Teaching you how to stop others from stealing your pictures: nginx anti-hotlinking

Suppose there are two sites, A and B. If pages on site B embed pictures hosted on site A, that behavior is called hotlinking. Anti-hotlinking means stopping B from referencing A's pictures.

1. How do we tell a normal user from a hotlinker?

The HTTP Referer header is part of the request headers. When a browser sends a request to a web server, it usually carries a Referer that tells the server which page the link came from. The server can use this information when handling the request, for example to refuse hotlinking of images, files and so on by sites that have no permission. However, the HTTP Referer header can be forged by a program, so anti-hotlinking based on the Referer is not 100% reliable; still, it can block hotlinking in most cases.

2. Anti-hotlinking configuration

Note the following:

1. If you compiled and installed nginx yourself, you need to uncomment the log format in the configuration file:
[root@localhost ~]# vim /etc/nginx/nginx.conf     # configuration file
# add "$http_referer" to the log format
log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                         '$status $body_bytes_sent "$http_referer" '
                         '"$http_user_agent" "$http_x_forwarded_for"';
# remove the comment markers above; a compiled installation has these lines commented out by default
2. If you installed nginx with yum, these log format lines are not commented out by default, so nothing needs to be done.
3. Prepare two virtual machines with nginx installed:
Picture web server (hosts the uploaded picture): 192.168.13.133
Hotlinking machine (used for the hotlinking test): 192.168.13.129
3. Picture web server configuration (192.168.13.133)

[screenshot: the test picture]
We use this picture as the example.

[root@localhost ~]# mv test.jpg /usr/share/nginx/html/
# upload the picture, rename it test.jpg and move it into /usr/share/nginx/html/; a yum installation has this directory by default (a compiled nginx may not; create it yourself if it is missing)
[root@localhost ~]# chmod 644 /usr/share/nginx/html/test.jpg
# on some virtual machines the uploaded picture may lack read permission, so grant it; otherwise the hotlinking machine gets a 403 status code when it requests the picture
Start configuring (this is a yum-installed nginx):
[root@localhost ~]# cp /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.bak   # back up the configuration file just in case
[root@localhost ~]# vim /etc/nginx/conf.d/default.conf
Clear the file and add the following:
server {
    listen       80;
    server_name  localhost;
    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }
}
[root@localhost ~]# nginx -t   # check whether the configuration has errors
[root@localhost ~]# nginx -s reload   # reload the configuration file

Then open a browser and enter: http://192.168.13.133/test.jpg
[screenshot: test.jpg served by 192.168.13.133]
The picture was uploaded successfully.

4. Hotlinking machine configuration (192.168.13.129)
[root@localhost ~]# cp /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.bak   # back up the configuration file just in case
[root@localhost ~]# vim /etc/nginx/conf.d/default.conf
Likewise, clear the file and add the following:
server {
    listen       80;
    server_name  localhost;
    location / {
        root   /usr/share/nginx/html;
        index  index.html;
    }
}
[root@localhost ~]# cd /usr/share/nginx/html/
[root@localhost ~]# cp index.html index.html.bak     # back up
[root@localhost ~]# vim index.html
Clear the file and add the following:
<html>
<head>
    <meta charset="utf-8">
    <title>test.com</title>
</head>
<body style="background-color:red;">
    <img src="http://192.168.13.133/test.jpg"/>
</body>
</html>
# the only thing to change here is the IP address, which must be your own picture server's address; the rest is just page markup
[root@localhost ~]# nginx -t   # check whether the configuration has errors
[root@localhost ~]# nginx -s reload   # reload the configuration file

Open a browser and enter the hotlinking machine's IP address: 192.168.13.129
[screenshot: the hotlinking machine's page showing the picture from 192.168.13.133]
You will find that the hotlinking machine can steal your picture.
How do we prevent it?

Anti-hotlinking configuration (192.168.13.133)
[root@localhost ~]# vim /etc/nginx/conf.d/default.conf
Clear the file and add the following:
server {
    listen       80;
    server_name  localhost;
    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;

        valid_referers none blocked www.jd.com;  # referers allowed to access the resources
        if ($invalid_referer) {
            return 403;
        }
    }
}
  • none: allows requests that carry no Referer header to access the resource
  • blocked: allows requests whose Referer is present but does not start with a protocol such as http://, that is, a Referer stripped by a firewall or proxy
[root@localhost ~]# nginx -t   # check whether the configuration has errors
[root@localhost ~]# nginx -s reload   # reload the configuration file

Then open a browser and enter the hotlinking machine's IP address again: 192.168.13.129
[screenshot: the hotlinking machine's page with the picture missing]
You will find that the hotlinking machine no longer sees the picture.
Now look at the picture server's access log:

[root@localhost ~]# tail -f /var/log/nginx/access.log 

[screenshot: access.log output]
You will find that the hotlinking machine's IP address is shown in the log, along with the 403 responses.
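The Referer rule configured above and the access-log check just shown, as an added Python example (not code from the original post): it re-implements the matching semantics of `valid_referers none blocked www.jd.com` and runs them over constructed log lines in the `main` log format from the top of the page, so you can audit an existing log for requests the rule would reject. The sample log lines and the `*.jd.com` wildcard entry are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit

# Mirrors the page's directive:  valid_referers none blocked www.jd.com;
#   none    -> the request carries no Referer header at all
#   blocked -> a Referer is present but does not start with http:// or https://
#   anything else is a hostname; a leading "*." also matches subdomains
# Simplified: nginx also accepts host/path prefixes and server_names (not handled here).
VALID_REFERERS = ("none", "blocked", "www.jd.com")

def is_invalid_referer(referer, valid=VALID_REFERERS):
    """True when nginx would set $invalid_referer (the page's config then returns 403)."""
    if not referer:
        return "none" not in valid
    if not re.match(r"^https?://", referer, re.IGNORECASE):
        return "blocked" not in valid
    host = (urlsplit(referer).hostname or "").lower()
    for entry in valid:
        if entry in ("none", "blocked"):
            continue
        if entry.startswith("*.") and host.endswith(entry[1:]):
            return False
        if host == entry.lower():
            return False
    return True

# Parser for the log_format "main" shown at the top of the page.
LOG_RE = re.compile(r'^(?P<addr>\S+) - \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
                    r'(?P<status>\d{3}) \d+ "(?P<referer>[^"]*)" "[^"]*" "[^"]*"$')

# Constructed sample lines (not real log data); 192.168.13.129 is the page's hotlinking host.
SAMPLE_LOG = [
    '192.168.13.129 - - [10/Mar/2020:10:00:01 +0800] "GET /test.jpg HTTP/1.1" 200 5120 '
    '"http://192.168.13.129/" "Mozilla/5.0" "-"',
    '192.168.13.1 - - [10/Mar/2020:10:00:02 +0800] "GET /test.jpg HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0" "-"',
    '192.168.13.1 - - [10/Mar/2020:10:00:03 +0800] "GET /test.jpg HTTP/1.1" 200 5120 '
    '"https://www.jd.com/item/1.html" "Mozilla/5.0" "-"',
]

def find_hotlinks(lines, valid=VALID_REFERERS):
    """Return (client_ip, referer, request) for requests the Referer policy would reject."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line is in a different log format; skip it
        referer = None if m.group("referer") == "-" else m.group("referer")  # "-" = header absent
        if is_invalid_referer(referer, valid):
            hits.append((m.group("addr"), referer, m.group("request")))
    return hits
```

Running `find_hotlinks` over a real access.log lets you see which clients would be cut off before you deploy the rule; remember that a forged Referer passes this check just as it passes nginx's.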

Origin blog.csdn.net/baidu_38803985/article/details/104802695