Active TopicsActive Topics  Display List of Forum MembersMemberlist  HelpHelp   RegisterRegister  LoginLogin
ISAPI_Rewrite 2.x
 Helicon Tech : ISAPI_Rewrite 2.x
Subject Topic: hotlink blocking edge case problems Post ReplyPost New Topic
Author
Message << Prev Topic | Next Topic >>
iis6
Newbie
Newbie


Joined: 20 May 2010
Online Status: Offline
Posts: 8
Posted: 20 May 2010 at 5:51am | IP Logged Quote iis6
We are successfully using ISAPI_Rewrite 2.9

However we are also seeing a rare edge case with hotlink blocking. The relevant config is:

#Stop Hotlinking
RewriteCond Host: (.+)
RewriteCond Referer: (?!http://\1.*).*
RewriteRule .*\.(?:gif|jpg|png) /images/blocked.jpg [I,O]

The vast majority of users have zero issues but some consistently see the blocked image.

In a couple of cases clearing their cache has solved the problem and in one case a user behind a corporate proxy eventually worked after allowing some weeks to pass.

We can find no pattern in client side browser type/version.

Is there anything wrong with this config? Is there a known bug that causes this? Any suggestions cause as it stands we might need to abandon ISAPI_Rewrite completely.
Back to Top View iis6's Profile Search for other posts by iis6
 
Anton
Admin Group
Admin Group


Joined: 30 January 2007
Location: Ukraine
Online Status: Offline
Posts: 10489
Posted: 20 May 2010 at 7:09am | IP Logged Quote Anton
The issue may be due to the fact that some browsers (e.g. IE) do not always set Referer header and then Cond doesn't match.
It's hard to fix in ISAPI_Rewrite, the only way out is to use specialized HotlinkBlocker product.

__________________
Regards,
Anton
Back to Top View Anton's Profile Search for other posts by Anton
 
iis6
Newbie
Newbie


Joined: 20 May 2010
Online Status: Offline
Posts: 8
Posted: 20 May 2010 at 7:32am | IP Logged Quote iis6
We have licenses for both ISAPI_Rewrite and HotlinkBlocker.

Previously we used only HotlinkBlocker but when we needed to add some rules that only ISAPI_Rewrite could handle we opted to migrate solely to ISAPI_Rewrite.

Is there really no way to to do this solely with ISAPI_Rewrite even if we upgrade to the new version?

We would rather not run two products to essentially perform two halfs of one task. Every ms counts when you get as much traffic as we do.
Back to Top View iis6's Profile Search for other posts by iis6
 
Anton
Admin Group
Admin Group


Joined: 30 January 2007
Location: Ukraine
Online Status: Offline
Posts: 10489
Posted: 20 May 2010 at 8:03am | IP Logged Quote Anton
"Is there really no way to to do this solely with ISAPI_Rewrite even if we upgrade to the new version?"
- you see, it's not dependant on our products (it's the browser's fault).
And as ISAPI_Rewrite is not actually destined for hotlink blocking, it does not possess such comprehensive algorithms HotlinkBlocker does.


__________________
Regards,
Anton
Back to Top View Anton's Profile Search for other posts by Anton
 
iis6
Newbie
Newbie


Joined: 20 May 2010
Online Status: Offline
Posts: 8
Posted: 20 May 2010 at 8:47am | IP Logged Quote iis6
How would I alter my configuration to allow blank referer but in all other instances operate the same?
Back to Top View iis6's Profile Search for other posts by iis6
 
Anton
Admin Group
Admin Group


Joined: 30 January 2007
Location: Ukraine
Online Status: Offline
Posts: 10489
Posted: 21 May 2010 at 2:58am | IP Logged Quote Anton
I guess you may try to use this:

RewriteCond Referer: ^$
RewriteRule .* $0 [I,O,L]

#Stop Hotlinking
RewriteCond Host: (.+)
RewriteCond Referer: (?!http://\1.*).*
RewriteRule .*\.(?:gif|jpg|png) /images/blocked.jpg [I,O,L]

__________________
Regards,
Anton
Back to Top View Anton's Profile Search for other posts by Anton
 
iis6
Newbie
Newbie


Joined: 20 May 2010
Online Status: Offline
Posts: 8
Posted: 28 May 2010 at 4:10am | IP Logged Quote iis6
Thanks for this.

Because of the nature of the site it takes time to test and implement so will post back with an update asap.

thanks again
Back to Top View iis6's Profile Search for other posts by iis6
 
iis6
Newbie
Newbie


Joined: 20 May 2010
Online Status: Offline
Posts: 8
Posted: 01 June 2010 at 4:02am | IP Logged Quote iis6
We managed to squeeze this test in.

The example you quoted above seemed to cause problems where no one could browse the homepage giving directory listing denied. Whilst I don't pretend to know why this was the case this gave me a simple idea.

We limited the rewrite rule to the main images on the site then immediately before that rule created a new rule that matched access to these images with no refrerer and then rewrote the URL to itself.

i.e. something like

#Allow Blank reffer Hotlinking
RewriteCond Referer: ^$
RewriteRule (.*\.(?:gif|jpg|png)) $1 [I,O,L]

#Stop Hotlinking
RewriteCond Host: (.+)
RewriteCond Referer: (?!http://\1.*).*
RewriteRule .*\.(?:gif|jpg|png) /images/blocked.jpg [I,O,L]

In tests this seems to reduce the problem significantly so hopefully it will point other people in the correct direction in the future.
Back to Top View iis6's Profile Search for other posts by iis6
 

If you wish to post a reply to this topic you must first login
If you are not already registered you must first register

  Post ReplyPost New Topic
Printable version Printable version

Forum Jump
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot delete your posts in this forum
You cannot edit your posts in this forum
You cannot create polls in this forum
You cannot vote in polls in this forum