Use Referer to prevent pictures hotlinking _php Tutorials

Source: Internet
Author: User

When a browser sends a request to a web server it usually includes a Referer header, telling the server which page the link came from, and the server can use that information in its processing. But the Referer can be forged, as the example below will make clear.

What is HTTP Referer

In short, the HTTP Referer is part of the request header: when a browser sends a request to a web server, it usually includes a Referer telling the server which page the link came from, and the server can use that information in its processing. For example, if you follow a link from my home page to a friend's site, his server can count, from the HTTP Referer, how many users reached his website by clicking the link on my page.

Referer should actually be the English word referrer, but the misspelling was so common that the people who wrote the standard adopted the wrong spelling as well.

My question

I have just switched my feed reader to Gregarius, but unlike Liferea, which I used before, it cannot display the pictures when I visit Sina Blog; instead I get "This image is limited to communication among Sina Blog users". I know this is caused by the HTTP Referer.

Because of the peculiarities of my Internet client configuration, I first suspected squid was the problem, but experiments ruled that out. At the same time I found a privacy leak involving squid together with Tor and Privoxy, which I will look into later.

Can Gregarius deal with this problem?

No, because Gregarius is only responsible for outputting the HTML; the image itself is requested from the server by the client browser.

However, installing a Firefox extension may solve the problem. The one recommended in the article, "Send Referrer", I could not find, but I found another that works: "RefControl", which lets you control which Referer is used depending on the site being accessed.

But I do not like using a Firefox extension to solve the problem, because I think it is too inefficient, so I looked for a better way with Privoxy.

Privoxy's awesome.

Add two lines to Privoxy's default.action:

{+hide-referrer{forge}}
.album.sina.com.cn

With that, the Sina blog images show up in Gregarius. +hide-referrer is a Privoxy action that sets how the HTTP Referer is handled for the matching sites: forge, used here, sends the address being accessed as the Referer; block removes the Referer altogether; or you can write the exact Referer URL you want to use in its place.

Using Privoxy is simpler than a Firefox extension; it is a quick change.

From HTTPS to HTTP

I also found that when a non-encrypted HTTP page is reached from a link on an HTTPS page, the HTTP page sees no Referer at all. For example, when I clicked the W3C XHTML validation icon on my HTTPS page (http://validator.w3.org/check?uri=referer), the validation could never complete and I was told:

No Referer Header found!

Originally, the RFC for the HTTP protocol defines this (RFC 2616, section 15.1.3, "Encoding Sensitive Information in URI's"):

Clients SHOULD NOT include a Referer header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol.

This is for security reasons: when accessing a non-encrypted page from an encrypted one, the client does not send the Referer. IE has always implemented this, and Firefox is no exception. It does not affect access from encrypted pages to other encrypted pages.

Settings for Referer in Firefox

In Firefox's about:config there are two relevant keys:

network.http.sendRefererHeader (default=2) sets when the Referer is sent: 0 never sends it, 1 sends it only when a link is clicked (not for images embedded in the page), 2 always sends it. See Privacy Tip #3: Block Referer Headers in Firefox.

network.http.sendSecureXSiteReferrer (default=true) sets whether the Referer is sent when accessing another encrypted page from an encrypted page: true sends it, false does not.

Use Referer to prevent picture hotlinking

Although Referer is not reliable, it is enough to prevent pictures from being hotlinked; after all, not everyone modifies their client configuration. It is usually implemented in the Apache configuration file: first mark the requests whose Referer is allowed (note that the environment variable name is case-sensitive, so it must be spelled the same way in every directive):

# Only allow access from don.com, i.e. the picture may be placed on pages of the don.com website
SetEnvIfNoCase Referer "^http://www.don.com/" local_ref

# Direct access by typing the address (empty Referer)
SetEnvIf Referer "^$" local_ref

Then allow only the marked requests:

The code is as follows:

<FilesMatch "\.(gif|jpg)$">
    Order Allow,Deny
    Allow from env=local_ref
</FilesMatch>

Or

The code is as follows:

<Directory /web/images>
    Order Deny,Allow
    Deny from all
    Allow from env=local_ref
</Directory>
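As an added example, not code from the original tutorial, the decision that the Apache rules above express, written out in Python so it can be traced over a handful of constructed requests. The host www.don.com is taken from the configuration above; the function names and the sample headers are assumptions. It makes two properties visible that a practitioner should keep in mind: an empty Referer has to be allowed, or legitimate visitors arriving from HTTPS pages or with the Referer switched off are blocked, and any client that simply sends the expected header passes, which is why the check is fit for hotlink protection and nothing more.

```python
import re

# Added example, not code from the original tutorial: the Apache rules
#   SetEnvIfNoCase Referer "^http://www.don.com/" local_ref
#   SetEnvIf       Referer "^$"                   local_ref
#   <FilesMatch "\.(gif|jpg)$"> Order Allow,Deny / Allow from env=local_ref
# expressed as plain functions. The host www.don.com comes from the
# configuration above; the sample requests below are constructed.
ALLOWED_REFERER = re.compile(r"^http://www\.don\.com/", re.IGNORECASE)  # NoCase variant
IMAGE_PATH = re.compile(r"\.(gif|jpg)$")


def is_local_ref(referer):
    """Equivalent of the env=local_ref mark.

    A missing or empty Referer is deliberately accepted: browsers omit it for
    typed-in addresses, for HTTPS -> HTTP navigation (RFC 2616 15.1.3) and
    when the user has turned it off, so rejecting it would block real visitors.
    Note the pattern only matches http://; a page served over https:// would
    send "https://www.don.com/..." and be treated as foreign.
    """
    if not referer:
        return True
    return ALLOWED_REFERER.match(referer) is not None


def decide(path, headers):
    """'allow' or 'deny' for one request, as <FilesMatch> with Order Allow,Deny would."""
    if IMAGE_PATH.search(path) is None:
        return "allow"  # the rule only covers .gif and .jpg files
    return "allow" if is_local_ref(headers.get("Referer")) else "deny"


# Constructed sample requests, not real traffic.
SAMPLE_REQUESTS = [
    ("/images/logo.gif", {"Referer": "http://www.don.com/index.html"}),       # own page
    ("/images/logo.gif", {"Referer": "HTTP://WWW.DON.COM/news/"}),            # same host, different case
    ("/images/logo.gif", {}),                                                 # typed in, or came from HTTPS
    ("/images/logo.gif", {"Referer": "http://www.other.example/page.html"}),  # hotlinked
    ("/images/logo.gif", {"Referer": "http://www.don.com.example/"}),         # lookalike host, no slash after .com
    ("/index.html", {"Referer": "http://www.other.example/"}),                # not an image, rule not applied
    ("/images/logo.gif", {"Referer": "http://www.don.com/"}),                 # any client can send this header
]


def run():
    """Decision for each sample request, in order."""
    return [decide(path, headers) for path, headers in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (path, headers), verdict in zip(SAMPLE_REQUESTS, run()):
        print(f"{verdict:5} {path} Referer={headers.get('Referer', '<none>')}")
```

The last sample request is the whole story of this article in one line: the header is supplied by the client, so the server can only tell "did not bother to set a Referer" apart from "set one", never "is really my page" from "claims to be my page".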

Where not to use Referer

Do not use Referer for authentication or other important checks, because the Referer is very easy to change on the client, whether through the Firefox extensions described above, through Privoxy, or even from a libcurl call, so Referer data is very unreliable.

If you want to require that users pass through a portal page first, use the session instead of the Referer: write a value into the session on the portal page and check it on the other pages; if the user has not visited the portal page, the corresponding session value does not exist (see the discussion here). However, as noted above, do not put too much faith in this kind of "verification" either.

My personal feeling is that, apart from anti-hotlinking, the main use of the Referer now is access statistics, such as counting which sites users followed links from.
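The session-based check just described, as an added Python example that is not from the original article. The session store, the portal and protected-page handlers and the time limit are assumptions made for the illustration (the article mentions no expiry). The Referer header does not enter the decision at all; as the text says, though, a client that deliberately loads the portal page first still passes, so this is a navigation gate, not authentication.

```python
import secrets

# Added example, not code from the original article: gate pages behind a
# portal page using server-side session state instead of the Referer header.
# SessionStore, the handlers and PORTAL_TTL are assumptions for illustration.

PORTAL_TTL = 600  # seconds a portal visit remains valid (constructed value)


class SessionStore:
    """Minimal server-side session table keyed by an unguessable id."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_urlsafe(32)   # 256 random bits, not derivable by a client
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


def portal_page(store, sid, now):
    """Entry page: records in the session that the visitor was here."""
    session = store.get(sid)
    if session is None:
        return False
    session["visited_portal_at"] = now
    return True


def protected_page(store, sid, now, ttl=PORTAL_TTL):
    """A page that should only be reached after the portal; never looks at Referer."""
    session = store.get(sid)
    if session is None:
        return "deny"                       # unknown or made-up session id
    visited = session.get("visited_portal_at")
    if visited is None or now - visited > ttl:
        return "deny"                       # portal skipped, or visit too old
    return "allow"


def scenario():
    """Walk through the cases the text describes; returns the verdict for each."""
    store = SessionStore()
    now = 1_700_000_000                     # fixed clock so the run is deterministic
    results = {}

    # Visitor who went through the portal, then opened a protected page.
    sid = store.create()
    portal_page(store, sid, now)
    results["via_portal"] = protected_page(store, sid, now + 5)

    # Visitor with a valid session who skipped the portal (deep link, or a
    # Referer pointing at the portal: the header is simply irrelevant here).
    sid2 = store.create()
    results["skipped_portal"] = protected_page(store, sid2, now + 5)

    # Request carrying a session id the server never issued.
    results["unknown_sid"] = protected_page(store, "made-up-session-id", now)

    # Portal visit older than the time limit.
    results["stale"] = protected_page(store, sid, now + PORTAL_TTL + 1)
    return results


if __name__ == "__main__":
    for case, verdict in scenario().items():
        print(f"{case:15} {verdict}")
```

The state that matters lives on the server, bound to a session id the client cannot compute; that is the difference from the Referer, which is state the client asserts about itself.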


The HTTP Referer variable has become more and more unreliable; it is something that can be completely forged.

The following are the forgery methods:

PHP (provided that curl is installed):

The code is as follows:

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://www.d.cn/xxx.asp");
curl_setopt($ch, CURLOPT_REFERER, "http://www.d.cn/");   // any value the caller likes
curl_exec($ch);
curl_close($ch);

PHP (without curl, using a socket):

The code is as follows:

$server  = 'www.dc9.cn';
$host    = 'www.dc9.cn';
$target  = '/xxx.asp';
$referer = 'http://www.d.cn/';   // forged Referer
$port    = 80;                   // plain HTTP
$fp = fsockopen($server, $port, $errno, $errstr, 30);
if (!$fp) {
    echo "$errstr ($errno)<br />\n";
} else {
    // Build the raw request; the Referer is just one more line the client writes itself
    $out  = "GET $target HTTP/1.1\r\n";
    $out .= "Host: $host\r\n";
    $out .= "Cookie: aspsessionidsqtbqsda=dfcapklbbficdafmhnkigkegrn\r\n";
    $out .= "Referer: $referer\r\n";
    $out .= "Connection: close\r\n\r\n";
    fwrite($fp, $out);
    while (!feof($fp)) {
        echo fgets($fp, 128);
    }
    fclose($fp);
}

JavaScript:

The code is as follows:

xmlhttp.setRequestHeader("Referer", "http://URL");   // hehe ~ fake ~

JS does not support this ^_^ (browsers refuse to let scripts set the Referer header)

The principle is that the socket code constructs the HTTP header itself and sends the data. Other languages such as Perl can do the same.

At present, the relatively simple way to defend against a forged Referer is to use a verification code (CAPTCHA) together with the session.

There are now some commercial anti-hotlinking products, such as UUDog, LinkGate and VirtualWall, developed as DLLs that run on IIS.

Some use cookie authentication or thread control; some randomly generate filenames and then do URL rewriting. Some of these methods do achieve good results.

But however clever, these tricks eventually have a way to be cracked.

Generally that is how it goes, although forging from a server-side script is not a good implementation: it can only produce a small amount of traffic. Forgery carried out from visitors' own web page requests would be true forgery, with a natural IP distribution.
