The other alternative is asp.net url routing. But it would be an overkill for what you need.
We have a new Sitefinity site that is replacing our marketing site. The switchover happened last friday, and we uncovered a problem today: there is content (pdfs, jpgs) on the old site that can no longer be accessed, and did not make it into the content migration plan. On top of that, management has removed rollback as an option.
So, the solution I have come up with is to use IIS 7's url rewriting module to point to a new url that hosts the old site so that content can be accessed. This is the xml in my web.config that I have come up with:
<rewrite>
<rules>
<rule name="RedirectFileNotFound" stopProcessing="true">
<match url=".*" />
<conditions logicalGrouping="MatchAll">
<add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
<add input="{URL}" negate="false" pattern="/\.*$" />
</conditions>
<action type="Redirect" url="http://www.oldsite.com{REQUEST_URI}" appendQueryString="true" />
</rule>
</rules>
</rewrite>
It attempts to test if the URL resolves to a file or folder, and makes sure that we are requesting something with an extension. If the rules pass, it redirects to the same location on the old site. Ideally, this would mean that anything linking to the old site previously would be able to be left alone.
The problem is, nothing gets redirected.
By fiddling with the rules, I have verified that the module is operational, i.e. i can set it up to rewrite everything, and it works. but these rules do not work.
My theory is that since Sitefinity uses database storage, it somehow short circuits the "IsFile" match type. Complete guess, but I'm kind of at a loss at this point.
How to I use urlrewriting to redirect for 404's in this manner?
I am not sure how the rewriter is implemented, but those rules seem to be too general. Sitefinity uses the routing engine and registers a series of routes that it handles. By definition, those routes are interpreted sequentially, so if a more general rule exists before a more specific one, the latter will not work.
I suspect what may be happening is that the Sitefinity rules already handle the request before the rewriter gets a chance to redirect it. What I can advise is to either implement more specific rewrite/redirect rules, or just handle the whole issue using a different approach. What was the reason your old files were inaccessible after the migration? Can you give a specific URL that fails to return the file, so we can work with a scenario?
this is just a shot in the dark, but do you have "file system fallback" enabled in the sitefinity advanced settings for libraries? perhaps the module is intercepting the request and not letting it proceeed to the file-system...
Thank you guys for your help, but it turned out to be a problem with Dynamic Served Content in general.
Assume that all requests are actually handled by a Default.aspx page. This isn't the way that Sitefinity works, but it is the way that DotNetNuke works, and illustrates the problem nicely.
The url rewrite isfile and isdirectory flags check for physical existence of files. In this case, only Default.aspx actually physically exists. All the other dynamically served content is generated later in the request cycle, and has no physical existence whatsoever.
Because of that, the isfile flag will always fail, and the redirect rule will always execute.
The solution I went with was to allow IIS and .NET to handle the 404s themselves, which properly respects generated content. and route that to a custom error page, 404redirection.aspx. There is code on that page that redirects to my old site, where that content is likely to be host. That site then has additional 404 handling that routes back to the 404NotFound.aspx page, so requests for files that don't exist in either system make a round trip and look like they never went anywhere. This also has the nice side effect of pages that aren't found on the old server get to display our new, pretty, rebranded 404 on the new server.
Simply put, rather than attempting to pre-empt the content generation and error handing, I took a more "go with the flow" approach, and then diverted the flow at a more opportune time.
I've got an Search Engine Optimisation problem where users are able to access my site by specifying any sub-domain. This is causing duplicate page issues with SEO.
For example if a user mis-types 'www' then posts a link on a forum, google is crawling 'wwww.domain.com'. Furthermore, google is also crawling 'domain.com'.
I need a way of forcing the site to always redirect to 'www.domain.com' regardless of how the user accesses the site.
Is it possible to do this in the web.config file? If not, how else can I achieve this?
Cheers, Curt.
You can do this using the IIS URL Rewrite module. Here's the config to rewrite domain.com to www.domain.com:
<system.webServer>
<rewrite>
<rules>
<rule name="Canonical host name">
<match url="^(.*)" />
<conditions>
<add input="{HTTP_HOST}" pattern="^www\.domain\.com$" negate="true" />
</conditions>
<action type="Redirect" url="http://www.domain.com/{R:1}" />
</rule>
</rules>
</rewrite>
</system.webServer>
You might need to modify the regex a bit or add a second rule to support rewrite of specific subdomains as well.
Unfortunately URL Rewrite module is not available on IIS6.
If you want to use url rewriting, you could check one of the following:
http://www.isapirewrite.com/ (not free)
http://urlrewriter.net/ (free)
http://cheeso.members.winisp.net/IIRF.aspx (my favourite)
Ah, just did this!
Set the default site to just redirect all calls using URL Redirect to your www.site.com, then create another site with your actual content that binds just to the www subdomain.
This will mean that all traffic will be redirected to the www site if there is no other binding available.
This has worked perfectly for me:
IIS 6 how to redirect from http://example.com/* to http://www.example.com/*
I had to change a bit of the code to get it to work with my Url-Rewriting, but apart from that, spot on!