Helicon Tech : HotlinkBlocker (Forum Locked)
Topic: Multiple local websites (Topic Closed)
Reports
Newbie


Joined: 06 January 2006
Location: United States
Posts: 13
Posted: 06 January 2006 at 6:47pm  

We use more than 90 domains on one IIS5 server and most content is served dynamically all using the same Coldfusion code. We also use the URL ReWrite DLL, works fine.

We installed HotLinksBlocker and it seems to work fine. Are local domains as websites installed on the server automatically considered to be in the WHITELIST? It seems so but this is not clear. I'd like to be certain, and I hate the idea of having to type not only all our local domains for the whitelist but dozens of other domains on the black list.

If not considered local, will HotLinksBlocker handle all 90 local domains without having to type all of those domains as [ReferersWhiteList]?

And just as important, how much of an overhead will all those extra lines create on a standard Win2000 server and CF5? I understand it depends on the CPU and memory, disk access, etc, but perhaps you will give us some kind of idea of whether this will be negligible or not.

 

 
Yaroslav
Admin Group


Joined: 15 August 2002
Posts: 6520
Posted: 09 January 2006 at 5:26am  

In REFERER protection mode HotlinkBlocker automatically considers a request as valid if the Host header in the request to the file matches the host name in the Referer header. So if all your 90 domains have only internal references to the images then it will work without whitelisting. If your sites include direct external references to the image files on other domains then you will need to use whitelists.
Another solution is to use the LINK protection method that does not rely on HTTP Referer header values at all.
Whitelisting 90 domains is possible, your users will not see any notable performance differences, only CPU usage may grow to 5%-10%. But this is not a graceful solution.

__________________
Yaroslav Govorunov,
Helicon Tech
 
Reports
Newbie


Joined: 06 January 2006
Location: United States
Posts: 13
Posted: 12 January 2006 at 7:42pm  

I posted all domains, to see how this would work. One of our customers reported not long after I installed HotLinkBlocker, that all the images on the home page had X's, which I take to mean they were not found, could not be displayed. However, I cannot reproduce that problem but I am worried.

Our cold fusion code displays all the websites based on a website variable, such as #Website_Domain#. The variable is expanded correctly, of course, but I'm wondering if that could in any way you know, create a problem? I can't display any problems, but then I can't reproduce every possible situation. I'm just not that bright.

Also, the domains listed in the ini file are all upper case. I want to be sure this makes no difference? Is there a default case or is this simply not important?

And finally, the domain should be entered like this in the ini file?

*.domain1.com
*.domain2.com

etc?

 

 

 
Yaroslav
Admin Group


Joined: 15 August 2002
Posts: 6520
Posted: 13 January 2006 at 2:47pm  

This is happening when the user sits behind some firewall that replaces the HTTP referrer header value with its advertising. This is one of the reasons why we recommend always using the LINK protection method - it does not depend on the referrer header and other client-dependent things.
I didn't understand the question about ColdFusion, HotlinkBlocker works only with URLs and HTTP headers irrespective of what server or client technology is used.
All patterns (including regular expressions) in HotlinkBlocker are case insensitive.

__________________
Yaroslav Govorunov,
Helicon Tech
 
Reports
Newbie


Joined: 06 January 2006
Location: United States
Posts: 13
Posted: 13 January 2006 at 8:39pm  

Thanks for your input, Yaroslav.

In reference to a previous message above, I have no idea what "direct external references" means and I'm not sure I have the time today to figure it out. That creates a bit of a time delay which I'm not at all about to accept. Why not use plain English terms? That would be helpful. Making a decision on which configuration to choose is difficult itself, let alone fighting install errors, and manual configuration. But we'll stay with it because strange as it may sound, we have a good feeling about your company, for a while, as long as friendly help is forthcoming, we'll ask questions.

We've removed the HotLinkBlocker for the time being so we can find time to jump into this again, with a different configuration.

It appears we have Microsoft's URL Rewrite DLL installed and would rather buy what you offer but it seems one cannot edit your rewrite ini file as it is read only, so I'll have to find time to study this much more and probably have to take it down somehow so I can edit the ini file and do some testing, and yes, read the instructions!

 

 
ebizduro
Newbie


Joined: 13 January 2006
Location: United States
Posts: 3
Posted: 13 January 2006 at 8:47pm  

Quote: Originally posted by Yaroslav on 09 January 2006
In REFERER protection mode HotlinkBlocker automatically considers a request as valid if the Host header in the request to the file matches the host name in the Referer header.

Is there a way or could you have an option where we can disable this feature?  We are trying out your awesome product and this is the only downfall we see with your product.  If we could turn off the validation to where the REFERER contains the HOST, your product would be 100% perfect!

Thanks,
Bryan

 
Reports
Newbie


Joined: 06 January 2006
Location: United States
Posts: 13
Posted: 13 January 2006 at 11:38pm  

Yaroslav:

> This is happening when the user sits behind some firewall that replaces the HTTP referrer header value with its advertising.

Not sure what you mean by "with its advertising".

But if I understand the gist of what you're saying, then no commercial business should be using that sort of configuration. More than half our 125,000 customer base are behind broadband. I did not see this documented, at least not up front where it should be. That worried me.

> didn't understand question about ColdFusion
Then it's probably not important. I was grasping.

> All patterns (including regular expressions) in HotlinkBlocker are case insensitive.

Great!

 
Yaroslav
Admin Group


Joined: 15 August 2002
Posts: 6520
Posted: 14 January 2006 at 10:31am  

2Reports:
1) By "direct external references" I mean that none of your sites has crosslinks to the images on others of your sites, i.e. if your sites are in fact hotlinking images from each other. You may not think of it as hotlinking, but from the HotlinkBlocker point of view it will be hotlinking, so you will need to whitelist some sites.
2) What install errors are you talking about? Have you experienced some errors you want to report?
I didn't understand what read only files you are talking about.
3) By "with its advertising" I mean that some client internet security tools may remove the HTTP referrer header and replace it with the values advertising tool itself. While it is possible to serve requests without a referrer header by enabling empty referrers, it is impossible to work around the situation when the referrer header was modified.
4)
> More than half our 125,000 customer base are behind broadband.

And actually only a few of them are behind the security tools I described above. But yes, this is the price you pay for using HTTP referrer header based protection. And actually no other solution that uses referrer headers can help you here; only LINK protection is not sensitive to this problem.


__________________
Yaroslav Govorunov,
Helicon Tech
 
Yaroslav
Admin Group


Joined: 15 August 2002
Posts: 6520
Posted: 14 January 2006 at 10:39am  

2ebizduro:
I don't understand why you may need it because it will prevent the site pages from accessing images located on the same site but you may try to blacklist the site name.
Also in LINK protection mode HotlinkBlocker will not check the referrer header at all (except for white & black lists).

__________________
Yaroslav Govorunov,
Helicon Tech
 
Reports
Newbie


Joined: 06 January 2006
Location: United States
Posts: 13
Posted: 14 January 2006 at 6:40pm  

> Have you experienced some errors you want to report

The installation error where I had to manually set up.

> didn't understand what read only files you are talking about.

That would be the httpd.ini file.  When editing and attempting to save it, the system tells me it is a read only file.

 
Reports
Newbie


Joined: 06 January 2006
Location: United States
Posts: 13
Posted: 14 January 2006 at 7:31pm  

After installing the full version of your rewrite filter ISAPI_Rewrite 2.8, the httpd.ini file was read only. I had to remove the read only attributes so I could modify it. You might want to check as to why that's happening.

As with your HotLinkBlocker.ini file, I assume that once I edit and save the httpd.ini file that it is updated and ready for use. Is that correct?

When using your ISAPI REWRITE filter, I wanted to use the same rewrite rules used in what I assume is the Microsoft rewrite filter. Here is what I used to use:

 

[ISAPI_Rewrite]

# 3600 = 1 hour
CacheClockRate 3600

RepeatLimit 32

# Block external access to the httpd.ini and httpd.parse.errors files
RewriteRule /httpd(?:\.ini|\.parse\.errors).* / [F,I,O]
# Block external access to the Helper ISAPI Extension
RewriteRule .*\.isrwhlp / [F,I,O]

RewriteEngine On

RewriteRule ^/members/(.*)/(.*) /download/download.cfm?area_word=$1&filename=$2 [L]

RewriteRule (.*)\/page\-(.*) $1\&page\=$2

RewriteRule ^/files/area\-(.*) /files/index.htm?area=$1 [L]
RewriteRule ^/pages/area\-(.*) /pages/page.htm?area=$1 [L]
RewriteRule ^/biography/(.*) /biography/bio.htm?$1 [L]

They don't seem to work. Can you modify them for me, or let me know if I'd have to start from the beginning to rewrite this code? I did not originally write it. Our programmer is not with us any longer. I'm a reporter and so programming is not that easy for me, and we cannot hire another programmer so I have to get this done myself.

So, what I'd like to see from you is one of the following:

1) It should work just as it is.
2) It will not work at all. Read the docs and see if you can figure it out.
3) It will not work. Here's a modified version. Try this...

Thanks

 
Reports
Newbie


Joined: 06 January 2006
Location: United States
Posts: 13
Posted: 14 January 2006 at 7:48pm  

What does URI stand for in your ISAPI_Rewrite 2.8 documentation? I thought perhaps URL but this is too important to guess. I want to be sure I'm not missing something. I know what URL means, certainly. But URI is repeated throughout the docs.

The documentation looks as though it was originally written in another language and poorly translated to English. It is extremely difficult to read and understand. This is frustrating.

 
Yaroslav
Admin Group


Joined: 15 August 2002
Posts: 6520
Posted: 15 January 2006 at 2:41am  

So you are talking about ISAPI_Rewrite product, now I understand. Please note you are posting in HotlinkBlocker support forum.

Here is a translation of rules:

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
[ISAPI_Rewrite]

# 3600 = 1 hour
CacheClockRate 3600

RepeatLimit 32

# Block external access to the httpd.ini and httpd.parse.errors files
RewriteRule /httpd(?:\.ini|\.parse\.errors).* / [F,I,O]
# Block external access to the Helper ISAPI Extension
RewriteRule .*\.isrwhlp / [F,I,O]

RewriteRule /members/([^/]*)/(.*) /download/download.cfm\?area_word=$1&filename=$2 [L]

RewriteRule (.*)/page-(.*) $1&page=$2

RewriteRule /files/area-(.*) /files/index.htm\?area=$1 [L]
RewriteRule /pages/area-(.*) /pages/page.htm\?area=$1 [L]
RewriteRule /biography/(.*) /biography/bio.htm\?$1 [L]

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

httpd.ini file is updated automatically in real time.

The ISAPI_Rewrite RewriteRule directive operates on a URL without the protocol and host name parts, i.e. http://www.somsite.com/somedir/somepage.asp?param=val matches in RewriteRule as /somedir/somepage.asp?param=val

__________________
Yaroslav Govorunov,
Helicon Tech
 
ebizduro
Newbie


Joined: 13 January 2006
Location: United States
Posts: 3
Posted: 16 January 2006 at 12:06pm  

Quote: Originally posted by Yaroslav on 14 January 2006
2ebizduro:
I don't understand why you may need it because it will prevent the site pages from accessing images located on the same site but you may try to blacklist the site name.
Also in LINK protection mode HotlinkBlocker will not check the referrer header at all (except for white & black lists).

We cannot use LINK protection.  We only want to blacklist a few sites leeching our images.  The reason why we would want to turn off the validation to where the REFERER contains the HOST is because if another site has a dynamic page where your image url is passed as a url parameter, it will allow the image to be served.  This is because the http referer url will contain the host name. 

 
Yaroslav
Admin Group


Joined: 15 August 2002
Posts: 6520
Posted: 16 January 2006 at 12:19pm  

HotlinkBlocker is not so stupid. It will first normalize the URL and check the referrer origin to see if it is equal to the current host value. So using the host name in the parameters will not work. Maybe I was not quite clear when using the term 'contains'.

__________________
Yaroslav Govorunov,
Helicon Tech
 
ebizduro
Newbie


Joined: 13 January 2006
Location: United States
Posts: 3
Posted: 16 January 2006 at 12:32pm  

For this example, let 'bar.com' be our host and 'foo.com' be a site we want to block.

Here is my configuration file:

#################################################
# HotlinkBlocker Configuration file


Signature=896a58bc-2390-484a-b234-985a98aaf3b5
LinkExpires=1800


[Protect]
REFERER  / 


[ReferersBlackList]
*russianshopper.com*
*internetautoguide.com*
*www.automotive.com*
*foo.com*
*carsearch.com*
[ReferersWhiteList]
*
[UserAgentsBlackList]
[UserAgentsWhiteList]

 

------------------


This configuration works and blocks hotlinking from a referer like:

http://www.foo.com/fe/autos/searchResult.aspx?st=5&so1=0&so2=1&dt=9748454&zip=85231&inv=0&d=-2&pr=0%3a3000&t=5&g=0&id=0

But this configuration does not work and does not block from a referer like:

http://www.foo.com/fe/common/displayPhotoURL.aspx?page=http://photos.bar.com/1312/711637_1.jpg

Any suggestions why?

Thank You! :)

 
Yaroslav
Admin Group


Joined: 15 August 2002
Posts: 6520
Posted: 18 January 2006 at 5:38am  

Please download and install build 43 of HotlinkBlocker, it will act as I have described.

__________________
Yaroslav Govorunov,
Helicon Tech
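
Added example, not part of the original thread and not HotlinkBlocker's code: a Python model of the difference discussed above between testing whether the Referer "contains" the Host value and comparing the parsed Referer host with the Host header. The order of checks (same-site, then black list, then white list), the `allow_empty` switch and all function names are assumptions made for illustration; the lists are constructed from the configuration posted in the thread.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed lists, modelled on the [ReferersBlackList]/[ReferersWhiteList] above.
BLACKLIST = ["*foo.com*", "*carsearch.com*"]
WHITELIST = ["*"]


def matches(patterns, value):
    """Case-insensitive wildcard match (the thread says patterns ignore case)."""
    value = value.lower()
    return any(fnmatchcase(value, p.lower()) for p in patterns)


def referer_host(referer):
    """Host of the Referer origin only: no path, query, userinfo or port."""
    try:
        host = urlsplit(referer.strip()).hostname
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return ""
    return (host or "").rstrip(".").lower()


def naive_same_site(host_header, referer):
    """Flawed check: the Host value appearing anywhere in the Referer."""
    return host_header.lower() in referer.lower()


def origin_same_site(host_header, referer):
    """Compare the normalized Referer host with the Host header (port dropped)."""
    host = host_header.split(":")[0].rstrip(".").lower()
    return host != "" and referer_host(referer) == host


def allow(host_header, referer, same_site=origin_same_site, allow_empty=False):
    """Assumed order: empty referer, same-site, black list, white list."""
    if not referer:
        return allow_empty
    if same_site(host_header, referer):
        return True
    if matches(BLACKLIST, referer):
        return False
    return matches(WHITELIST, referer)
```

With Host `photos.bar.com`, the second referer from ebizduro's post passes the substring check because `photos.bar.com` appears in its query string, while the origin comparison sees `www.foo.com` and lets the black list reject it.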
 
