SoFunction
Updated on 2025-03-05

Various ways to implement hotlink protection in Nginx

What is hotlink protection

Hotlink protection prevents other websites from directly referencing your resources (images, audio and video files, documents, etc.) without permission. This not only saves bandwidth but also keeps your content from being misused. The most common technique is to check the request's Referer header and decide whether the request comes from a legitimate source.

The basic principle of Nginx hotlink protection

Hotlink protection is usually based on the HTTP Referer header of the request, which is used to decide whether the request comes from an authorized domain. If the request originates from an unauthorized domain, Nginx can reject it. There are several ways to implement this; the common ones restrict access based on the Referer header and on the client IP address.

Hotlink protection based on the Referer header

The Referer header is a field the browser adds automatically when it issues an HTTP request; it indicates the page from which the current request originated. The basic practice of hotlink protection is that only requests sent from your own website or from authorized domains can access the resources normally, while requests from other sources are denied. Because the header is supplied by the client and can be omitted or altered, this is a deterrent against casual embedding by other sites rather than a strong access control.

Basic configuration

Here is a simple hotlink-protection configuration based on the Referer header:

server {
    listen 80;
    server_name ;

    location ~* \.(jpg|jpeg|png|gif|bmp|webp|mp4)$ {
        valid_referers none blocked  *.;
        if ($invalid_referer) {
            return 403;  # Unauthorized Referer, return 403 error
        }
    }
}

Configuration explanation:

  • valid_referers: specifies the Referer domain names (or IP addresses) that are allowed to access the resource.

    • none: matches requests without a Referer field (for example, direct access via a bookmark or a typed URL).

    • blocked: matches requests whose Referer field is present but has been removed or mangled by a firewall or proxy (its value does not start with http:// or https://).

    • : allows requests coming from the domain itself.

    • *.: allows requests coming from any of its subdomains.

  • if ($invalid_referer): if the request's Referer matches none of the rules above, Nginx returns a 403 error and the request is rejected.
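To see how these rules classify real requests, the following Python script (added here, not part of the article) reproduces the decision Nginx makes for `valid_referers none blocked example.com *.example.com;`; example.com and the sample requests are constructed placeholders. It shows that a request with no Referer at all passes because of `none`, and that a look-alike domain such as example.com.evil.test does not match the wildcard.

```python
"""Simulate how Nginx's valid_referers decides $invalid_referer (added example)."""
from typing import Optional

# Mirrors: valid_referers none blocked example.com *.example.com;  (constructed)
ALLOWED = ["none", "blocked", "example.com", "*.example.com"]


def referer_host(referer: str) -> Optional[str]:
    """Lower-cased host of an http(s) Referer, or None when the value does not
    start with http:// or https:// (Nginx's 'blocked' case). Port is ignored,
    as Nginx does; IPv6 literals are not handled in this simulation."""
    lower = referer.lower()
    for scheme in ("http://", "https://"):
        if lower.startswith(scheme):
            host = lower[len(scheme):].split("/", 1)[0]
            return host.split(":", 1)[0]
    return None


def invalid_referer(referer: Optional[str], allowed=ALLOWED) -> bool:
    """True when Nginx would set $invalid_referer for this request."""
    if referer is None:
        return "none" not in allowed           # header missing entirely
    host = referer_host(referer)
    if host is None:
        return "blocked" not in allowed        # present but mangled by a proxy
    for pattern in allowed:
        if pattern in ("none", "blocked"):
            continue
        if pattern.startswith("*."):
            if host.endswith(pattern[1:]):     # '*.example.com' -> '.example.com'
                return False
        elif host == pattern:
            return False
    return True


SAMPLE_REQUESTS = [                            # constructed sample Referer values
    None,                                      # direct access / bookmark
    "https://example.com/gallery",             # own site
    "https://cdn.example.com:8443/p",          # subdomain, port ignored
    "https://example.com.evil.test/x",         # look-alike host, must be rejected
    "https://other.test/embed",                # hotlink from another site
    "mangled-by-proxy",                        # 'blocked' case
]


def decisions():
    """Map each sample Referer to the status Nginx would return."""
    return {str(r): ("403" if invalid_referer(r) else "200") for r in SAMPLE_REQUESTS}
```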

Case: Protecting Image Resources

Assume your image resources are stored in the directory /var/www//images/ and you want only requests from your own website (such as ) to be able to load these images. Other domains (for example, third-party sites that hotlink them) receive a 403 error.

server {
    listen 80;
    server_name ;

    location /images/ {
        valid_referers none blocked  *.;
        if ($invalid_referer) {
            return 403;  # Reject hotlinking
        }
        root /var/www/;
    }
}

In this way, only requests for /images/ whose Referer is the site itself or one of its subdomains succeed; hotlinks from other sites are rejected.

Hotlink protection based on IP address

Besides the Referer header, you can also limit hotlinking from external sites by restricting client IP addresses. Although this approach is less direct than the Referer-based one, in some cases combining the two is safer.

Basic configuration

server {
    listen 80;
    server_name ;

    location /images/ {
        allow 192.168.1.0/24;  # Allow a specific IP range
        deny all;              # Deny all other IPs
        root /var/www/;
    }
}

Configuration explanation:

  • allow: allows a specific IP or IP range to access the resources.
  • deny: denies access to all other IPs.

This configuration can be used to restrict access to specific resources to internal company IP addresses only.

Enhanced measures for hotlink protection

To further strengthen hotlink protection, the following measures can be combined:

Restrict HTTP methods

Reduce the risk of external abuse by disallowing HTTP methods the resource does not need.

server {
    listen 80;
    server_name ;

    location /images/ {
        valid_referers none blocked  *.;
        if ($invalid_referer) {
            return 403;
        }
        limit_except GET POST {
            deny all;  # Only GET and POST methods are allowed
        }
    }
}

Verify using a token

You can verify that a request is legitimate by placing a cryptographic token in the request URL; only requests carrying a valid token are served by Nginx. This method is commonly used to protect media resources such as video and audio.
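One common way to do this in Nginx is the ngx_http_secure_link_module. The Python script below is an added example (not from the article): it generates and checks tokens compatible with an assumed, constructed Nginx configuration that binds each link to the URI, an expiry time and the client IP, and reproduces the "", "0" and "1" values Nginx exposes in $secure_link. SECRET, the URIs and the IP addresses are constructed placeholders.

```python
"""Signed, expiring URLs for Nginx's secure_link module (added example).

Assumed Nginx side (constructed; SECRET must match the Python constant):

    location /videos/ {
        secure_link     $arg_md5,$arg_expires;
        secure_link_md5 "$secure_link_expires$uri$remote_addr SECRET";
        if ($secure_link = "")  { return 403; }   # bad or missing token
        if ($secure_link = "0") { return 410; }   # token expired
    }
"""
import base64
import hashlib
import hmac
import time
from typing import Optional

SECRET = "CHANGE-ME-placeholder"  # constructed; the link's strength rests on keeping it private


def make_token(uri: str, expires: int, client_ip: str, secret: str = SECRET) -> str:
    """Hash the same bytes Nginx hashes and encode them the way it expects:
    MD5 -> base64 with '+/' replaced by '-_' and '=' padding removed."""
    material = f"{expires}{uri}{client_ip} {secret}".encode()
    digest = hashlib.md5(material).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def signed_url(uri: str, client_ip: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """URL the application hands to an authorised user; valid for ttl_seconds."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    return f"{uri}?md5={make_token(uri, expires, client_ip)}&expires={expires}"


def check(uri: str, md5: str, expires: int, client_ip: str, now: int,
          secret: str = SECRET) -> str:
    """Reproduce the value Nginx puts in $secure_link: '' for a wrong token,
    '0' for a correct but expired one, '1' for a valid one."""
    expected = make_token(uri, expires, client_ip, secret)
    if not hmac.compare_digest(expected, md5):  # constant-time comparison
        return ""
    return "0" if expires < now else "1"
```

Changing the URI, the client IP or the expiry in the query string invalidates the token, so a hotlinked copy of the URL stops working for other clients and after the TTL.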

Set cache time

Set a reasonable cache lifetime for resources that rarely change (images, videos, etc.) to reduce the bandwidth consumed when they are hotlinked.

location ~* \.(jpg|jpeg|png|gif|bmp)$ {
    expires 30d;  # Cache for 30 days
}

Practical scenarios

Preventing image hotlinking

A common practical scenario is preventing other websites from hotlinking images from your site. If your images are large, hotlinking wastes bandwidth and can also hurt your site's loading speed and SEO ranking. Configure Referer-based hotlink protection in Nginx so that only your own site can load the images.

Protecting downloadable files

For files that only paying or specific users should be able to download (e-books, software packages, etc.), you can use a hotlink-protection policy to ensure that only users who have purchased or registered can access these resources.

server {
    listen 80;
    server_name ;

    location /downloads/ {
        valid_referers none blocked ;
        if ($invalid_referer) {
            return 403;
        }
        root /var/www/;
    }
}

Protecting video links

In video streaming scenarios, hotlink protection is particularly important, especially for video websites and educational platforms, to prevent other sites from pulling video resources through direct URL requests. Referer-based hotlink protection and IP restrictions can be combined for this.

This concludes this article on the various ways to implement hotlink protection in Nginx. For more on implementing hotlink protection in Nginx, please search my previous articles or continue browsing the related articles below. I hope everyone will keep supporting me!