Problem with Hotlink Protection

Francis Daly francis at
Wed Sep 14 15:52:32 UTC 2011

On Wed, Sep 14, 2011 at 11:19:05AM -0400, dullnicker wrote:

Hi there,

> I am having a problem getting hotlinking protection to work.

> I have the following code in my location block:

> location ~* \.(png|gif|jpg|jpeg)$ {
>     valid_referers server_names;
>     if ($invalid_referer) {
>     return   403;
>   }
> }

That applies to locations that end in one of those four words.


That location ends in ".php", since things after the ? don't count for
location matching. And so the above config doesn't apply, as you saw.

> These do not trigger the hotlink protection. I am totally lost and have
> no idea how I might be able to protect those image links from
> hotlinking.

The two simplest (to me) ways of approaching it would be (a) if /image.php
counts as "an image link", then configure it like one -- wherever in
your configuration you match this location, add the "invalid_referer"
check. (If you have something like "location ~* \.php$", and you don't
want all matching urls to have this configuration, then copy the content
to a new "location = /image.php" and add the extra bit there);

or (b) if image.php is your modifiable script, and it has access to
HTTP_REFERER, code the protection in there yourself.

If neither of those applies, then you can probably try mucking around
with $arg_twg_show; but that feels wrong to me.

All the best,

Francis Daly        francis at

More information about the nginx mailing list