<br><br><div class="gmail_quote"><div dir="ltr">On Thu, Apr 6, 2017, 10:50 shahzaib mushtaq <<a href="mailto:shahzaib.cb@gmail.com">shahzaib.cb@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" class="gmail_msg">>><span style="font-size:12.8px" class="gmail_msg">With the controls sites have over the referrer header, it's not very</span><br style="font-size:12.8px" class="gmail_msg"><span style="font-size:12.8px" class="gmail_msg">effective as an access control mechanism. You can use something like</span><br style="font-size:12.8px" class="gmail_msg"><a href="http://nginx.org/en/docs/http/ngx_http_secure_link_module.html" rel="noreferrer" style="font-size:12.8px" class="gmail_msg" target="_blank">http://nginx.org/en/docs/http/ngx_http_secure_link_module.html</a><br style="font-size:12.8px" class="gmail_msg"><span style="font-size:12.8px" class="gmail_msg">instead.</span><div class="gmail_msg"><span style="font-size:12.8px" class="gmail_msg"><br class="gmail_msg"></span></div></div><div dir="ltr" class="gmail_msg"><div class="gmail_msg"><span style="font-size:12.8px" class="gmail_msg">We're also using Nginx secure link module based on HASH + expiry but somehow this secure link is exploited by that website. The video link hash on his website is exactly matching with ours means no matter if hash get expire & new takes it place that leacher is also getting the new hash & we're unable to find how he exploited us. Though on digging more into this we found that he's using following script to fetch video links from our website : </span></div><div class="gmail_msg"><span style="font-size:12.8px" class="gmail_msg"><br class="gmail_msg"></span></div><div class="gmail_msg"><span style="font-size:12.8px" class="gmail_msg"><a href="https://github.com/XvBMC/repository.xvbmc/blob/master/plugin.video.saltsrd.lite/scrapers/dizibox_scraper.py" class="gmail_msg" target="_blank">https://github.com/XvBMC/repository.xvbmc/blob/master/plugin.video.saltsrd.lite/scrapers/dizibox_scraper.py</a></span><br class="gmail_msg"></div><div class="gmail_msg"><span style="font-size:12.8px" class="gmail_msg"><br class="gmail_msg"></span></div><div class="gmail_msg"><span style="font-size:12.8px" class="gmail_msg">His website name is also dizibox1.</span></div></div></blockquote></div><div>IT happens because your secure links hash doesn't have any end user unique attributes like ip address </div><div>If you'll include enduser ip to the secure link hash, secure link become unique for the end user. Any direct video link grabbed and shared by the enduser or some script become useless. </div><div><br></div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" class="gmail_msg"><div class="gmail_msg"><span style="font-size:12.8px" class="gmail_msg"><br class="gmail_msg"></span></div></div><div class="gmail_extra gmail_msg"><br class="gmail_msg"><div class="gmail_quote gmail_msg">On Wed, Apr 5, 2017 at 1:54 AM, Francis Daly <span dir="ltr" class="gmail_msg"><<a href="mailto:francis@daoine.org" class="gmail_msg" target="_blank">francis@daoine.org</a>></span> wrote:<br class="gmail_msg"><blockquote class="gmail_quote gmail_msg" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On Tue, Apr 04, 2017 at 04:39:23PM +0500, shahzaib mushtaq wrote:<br class="gmail_msg">
<br class="gmail_msg">
Hi there,<br class="gmail_msg">
<span class="gmail_msg"><br class="gmail_msg">
> Thanks for quick response. Well its reverse, he's putting our HTTPS video<br class="gmail_msg">
> link on his HTTP website. Could that create issue as well? If yes, what's<br class="gmail_msg">
> the fix of it.<br class="gmail_msg">
<br class="gmail_msg">
</span>nginx does not know (or care) what the linking site does. All it can<br class="gmail_msg">
see is the request made to it.<br class="gmail_msg">
<br class="gmail_msg">
The browser entirely controls what request headers the browser sends.<br class="gmail_msg">
<br class="gmail_msg">
If you want to deny all requests that have no Referer header, you can<br class="gmail_msg">
do that.<br class="gmail_msg">
<br class="gmail_msg">
If you want to deny only some requests that have no Referer header,<br class="gmail_msg">
you will need to tell nginx which requests to deny and which requests to<br class="gmail_msg">
allow. But before you can do that, you will have to know how to identify<br class="gmail_msg">
the requests in one of the sets.<br class="gmail_msg">
<span class="m_1524833994544469615HOEnZb gmail_msg"><font color="#888888" class="gmail_msg"><br class="gmail_msg">
f<br class="gmail_msg">
--<br class="gmail_msg">
Francis Daly <a href="mailto:francis@daoine.org" class="gmail_msg" target="_blank">francis@daoine.org</a><br class="gmail_msg">
</font></span><div class="m_1524833994544469615HOEnZb gmail_msg"><div class="m_1524833994544469615h5 gmail_msg">_______________________________________________<br class="gmail_msg">
nginx mailing list<br class="gmail_msg">
<a href="mailto:nginx@nginx.org" class="gmail_msg" target="_blank">nginx@nginx.org</a><br class="gmail_msg">
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" class="gmail_msg" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a><br class="gmail_msg">
</div></div></blockquote></div><br class="gmail_msg"></div>
_______________________________________________<br class="gmail_msg">
nginx mailing list<br class="gmail_msg">
<a href="mailto:nginx@nginx.org" class="gmail_msg" target="_blank">nginx@nginx.org</a><br class="gmail_msg">
<a href="http://mailman.nginx.org/mailman/listinfo/nginx" rel="noreferrer" class="gmail_msg" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx</a></blockquote></div>