1. Common anti-hotlinking strategies

Most websites protect assets such as images, music and video against hotlinking, so that other sites cannot embed them directly or scrape them. The strategy depends on the requirements; common ones are:

  • anti-hotlinking based on the request's origin (the Referer header)
  • anti-hotlinking based on user login verification
  • anti-hotlinking based on cookie verification
  • anti-hotlinking based on CAPTCHA verification

  ......

For images and similar resources, most sites use the Referer-based approach, which can be configured directly in nginx.

2. http_referer_module

2.1. Directive

  • Syntax:  valid_referers none | blocked | server_names | string ... ;
  • Default: none (the check is off)
  • Context: server, location

2.2. Description

  • valid_referers specifies which Referer values are considered legitimate. When the request's Referer is valid, $invalid_referer is the empty string; otherwise it is "1".
  • none: the request carries no Referer header
  • blocked: the request carries a Referer header, but its value has been stripped by a proxy or firewall
  • server_names: any of the current virtual host's server_name entries
  • strings: strings that the Referer is matched against:

    • arbitrary string: a hostname, optionally followed by a URI prefix, that the Referer must match; * may be used at the start or the end of the hostname, and the port is ignored
    • regular expression: matched as a regex; it must start with ~ and is applied to the part of the Referer after http:// or https://.

2.3. Example

2.3.1. Configuration

  [root@centos-81 ~]# cat /etc/nginx/conf.d/localhost.conf

  server {
      listen 80;
      server_name localhost *.heyang.com;
      # 'blocked' (not 'block') is the keyword for a Referer masked by a proxy or firewall;
      # any other bare word is treated as a hostname to match.
      valid_referers none blocked server_names
                     *.jsmlr.gov.cn 192.168.* 172.16.* 10.1.*
                     ~\.baidu\. ~\.google\. ~\.sogou\. ~\.so\. ~\.bing\. ~\.sm\. ;
      if ($invalid_referer) {
          return 403;
      }
      ......

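To make the matching rules above concrete, here is a small Python model of the decision nginx makes for valid_referers, written for this page; it is not nginx's implementation and not code from the original post. The function names (is_invalid_referer, decide, _host_matches) are mine; SERVER_NAMES and VALID_REFERERS reproduce the server block above, with blocked spelled as nginx requires, and the sample Referer values are constructed. Beyond the page's four curl cases it also covers a Referer with a port (ignored, per the description), a scheme-less Referer (the blocked case), and what happens when blocked is mistyped as block, which turns the token into an ordinary hostname string.

```python
import re
from urllib.parse import urlsplit

# Model of nginx's valid_referers decision (none / blocked / server_names /
# hostname strings / ~regex) as described on this page. This is an added
# illustration, not nginx's implementation.


def _host_matches(pattern, host):
    """Hostname pattern match: '*' is allowed only at the start or the end."""
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    if pattern.endswith("*"):
        return host.startswith(pattern[:-1])
    return host == pattern


def is_invalid_referer(referer, server_names, valid_referers):
    """Return True when nginx would set $invalid_referer (request denied).

    referer        -- the Referer header value, or None when absent
    server_names   -- entries of the server block's server_name
    valid_referers -- tokens exactly as written after valid_referers
    """
    if referer is None:                       # no Referer at all -> 'none'
        return "none" not in valid_referers

    # A value that does not start with http:// or https:// is what nginx
    # treats as a Referer masked by a proxy or firewall -> 'blocked'.
    low = referer.lower()
    if not (low.startswith("http://") or low.startswith("https://")):
        return "blocked" not in valid_referers

    rest = referer.split("://", 1)[1]         # text after the scheme
    parts = urlsplit(referer)
    host = (parts.hostname or "").lower()     # urlsplit drops the port
    path = parts.path or ""

    for token in valid_referers:
        if token in ("none", "blocked"):
            continue
        if token == "server_names":
            if any(_host_matches(n.lower(), host) for n in server_names):
                return False
        elif token.startswith("~"):           # regex against host+path
            if re.search(token[1:], rest):
                return False
        else:                                 # hostname[/uri-prefix]
            host_pat, _, uri_prefix = token.partition("/")
            if _host_matches(host_pat.lower(), host) and (
                not uri_prefix or path.startswith("/" + uri_prefix)
            ):
                return False
    return True


# The server block from this page, as tokens ('blocked' spelled as nginx expects).
SERVER_NAMES = ["localhost", "*.heyang.com"]
VALID_REFERERS = [
    "none", "blocked", "server_names",
    "*.jsmlr.gov.cn", "192.168.*", "172.16.*", "10.1.*",
    r"~\.baidu\.", r"~\.google\.", r"~\.sogou\.", r"~\.so\.", r"~\.bing\.", r"~\.sm\.",
]


def decide(referer, valid_referers=VALID_REFERERS):
    """Status the page's 'if ($invalid_referer) { return 403; }' would yield."""
    return 403 if is_invalid_referer(referer, SERVER_NAMES, valid_referers) else 200


if __name__ == "__main__":
    # Constructed sample Referer values; the first four mirror the page's curl tests.
    for ref in [None, "http://www.heyang.com", "http://so.sm.com/",
                "http://www.dmzj.com", "http://192.168.1.50:8080/index.html",
                "example.com"]:
        print(f"{ref!r:40} -> {decide(ref)}")
    # With the spelling 'block', the token is just a hostname string and a
    # scheme-less (masked) Referer is no longer covered -> 403.
    typo = ["block" if t == "blocked" else t for t in VALID_REFERERS]
    print("example.com with 'block' instead of 'blocked' ->", decide("example.com", typo))
```

Running the script prints 200 for the absent, server_name, 神马 (.sm.) and port-carrying cases and 403 for www.dmzj.com, matching the tests that follow. Two points worth keeping in mind when reading the results: the Referer is supplied by the client, so this control stops browsers on third-party pages from embedding the assets rather than a client that chooses its own headers; and a misspelled keyword silently becomes a hostname pattern, so it pays to test the masked-Referer case after editing the directive.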
2.3.2. Tests

  • Referer absent (none)

    [root@centos-50 ~]# curl -s -v --compressed -A "User-Agent:Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0" 192.168.1.81 >/dev/null

    > GET / HTTP/1.1
    > User-Agent: User-Agent:Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0
    > Host: 192.168.1.81
    > Accept: */*
    > Accept-Encoding: deflate, gzip
    >
    < HTTP/1.1 200 OK
    < Server: nginx/1.14.2
    < Date: Mon, 31 Dec 2018 08:17:34 GMT
    < Content-Type: text/html
    ......

  • Referer is one of the current virtual host's server_name entries

    [root@centos-50 ~]# curl -s -v --compressed -A "User-Agent:Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0" -e "http://www.heyang.com" 192.168.1.81 >/dev/null

    > GET / HTTP/1.1
    > User-Agent: User-Agent:Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0
    > Host: 192.168.1.81
    > Accept: */*
    > Accept-Encoding: deflate, gzip
    > Referer: http://www.heyang.com
    >
    < HTTP/1.1 200 OK
    < Server: nginx/1.14.2
    < Date: Mon, 31 Dec 2018 08:23:20 GMT
    < Content-Type: text/html
    ......

  • Referer is one of the listed hostnames (神马 search, matched by ~\.sm\.)

    [root@centos-50 ~]# curl -s -v --compressed -A "User-Agent:Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0" -e "http://so.sm.com/" 192.168.1.81 >/dev/null

    > GET / HTTP/1.1
    > User-Agent: User-Agent:Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0
    > Host: 192.168.1.81
    > Accept: */*
    > Accept-Encoding: deflate, gzip
    > Referer: http://so.sm.com/
    >
    < HTTP/1.1 200 OK
    < Server: nginx/1.14.2
    < Date: Mon, 31 Dec 2018 08:24:52 GMT
    < Content-Type: text/html

  • Referer is anything else

    [root@centos-50 ~]# curl -s -v --compressed -A "User-Agent:Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0" -e "http://www.dmzj.com" 192.168.1.81 >/dev/null

    > GET / HTTP/1.1
    > User-Agent: User-Agent:Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0
    > Host: 192.168.1.81
    > Accept: */*
    > Accept-Encoding: deflate, gzip
    > Referer: http://www.dmzj.com
    >
    < HTTP/1.1 403 Forbidden
    < Server: nginx/1.14.2
    < Date: Mon, 31 Dec 2018 08:26:33 GMT
    < Content-Type: text/html