Nginx: using valid_referers to add anti-hotlinking to a personal image host

Original link: https://hellodk.cn/post/1139

I have watched several free public image hosts go from free use to shutting down, which is awkward. Several articles on this blog used other people's image hosts, and when those sites went away I had not backed up the images, so the images in those articles are 404 forever. A pity. Since 2022-06-09 22:58:51 I have run my own image host with the Lsky Pro program, on the pve-debian11 machine at home. For it I also wrote PicGo upload plug-ins for both the v1 and v2 versions of the image host, and built a docker image that starts a Lsky Pro image-host container with one click.

The public domain name of my image host is image.940304.xyz . It currently serves only my two blogs, whose domain names are hellodk.cn and blog.hellodk.com .

Most object-storage services that host images provide a web GUI for setting referer rules to prevent hotlinking. With nginx, my self-hosted image host can meet the same requirement easily.

How my image host is deployed

  • The intranet service listens at http://10.10.10.5:7791
  • frpc runs on the intranet
  • Public server A runs frps, and the frps port is reverse-proxied by nginx

So the feature I want can be implemented entirely in the nginx configuration on public server A.

See the nginx documentation for ngx_http_referer_module: http://nginx.org/en/docs/http/ngx_http_referer_module.html

The example configuration from the official documentation:

    valid_referers none blocked server_names
                   *.example.com example.* www.example.org/galleries/
                   ~\.google\.;

    if ($invalid_referer) {
        return 403;
    }

Read the link above for the details; here is my configuration. When someone embeds my images in their blog, I want them to receive a placeholder image that I made instead of a 403. Once the placeholder image is finished, I will host it on another image host.

Do not hotlink images from my image host

    server {
        listen 80;
        server_name image.940304.xyz;
        return 301 https://$host$request_uri;  # force redirect from HTTP to HTTPS
        server_tokens off;
    }

    server {
        listen 443 ssl;
        server_name image.940304.xyz;
        server_tokens off;

        ssl_certificate /etc/letsencrypt/live/940304.xyz/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/940304.xyz/privkey.pem;
        # HSTS, to defend against man-in-the-middle attacks
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        proxy_max_temp_file_size 0;

        location / {
            proxy_pass http://127.0.0.1:81;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $server_name;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header Host $host;
            proxy_read_timeout 1200s;
            client_max_body_size 0;

            # CORS settings: allow all origins
            add_header 'Access-Control-Allow-Origin' *;
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'DNT,web-token,app-token,Authorization,Accept,Origin,Keep-Alive,User-Agent,X-Mx-ReqToken,X-Data-Type,X-Auth-Token,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
            if ($request_method = 'OPTIONS') {
                # handle OPTIONS preflight requests
                return 204;
            }
            # end of CORS settings

            # Anti-hotlinking: because the CORS settings above allow every origin,
            # the referer whitelist below is what restricts which domains may embed images
            valid_referers none blocked image.940304.xyz hellodk.cn *.hellodk.cn hellodk.com *.hellodk.com;
            if ($invalid_referer) {
                # return a placeholder image, or simply return 403
                rewrite ^/ https://img.gejiba.com/images/cb17f018cbc523e6d75427203976da27.jpg;
                #return 403;
            }
            # To restrict hotlinking only for particular file extensions,
            # place the block above inside a location like this one:
            # location ~* \.(js|css|gif|jpg|png|jpeg)$ {
            #}
        }
    }

Some notes

  • none in valid_referers should generally be included, because the request headers may not contain a Referer field at all when a user loads the image.
  • blocked in valid_referers should also generally be included. It covers the case where the “Referer” field is present in the request header but its value has been stripped by a firewall or proxy server; such values are strings that do not start with “http://” or “https://”.
  • For the allowed server names, list the domain names you trust. Mine are:
    • image.940304.xyz
    • hellodk.cn
    • *.hellodk.cn
    • hellodk.com
    • *.hellodk.com
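To see exactly which requests the whitelist above lets through, here is an added example (my own code, not the author's or nginx's) that models the matching the ngx_http_referer_module performs: a missing header is `none`, a header that is not an http(s) URL is `blocked`, otherwise the host part is compared case-insensitively against the listed names, with `*.` entries matching subdomains only and an optional URI prefix as in the official `www.example.org/galleries/` example. Regex (`~`) entries are not modelled; the sample Referer values in the test are constructed.

```python
"""Offline model of nginx valid_referers matching (added example, not the page's code)."""
from __future__ import annotations

# The author's whitelist, exactly as written in the location block above.
VALID_REFERERS = ["none", "blocked", "image.940304.xyz",
                  "hellodk.cn", "*.hellodk.cn", "hellodk.com", "*.hellodk.com"]


def referer_is_valid(referer: str | None, valid_referers: list[str]) -> bool:
    """Return True if nginx would leave $invalid_referer empty for this Referer header."""
    if not referer:
        # No Referer header at all: allowed only when "none" is listed.
        return "none" in valid_referers

    lower = referer.lower()
    for scheme in ("http://", "https://"):
        if lower.startswith(scheme):
            rest = referer[len(scheme):]
            break
    else:
        # Header present but not an http(s) URL (stripped by a proxy or firewall,
        # or a non-web client): this is the "blocked" case.
        return "blocked" in valid_referers

    # nginx takes the host part up to the first '/' or ':' and lowercases it;
    # the path (from the first '/') is only used for entries that carry a URI prefix.
    host_end = len(rest)
    for i, ch in enumerate(rest):
        if ch in "/:":
            host_end = i
            break
    host = rest[:host_end].lower()
    path = rest[rest.find("/"):] if "/" in rest else "/"

    for entry in valid_referers:
        if entry in ("none", "blocked") or entry.startswith("~"):
            continue  # handled above / regex entries not modelled here
        pattern_host, _, pattern_uri = entry.partition("/")
        if pattern_host.startswith("*."):
            # "*.hellodk.cn" matches sub.hellodk.cn but NOT hellodk.cn itself,
            # which is why the author lists both forms.
            host_ok = host.endswith(pattern_host[1:])
        else:
            host_ok = host == pattern_host
        if host_ok and path.startswith("/" + pattern_uri):
            return True
    return False
```

Because the Referer header is supplied by the client, this is a deterrent against other sites embedding your images, not an access control.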

The final effect: if I remove *.hellodk.com from valid_referers (remember to run nginx -s reload afterwards) and then visit https://blog.hellodk.com/blog/post/dk11/%E6%89%93%E5%8D%A1%E5%8D%97%E4%BA%AC%E5%B8%82%E5%8C%BA%E4%BA%BA%E9%98%B2%E5%B7%A5%E7%A8%8B%E7%BA%B3%E5%87%89%E7%82%B9 , I see the following page:

[Screenshot: Air defense engineering enjoy the cool.jpg]

So now I basically don't have to worry about the images being hotlinked. Sometimes a host really does get drained in a single night and tens of thousands are gone… a painful memory for many people.

This article is transferred from: https://hellodk.cn/post/1139
This site is only for collection, and the copyright belongs to the original author.