[Note: I no longer work for Sun. I am slowly migrating the more worthwhile blog entries I made for Sun to my own blog. I need the Google love.]
Originally posted on July 20, 2007:
In the Web Server 6.1 time frame I had hacked together a <Client> tag solution to block external image linking to my site (I'm glad people like my images, but my server has limited bandwidth and I'd rather that my purdy images chew up bandwidth making my site purdy instead of someone else's). This worked great until I began using Gallery 2. Under Gallery2 the URIs for images aren't exactly "clean." They look something like this:
/main.php?g2_view=core.DownloadItem&g2_itemId=10436&g2_serialNumber=2
This obviously won't get caught by my original <Client> tag (it looks specifically for file names that look like, you know, file names), so I've now got an excuse to recreate that bad boy using the <If ...> syntax in Web Server 7.0.
My first step was to force Gallery2 to use URL Rewriting to create prettier URI space:
/d/2862-4/dsc_6912.jpg
I still want to block image linking to the rest of the Virtual Server, so I won't be using the recommended Gallery2 rule to block linking. Instead I'll run with a more general rule, and I'm inserting it above the rules for Gallery2 (making this the first thing evaluated once a request comes in):
<If defined $referer
and $referer !~ "($VSids)"
and $uri !~ '^/export_images/'
and $uri =~ '(?i)(gif|jpg|jpeg|png)'>
AuthTrans fn="set-variable" error="302" set-srvhdrs="Location: http://www.foobar.com/export_images/direct.png"
</If>
So the logic follows this flow:
- If the $referer variable is defined
- AND it does not contain a match for the VSids variable (I defined this in the server element of server.xml. It contains a list of VS IDs separated by bars: foo.com|bar.com )
- AND the URI is not in my "it's OK to serve these images remotely" directory
- AND the URI (case insensitive) contains GIF, JPG, JPEG, or PNG (I should probably make this sticky to the end of the URI with a $ at the end)
- Then redirect the user-agent to my "You're a bad person" image that will be displayed in place of the linked image.
One possible addition would be a white-list of external domains (basically what I do with $VSids) that ARE allowed to direct link:
and $referer !~ "($PartnerDomains)"
Obviously this mechanism isn't hard for a determined user to work around. All they have to do is not send a Referer header. Most people don't know this though, and have no idea how to do it.
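The rule's decision logic, modelled in Python as an added example (not code from the original post), so the posted extension pattern can be compared with the end-anchored one suggested above. The `$PartnerDomains` value and all sample requests are constructed for illustration; `foo.com|bar.com` is the post's example `$VSids` value.

```python
import re

VS_IDS = "foo.com|bar.com"           # the post's example $VSids value
PARTNER_DOMAINS = "partner.example"  # hypothetical $PartnerDomains value

EXT_AS_POSTED = re.compile(r"(?i)(gif|jpg|jpeg|png)")    # matches anywhere in the URI
EXT_ANCHORED = re.compile(r"(?i)\.(gif|jpg|jpeg|png)$")  # extension at end of URI only


def should_redirect(uri, referer, ext_re=EXT_ANCHORED, partners=None):
    """Return True when the <If> block would answer with the 302 to direct.png."""
    if referer is None:                          # "defined $referer" is false
        return False
    allowed = VS_IDS if partners is None else VS_IDS + "|" + partners
    if re.search("(" + allowed + ")", referer):  # $referer !~ "(...)" fails
        return False
    if re.search(r"^/export_images/", uri):      # images that may be served remotely
        return False
    return ext_re.search(uri) is not None


# Constructed sample requests: (uri, Referer header or None)
SAMPLES = [
    ("/d/2862-4/dsc_6912.jpg", "http://www.foo.com/gallery/"),
    ("/d/2862-4/dsc_6912.jpg", "http://forum.example/thread/1"),
    ("/d/2862-4/DSC_6912.JPG", "http://forum.example/thread/1"),
    ("/d/2862-4/dsc_6912.jpg", None),
    ("/export_images/banner.png", "http://forum.example/thread/1"),
    ("/articles/png-vs-gif.html", "http://forum.example/thread/1"),
]


def decisions(ext_re, partners=None):
    """Evaluate every sample and return the list of redirect decisions."""
    return [should_redirect(u, r, ext_re, partners) for u, r in SAMPLES]


if __name__ == "__main__":
    for (uri, ref), posted, anchored in zip(
            SAMPLES, decisions(EXT_AS_POSTED), decisions(EXT_ANCHORED)):
        print(f"{uri:28} {str(ref):32} posted={posted!s:5} anchored={anchored}")
```

The last sample is an HTML page whose path happens to contain "png": the posted pattern redirects it, the anchored pattern serves it normally.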