server-configs-nginx/docs/hotlink-protection.md

58 lines
1.6 KiB
Markdown

[Nginx Server Configs homepage](https://github.com/h5bp/server-configs-nginx)
# Hotlink Protection
Depending on how sensitive assets are, nginx offers a few options for protecting
assets.
## valid_referers
the simplest way to protect assets from hotlinking is to use
[valid_referers](https://nginx.org/en/docs/http/ngx_http_referer_module.html).
It's easy to use, this would be included in a relevant location block:
valid_referers none blocked example.com *.example.com;
if ($invalid_referer) {
return 403;
}
## secure_link
The [secure_link module](https://nginx.org/en/docs/http/ngx_http_secure_link_module.html)
provides a flexible, more robust means of protecting assets from being hotlinked or
downloaded outside from outside the web itself.
It is more involved to setup and use but, for example, permits time limited and
IP-restricted (or restricted on any other parameter desired) links to assets.
Example nginx config:
secure_link $arg_md5,$arg_expires;
secure_link_md5 "$secure_link_expires$uri$remote_addr secret";
if ($secure_link = "") {
# No get args, or invalid hash
return 403;
}
if ($secure_link = "0") {
# valid hash, but the link is now expired
return 410;
}
if ($secure_link = "1") {
# valid hash, and link is still fresh
...
}
This requires implementing server-side logic to generate links of the form:
https://example.com/protected/url.ext?md5=hash&expires=timestamp
where:
hash = md5({timestamp}/protected/url.ext{clientip} secret)
"secret" should be application-specific and needs to match in the nginx config,
and the function used to generate these secure urls