Stopping hotlinking from a directory using web.config


2

I have a folder on my site for caching large flash movies and I want to stop other people from embedding them in their site; I would like to try and do this using the web.config file only. How could this be done?

My first attempt at a rule (which doesn't work):

The following rule was supposed to prevent public access (and embedding) to .swf files in the cache folder 'CurrentCache' - http://myurl.com/ContentCache/ and give a replacement movie 'NoEmbedFromCacheSWF.swf' instead.

<rule name="Prevent SWF hotlinking" enabled="true">
  <match url="^(ContentCache)(.swf)$" ignoreCase="true" />
  <conditions>
    <add input="{HTTP_REFERER}" pattern="^http://(.*\.)?myurl\.com/.*$" negate="true" />
  </conditions>
  <action type="Rewrite" url="/Content/Flash/NoEmbedFromCacheSWF.swf" />
</rule>

Thanks in advance!

Note: I think I have got the regex wrong in the <match url="A swf inside /ContentCache/" ignoreCase="true" /> line. Any ideas what it should be?

2012-04-05 15:40
by James


3

You can build an HttpModule for this. There is a blog posting describing exactly what you want to do I think:

HttpModule to block external referrers in ASP.NET

Edit: Of course I'm bending the rules here about web.config only. You have to use an external module, but then you can use it referencing from web.config only without modifying any of your code.

Edit2: If you want to do it using a rewrite rule, you have to change your pattern, like this:

<rule name="Prevent SWF hotlinking" enabled="true">
  <match url="/ContentCache/.*\.swf$" ignoreCase="true" />
  <conditions>
    <add input="{HTTP_REFERER}" pattern="^http://(.*\.)?myurl\.com/.*$" negate="true" />
  </conditions>
  <action type="Rewrite" url="/Content/Flash/NoEmbedFromCacheSWF.swf" />
</rule>

The pattern used is a regular expression; you can read up on them here, and you can test them, for example, on this webpage.

2012-04-05 15:47
by aKzenT
Yes, I can see this would work but I was really looking for a simpleish code-free solution like this http://www.it-notebook.org/iis/article/preventhotlinkingurl_rewrite.htm - this one for images - but the real problem I have is not knowing what to write for the <match url="???" /> part - James 2012-04-05 15:52
see my ultimate edit - aKzenT 2012-04-05 16:00
The final edit looked perfect, I tried it but unfortunately it still lets other websites with different urls get hold of swfs in my contentcache folder. I think you are very close tho - James 2012-04-05 16:10
Did you check what referer value the web pages send? You can also try removing the condition to see if the rewrite works at least (for all pages), then try to re-add the condition. It looks good to me.. - aKzenT 2012-04-05 16:23
Right, after some careful testing I found this works: <match url="^(ContentCache).*?swf$" ignoreCase="true" /> The problem now is that <action type="Rewrite" url="/Content/Flash/NoEmbedFromCacheSWF.swf" /> always seems to result in an error 404 no matter what url I stick in it as the one to rewrite to. Your help would be much appreciated - James 2012-04-05 17:02
Did you check what URL you get in the browser after the redirect? - aKzenT 2012-04-05 17:41
Well, since it was a rewrite, the url in the browser didn't change... but no worries... I've got it working now thanks to you @aKzenT! I think there was a typo in my action line because I recopied and edited one off the net and it works a charm now: http://towerdefence.me/ContentCache/KingdomRush1073.swf Thanks again - James 2012-04-05 17:51
glad it worked - aKzenT 2012-04-05 18:02
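
Added example (not code from either poster): a complete web.config fragment for the rule the thread converges on. It assumes the IIS URL Rewrite module is installed and that this web.config sits in the site root; the `stopProcessing` attribute, the `https?` alternative and the tighter host check are additions, not taken from the thread.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Prevent SWF hotlinking" enabled="true" stopProcessing="true">
          <!-- URL Rewrite passes the path to <match> without its leading slash,
               so the pattern starts at "ContentCache/", not "/ContentCache/". -->
          <match url="^ContentCache/.*\.swf$" ignoreCase="true" />
          <conditions>
            <!-- negate="true": the rule fires when the Referer is missing or is
                 not a page on myurl.com (or a subdomain), over http or https.
                 [^/]+ keeps the host check inside the hostname part of the URL. -->
            <add input="{HTTP_REFERER}" pattern="^https?://([^/]+\.)?myurl\.com/" negate="true" />
          </conditions>
          <!-- Rewrite (not Redirect): the replacement movie is served under the
               requested URL, so the address in the browser does not change. -->
          <action type="Rewrite" url="/Content/Flash/NoEmbedFromCacheSWF.swf" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

The Referer header is supplied by the client and is often absent, so this rule discourages embedding but is not access control for the files; requests that carry no Referer at all also receive the replacement movie.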