Hotlink protection configuration
HTML that hotlinks (embeds) content from another website:
<html>
<head>
<meta charset="utf-8">
<title>chenleilei.net</title>
</head>
<body style="background-color:red;">
<img src="http://www.chenleilei.net/image/1.jpg">
</body>
</html>
Open this page in a browser and check the nginx access log: the request for the image arrives with a Referer header naming the page that embedded it.
Hotlink protection methods
1. Deny based on the HTTP Referer header, returning 403 directly
Syntax:
Available options:
Syntax: valid_referers none | blocked | server_names | string ...;
----------
valid_referers none;         ## the request carries no Referer header at all
valid_referers blocked;      ## a Referer header is present but does not start with http:// or https:// (for example, stripped or rewritten by a proxy or firewall); only the presence of a source is checked, not its scheme
valid_referers server_names; ## the Referer host matches one of this server's server_name values; names can be matched with regular expressions, so any source matching a configured name is allowed and everything else is denied
Context: server, location
Example:
location ~ .*\.(jpg|jpeg|gif|png)$ {
    ## declare the legitimate Referers; $invalid_referer is empty (0) when they match and 1 when they do not
    valid_referers none blocked *.baidu.com;
    if ($invalid_referer) {
        return 403;
    }
}
This means every request whose Referer is under *.baidu.com may fetch this site's images. If the source is not in the list, $invalid_referer is set to 1 because the Referer is not legitimate, and the if block returns 403 to the user. "valid_referers none blocked *.baidu.com;" therefore works as a whitelist: sources on the list may use the resource. Combined with the if check, a matching Referer yields 0 (empty), so the request is served normally; a non-matching Referer yields 1 and is rejected.
Hotlink protection on a reverse proxy, variant 1: return 403 directly
nginx is often deployed as a reverse proxy; hotlink protection on a reverse proxy is configured as follows.
# Hotlink protection config 1:
# hotlink protection
location ~ .*\.(jpg|gif|bmp|png)$ {
    valid_referers none blocked ~\.chenleilei\. ~chenleilei.net\. server_names ~\.google\. ~google\. ~baidu\. ~\.baidu\. ~\.bing.com\. ~bing.com\. ~\.sougou\. ~sougou\.;
    if ($invalid_referer) {
        return 403;
        # rewrite ^/ https://www.chenleilei.net/daolian.jpg;
    }
    proxy_pass http://127.0.0.1:8080;
}
# Only Referers containing chenleilei, baidu, google, bing or sougou may use the resources; any other domain gets a 403 error.
Hotlink protection on a reverse proxy, variant 2: return a substitute image
# Hotlink protection config 2:
# hotlink protection
location ~ .*\.(jpg|gif|bmp|png)$ {
    valid_referers none blocked ~\.chenleilei\. ~chenleilei.net\. server_names ~\.google\. ~google\. ~baidu\. ~\.baidu\. ~\.bing.com\. ~bing.com\. ~\.sougou\. ~sougou\.;
    if ($invalid_referer) {
        # return 403;
        rewrite ^/ https://www.chenleilei.net/daolian.jpg;
    }
    proxy_pass http://127.0.0.1:8080;
}
# Only Referers containing chenleilei, baidu, google, bing or sougou may use the resources; any other domain is redirected to the substitute image daolian.jpg instead of receiving a 403.
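Before testing against a live server it helps to see exactly how nginx turns a valid_referers list into $invalid_referer: the scheme is stripped, the host is compared against plain strings, "*." wildcards and server_names, and "~" patterns are run as regular expressions over everything after the scheme, path included. The Python below is an added illustration (not nginx's code and not part of the original post) that models those rules and evaluates both configurations on this page, the simple *.baidu.com whitelist and the reverse-proxy regex list, against constructed sample Referer values; the server_names value "www.chenleilei.net" is an assumption.

```python
import re
from typing import Iterable, Optional

# Directive strings copied from the two configurations on this page.
SIMPLE_DIRECTIVE = "none blocked *.baidu.com"
PROXY_DIRECTIVE = (r"none blocked ~\.chenleilei\. ~chenleilei.net\. server_names "
                   r"~\.google\. ~google\. ~baidu\. ~\.baidu\. ~\.bing.com\. ~bing.com\. "
                   r"~\.sougou\. ~sougou\.")


class ValidReferers:
    """Model of nginx's valid_referers: decides the value of $invalid_referer.

    Added illustration, not nginx's own code. It follows the documented rules:
    "none" accepts a missing Referer; "blocked" accepts one that lacks an
    http:// or https:// scheme; otherwise the scheme is stripped, the host (up
    to the first "/" or ":") is compared case-insensitively against plain
    strings, "*.example" / "example.*" wildcards and the server_names list, and
    "~" patterns are regular expressions matched over the whole remainder.
    """

    def __init__(self, directive: str, server_names: Iterable[str] = ()):
        self.none = False
        self.blocked = False
        self.hosts = set()     # exact host strings (server_names and plain entries)
        self.suffixes = []     # "*.baidu.com" -> ".baidu.com"; needs at least one label in front
        self.prefixes = []     # "www.baidu.*" -> "www.baidu."; needs at least one label after
        self.regexes = []
        for item in directive.rstrip(";").split():
            if item == "none":
                self.none = True
            elif item == "blocked":
                self.blocked = True
            elif item == "server_names":
                self.hosts.update(n.lower() for n in server_names)
            elif item.startswith("~"):
                self.regexes.append(re.compile(item[1:], re.IGNORECASE))
            elif item.startswith("*."):
                self.suffixes.append(item[1:].lower())
            elif item.endswith(".*"):
                self.prefixes.append(item[:-1].lower())
            else:
                self.hosts.add(item.lower())

    def invalid_referer(self, referer: Optional[str]) -> str:
        """Return "" when the Referer is accepted (if-test false) and "1" when it is not."""
        if referer is None:
            return "" if self.none else "1"
        rest = None
        if len(referer) >= len("http://i.ru"):      # nginx's minimum plausible length
            low = referer.lower()
            if low.startswith("http://"):
                rest = referer[len("http://"):]
            elif low.startswith("https://"):
                rest = referer[len("https://"):]
        if rest is None:
            return "" if self.blocked else "1"       # present, but no usable scheme: "blocked"
        host = re.split(r"[/:]", rest, maxsplit=1)[0].lower()
        if host in self.hosts:
            return ""
        if any(host.endswith(s) and len(host) > len(s) for s in self.suffixes):
            return ""
        if any(host.startswith(p) and len(host) > len(p) for p in self.prefixes):
            return ""
        if any(r.search(rest) for r in self.regexes):  # path and query are searched too
            return ""
        return "1"


def check(directive: str, referers, server_names=("www.chenleilei.net",)) -> dict:
    """Map each sample Referer to the $invalid_referer nginx would compute for it."""
    policy = ValidReferers(directive, server_names)
    return {str(ref): policy.invalid_referer(ref) for ref in referers}


if __name__ == "__main__":
    # constructed sample Referer values, including the ones used in the curl tests below
    samples = [None, "https://www.baidu.com", "https://baidu.com", "https://110.com",
               "http://www.aliyun.com", "https://example.org/?from=baidu."]
    for name, directive in (("config with *.baidu.com", SIMPLE_DIRECTIVE),
                            ("reverse-proxy regex list", PROXY_DIRECTIVE)):
        print(name)
        for ref, result in check(directive, samples).items():
            print(f"  {ref:40} -> $invalid_referer={result!r}")
```

Two details worth noticing from the output: the wildcard "*.baidu.com" requires at least one label in front, so "https://baidu.com" is rejected by the first configuration, and an unanchored pattern such as ~baidu\. is searched in the whole remainder of the Referer, so it also accepts a source whose host is unrelated and merely carries that text in its path or query. Anchoring the expression to the host (for example ~^([^/]+\.)?baidu\.com(/|$)) keeps the check on the host only.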
Verifying hotlink protection config 1:
Test with a Baidu Referer:
[root@node3_docker ~]# curl -e "https://www.baidu.com" -I https://www.chenleilei.net/attachment/20191026/4284cd7dac62427ab08534d4e84ddec4.png
HTTP/1.1 200
Server: nginx
Date: Sat, 26 Oct 2019 11:32:04 GMT
Content-Type: image/png
Content-Length: 62165
Connection: keep-alive
Vary: Accept-Encoding
Accept-Ranges: bytes
ETag: W/"62165-1572076731000"
Last-Modified: Sat, 26 Oct 2019 07:58:51 GMT
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
Illegitimate source:
[root@node3_docker ~]# curl -e "https://110.com" -I https://www.chenleilei.net/attachment/20191026/4284cd7dac62427ab08534d4e84ddec4.png
HTTP/1.1 403 Forbidden
Server: nginx
Date: Sat, 26 Oct 2019 11:39:56 GMT
Content-Type: text/html
Content-Length: 146
Connection: keep-alive
Verifying hotlink protection config 2:
Test with a Baidu Referer:
[root@node3_docker ~]# curl -e "https://www.baidu.com" -I https://www.chenleilei.net/attachment/20191026/4284cd7dac62427ab08534d4e84ddec4.png
HTTP/1.1 200
Server: nginx
Date: Sat, 26 Oct 2019 11:18:15 GMT
Content-Type: image/png
Content-Length: 62165
Connection: keep-alive
Vary: Accept-Encoding
Accept-Ranges: bytes
ETag: W/"62165-1572076731000"
Last-Modified: Sat, 26 Oct 2019 07:58:51 GMT
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
Test with the site's own domain as Referer:
[root@node3_docker ~]# curl -e "https://www.chenleilei.net" -I https://www.chenleilei.net/attachment/20190604/833997087b12474b9c539154294c11ee.jpg
HTTP/1.1 200
Server: nginx
Date: Sat, 26 Oct 2019 11:19:01 GMT
Content-Type: image/jpeg
Content-Length: 40609
Connection: keep-alive
Vary: Accept-Encoding
Accept-Ranges: bytes
ETag: W/"40609-1559655899000"
Last-Modified: Tue, 04 Jun 2019 13:44:59 GMT
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
# Test with a source that is neither Baidu nor the site itself:
[root@node3_docker ~]# curl -e "http://www.aliyun.com" -I https://www.chenleilei.net/attachment/20191026/4284cd7dac62427ab08534d4e84ddec4.png
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Sat, 26 Oct 2019 11:20:09 GMT
Content-Type: text/html
Content-Length: 138
Connection: keep-alive
Location: https://www.chenleilei.net/daolian.jpg #<----- redirected to an image here
Strict-Transport-Security: max-age=63072000; includeSubdomains; preload
2. Deny based on the HTTP Referer header, returning an image
Example:
location ~ .*\.(jpg|jpeg|gif|png)$ {
    ## declare the legitimate Referers; $invalid_referer is empty (0) when they match and 1 when they do not
    valid_referers none blocked *.baidu.com;
    if ($invalid_referer) {
        ## illegitimate Referer: serve a substitute image instead
        rewrite ^(.*)$ /img/error.jpg break;
    }
}
3. Defeating hotlink protection by tampering with the request: forging the Referer header
Hotlink protection can be bypassed by forging the header:
curl -e "https://www.baidu.com" -I http://10.0.0.10/test.jpg
The server then believes that https://www.baidu.com requested this image, treats the request as legitimate and returns the real image.
Try requesting with several different Referer domains: only the matching domains receive a 200 status code, everything else receives 403. If that is what you see, the configuration is working.
4. Allowing Baidu and Google: trust requests coming from Baidu and Google
location ~ .*\.(jpg|jpeg|gif|png)$ {
    ## declare the legitimate Referers; $invalid_referer is empty (0) when they match and 1 when they do not
    valid_referers none blocked *.baidu.com server_names ~\.google\. ~\.baidu\.;
    if ($invalid_referer) {
        ## illegitimate Referer: serve a substitute image (a free advertising opportunity not to be missed)
        rewrite ^(.*)$ /img/error.jpg break;
        ## alternatively, return error code 403 directly (use it instead of the rewrite above: after "break" a following return is never reached)
        # return 403;
    }
}
location ~ .*\.(jpg|gif|bmp|png)$ {
    valid_referers none blocked ~\.chenleilei\. ~chenleilei.net\. server_names ~\.google\. ~google\. ~baidu\. ~\.baidu\. ~\.bing.com\. ~bing.com\. ~\.sougou\. ~sougou\.;
    if ($invalid_referer) {
        return 403;
        # rewrite ^/ https://www.chenleilei.net/daolian.jpg;
    }
    proxy_pass http://127.0.0.1:8080;
}
You can choose to return 403 directly, or to return an advertising image.
5. Several domains accessing each other: hotlink protection that still allows cross-origin access between them
A cross-origin request is only honoured by the browser if the response carries the authorizing header, so first configure the response headers in the nginx config of the server being called (the one hosting the resource).
Response header configuration:
location ~ .*\.(html|htm)$ {
    add_header Access-Control-Allow-Origin http://down.chenleilei.net;
    add_header Access-Control-Allow-Methods GET,POST,PUT,DELETE,OPTIONS;
}
Note: these response headers have to be added on the server being called. Taobao uses this approach as well.
Meaning: responses for files ending in .html or .htm get these headers.
To let every origin access the resource:
location ~ .*\.(html|htm)$ {
    add_header Access-Control-Allow-Origin *; ## any origin may call this resource
    add_header Access-Control-Allow-Methods GET,POST,PUT,DELETE,OPTIONS;
}
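Access-Control-Allow-Origin takes a single origin (or "*"), so when several of your own sites must share a resource the server has to choose the header value per request from an allow list; in nginx this is normally done with a map block over $http_origin whose result feeds add_header. The Python below is an added illustration (not part of the original post and not nginx code) of that selection: exact-match allow-listing, the Vary header that a per-request value requires, and why a prefix or substring comparison would be the wrong test. The allow list and the look-alike origin are constructed sample values.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allow list; the first entry is the origin used in the
# add_header line on this page.
ALLOWED_ORIGINS = {"http://down.chenleilei.net", "https://www.chenleilei.net"}


def normalize_origin(origin: str) -> Optional[str]:
    """Return scheme://host[:port] in lower case, or None if the value is not an origin."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    if parts.path or parts.query or parts.fragment:
        return None          # a real Origin header never carries a path or query
    return f"{parts.scheme}://{parts.netloc.lower()}"


def cors_headers(request_origin: Optional[str], allowed=ALLOWED_ORIGINS) -> dict:
    """Headers to add to the response for the given Origin request header.

    An empty dict means: add nothing, and the browser refuses the cross-origin
    read. Matching is exact on the whole origin. A prefix or substring test would
    also accept a look-alike such as http://down.chenleilei.net.example
    (constructed), which is why startswith()/in are deliberately not used.
    """
    if request_origin is None:
        return {}            # same-origin or non-browser request: CORS does not apply
    origin = normalize_origin(request_origin)
    if origin is None or origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": "GET,POST,PUT,DELETE,OPTIONS",
        # the value now depends on the request, so shared caches must key on Origin
        "Vary": "Origin",
    }


if __name__ == "__main__":
    # constructed sample Origin values
    for sample in (None, "http://down.chenleilei.net", "HTTP://Down.Chenleilei.Net",
                   "https://down.chenleilei.net", "http://down.chenleilei.net.example"):
        print(f"{sample!s:40} -> {cors_headers(sample)}")
```

Compared with the "*" configuration on this page, the per-origin form keeps the resource readable only from the listed sites, and because the header value now varies by request, "Vary: Origin" is what stops a CDN or proxy cache from serving one origin's response to a different origin.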

Last modified: 2020-03-06 22:19:28