Problem with Hotlink Protection
Francis Daly
francis at daoine.org
Wed Sep 14 15:52:32 UTC 2011
On Wed, Sep 14, 2011 at 11:19:05AM -0400, dullnicker wrote:
Hi there,
> I am having a problem getting hotlinking protection to work.
> I have the following code in my location block:
> location ~* \.(png|gif|jpg|jpeg)$ {
> valid_referers server_names;
> if ($invalid_referer) {
> return 403;
> }
> }
That applies to locations that end in one of those four words.
> http://www.mydomain.com/image.php?twg_album=album-05900-05999&twg_show=image-05995.jpg
That location ends in ".php", since things after the ? don't count for
location matching. And so the above config doesn't apply, as you saw.
> These do not trigger the hotlink protection. I am totally lost and have
> no idea how I might be able to protect those image links from
> hotlinking.
The two simplest (to me) ways of approaching it would be (a) if /image.php
counts as "an image link", then configure it like one -- wherever in
your configuration you match this location, add the "invalid_referer"
check. (If you have something like "location ~* \.php$", and you don't
want all matching urls to have this configuration, then copy the content
to a new "location = /image.php" and add the extra bit there);
or (b) if image.php is your modifiable script, and it has access to
HTTP_REFERER, code the protection in there yourself.
If neither of those applies, then you can probably try mucking around
with $arg_twg_show; but that feels wrong to me.
All the best,
f
--
Francis Daly francis at daoine.org
More information about the nginx
mailing list