Hotlink protection issue on image

For Workers & Pages, what is the name of the domain?

staticimg.ttef.in

What is the issue or error you’re encountering

hotlink protection issue on image

What steps have you taken to resolve the issue?

I have the below URL, which we are using for image optimization/transformation purposes, but it is showing as forbidden when we call this URL, while the base URL opens properly. I have checked the Cloudflare config, and hotlink is not enabled. Please help with the same.

https://staticimg.ttef.in/cdn-cgi/image/width=328,quality=70,format=auto/https://assets.telegraphindia.com/abp/2024/Aug/1724305614_abhishek-bannerjee.jpg

Base URL - https://assets.telegraphindia.com/abp/2024/Aug/1724305614_abhishek-bannerjee.jpg

I found what the issue is: I need to check Resize from any origin under the image optimization option. But now kindly suggest how I can allowlist only the particular domain, which is assets.telegraphindia.com.

If you have a Business or Enterprise plan, you can set up a rule under Security > WAF > Custom Rules to filter requests to your transformation zone.

Create a rule that blocks all incoming requests that match:

(http.request.uri.path matches "^/cdn-cgi/image/[^/]*/http(s)?:") and (not http.request.uri.path matches "^/cdn-cgi/image/[^/]*/https://assets.telegraphindia.com/")

This allows you to transform only source images from your specified zone (assets.telegraphindia.com).

This means, for example:

  • staticimg.ttef.in/cdn-cgi/image/format=auto/https://example.com/image.jpg is blocked
  • staticimg.ttef.in/cdn-cgi/image/format=auto/https://assets.telegraphindia.com/image.jpg is allowed

@deanna I have a Pro plan. Can I implement the same on the Pro plan also? If not, is there any alternate solution for this?

@deanna Just need to verify the below expression

(http.request.uri.path eq "^/cdn-cgi/image/[^/]*/http(s)?:" and http.request.uri.path ne "^/cdn-cgi/image/[^/]*https://assets.telegraphindia.com")

Then take action > Block

OR

(http.request.uri.path matches r"^/cdn-cgi/image/[^/]*/http(s)?:" and not http.request.uri.path matches r"^/cdn-cgi/image/[^/]*https://assets.telegraphindia.com")

Then take action > Block

And after this, should I uncheck Resize from any origin?

Currently, the matches operator is available only for Business or higher plans, but we’re scoping out a solution to let any customer on any plan specify an allowlist for transformations.

The rule that I shared has three parts:

Take Action: Block

  • Any request that matches the conditions will be blocked.

http.request.uri matches "^/cdn-cgi/image/[^/]*/http(s)?://"

  • Here, we’re checking the request to make sure that some part of the path starts with cdn-cgi/image/, then has some segment (like format=auto,quality=70), then includes https://.
  • If your path doesn’t meet this condition, then the rule doesn’t apply. For example, https://staticimg.ttef.in/blog/ doesn’t meet the above condition, so it won’t be blocked by this rule.

We don’t want to block all requests with /cdn-cgi/image/ since we want to allow requests using assets.telegraphindia.com as the origin of the source image. This is where we set up the last part of the rule:

and (not (http.request.uri matches "^/cdn-cgi/image/[^/]*/https://assets.telegraphindia.com/"))

  • Here, we’re checking whether the request includes the path /cdn-cgi/image/<some-segment>/https://assets.telegraphindia.com/.
  • Our rule is blocking requests that don’t match. However, if the request does include this path, then it won’t be blocked by this rule.

Keep the Resize from any origin setting checked (enabled).

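The two-part block rule explained above, emulated as an added example (not code from the thread or from Cloudflare) so an allowlist pattern can be checked against sample paths before it is deployed. Assumptions: Python's `re` stands in for the rule engine's regex matching, the paths are constructed samples evaluated as written (no URL normalization is modelled), and `ALLOW_LOOSE` is a hypothetical variant included to show how an unescaped dot or a missing trailing slash changes which hosts pass.

```python
import re

# Part 1 of the rule: the request is a transformation of a remote source image.
TRANSFORM = re.compile(r"^/cdn-cgi/image/[^/]*/http(s)?://")

# Part 2 as described in the thread: the source image comes from the allowed origin.
# Dots are escaped and the host is closed with "/" so only this exact host matches.
ALLOW_STRICT = re.compile(r"^/cdn-cgi/image/[^/]*/https://assets\.telegraphindia\.com/")

# Hypothetical looser variant for comparison: unescaped dots, no trailing slash.
ALLOW_LOOSE = re.compile(r"^/cdn-cgi/image/[^/]*/https://assets.telegraphindia.com")


def is_blocked(path, allow=ALLOW_STRICT):
    """Block when the path is a remote transformation and is not from the allowed origin."""
    return bool(TRANSFORM.search(path)) and not allow.search(path)


# Constructed sample paths; the lookalike hosts are made up for this test.
SAMPLES = {
    "allowed origin": "/cdn-cgi/image/format=auto/https://assets.telegraphindia.com/image.jpg",
    "other origin": "/cdn-cgi/image/format=auto/https://example.com/image.jpg",
    "not a transformation": "/blog/",
    "suffix lookalike": "/cdn-cgi/image/format=auto/https://assets.telegraphindia.com.example.net/x.jpg",
    "dot lookalike": "/cdn-cgi/image/format=auto/https://assets.telegraphindiaxcom/x.jpg",
    "http scheme": "/cdn-cgi/image/format=auto/http://assets.telegraphindia.com/image.jpg",
}


def evaluate(allow):
    """Return {sample name: blocked?} for one allowlist pattern."""
    return {name: is_blocked(path, allow) for name, path in SAMPLES.items()}


if __name__ == "__main__":
    for label, allow in (("strict", ALLOW_STRICT), ("loose", ALLOW_LOOSE)):
        print(label)
        for name, blocked in evaluate(allow).items():
            print(f"  {'BLOCK' if blocked else 'pass':5}  {name}")
```

With the strict pattern only the exact `https://assets.telegraphindia.com/` origin passes; the loose variant also lets both lookalike hosts through.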