Nginx in practice: hotlinking and anti-hotlinking (Referer checking) explained
1. What is hotlinking
Hotlinking is when a service provider does not serve its own content but, by technical means, embeds another provider's resources directly in its own site, bypassing the other provider's end-user pages and whatever those pages earn (advertising, for example). The end user's browser is deceived, and the page views and click-through go to the hotlinking site. The beneficiary provides few or no resources of its own, while the real provider, who carries the resources and the bandwidth, gets nothing.
2. What is the security chain
Anti-hotlinking is URL-level access control in the web server or web application firewall: every client request is checked, and if a request for an image (or another resource file) turns out to come from a page on a different site, the request is refused. This stops hotlinked requests and saves the bandwidth and server capacity that the misappropriated resources would otherwise consume.
3. Simulating hotlinking
server2 will steal resources from server1.
On server1, edit the configuration file and add a virtual host:
vim /usr/local/nginx/conf/nginx.conf
    server {
        listen 80;
        server_name www.westos.org;
        location / {
            root /web;
            index index.html;
        }
    }
cd /web/          # put an image (c.jpg) in this directory
nginx -t          # syntax check
nginx -s reload   # reload the configuration without stopping the service
test:
Opening www.westos.org/c.jpg in a browser displays the image.
On server2, edit the configuration file, add a virtual host, and write the page that hotlinks the image:
vim /usr/local/nginx/conf/nginx.conf
    server {
        listen 80;
        server_name daolian.westos.org;
        charset utf-8;   # without this, Chinese characters on the page are displayed as garbage
        location / {
            root /web;
            index index.html;
        }
    }
mkdir /web
vim /web/index.html
    <html>
    <body>
    <p>Hotlinked image</p>
    <img src="http://www.westos.org/c.jpg">
    </body>
    </html>
Add name resolution on server2 (an entry mapping www.westos.org to server1's address):
vim /etc/hosts
nginx -t          # syntax check
nginx -s reload   # reload the configuration without stopping the service
Add name resolution on the test machine as well (entries for www.westos.org and daolian.westos.org):
vim /etc/hosts
test:
http://daolian.westos.org/  hotlinking succeeds: the image is not in server2's directory at all; it is hotlinked from the www.westos.org site.
4. Anti-hotlinking
On server1, edit the configuration file and write the anti-hotlinking rule inside the www.westos.org server block:
vim /usr/local/nginx/conf/nginx.conf
    location ~* \.(gif|jpg|png|jpeg)$ {
        root /web;
        valid_referers none blocked www.westos.org;
        if ($invalid_referer) {
            return 403;
        }
    }
nginx -t          # syntax check
nginx -s reload   # reload the configuration without stopping the service
test:
http://daolian.westos.org/  hotlinking fails: where the hotlinked image should be, only a small grey broken-image icon is shown.
Instead of a bare 403 we can redirect: the hotlinking site then does not get an error but an image of our choosing, so visitors see content we control.
Edit the configuration file (the location block replaces the one above inside the www.westos.org server block; the bbs.westos.org server block is new):
vim /usr/local/nginx/conf/nginx.conf
    location ~* \.(gif|jpg|png|jpeg)$ {
        root /web;
        valid_referers none blocked www.westos.org;
        if ($invalid_referer) {
            rewrite ^/(.*)$ http://bbs.westos.org/daolian.jpg;   # redirect the original request to http://bbs.westos.org/daolian.jpg
        }
    }
}
server {
    listen 80;
    server_name bbs.westos.org;
    location / {
        root /bbs;
        index index.html;
    }
}
Put an image named daolian.jpg under /bbs.
nginx -t          # syntax check
nginx -s reload   # reload the configuration without stopping the service
test:
http://daolian.westos.org/  hotlinking fails: the image displayed is daolian.jpg.
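The two rules in section 4 (return 403, or rewrite to a placeholder image) both hinge on how nginx evaluates `valid_referers none blocked www.westos.org;` and sets `$invalid_referer`. The following is an added example, not code from the original post or from nginx: a small Python model of that decision, so the behaviour can be checked offline without two servers. It follows the documented meaning of the list items (`none`: no Referer header; `blocked`: a Referer present but with its `http://` or `https://` scheme stripped by a proxy or firewall; a hostname, optionally with a leading or trailing `*`, matched against the host part of the Referer with the port ignored). The function names `referer_is_valid` and `decide`, the `mode` parameter, and the sample Referer values are assumptions made for the example; URI-prefix and regular-expression forms of `valid_referers` are not modelled. Because the Referer header is set by the client, the check curbs casual embedding and the bandwidth it costs; a client that omits the header passes via `none`, so this is not access control for the image itself.

```python
# Added example, not from the original post or from nginx: a model of the
# valid_referers / $invalid_referer decision used by the two rules above.
from urllib.parse import urlsplit

PLACEHOLDER = "http://bbs.westos.org/daolian.jpg"   # target of the rewrite rule on the page


def referer_is_valid(referer, valid):
    """Return True if the Referer header value `referer` (None when the header
    is absent) is accepted by the `valid_referers` list `valid`.

    'none'    -> a missing Referer is accepted
    'blocked' -> a Referer without http:// or https:// (masked by a proxy) is accepted
    hostname  -> compared with the host part of the Referer URL; port ignored;
                 a '*' at the start or end of the pattern is a wildcard
    """
    if referer is None:
        return "none" in valid
    lowered = referer.lower()
    if not lowered.startswith(("http://", "https://")):
        return "blocked" in valid
    host = urlsplit(lowered).hostname or ""   # hostname drops the port for us
    for pattern in valid:
        if pattern in ("none", "blocked"):
            continue
        pattern = pattern.lower()
        if pattern.startswith("*") and host.endswith(pattern[1:]):
            return True
        if pattern.endswith("*") and host.startswith(pattern[:-1]):
            return True
        if host == pattern:
            return True
    return False


def decide(referer, valid, mode="deny"):
    """Map the check onto the two reactions shown on the page:
    mode='deny'     -> (403, None) for an invalid referer (return 403;)
    mode='redirect' -> (302, PLACEHOLDER) for an invalid referer (rewrite ...;)
    A valid referer is served normally: (200, None)."""
    if referer_is_valid(referer, valid):
        return 200, None
    if mode == "redirect":
        return 302, PLACEHOLDER
    return 403, None


if __name__ == "__main__":
    rule = ["none", "blocked", "www.westos.org"]   # the page's valid_referers line
    # Constructed sample Referer values for the three situations in the post.
    for ref in (None, "http://www.westos.org/index.html", "http://daolian.westos.org/"):
        print(repr(ref), "->", decide(ref, rule), "/", decide(ref, rule, mode="redirect"))
```

Run the module directly to print the decision for a direct visit, a page on www.westos.org, and the hotlinking page on daolian.westos.org, in both the 403 and the redirect variants.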