当前位置：首页 > 扩展阅读 > 正文

Nginx作为静态资源web服务，如何做防盗链的

12-15 扩展阅读博客中心

目的：防止资源被盗用
思路：区别哪些请求是非正常的用户请求

1. 基于http_refer防盗链配置模块
ngx_http_referer_module
语法

Syntax:    valid_referers none | blocked | server_names | string ...;
Default:    —
Context:    server, location

none：请求头中没有 Referer 字段
blocked：请求头中虽然存在“Referer”字段，但是它的值已经被防火墙或代理服务器删除；这些值是不以“http://”或“https://”开头的字符串;
server_names：“Referer”请求头字段包含该服务器名称
任意字符串：定义一个服务器名称和一个可选的URI前缀。服务器名开始或结尾可以有 “*” 。检查时，“Referer”字段中的服务器端口会被忽略。
正则表达式：字符串必须以 ~ 开头，值得注意的是，正则表达式匹配的是在“http://”或“https://”之后的内容。
示例

valid_referers none blocked server_names *.example.com example.* www.example.org/galleries/ ~.google.;

2. 应用实例
1. vim conf.d/static.conf

server {
    location ~ .*.(txt|xml)$ {
         
        # 配置防盗链规则
        valid_referers none blocked 192.168.1.110 *.example.com example.* ~.google.;
 
        # 如果不符合防盗链规则，则返回403
        if ($invalid_referer) {
            return 403;
        }
 
        root /vagrant/doc;
    }
}

2. nginx -s reload 重新载入nginx配置文件
3. 创建 /vagrant/doc/hello.txt 文件
vim /vagrant/a/a.txt

Hello world!

4. 使用 curl进行访问测试
不带referer，可以正常访问

[root~]# curl -I http://127.0.0.1/hello.txt
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Fri, 03 Aug 2018 01:34:12 GMT
Content-Type: text/plain
Content-Length: 12
Last-Modified: Tue, 17 Jul 2018 07:07:22 GMT
Connection: keep-alive
ETag: "5b4d95aa-c"
Accept-Ranges: bytes

referer为 http://www.baidu.com，返回403

[root~]# curl -e "http://www.baidu.com" -I http://127.0.0.1/hello.txt
HTTP/1.1 403 Forbidden
Server: nginx/1.14.0
Date: Fri, 03 Aug 2018 01:34:34 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

referer为 http://192.168.1.110，可以正常访问

[root~]# curl -e "http://192.168.1.110" -I http://127.0.0.1/hello.txt
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Thu, 02 Aug 2018 11:31:51 GMT
Content-Type: text/plain
Content-Length: 12
Last-Modified: Tue, 17 Jul 2018 07:07:22 GMT
Connection: keep-alive
ETag: "5b4d95aa-c"
Accept-Ranges: bytes

referer以 example.开头或 .example.com 结尾，可以正常访问

[root~]# curl -e "http://www.example.com" -I http://127.0.0.1/hello.txt
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Thu, 02 Aug 2018 11:33:47 GMT
Content-Type: text/plain
Content-Length: 12
Last-Modified: Tue, 17 Jul 2018 07:07:22 GMT
Connection: keep-alive
ETag: "5b4d95aa-c"
Accept-Ranges: bytes
 
[root~]# curl -e "http://example.baidu.com" -I http://127.0.0.1/hello.txt
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Thu, 02 Aug 2018 11:33:53 GMT
Content-Type: text/plain
Content-Length: 12
Last-Modified: Tue, 17 Jul 2018 07:07:22 GMT
Connection: keep-alive
ETag: "5b4d95aa-c"
Accept-Ranges: bytes

referer为 http://192.168.1.110，可以正常访问

[root~]# curl -e "http://192.168.1.110" -I http://127.0.0.1/hello.txt
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Thu, 02 Aug 2018 11:31:51 GMT
Content-Type: text/plain
Content-Length: 12
Last-Modified: Tue, 17 Jul 2018 07:07:22 GMT
Connection: keep-alive
ETag: "5b4d95aa-c"
Accept-Ranges: bytes

referer为 http://google.com，返回403

[root~]# curl -e "http://google.com" -I http://127.0.0.1/hello.txt
HTTP/1.1 403 Forbidden
Server: nginx/1.14.0
Date: Thu, 02 Aug 2018 11:37:43 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive

referer为 http://www.google.com，可以正常访问

[root~]# curl -e "http://www.google.com" -I http://127.0.0.1/hello.txt
HTTP/1.1 200 OK
Server: nginx/1.14.0
Date: Thu, 02 Aug 2018 11:37:50 GMT
Content-Type: text/plain
Content-Length: 12
Last-Modified: Tue, 17 Jul 2018 07:07:22 GMT
Connection: keep-alive
ETag: "5b4d95aa-c"
Accept-Ranges: bytes