Asp. Net Core uses middleware to prevent image leeching instances,
I. Principles
To implement anti-Leech, we must first understand the implementation principle of leeching. When talking about the implementation principle of anti-Leech, we have to start with the HTTP protocol. In the HTTP protocol, there is a header field called referer, the URL format is used to indicate the link from where to the current webpage or file. In other words, through referer, the website can detect the source webpage accessed by the target webpage. If it is a resource file, it can track its webpage address. With the referer tracking source, you can use technical means to handle the problem. Once the source is detected, it will block or return to the specified page. If you want to protect your website against anti-leech protection, you need to treat the situation differently.
If the website server uses apache, using the Url Rewrite function provided by apache can easily prevent various leeching. The principle is to check refer, if the refer information comes from another website, it is redirected to the specified image or webpage.
If the server uses IIS, you need to use a third-party plug-in to implement the anti-leech function. Now, a commonly used product called ISAPI_Rewrite can implement anti-leech functions similar to apache. In addition, for the Forum, you can also use the "login verification" Method for anti-leech protection.
Ii. implement anti-leech Protection
Now let's implement anti-leech Technology in ASP. NET Core to protect our applications and site files. This requires listening and processing of all incoming requests through the middleware technology in ASP. NET Core, and checking whether these requests come from our applications.
Let's create the anti-leech middleware program:
public class HotlinkingPreventionMiddleware{ private readonly string _wwwrootFolder; private readonly RequestDelegate _next; public HotlinkingPreventionMiddleware(RequestDelegate next, IHostingEnvironment env) { _wwwrootFolder = envWebRootPath; _next = next; } public async Task Invoke(HttpContext context) { var applicationUrl = $"{contextRequestScheme}://{contextRequestHostValue}"; var headersDictionary = contextRequestHeaders; var urlReferrer = headersDictionary[HeaderNamesReferer]ToString(); if(!stringIsNullOrEmpty(urlReferrer) && !urlReferrerStartsWith(applicationUrl)) { var unauthorizedImagePath = PathCombine(_wwwrootFolder,"Images/Unauthorizedpng"); await contextResponseSendFileAsync(unauthorizedImagePath); } await _next(context); }}
In this middleware, we can see that the Request object in ASP. NET Core does not encapsulate the Referrer. To obtain the Referrer, We need to access it through the HTTP header information (Headers.
Generally, an IApplicationBuilder extension is required:
public static class BuilderExtensions{ public static IApplicationBuilder UseHotlinkingPreventionMiddleware(this IApplicationBuilder app) { return appUseMiddleware(); }}
Finally, you only need to call the extension function above in the Configure function.
app.UseHotlinkingPreventionMiddleware();
3. Is it true?
How to break through anti-leech protection? For the refer check method, you can go to another page of the target address in the page middleware and go to the target page. In this way, the refer of the page is the refer of the target site, that is, to achieve breakthroughs. There are many tools available in this regard, especially mature web project test packages, such as HtmlUnit, which allow you to set refer directly in the request.
If the website is an https protocol and the image link is http, requests sent from https to http will be sent without referer due to security regulations, so as to bypass anti-leech protection.
Finally, I can only say that this method can only be used to defend against all attacks to a certain extent. We recommend that you use mature server applications, such as Nginx.
The above is all the content of this article. I hope it will be helpful for your learning and support for helping customers.