Publish: 2019-05-31 | Modify: 2024-07-05
Sometimes you will find that other websites embed images straight from your server, consuming your bandwidth and traffic. If your server has a limited bandwidth or traffic quota, being hotlinked like this has a real cost. This article shows how to configure anti-hotlinking in Nginx so that other websites cannot use your images without permission.
The principle behind anti-hotlinking is very simple. The common approach today is to inspect the "Referer" header and restrict requests based on it. First, an explanation of the "Referer":
HTTP Referer is part of the header. When the browser sends a request to the web server, it generally includes the Referer, telling the server where I came from. The server can obtain some information for processing based on this. ——From Baidu Baike
Simply put, if my blog domain is xiaoz.me, I can configure Nginx to serve images only to requests whose Referer matches *.xiaoz.me, and block requests coming from other websites. To do this we need the ngx_http_referer_module module and the $invalid_referer variable, explained below.
The ngx_http_referer_module module is used to block requests to the site whose "Referer" header field contains an invalid value. Note that it is very easy to construct a request with an appropriate "Referer" value, so the purpose of this module is not to block such requests completely, but to block the bulk of traffic that regular browsers send. It should also be kept in mind that, even for legitimate requests, regular browsers may not send the "Referer" field at all.
The valid_referers directive accepts parameters such as none and blocked, with the following meanings:
Once the valid_referers directive is set, its result is exposed through the variable $invalid_referer, with a value of 0 or 1. This variable is what we use to implement anti-hotlinking: if the value of the Referer header is not in the valid_referers list, $invalid_referer is set to 1.
A whitelist allows access only from the domains listed in it and blocks everyone else.
    # match image and video files by extension
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico|webp)$ {
        # allow: no Referer (none), Referer stripped of its scheme (blocked), and our own domains
        valid_referers none blocked *.xiaoz.me *.xiaoz.top;
        # $invalid_referer is 1 for any Referer not in the list above
        if ($invalid_referer) {
            return 403;
        }
    }
The configuration above first uses location to match the file types we want to protect (images and videos), then uses the valid_referers directive to set the allowed domain names. If the Referer's domain is not in the valid_referers list, $invalid_referer evaluates to 1 and a 403 error is returned, denying access. That is all there is to an anti-hotlinking whitelist.
A blacklist is the opposite of a whitelist: it blocks only requests from the listed domains and allows everything else, so it is more permissive than a whitelist. Most online tutorials only cover whitelists, but once you understand the principle, a blacklist is set up in much the same way.
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico|webp)$ {
        # the "valid" list is now the set of domains we want to block
        valid_referers *.baidu.com;
        # a Referer that matches the list leaves $invalid_referer empty (not "0"),
        # so test for "not 1" rather than "= 0", which would never match
        if ($invalid_referer != 1) {
            return 403;
        }
    }
In the configuration above, we use the valid_referers directive to list the blacklisted domain *.baidu.com. When the Referer header matches that list, $invalid_referer is not set to 1, and we return a 403 error, denying access from Baidu's domain.
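As an added illustration (not part of the original article or of nginx itself), here is a small Python model of how nginx evaluates valid_referers and $invalid_referer, run over a few constructed Referer values against both the whitelist and the blacklist above. It is simplified by assumption: it handles none, blocked, exact hostnames and *.domain wildcards, but not server_names, URI prefixes or ~regex entries.

```python
import re
from urllib.parse import urlsplit

# Simplified emulation of nginx's valid_referers / $invalid_referer logic.
# Assumption: only none, blocked, exact hosts and "*.domain" are modelled.

def invalid_referer(referer, valid):
    """Return "1" if the Referer is invalid, "" if valid (as nginx does)."""
    if not referer:
        return "" if "none" in valid else "1"          # no Referer at all
    if not re.match(r"https?://", referer, re.I):
        return "" if "blocked" in valid else "1"       # scheme stripped by a proxy
    host = (urlsplit(referer).hostname or "").lower()
    for entry in valid:
        if entry in ("none", "blocked"):
            continue
        if entry.startswith("*."):
            if host.endswith(entry[1:]):               # subdomain wildcard
                return ""
        elif host == entry.lower():
            return ""
    return "1"

def whitelist_blocks(referer):
    """The whitelist config: 403 when $invalid_referer is truthy."""
    v = invalid_referer(referer, ["none", "blocked", "*.xiaoz.me", "*.xiaoz.top"])
    return v == "1"

def blacklist_blocks(referer):
    """The blacklist config with the corrected test `$invalid_referer != 1`."""
    v = invalid_referer(referer, ["*.baidu.com"])
    return v != "1"

def broken_blacklist_blocks(referer):
    """The common `if ($invalid_referer = 0)` variant: never fires, because
    nginx sets the variable to "" rather than "0" for a valid Referer."""
    v = invalid_referer(referer, ["*.baidu.com"])
    return v == "0"

if __name__ == "__main__":
    # constructed sample Referer values
    for ref in [None, "www.xiaoz.me/page", "https://www.xiaoz.me/post",
                "https://evil.example/page", "https://image.baidu.com/search"]:
        print(f"{ref!r:40} whitelist blocks={whitelist_blocks(ref)} "
              f"blacklist blocks={blacklist_blocks(ref)}")
```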
That covers anti-hotlinking in Nginx with both whitelists and blacklists; once you understand the principle it is very simple. Keep in mind, however, that the Referer is trivial to forge, so neither method stops requests that carry a faked Referer. It is still effective against the most common cases, and if your server's bandwidth and traffic are limited, setting it up is recommended.
If you are interested, you can also check out my other article "Nginx Common Blocking Rules for a Safer Website".
I come from China and I am a freelancer. I specialize in Linux operations, PHP, Golang, and front-end development. I have developed open-source projects such as Zdir, ImgURL, CCAA, and OneNav.