More on image link blocking
By jmccabe on Jul 20, 2007
A long while ago I wrote about blocking external linking to images on Web Server 6.1. That solution has been working really well for me for a long while, but I've found it to be lacking for my Gallery2 install.
Under Gallery2 the URIs for images aren't exactly "clean." They look something like this:
This obviously won't get caught by my previous Client tag, so I've now got an excuse to recreate that bad boy using the <If ...> syntax in Web Server 7.0.
My first step was to force Gallery2 to use URL Rewriting to create prettier URI space:
I still want to block image linking to the rest of the VS, so I won't be using the Gallery2 rule to block linking. Instead I'll run with a more general rule, and I'm inserting it above the rules for Gallery2 (making this the first thing evaluated once a request comes in):
<If defined $referer and $referer !~ "($VSids)" and $uri !~ '\^/export_images/' and $uri =~ '(?i)(gif|jpg|jpeg|png)'> AuthTrans fn="set-variable" error="302" set-srvhdrs="Location: http://www.foobar.com/export_images/direct.png" </If>
So the logic follows this flow:
- If the $referer variable is defined
- AND it does not contain a match for the VSids variable (I defined this in the server element of server.xml. It contains a list of VS IDs seperated by bars: foo.com|bar.com )
- AND the URI is not in my "it's OK to serve these images remotely" directory
- AND the URI (case insensitive) does not contain a GIF, JPG, JPEG, or PNG (I should probably make this sticky to the end of the URI with a $ at the end)
- Then redirect the user-agent to my "You're a bad person" image that will be displayed in place of the linked image.
An addition in there would be to include a white-list of external domains (basically what I do with $VSids) that ARE allowed to direct link.
and $referer !~ "($PartnerDomains)"
Obviously this mechanism isn't real hard for a determined user to work around. All they have to do is not send a Referer header. Most people don't know this though, and have no idea how to do it.