Rewrite rules for IIS to block Hot Linking Images and Stop Download Theft

Discussion in 'Application Guides' started by Nimrod, Jul 19, 2014.

  1. Nimrod

    Nimrod Exotic Vendor

    Joined:
    Jun 1, 2007
    Messages:
    1,991
    Likes Received:
    534
    Location:
    London, United Kingdom
    Rewrite rules for IIS to block Hot Linking Images and Stop Download Theft

    There's nothing worse than when you write up or post a load of content on your own website with loads of images or downloads, than to find your content or work copied onto by users (or even illegitimate webmasters) onto their own website (content theft). It then gets worse than you realise they are hot linking (leeching) your images direct from your own server, or even worse linking to you to host the large download for their users. Luckily with most Web Servers, you can easily block this so at least if someone is going to steal your content they have to at least host their own images and downloads so you don't pick up the bill / resources for their theft. I'm going to detail below the process for use in IIS (Internet Information Services) the built in Web Server in Windows in which you can block any file extensions (say Images, or Downloads) from being linked to directly, and even use redirect or rewrite rules to block them and try to drive users back to your website where the original content is from.


    Preparing Internet Information Services (IIS):

    For IIS to be able to block this, you need to install the URL Rewrite Module if it's not already installed. This module is an official Microsoft package so there is no need to worry about any security risks associated with this. If you already have the Web Platform Installer package installed on your IIS you can go ahead and select it from there, or use the link below on the Server to get it installed:

    URL Rewrite : The Official Microsoft IIS Site


    Setting up the IIS URL Rewrite Hot Link (Leeching) Protection Rule:

    Once installed, open you're Internet Information Services (IIS) Manager and browse to the site in question. Click on the newly appeared URL Rewrite Icon:

    URL Rewrite.PNG

    On the right hand side, select Add Rules:

    Add Rules.PNG

    Select Inbound Rules, and select Blank Rule and click ok:

    New Rule - Blank Rule.PNG

    Give the rule a nice new name, we made two rules (One for Downloads, and one for Images) so something like 'Prevent Image Hotlinking'. Next in the Match URL part you need to select Matches the Pattern and enter the below in the Pattern area:

    Code:
    .*\.(gif|jpg|png)$
    Note the file extensions gif, jpg and png. You can edit these to your heart's content. So if this rule was to block Download you could use rar|zip like we did in the below:

    Match URL.PNG


    It's recommended to ignore case as sometimes you can have either like image.JPG or image.jpg.

    Next it's time to set some conditions to trigger this rule. It's important here we have two rules as this is using the HTTP REFERER flag. One for your own URL(S) and one for blank. This is because some users have privacy settings or tools installed which block the referrer flag being sent in HTTP requests, so we want those users to be able to still view the content (so we don't break the site for them) and of course anyone with your own legitimate URL's. Effectively we are blocking anyone who both doesn't have a blank referrer or your own sites referrer and is coming from someone else's site.

    Select the 'Add..' button in the Conditions area and let's first add a blank referrer allowed condition like so:

    Code:
     Condition input: {HTTP_REFERER}
    Check if input string: Does Not Match the Pattern
    Pattern: ^$ 
    Conditions - Blank.PNG

    Once that one is added, let's add a second one for your own site. In this example I will be using digiex.net so you will need to tweak it for your own site.

    Code:
     Condition input: {HTTP_REFERER}
    Check if input string: Does Not Match the Pattern
    Pattern: ^http://(.*\.)?digiex\.net/.*$ 
    Conditions - Main URL.PNG

    This specific rule will allow anyone using HTTP to access the content providing at some point digiex.net is in the URL (so allows sub domains etc to be used).

    Once done, you should find a series of Conditions added like below (note for this screenshot, I also added one for https as we have an https site to):

    Condition Rules Complete.PNG


    Actions for the IIS URL Rewrite Hot Link (Leeching) Protection Rule:

    Now onto the fun part, the Actions once these rules have been triggered. Here you can be quite creative in how you wish to deal with those who are leeching your content, or even attempt to convert those users into visitors onto your site. I'll go through two examples which we have used on Digiex:

    Action: Redirect

    We host a lot of downloads on Digiex, and none of our downloads require you to register or have any reCAPTCHA or waiting times. Sadly a lot of other webmasters abused this and directly linked to our downloads from there pages so we picked up the bill. We needed to stop this, but instead of flat out blocking the downloads or just showing error messages we wanted to engage those visitors clicking on the links that the content was stolen which damages the creditability of the site they were on, and give them a chance to find the original content on our site giving us page views as well as a chance to earn back some of the costs of the download.
    We did this by setting up a custom page (which you are welcome to browse at digiex.net/leech.php) which then contains a custom google search box which gives them a chance to realistically find the original content on our site and likely see the original authors work.

    In IIS, we then set the Action to Redirect and placed the full URL in like below:

    Action Redirect.PNG

    You'll notice we set the redirect type as Temporary. This is just incase any search engine bots managed to trigger the rule, we didn't want them to think Leech.php was the permanent home for the download.

    Once done the rule was enabled, and we saw 20-50 views an hour to our leech.php page showing a lot of sites were directly linking, and our overall page views on our main site increased as users were funnelled into seeing the original content.

    Action: Rewrite

    This Action Rule only really works well on images as it hides any redirect/changes to the user and instead on the fly replaces the content. When a website directly links to your images, what you can do is on the fly replace the images just for those users with something like your websites logo, or even a full information picture saying like 'Content stolen, browse at digiex.net'. It will however not affect any legitimate browses on your own site as the rule is set to accept them.

    You can set the rule up like below (note, I used a relative location to the site home):

    Action - Rewrite.PNG

    Once done, this rule can be enabled and you are set to go.

    Please note: If you use any CDN service like Cloudflare, I strongly recommend not setting up an image blocking rule as this will interfere with the CDN and they could cache the wrong image for all users to see. Instead, use the CDN interface to request hot link protection on the images instead of doing it on your web server.



    I hope this guide helps :) If you have any questions, feel free to drop them below and I will get back to you.
     
    InsaneNutter likes this.

Share This Page