Hotlink protection before proxy when using proxy_pass?

randallk867 at 123mail.org
Fri May 25 16:06:32 UTC 2012


Hi,

I have nginx 1.3.0 configured for a server that forwards to a proxy

	server {
		server_name dev.local.lan;
		listen      192.168.1.100:80;
		root                      /var/empty;
		access_log                /var/log/nginx/access.log
		main;
		rewrite_log               on;
		ssl                       off;
		location / {
			proxy_pass             http://PROXY;
			proxy_redirect         off;
			proxy_set_header       Host $host;
			proxy_set_header       X-Real-IP $remote_addr;
			proxy_connect_timeout  600s;
			proxy_read_timeout     600s;
		}
	}

It works like it should.

192.168.1.100 is the IP of my workstation; the server is on this same
workstation while I develop.

I want to add hotlink protection at the nginx so attempted hotlinks from
unauthorized hosts never get passed to the proxy, but all OK image
requests do as usual.

Using

	http://nginxlibrary.com/hotlink-protection/

I modify the server config

	server {
		server_name dev.local.lan;
		listen      192.168.1.100:80;
		root                      /var/empty;
		access_log                /var/log/nginx/access.log
		main;
		rewrite_log               on;
		ssl                       off;

+               location ~* \.(png|gif|jpg|jpeg|swf|ico)(\?[0-9]+)?$ {
+                       valid_referers none blocked dev.local.lan
*.dev.local.lan;
+                       if ($invalid_referer) {
+                               return   403;
+                       }
+               }

		location / {
			proxy_pass            http://PROXY;
			proxy_redirect         off;
			proxy_set_header       Host $host;
			proxy_set_header       X-Real-IP $remote_addr;
			proxy_set_header       X-Forwarded-For
			$proxy_add_x_forwarded_for;
			proxy_set_header       X-Client-Verify SUCCESS;
			proxy_connect_timeout  600s;
			proxy_read_timeout     600s;
		}
	}


With this config, if I nav as usual to my site root

	http://dev.local.lan

I get my site content displayed in the browser -- minus ANY images.

And in the logs lots of these,

	==> /var/log/nginx/error.log <==
	2012/05/25 08:52:37 [error] 21132#0: *48 open()
	"/var/empty/img/img1.png" failed (2: No such file or directory),
	client: 192.168.1.100, server: dev.local.lan, request: "GET
	/img/img1.png HTTP/1.1", host: "dev.local.lan", referrer:
	"http://dev.local.lan/"
	2012/05/25 08:52:37 [error] 21132#0: *49 open()
	"/var/empty/img/img2.png" failed (2: No such file or directory),
	client: 192.168.1.100, server: dev.local.lan, request: "GET
	/img/img2.png HTTP/1.1", host: "dev.local.lan", referrer:
	"http://dev.local.lan/"
	2012/05/25 08:52:37 [error] 21132#0: *51 open()
	"/var/empty/img/img3.png" failed (2: No such file or directory),
	client: 192.168.1.100, server: dev.local.lan, request: "GET
	/img/img3.png HTTP/1.1", host: "dev.local.lan", referrer:
	"http://dev.local.lan/"
	2012/05/25 08:52:37 [error] 21132#0: *50 open()
	"/var/empty/img/img4.png" failed (2: No such file or directory),
	client: 192.168.1.100, server: dev.local.lan, request: "GET
	/img/img4.png HTTP/1.1", host: "dev.local.lan", referrer:
	"http://dev.local.lan/"
	2012/05/25 08:52:37 [error] 21132#0: *48 open()
	"/var/empty/img/imgA.gif" failed (2: No such file or directory),
	client: 192.168.1.100, server: dev.local.lan, request: "GET
	/img/imgA.gif HTTP/1.1", host: "dev.local.lan", referrer:
	"http://dev.local.lan/css/css_i9LjMH-EfBMHZV516oBxThl0uqd7YYp4V7x4fuvUFVs.css"
	2012/05/25 08:52:37 [error] 21132#0: *50 open()
	"/var/empty/img/img4.png" failed (2: No such file or directory),
	client: 192.168.1.100, server: dev.local.lan, request: "GET
	/img/img4.png HTTP/1.1", host: "dev.local.lan", referrer:
	"http://dev.local.lan/"
	...

The anti-hotlink stanza IS having an effect, just not the one I want.

What do I need to correct?

RandyK
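
One way to get the behaviour asked for, as an added example that is not part of the original post: nginx serves each request from the single location it selects, so the image location has to proxy the request itself once the referer check passes. The upstream name `PROXY`, the host names and the header values are taken from the post; moving the shared `proxy_*` settings up to `server` level is a choice made for this example, and the logging directives are left out.

```nginx
# Added example, not the poster's configuration.
server {
    server_name dev.local.lan;
    listen      192.168.1.100:80;
    root        /var/empty;

    # Shared proxy settings. Both locations below inherit them because
    # neither location defines its own proxy_set_header directives.
    proxy_redirect         off;
    proxy_set_header       Host $host;
    proxy_set_header       X-Real-IP $remote_addr;
    proxy_set_header       X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header       X-Client-Verify SUCCESS;
    proxy_connect_timeout  600s;
    proxy_read_timeout     600s;

    # A matching regex location wins over the "/" prefix location, so image
    # requests never reach "location /". With no proxy_pass in this block,
    # nginx falls back to static files under root (/var/empty), which is
    # what produces the open() ... failed entries in error.log.
    # Locations are matched against the URI without the query string, so
    # the (\?[0-9]+)? suffix from the original regex is not needed.
    location ~* \.(png|gif|jpg|jpeg|swf|ico)$ {
        valid_referers none blocked dev.local.lan *.dev.local.lan;

        # Rejected here, before any upstream connection is opened.
        if ($invalid_referer) {
            return 403;
        }

        # Accepted referers are forwarded like every other request.
        proxy_pass http://PROXY;
    }

    location / {
        proxy_pass http://PROXY;
    }
}
```

Check the file with `nginx -t` before reloading. The Referer header is supplied by the client, and `none` and `blocked` accept requests that carry no usable Referer, so this limits casual hotlinking and is not an access control.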


