About Referer Anti-Hotlinking

Author: StarDustMrsu | Published 2019-11-14 15:33, read 0 times

    Basic principle

    The check and the restriction are based on the Referer. The HTTP Referer is part of the request header: when a browser renders a page that embeds an image hosted on another site, its request for that image carries the originating site's information in the Referer field. If the site hosting the image has anti-hotlinking rules configured, this gives it a degree of access control.

    The ngx_http_referer_module module

    Syntax: valid_referers none | blocked | server_names | string ...;
    Context: server, location

    none: matches requests whose header carries no Referer field at all (the Referer is empty).
    blocked: matches requests where a Referer field is present in the header, but its value has been deleted by a firewall or proxy server.
    server_names: domain names; checks whether the value of the Referer header falls within these domains.

    Configuration example

    location ~* \.(?:jpg|jpeg|png)$ {
        expires 1M;
        add_header Cache-Control "public";
        # whitelist: requests with no Referer, with a Referer stripped by a
        # firewall or proxy, or from any *.baidu.com host are allowed
        valid_referers none blocked *.baidu.com;
        # $invalid_referer is set to "1" for every other Referer value
        if ($invalid_referer) {
            return 403;
        }
    }


    The location block first matches the resource file types; the valid_referers directive then sets the whitelist, i.e. the allowed domains. For any other domain that is not in the valid_referers list, the $invalid_referer variable takes the value 1, and the if block returns 403.
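As an added example (not from the original post and not nginx's own code), the following Python model reproduces how valid_referers decides $invalid_referer for the location above, run over constructed Referer values; it also includes the header value that a single curl -H flag produces in test 4 below. The model is an assumption-driven simplification: it handles none, blocked, exact hosts and leading-wildcard patterns only, not server_names, URI prefixes or ~regex rules.

```python
from urllib.parse import urlsplit

# Rules copied from the location block above. This is a model of the nginx
# check, not nginx's code (assumption: only none / blocked / exact host /
# leading-wildcard patterns; no server_names, URI prefixes or ~regex rules).
RULES = ["none", "blocked", "*.baidu.com"]

def referer_is_valid(referer, rules):
    """True when the Referer value satisfies one of the rules.
    referer is None when the request carried no Referer header at all."""
    if referer is None:
        return "none" in rules                 # 'none': header absent
    value = referer.strip().lower()            # matching is case-insensitive
    if not value.startswith(("http://", "https://")):
        return "blocked" in rules              # 'blocked': present but stripped
    host = urlsplit(value).hostname or ""      # the port is ignored, as in nginx
    for rule in rules:
        if rule in ("none", "blocked"):
            continue
        if rule.startswith("*."):
            # '*.baidu.com' needs a label before '.baidu.com';
            # the bare apex 'baidu.com' does not match
            if host.endswith(rule[1:]):
                return True
        elif host == rule:
            return True
    return False

def invalid_referer(headers, rules=RULES):
    """Mimic the $invalid_referer variable: '' when allowed, '1' when the
    location's `if ($invalid_referer) { return 403; }` would fire."""
    return "" if referer_is_valid(headers.get("Referer"), rules) else "1"

# Constructed requests modelled on the curl tests in the post
SAMPLES = {
    "no Referer (direct visit)": {},
    "wrong site": {"Referer": "http://sby1105.kivensu.club/"},
    "allowed site, mixed case": {"Referer": "https://WWW.baidu.com"},
    "allowed site with port and path": {"Referer": "https://image.baidu.com:443/s?tn=1"},
    "apex domain, no subdomain": {"Referer": "https://baidu.com/"},
    "present but emptied by a proxy": {"Referer": ""},
    # one curl -H flag => one Referer header carrying this whole string
    "step 4 header as sent": {"Referer": "https://www.baidu.com UserAgent:edge"},
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        status = 403 if invalid_referer(headers) else 200
        print(f"{status}  {label}")
```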

    Additional notes

    Using curl with custom request headers to test the anti-hotlinking features of a cloud CDN

    1. Set a wrong Referer.
    [root@iZ2zej4i2jdf3mpednw9vrZ ~]# curl -I https://su1105.kivensu.club/001.jpg -H 'Referer:http://sby1105.kivensu.club/'
    HTTP/1.1 403 Forbidden
    Server: Tengine
    Date: Thu, 07 Nov 2019 06:17:10 GMT
    Content-Type: text/html
    Content-Length: 254
    Connection: keep-alive
    Strict-Transport-Security: max-age=5184000
    X-Tengine-Error: denied by Referer ACL
    Via: kunlun8.cn1474[,403003]
    Timing-Allow-Origin: *
    EagleId: dede581c15731074305801803e
    
    2. Set an empty Referer.
    [root@iZ2zej4i2jdf3mpednw9vrZ ~]# curl -I https://su1105.kivensu.club/001.jpg 
    HTTP/1.1 403 Forbidden
    Server: Tengine
    Date: Thu, 07 Nov 2019 06:17:30 GMT
    Content-Type: text/html
    Content-Length: 254
    Connection: keep-alive
    Strict-Transport-Security: max-age=5184000
    X-Tengine-Error: denied by Referer ACL
    Via: kunlun8.cn1474[,403003]
    Timing-Allow-Origin: *
    EagleId: dede581c15731074506567942e
    
    3. Set a correct Referer.
    [root@iZ2zej4i2jdf3mpednw9vrZ ~]# curl -I https://su1105.kivensu.club/001.jpg -H 'Referer:https://www.baidu.com'
    HTTP/1.1 200 OK
    Server: Tengine
    Content-Type: image/jpeg
    Content-Length: 79033
    Connection: keep-alive
    Strict-Transport-Security: max-age=5184000
    Date: Thu, 07 Nov 2019 06:10:49 GMT
    Last-Modified: Mon, 04 Nov 2019 06:15:49 GMT
    ETag: "5dbfc215-134b9"
    Expires: Sat, 07 Dec 2019 06:10:49 GMT
    Cache-Control: max-age=2592000
    Cache-Control: public
    Accept-Ranges: bytes
    Ali-Swift-Global-Savetime: 1573107049
    Via: cache17.l2cm9-5[23,200-0,M], cache4.l2cm9-5[25,0], kunlun10.cn1474[0,200-0,H], kunlun8.cn1474[2,0]
    Age: 434
    X-Cache: HIT TCP_HIT dirn:10:539000673
    X-Swift-SaveTime: Thu, 07 Nov 2019 06:10:49 GMT
    X-Swift-CacheTime: 2592000
    Timing-Allow-Origin: *
    EagleId: dede581c15731074830701514e
    
    4. Set a correct Referer and a blacklisted User-Agent.
    [root@iZ2zej4i2jdf3mpednw9vrZ ~]# curl -I https://su1105.kivensu.club/001.jpg -H 'Referer:https://www.baidu.com UserAgent:edge'
    HTTP/1.1 403 Forbidden
    Server: Tengine
    Date: Thu, 07 Nov 2019 06:28:13 GMT
    Content-Type: text/html
    Content-Length: 254
    Connection: keep-alive
    Strict-Transport-Security: max-age=5184000
    X-Tengine-Error: denied by Referer ACL
    Via: kunlun6.cn1474[,403003]
    Timing-Allow-Origin: *
    EagleId: dede581a15731080932208007e
    
    5. Set up URL authentication together with a correct Referer.
    [root@iZ2zej4i2jdf3mpednw9vrZ ~]# curl -I https://su1105.kivensu.club/001.jpg?auth_key=1573117732-0-0-0e32e263bb8c64bb43f224d82f794ae2 -H 'Referer:https://www.baidu.com'
    HTTP/1.1 200 OK
    Server: Tengine
    Content-Type: image/jpeg
    Content-Length: 79033
    Connection: keep-alive
    Strict-Transport-Security: max-age=5184000
    Date: Thu, 07 Nov 2019 06:10:49 GMT
    Last-Modified: Mon, 04 Nov 2019 06:15:49 GMT
    ETag: "5dbfc215-134b9"
    Expires: Sat, 07 Dec 2019 06:10:49 GMT
    Cache-Control: max-age=2592000
    Cache-Control: public
    Accept-Ranges: bytes
    Ali-Swift-Global-Savetime: 1573107049
    Via: cache17.l2cm9-5[23,200-0,M], cache4.l2cm9-5[25,0], kunlun10.cn1474[0,200-0,H], kunlun2.cn1474[194,0]
    Age: 7146
    X-Cache: HIT TCP_HIT dirn:10:539000673
    X-Swift-SaveTime: Thu, 07 Nov 2019 06:10:49 GMT
    X-Swift-CacheTime: 2592000
    Timing-Allow-Origin: *
    EagleId: dede581615731141953898826e
    

    Article link: https://www.haomeiwen.com/subject/axmrictx.html