I. Anti-hotlinking
Hotlinking refers to a site's resources being misappropriated by other websites.
The basic idea of anti-hotlinking is to validate the legitimacy of a request from the header information the client sends with it; for example, a client normally carries a Referer header when it requests a resource. The advantage is that the rules are simple and easy to configure and use; the disadvantage is that the Referer value the check relies on can be forged, so Referer-based anti-hotlinking is not 100% reliable, but it does stop the majority of hotlinking.
II. Configuring anti-hotlinking
1. Anti-hotlinking configuration syntax
Syntax: valid_referers none | blocked | server_names | string ...;
Default: -;
Context: server, location
none: the request carries no Referer header at all
blocked: the Referer header is present, but its value does not start with http:// or https://
server_names: the Referer header contains one of the current server's names; regular expression matching (strings starting with ~) is also possible
Example usage:
    valid_referers none blocked server_names
                   *.example.com example.* www.example.org/galleries/
                   ~\.google\.;
    if ($invalid_referer) {
        return 403;
    }
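To make the matching rules above concrete, here is a small Python re-implementation of how the nginx referer module decides the value of $invalid_referer (header absent, value without an http(s) scheme, server names, leading/trailing wildcard strings, URI prefixes and ~ regexes). It is an added illustration, not part of this tutorial and not nginx code; the function names (invalid_referer and its helpers) are my own, the Referer values fed to it are constructed, and it follows the documented semantics of the module (scheme stripped case-insensitively, port ignored, regex applied to the text after the scheme). DOC_RULES is the directive from the example above and PAGE_RULES the one used in section 5, so the two curl requests from section 6 can be checked offline as well.

```python
import re

KEYWORDS = ("none", "blocked", "server_names")


def _split_rule(rule):
    """Split a hostname rule such as 'www.example.org/galleries/' into
    (host pattern, URI prefix); the prefix is '' when the rule has no path."""
    host, sep, path = rule.partition("/")
    return host.lower(), sep + path


def _host_matches(pattern, host):
    """Hostname comparison with the single leading or trailing '*' nginx allows:
    '*.example.com' matches subdomains only, 'example.*' matches any suffix
    (so also 'example.com.other.test', which is why trailing wildcards are broad)."""
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    if pattern.endswith("*"):
        return host.startswith(pattern[:-1])
    return host == pattern


def invalid_referer(referer, rules, server_names=()):
    """Return True when nginx would set $invalid_referer for this request.

    referer      -- raw Referer header value; None means the header is absent
    rules        -- the arguments of a valid_referers directive, as a list
    server_names -- this server block's server_name values (for 'server_names')
    """
    keywords = {r for r in rules if r in KEYWORDS}
    patterns = [r for r in rules if r not in KEYWORDS]

    if referer is None:
        return "none" not in keywords

    low = referer.lower()
    if low.startswith("http://"):
        rest = referer[len("http://"):]
    elif low.startswith("https://"):
        rest = referer[len("https://"):]
    else:
        # present but not an http(s) URL: the 'blocked' case
        return "blocked" not in keywords

    # the host ends at the first '/' or ':' (the port is ignored by nginx)
    host = re.match(r"[^/:]*", rest).group(0).lower()
    path = rest[rest.find("/"):] if "/" in rest else "/"

    candidates = []
    if "server_names" in keywords:
        candidates.extend((name.lower(), "") for name in server_names)

    for rule in patterns:
        if rule.startswith("~"):
            # regexes are matched against the text after the scheme; the
            # referer module compiles them case-insensitively
            if re.search(rule[1:], rest, re.IGNORECASE):
                return False
            continue
        # anything that is not a keyword or regex is a hostname pattern, so a
        # misspelt keyword such as 'server_name' silently becomes a literal host
        candidates.append(_split_rule(rule))

    for host_pattern, prefix in candidates:
        if _host_matches(host_pattern, host) and path.startswith(prefix):
            return False
    return True


# The directive from the syntax example above, and the one used in section 5.
DOC_RULES = ["none", "blocked", "server_names", "*.example.com", "example.*",
             "www.example.org/galleries/", r"~\.google\."]
PAGE_RULES = ["none", "blocked", "beidl.test.com", "server_names", "*.example.com"]

if __name__ == "__main__":
    # constructed Referer values; the last two are the ones curl sends in section 6
    for ref in [None, "stripped-by-proxy", "http://www.example.org/galleries/1.jpg",
                "http://www.example.org/photos/1.jpg", "http://images.google.co.uk/x",
                "https://www.example.com", "https://www.google.com"]:
        doc = "DENY" if invalid_referer(ref, DOC_RULES, ["beidl.test.com"]) else "allow"
        page = "DENY" if invalid_referer(ref, PAGE_RULES, ["beidl.test.com"]) else "allow"
        print(f"{str(ref):45} doc rules: {doc:5}  page rules: {page}")
```

Two things the run makes visible: the check looks only at the header string, so any client that sets an allowed Referer passes (the limitation stated in section I), and a trailing wildcard such as example.* accepts every host that merely starts with "example.", so prefer exact names or leading wildcards where you can.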
2. Configure the machine being hotlinked (web02)
1) Configure nginx
[root@web02 conf.d]# vim beidl.conf
server {
    listen 80;
    server_name beidl.test.com;
    location / {
        root /code;
        index index.html;
    }
}
2) Upload two images
[root@web02 code]# ll
total 123748
-rw-r--r-- 1 www www 657306 Mar 21 2019 1.jpg
-rw-r--r-- 1 www www 475653 Jul 17 2019 2.jpg
3) Restart nginx
3. Configure the hotlinking machine (web01)
1) Configure nginx
[root@web01 conf.d]# vim dl.conf
server {
    listen 80;
    server_name dl.test.com;
    location / {
        root /code/dl;
        index index.html;
    }
}
2) Configure the hotlinking page
3) Configure hosts
4. Configure anti-hotlinking on the machine being hotlinked (web02)
[root@web02 conf.d]# vim beidl.conf
server {
    listen 80;
    server_name beidl.test.com;
    root /code;
    location / {
        index index.html;
    }
    location ~* \.(jpg|png|gif)$ {
        valid_referers none blocked beidl.test.com;
        if ($invalid_referer) {
            return 500;                    # return an error directly
            #rewrite (.*) /2.jpg break;    # or serve a substitute image instead; break keeps the rewrite from re-entering this location and looping
        }
    }
}
5. Allow multiple domains to access the images
server {
    listen 80;
    server_name beidl.test.com;
    root /code;
    location / {
        index index.html;
    }
    location ~* \.(jpg|png|gif)$ {
        valid_referers none blocked beidl.test.com server_names *.example.com;
        if ($invalid_referer) {
            return 500;
            #rewrite (.*) /2.jpg break;
        }
    }
}
6. Accessing with a forged Referer header
[root@web01 conf.d]# curl -e "https://www.example.com" -I beidl.test.com/1.jpg
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Thu, 12 Mar 2020 03:10:32 GMT
Content-Type: image/jpeg
Content-Length: 657306
Last-Modified: Thu, 21 Mar 2019 05:54:55 GMT
Connection: keep-alive
ETag: "5c93272f-a079a"
Accept-Ranges: bytes
[root@web01 conf.d]# curl -e "https://www.google.com" -I beidl.test.com/1.jpg
HTTP/1.1 500 Internal Server Error
Server: nginx/1.16.1
Date: Thu, 12 Mar 2020 03:10:41 GMT
Content-Type: text/html
Content-Length: 177
Connection: close
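The two curl requests above are the manual check; once the rule is live, the access log is where you see whether it is doing its job and which sites are still trying. The following Python script is an added example, not part of this tutorial: it parses nginx's default "combined" log format, keeps only requests the image location handles, and reports served versus denied requests per Referer host. The log lines are constructed to mirror this setup (dl.test.com embedding 1.jpg from beidl.test.com, the web01 curl tests, and a direct visit with no Referer); the function names and the 500 status are taken from this page's config, where a 403 would be the more conventional choice.

```python
import re

# nginx's default "combined" log_format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
# "$http_referer" "$http_user_agent"
COMBINED_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Same extension list as the tutorial's image location block.
IMAGE_RE = re.compile(r"\.(jpg|png|gif)$", re.IGNORECASE)

# Constructed sample lines modelled on the tutorial's setup: dl.test.com
# embedding 1.jpg from beidl.test.com, which returns 500 on an invalid referer.
SAMPLE_LOG = """\
10.0.0.7 - - [12/Mar/2020:11:10:01 +0800] "GET /1.jpg HTTP/1.1" 200 657306 "http://beidl.test.com/" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2020:11:10:05 +0800] "GET /1.jpg HTTP/1.1" 500 177 "http://dl.test.com/" "Mozilla/5.0"
10.0.0.8 - - [12/Mar/2020:11:10:09 +0800] "GET /2.jpg HTTP/1.1" 500 177 "http://dl.test.com/" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2020:11:10:32 +0800] "HEAD /1.jpg HTTP/1.1" 200 0 "https://www.example.com" "curl/7.29.0"
10.0.0.9 - - [12/Mar/2020:11:10:41 +0800] "HEAD /1.jpg HTTP/1.1" 500 0 "https://www.google.com" "curl/7.29.0"
10.0.0.5 - - [12/Mar/2020:11:11:00 +0800] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2020:11:11:01 +0800] "GET /1.jpg HTTP/1.1" 200 657306 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def referer_host(referer):
    """Reduce a logged $http_referer to the host nginx compared, or to a label
    for the 'none' ('-' in the log) and 'blocked' (non-http value) cases."""
    if referer in ("", "-"):
        return "(none)"
    low = referer.lower()
    if low.startswith("http://"):
        rest = referer[len("http://"):]
    elif low.startswith("https://"):
        rest = referer[len("https://"):]
    else:
        return "(blocked)"
    return re.match(r"[^/:]*", rest).group(0).lower()


def image_requests(log_text):
    """Yield parsed records for requests that the image location would handle."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and IMAGE_RE.search(rec["path"].split("?", 1)[0]):
            yield rec


def referer_report(log_text, denied=(403, 500)):
    """Count served and denied image requests per referer host.
    Returns {host: {"served": n, "denied": n}}; 'denied' defaults to 403 and
    to the 500 this tutorial's config returns."""
    report = {}
    for rec in image_requests(log_text):
        slot = report.setdefault(referer_host(rec["referer"]), {"served": 0, "denied": 0})
        slot["denied" if rec["status"] in denied else "served"] += 1
    return report


def hotlink_sources(log_text, denied=(403, 500)):
    """Referer hosts whose image requests were denied, most frequent first."""
    report = referer_report(log_text, denied)
    return sorted(((host, s["denied"]) for host, s in report.items() if s["denied"]),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for host, counts in sorted(referer_report(SAMPLE_LOG).items()):
        print(f"{host:20} served={counts['served']} denied={counts['denied']}")
    print("denied referers:", hotlink_sources(SAMPLE_LOG))
```

Read the report with the caveat from section I in mind: a client that forges an allowed Referer shows up under the allowed host as "served", because the log records what the header said, not who actually sent it. The "(none)" row is expected traffic from direct visits and most non-browser clients, which is why the tutorial keeps none and blocked in the list.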