The attack and defense of picture hotlinking

Source: Internet
Author: User


Objective:
While wrapping up my Nginx notes, I came across the hotlink-protection configuration. At the time I felt it was a little new (or I was ignorant), since I had seldom touched the concept or the term. In general, it is a measure to prevent other people's websites from referencing your images and thereby consuming your network bandwidth.
This article explains the principle of hotlink protection, how to configure it in nginx, and some ideas for getting around it. The author is only discussing this informally; treat it as a starting point for discussion.


Background:
Hotlinking is when someone else's website references your site's resource links (images, documents) without your permission. It not only consumes your server's network bandwidth, it also harms your interests and indirectly steals your website's traffic, so the damage is considerable.
WeChat official accounts, Sina Blog and others all have hotlink protection enabled. For example, when another site references their images, what the visitor sees instead of the picture looks like this:

[Image: the placeholder picture served in place of a blocked hotlinked image]


The principle of hotlink protection:

In HTTP, whenever a browser loads a page or resource by any means other than typing the address directly into the address bar (following a link, or a resource referenced by a page), the subsequent request carries a Referer header that names the specific source page the link or reference came from.
Many servers simply look at this Referer field to decide whether the request originates from their own pages or is a suspicious hotlink from someone else's site.
• A simple example:
Suppose site A (domain name: www.a.com) has a page whose content references an image resource hosted on site B (domain name: www.b.com).
When a user visits that page of A (which references B's image), the browser automatically issues a request for the image and adds the header referer: www.a.com/xxx to it. Site B's server receives the image request, inspects the Referer field, finds that the source is www.a.com rather than its own www.b.com, judges the request to be hotlinking, and denies access.
WeChat official accounts appear to block hotlinked images in exactly this way.

Configuring hotlink protection in Nginx:
Nginx uses ngx_http_referer_module to block requests whose origin is an illegitimate domain. The directive has the following form:
    valid_referers none | blocked | server_names | string ...;
    none: the request carries no Referer header at all
    blocked: the Referer header is present, but its value was stripped by a firewall or proxy so that it no longer starts with http:// or https://
    server_names: the server names (domains) of the current server/location configuration
A concrete configuration looks like this:
    location ~* \.(gif|jpg|png|bmp)$ {
        valid_referers none blocked *.your-website.com server_names ~\.google\. ~\.baidu\.;
        if ($invalid_referer) {
            return 403;
            # alternatively, serve a placeholder image instead of a bare 403:
            # rewrite ^/ http://www.your-website.com/xxx/403.jpg;
        }
    }
    location = /xxx/403.jpg {
        # the placeholder itself is served without the Referer check,
        # otherwise the rewrite above would redirect in a loop
    }
    Note: many legitimate requests carry no Referer at all. In the spirit of "rather let a thousand go than wrongly kill one", the restriction is usually relaxed (none and blocked are allowed), which in turn leaves room for forgery.
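To make the matching rules concrete, here is an added Python model of how the valid_referers line above decides $invalid_referer, run over a few constructed Referer values. It is not nginx's own code; it assumes the server_name is www.your-website.com, and its first two samples are exactly the unverifiable cases the note describes.

```python
import re
from urllib.parse import urlsplit

# Model of the valid_referers line in the configuration above (assumed values;
# nginx's real matching lives in ngx_http_referer_module, this only mirrors it).
SERVER_NAMES = {"www.your-website.com"}                  # server_names of the location
WILDCARD_SUFFIXES = (".your-website.com",)               # the *.your-website.com entry
REGEX_ENTRIES = (re.compile(r"\.google\."), re.compile(r"\.baidu\."))  # ~\.google\. ~\.baidu\.
ALLOW_NONE = True     # "none": no Referer header in the request at all
ALLOW_BLOCKED = True  # "blocked": Referer present but lacks http:// or https://

def is_invalid_referer(referer):
    """True when nginx would set $invalid_referer for this Referer header value."""
    if referer is None:
        return not ALLOW_NONE
    if not referer.lower().startswith(("http://", "https://")):
        return not ALLOW_BLOCKED
    host = urlsplit(referer).hostname or ""
    if host in SERVER_NAMES or host.endswith(WILDCARD_SUFFIXES):
        return False
    # Regex entries are matched against everything after the scheme, including
    # path and query string, so an unanchored pattern like \.baidu\. is loose.
    after_scheme = referer.split("://", 1)[1]
    if any(rx.search(after_scheme) for rx in REGEX_ENTRIES):
        return False
    return True

def decide(referer):
    """HTTP status the location block above returns for a given Referer value."""
    return 403 if is_invalid_referer(referer) else 200

# Constructed sample requests; none of these Referer values can be verified server-side.
SAMPLES = [
    (None, "typed into the address bar, no Referer"),
    ("www.your-website.com/page", "Referer stripped by a proxy (blocked)"),
    ("https://img.your-website.com/gallery", "own subdomain via wildcard entry"),
    ("https://www.google.com/search?q=x", "search engine, matched by regex entry"),
    ("https://www.a.com/page.html", "third-party page hotlinking the image"),
    ("https://www.a.com/p?u=.baidu.", "third party slipping past the loose regex"),
]

def evaluate_samples():
    return {ref: decide(ref) for ref, _ in SAMPLES}

if __name__ == "__main__":
    for ref, why in SAMPLES:
        print(f"{decide(ref)}  {why}: {ref!r}")
```

The last sample shows why regex entries should be anchored to the host part rather than written as a bare substring.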
Ideas for getting around hotlink protection:
Once the principle of hotlink protection is understood, the ideas for getting around it become much clearer.
The first idea is to modify the Referer field in the HTTP request. However, the browser is very honest: it will not help us spoof it. So that route is set aside for the moment.
Back to the beginning: since the image cannot be fetched by reference, the only option is to crawl the original image, which truly makes one a thief (no longer hotlinking, but copying the image outright).
Synchronizing image resources
Download the image resources to your own server and then replace the links with your own copies. This is a move of last resort, tantamount to surrender ^_^.
There are two ways to store the image resources: on your own premises, or in a cloud storage service.

Proxy mode
The image request first passes through your own server, which modifies the Referer header and forwards the request to the real server address, then copies the response stream back to the client.

[Image: proxy-mode request flow]

    Because the transfer works on the byte stream, the proxy server has already modified the Referer and thereby fools the upstream server.
The original link is rewritten into a form such as:
    http://www.a.com/zzz?source_url=${source_url}
    In this way the other server's hotlink restriction is bypassed, and the local server does not need to store the resource files.
This is suitable for small resources such as images; it is not recommended for very large resources (over 10 MB).

Summary:
Attack and defense on the Internet are endless; as the saying goes, as virtue rises one foot, vice rises ten. I hope the world becomes a better place.
WeChat official account & game sites:
Personal WeChat official account: Wooden purpose H5 game world


Personal game portfolio site (still under construction ...): www.mmxfgame.com, also reachable directly by IP: http://120.26.221.54/.
