How to protect Nginx from hotlink

2025-02-22 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article introduces how to protect Nginx from hotlinking. In daily operation many people have questions about this, so the editor consulted various materials and put together a simple, practical procedure. I hope it helps answer those doubts about protecting Nginx from hotlinking. Follow along and study it with the editor!

A simple and effective hotlink protection scenario

If you have ever run a personal site, you may have encountered other sites stealing links to your own resources; this is called hotlinking. When talking about hotlinking, one HTTP header has to be mentioned: the Referer header. When another website links to your page by URL and a user clicks that URL in the browser, the HTTP request carries the URL of the page the user is currently on in the Referer header, telling the server who initiated the request.

For example, search Google for Nginx and click the link:

If you look at the request headers on the page that opens, you will find that the request contains a Referer header whose value is https://www.google.com/.

A referrer like Google is fine, but when other websites want to reference the resources of our own site we need some control, otherwise anyone can link to them.

Purpose

The purpose here is clear: refuse access to our site's resources from abnormal (unauthorized) websites.

Approach

valid_referers directive

The referer module provides this directive to configure which Referer headers are legal, that is, which sites you allow to reference your resources.

Referer module

To achieve the above purpose, the referer module is the first choice; let's take a look at how it works.

It is compiled into Nginx by default and can be disabled with --without-http_referer_module.

The referer module has three directives; let's look at them.

Syntax:  valid_referers none | blocked | server_names | string ...;
Default: -
Context: server, location

Syntax:  referer_hash_bucket_size size;
Default: referer_hash_bucket_size 64;
Context: server, location

Syntax:  referer_hash_max_size size;
Default: referer_hash_max_size 2048;
Context: server, location

The most important of these is the valid_referers directive, which deserves emphasis.

valid_referers directive

It can carry several parameters at once, meaning that several kinds of Referer header are treated as valid.

Parameter values

none: allows requests whose Referer header is missing.

blocked: allows requests whose Referer header is present but has had its value removed, for example by a reverse proxy or a firewall (such values do not start with http:// or https://).

server_names: if the domain name in the Referer matches one of the names in this server's server_name directive, the request is allowed.

string: a string representing a domain name and an optional URI prefix. The domain name may contain a * wildcard at the beginning or the end. If the Referer value matches the string, access is allowed.

regular expression: written with a leading ~; if the Referer value matches the regex, access is allowed.

$invalid_referer variable

When access is allowed, the value of the variable is empty.

When access is not allowed, the value of the variable is 1.

Practice

Let's look at a configuration file.

server {
    server_name referer.ziyang.com;
    listen 80;
    error_log logs/myerror.log debug;
    root html;

    location / {
        valid_referers none blocked server_names *.ziyang.com www.ziyang.org.cn/nginx/ ~\.google\.;
        if ($invalid_referer) {
            return 403;
        }
        return 200 'valid\n';
    }
}

So which of the following requests will be denied under this configuration?

curl -H 'referer: http://www.ziyang.org.cn/ttt' referer.ziyang.com/
curl -H 'referer: http://www.ziyang.com/ttt' referer.ziyang.com/
curl -H 'referer:' referer.ziyang.com/
curl referer.ziyang.com/
curl -H 'referer: http://www.ziyang.com' referer.ziyang.com/
curl -H 'referer: http://referer.ziyang.com' referer.ziyang.com/
curl -H 'referer: http://image.baidu.com/search/detail' referer.ziyang.com/
curl -H 'referer: http://image.google.com/search/detail' referer.ziyang.com/

We need to read the configuration file first. What values are configured in the valid_referers directive?

valid_referers none blocked server_names *.ziyang.com www.ziyang.org.cn/nginx/ ~\.google\.;

none: a request with no Referer header is allowed.

blocked: a Referer header with no value is allowed.

server_names: the server's own server_name, that is referer.ziyang.com, is allowed.

*.ziyang.com: any host matching this wildcard is allowed.

www.ziyang.org.cn/nginx/: requests initiated from pages under this path are allowed.

~\.google\.: a regular expression; any Referer with google between two dots matches.
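To check the reasoning above before looking at the real responses, here is a small Python model of how valid_referers decides the value of $invalid_referer, run over the eight requests from this article. This is an added example, not code from the article or from Nginx itself; the rule list and server_name are copied from the configuration above, a present-but-empty Referer is treated as "blocked" as the article reads it, and ports in the Referer are not modelled.

```python
import re

# Rules copied from the article's valid_referers line; the server_name is the
# one from that server block.
VALID_REFERERS = ["none", "blocked", "server_names", "*.ziyang.com",
                  "www.ziyang.org.cn/nginx/", r"~\.google\."]
SERVER_NAMES = ["referer.ziyang.com"]

def _name_matches(pattern, host):
    """Exact name, or a leading/trailing '*' wildcard (*.x.com needs a label before .x.com)."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and len(host) > len(pattern) - 1
    if pattern.endswith(".*"):
        return host.startswith(pattern[:-1])
    return host == pattern

def invalid_referer(referer, rules=VALID_REFERERS, server_names=SERVER_NAMES):
    """Model of $invalid_referer: '' when some rule allows the request, '1' otherwise.
    referer is None when the header is absent, '' when present but empty."""
    if referer is None:                      # header missing
        return "" if "none" in rules else "1"
    for scheme in ("http://", "https://"):
        if referer.lower().startswith(scheme):
            rest = referer[len(scheme):]
            break
    else:                                    # value stripped by a proxy or firewall
        return "" if "blocked" in rules else "1"
    host, tail = re.match(r"([^/:]*)(.*)", rest).groups()   # port is not modelled
    host = host.lower()
    for rule in rules:
        if rule == "server_names":
            if any(_name_matches(n, host) for n in server_names):
                return ""
        elif rule.startswith("~"):           # regex, matched against the text after the scheme
            flags = re.IGNORECASE if rule.startswith("~*") else 0
            if re.search(rule.lstrip("~*"), rest, flags):
                return ""
        elif rule not in ("none", "blocked"):
            name, slash, uri = rule.partition("/")   # "host" or "host/uri-prefix"
            if _name_matches(name.lower(), host) and tail.startswith(slash + uri):
                return ""
    return "1"

def status_for(referer):
    """What the article's location block answers: 403 if $invalid_referer is set, else 200."""
    return 403 if invalid_referer(referer) else 200

# The eight requests from the article, in the same order (constructed inputs).
REQUESTS = ["http://www.ziyang.org.cn/ttt", "http://www.ziyang.com/ttt", "", None,
            "http://www.ziyang.com", "http://referer.ziyang.com",
            "http://image.baidu.com/search/detail", "http://image.google.com/search/detail"]

if __name__ == "__main__":
    for r in REQUESTS:
        print(f"{r!r:42} -> {status_for(r)}")
```

The first and seventh requests are the only ones that return 403: the first matches the www.ziyang.org.cn host but not the /nginx/ prefix, and the seventh matches no rule at all.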

Let's actually take a look at the response:

# return 403: no rule matched
➜ ~ curl -H 'referer: http://www.ziyang.org.cn/ttt' referer.ziyang.com/
403 Forbidden
403 Forbidden
nginx/1.17.8
➜ ~ curl -H 'referer: http://image.baidu.com/search/detail' referer.ziyang.com/
403 Forbidden
403 Forbidden
nginx/1.17.8

# matched *.ziyang.com
➜ ~ curl -H 'referer: http://www.ziyang.com/ttt' referer.ziyang.com/
valid
➜ ~ curl -H 'referer: http://www.ziyang.com' referer.ziyang.com/
valid

# matches server_names
➜ ~ curl -H 'referer: http://referer.ziyang.com' referer.ziyang.com/
valid

# matches blocked
➜ ~ curl -H 'referer:' referer.ziyang.com/
valid

# matches none
➜ ~ curl referer.ziyang.com/
valid

# matches ~\.google\.
➜ ~ curl -H 'referer: http://image.google.com/search/detail' referer.ziyang.com/
valid

Another hotlink protection solution: the secure_link module

The referer module is a simple means of hotlink protection. It relies on the browser sending the header with the request, so it is ineffective if an attacker forges the Referer header.

The secure_link module is another solution.

Its principle is hotlink protection by verifying a hash value carried in the URL.

The basic process looks like this:

1. The server (Nginx or another web server) generates a secure link URL carrying the hash and returns it to the client.

2. The client accesses Nginx using that secure URL, which Nginx verifies through the $secure_link variable.

The principle is as follows:

The hash algorithm is irreversible.

The client only ever obtains the URL after the hash algorithm has been applied.

Only the server that generates the URL and the Nginx that verifies it hold the original string.

The original string usually consists of the following parts, in order:

Resource location. For example, the URI of the specific resource, so that an attacker who obtains one secure URI cannot access arbitrary resources.

User information. For example, the user's IP address, so that other users cannot reuse the URL.

Timestamp. Makes the secure URL expire in time.

Key. Held only on the server side, making it harder for an attacker to guess the original string.

Module: ngx_http_secure_link_module

It is not compiled into Nginx by default and must be added with --with-http_secure_link_module.

Variables: $secure_link, $secure_link_expires

Syntax:  secure_link expression;
Default: -
Context: http, server, location

Syntax:  secure_link_md5 expression;
Default: -
Context: http, server, location

Syntax:  secure_link_secret word;
Default: -
Context: location

Variable values and a configuration example with expiration time

$secure_link

Value is an empty string: validation failed.

Value is 0: the URL has expired.

Value is 1: verification passed.

$secure_link_expires

The value of the timestamp carried in the link.

Generating a secure link on the command line

Generate the md5:

echo -n '<timestamp><URI><client IP> <key>' | openssl md5 -binary | openssl base64 | tr +/ -_ | tr -d =

Construct the request URL:

/test1.txt?md5=<generated md5 value>&expires=<timestamp, e.g. 2147483647>

Nginx configuration

secure_link $arg_md5,$arg_expires;

secure_link must be followed by two values: the md5 from the query parameters and the timestamp.

secure_link_md5 "$secure_link_expires$uri$remote_addr secret";

This defines the order in which the original string is constructed.
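The generation and verification steps above, as an added Python example (not code from the article or from Nginx): it builds the md5 exactly as the openssl | tr pipeline does, using the same string order as the secure_link_md5 directive, and models what $secure_link and the article's location block return for a matching, a tampered and an expired link. The key "secret", the URI /test1.txt and the client IP 127.0.0.1 are the article's sample values.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlsplit

SECRET = "secret"   # the literal key in the article's secure_link_md5 directive

def secure_link_md5(expires, uri, client_ip, secret=SECRET):
    """md5 of "$secure_link_expires$uri$remote_addr secret", base64 with +/ replaced
    by -_ and '=' padding removed, i.e. the article's openssl | tr pipeline."""
    raw = f"{expires}{uri}{client_ip} {secret}".encode()
    return base64.urlsafe_b64encode(hashlib.md5(raw).digest()).rstrip(b"=").decode()

def make_link(uri, client_ip, expires):
    """Build the request URL the article shows: /uri?md5=<hash>&expires=<timestamp>."""
    return f"{uri}?md5={secure_link_md5(expires, uri, client_ip)}&expires={expires}"

def secure_link_value(uri, arg_md5, arg_expires, client_ip, now=None):
    """Model of $secure_link: '' = hash mismatch, '0' = expired, '1' = valid."""
    if not arg_md5 or not arg_md5.isascii() or not arg_expires.isdigit():
        return ""
    # constant-time compare so the hash check leaks no timing information
    if not hmac.compare_digest(secure_link_md5(arg_expires, uri, client_ip), arg_md5):
        return ""
    now = time.time() if now is None else now
    return "0" if int(arg_expires) < now else "1"

def handle_request(url, client_ip, now=None):
    """Status the article's location / returns: 403, 410 or 200 per its if blocks."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    state = secure_link_value(parts.path, q.get("md5", [""])[0],
                              q.get("expires", [""])[0], client_ip, now)
    return {"": 403, "0": 410, "1": 200}[state]

if __name__ == "__main__":
    link = make_link("/test1.txt", "127.0.0.1", 2147483647)   # constructed sample
    print(link, "->", handle_request(link, "127.0.0.1"))
```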

Practice

Below is an actual configuration file. I will not demonstrate it here; interested readers can experiment on their own.

server {
    server_name securelink.ziyang.com;
    listen 80;
    error_log logs/myerror.log info;
    default_type text/plain;

    location / {
        secure_link $arg_md5,$arg_expires;
        secure_link_md5 "$secure_link_expires$uri$remote_addr secret";
        if ($secure_link = "") {
            return 403;
        }
        if ($secure_link = "0") {
            return 410;
        }
        return 200 '$secure_link:$secure_link_expires\n';
    }

    location /p/ {
        secure_link_secret mysecret2;
        if ($secure_link = "") {
            return 403;
        }
        rewrite ^ /secure/$secure_link;
    }

    location /secure/ {
        alias html/;
        internal;
    }
}

A simple way: hash only the URI

In addition to the relatively complex hotlink protection method above, there is a simpler one: only the URI is hashed. It is configured with the directive secure_link_secret secret;

Generating a secure link on the command line

Original request: /link

Generated secure request: /prefix/md5/link

Generate the md5 (the link concatenated with the secret):

echo -n 'linksecret' | openssl md5 -hex

Nginx configuration

secure_link_secret secret;

This hotlink protection method is relatively simple, so how is it used in practice? Everyone has downloaded resources from the Internet, whether e-books or software; on many websites, clicking download opens another page from which the download actually starts. That new page is the secure URL Nginx generated for the request. If such a URL is obtained by someone else it can still be used, so the key needs to be changed frequently to ensure the URL cannot be stolen.
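The URI-only scheme above, as an added Python example (not code from the article or from Nginx): it produces the /prefix/md5/link form with the same md5 as the openssl command, and models what $secure_link and the rewrite in the article's location /p/ block do for a correct hash, a wrong hash, and a hash reused for a different link. The secret "secret" and the prefix /p are taken from the article.

```python
import hashlib
import hmac
import re

SECRET = "secret"   # the word given to secure_link_secret in the article

def secret_hash(link, secret=SECRET):
    """Equivalent of: echo -n '<link><secret>' | openssl md5 -hex."""
    return hashlib.md5(f"{link}{secret}".encode()).hexdigest()

def make_secure_uri(link, prefix="/p"):
    """Turn the original request /link into /prefix/md5/link."""
    return f"{prefix}/{secret_hash(link)}/{link}"

_SECURE_URI = re.compile(r"^/p/([0-9a-fA-F]{32})/(.+)$")

def secure_link_value(uri):
    """Model of $secure_link in secure_link_secret mode: the original link when the
    hash is correct, '' (403 in the article's config) otherwise."""
    m = _SECURE_URI.match(uri)
    if not m:
        return ""
    given, link = m.groups()
    # recompute from the link in the request; constant-time compare
    return link if hmac.compare_digest(given.lower(), secret_hash(link)) else ""

def rewritten_target(uri):
    """What the rewrite ^ /secure/$secure_link line hands to location /secure/."""
    link = secure_link_value(uri)
    return f"/secure/{link}" if link else None

if __name__ == "__main__":
    uri = make_secure_uri("link")   # constructed sample
    print(uri, "->", rewritten_target(uri))
```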

This concludes the study of how to protect Nginx from hotlinking. I hope it has resolved your doubts. Combining theory with practice helps you learn better, so go and try it! If you want to keep learning related knowledge, please keep following the website; the editor will keep working to bring you more practical articles!
