Setting Up Image Hotlink Protection in Nginx (Whitelist and Blacklist)

Publish: 2019-05-31 | Modify: 2024-07-05

Sometimes you may find that other websites directly use images from your website, causing additional server bandwidth and traffic consumption. If your server has limited bandwidth and traffic, being hotlinked by others will definitely have a certain impact. This article shares how to set up anti-hotlinking through Nginx to prevent other websites from unauthorized use of images.

Anti-Hotlinking Principle

The principle of anti-hotlinking is actually very simple. The popular method currently is to judge and restrict through the "Referer" header. Here is an explanation of the "Referer":

HTTP Referer is part of the header. When the browser sends a request to the web server, it generally includes the Referer, telling the server where I came from. The server can obtain some information for processing based on this. ——From Baidu Baike

Simply put, if my blog domain is xiaoz.me, I can configure Nginx to serve images only when the Referer is under *.xiaoz.me, and block requests from other websites. This requires the ngx_http_referer_module module and the $invalid_referer variable, both explained below.

ngx_http_referer_module Module

The ngx_http_referer_module module is used to block requests to the site with invalid values in the "Referer" header field. Note that it is very easy to construct a request with an appropriate "Referer" value, so the purpose of this module is not to block such requests completely, but to block the majority of them, namely those sent by ordinary browsers. It should also be considered that even for valid requests, ordinary browsers may not send the "Referer" field at all.

  • Syntax: valid_referers none | blocked | server_names | string ...;
  • Context: server, location

In the valid_referers directive, there are some parameters like none|blocked, with the following meanings:

  • none: The "Referer" field is missing in the request header, meaning the Referer is empty, which is usually the case when the browser accesses directly.
  • blocked: The "Referer" field appears in the request header, but its value has been removed by a firewall or proxy server; these values are strings that do not start with "http://" or "https://".
  • server_names: The "Referer" host matches one of the listed server names. Entries are a list of domain names and may use a leading or trailing "*" wildcard (for example *.xiaoz.me).

$invalid_referer Variable

After setting the valid_referers directive, the result is passed to a variable $invalid_referer, with a value of 0 or 1. This variable can be used to implement anti-hotlinking functionality. If the value of the Referer header is not included in the valid_referers list, $invalid_referer will be set to 1.

Setting Up Anti-Hotlinking Whitelist

A whitelist allows only domains in the whitelist to access, while others are blocked.

# Whitelist: serve images/videos only to direct requests (none), stripped
# Referers (blocked) and the listed domains; everything else gets 403.
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico|webp)$ {
    valid_referers none blocked *.xiaoz.me *.xiaoz.top;
    if ($invalid_referer) {
        return 403;
    }
}

The above configuration means to first match the required formats (images and videos) using location, then set the allowed domain names using the valid_referers directive. If a domain is not included in the valid_referers list, the value returned by $invalid_referer is 1, and a 403 error is returned, prohibiting access. This is how the anti-hotlinking whitelist is set up.

Anti-Hotlinking Blacklist

The blacklist is the opposite of the whitelist, only blocking requests from domains in the blacklist, while allowing others. Compared to the whitelist, the blacklist restrictions are more relaxed. Most online tutorials only mention setting up anti-hotlinking whitelists, but once you understand the principle, setting up a blacklist is similar.

# Blacklist: the listed domains are the ones to reject.
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico|webp)$ {
    valid_referers *.baidu.com;
    # nginx sets $invalid_referer to an empty string (not 0) when the
    # Referer matches the list, so compare against "" here.
    if ($invalid_referer = "") {
        return 403;
    }
}

In the above configuration, we use the valid_referers directive to list the blacklisted domain *.baidu.com. When the Referer of a request matches this list, it counts as "valid" for the module, so $invalid_referer is not set to 1; the configuration inverts that result and returns a 403 error, prohibiting access from Baidu's domain. Requests with no Referer or with any other Referer are allowed.
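To make the none / blocked / server_names semantics and the whitelist-versus-blacklist inversion concrete, here is an added Python model of how $invalid_referer is derived and how the two location blocks above decide on a request. It is illustrative code written for this article, not nginx's own implementation; the wildcard matching is a simplification (a leading "*." matches any subdomain, a bare name matches exactly), and the Referer values below are constructed samples.

```python
from urllib.parse import urlsplit

# Simplified model of ngx_http_referer_module (illustration only, not nginx code).
# valid_referers entries: "none", "blocked", a host pattern like "*.xiaoz.me"
# (leading "*." = any subdomain) or a bare host like "xiaoz.top" (exact match).

def referer_is_valid(referer, valid_referers):
    """True if the Referer header value is accepted by the valid_referers list."""
    if referer is None:                       # header absent: only "none" accepts
        return "none" in valid_referers
    lower = referer.lower()
    if not (lower.startswith("http://") or lower.startswith("https://")):
        return "blocked" in valid_referers    # value stripped by a proxy/firewall
    host = urlsplit(lower).hostname or ""     # hostname drops port and userinfo
    for pattern in valid_referers:
        if pattern in ("none", "blocked"):
            continue
        pattern = pattern.lower()
        if pattern.startswith("*."):
            if host.endswith(pattern[1:]):    # "*.xiaoz.me" matches "img.xiaoz.me"
                return True
        elif host == pattern:
            return True
    return False

def invalid_referer(referer, valid_referers):
    """Model of $invalid_referer: "" when valid, "1" otherwise (nginx uses "", not 0)."""
    return "" if referer_is_valid(referer, valid_referers) else "1"

def whitelist_status(referer, whitelist):
    """Whitelist location: 403 whenever $invalid_referer is set."""
    return 403 if invalid_referer(referer, whitelist) == "1" else 200

def blacklist_status(referer, blacklist):
    """Blacklist location: 403 only when the Referer matched a listed host."""
    return 403 if invalid_referer(referer, blacklist) == "" else 200

if __name__ == "__main__":
    wl = ["none", "blocked", "*.xiaoz.me", "*.xiaoz.top"]
    bl = ["*.baidu.com"]
    for ref in (None, "xiaoz.me", "http://img.xiaoz.me/a.png",
                "https://image.baidu.com/x", "http://evil.example/page"):
        print(f"{ref!s:32} whitelist={whitelist_status(ref, wl)} "
              f"blacklist={blacklist_status(ref, bl)}")
```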

Conclusion

The above is the setup for Nginx anti-hotlinking (black and white lists). Once you understand the principle, it is actually very simple. However, since the Referer can be easily faked, the above methods cannot intercept requests with forged Referers. Nevertheless, it is effective in most common scenarios. If your server has limited bandwidth and traffic, it is recommended to set up anti-hotlinking.

If you are interested, you can also check out my other article "Nginx Common Blocking Rules for a Safer Website".
