Module: ngx_http_referer_module
Syntax:
Syntax: valid_referers none | blocked | server_names | string ...;
Default: —
Context: server, location
How it works:
The http_referer field of the log format records the URL of the page that linked to the requested resource, i.e. the address one level up from the request. Reading this field reveals a particular kind of traffic: hotlinking, where another site embeds your images, videos or downloads in its own pages so that your server pays for the bandwidth. Unauthorised hotlinking can degrade normal access to the site. ngx_http_referer_module acts on this field: valid_referers declares which Referer values are acceptable, the module sets $invalid_referer to "1" for every other request, and an if block turns that into a 403. Two caveats for anyone deploying it: the Referer header is supplied by the client, so this is a deterrent against casual embedding rather than an access control (curl -e http://a.com/ ... defeats it, and a browser honouring Referrer-Policy: no-referrer sends no header at all, which is why none usually has to be allowed); for resources that genuinely must be protected, signed URLs (ngx_http_secure_link_module) are the appropriate tool.
Without anti-hotlinking
The a.com site
vim /etc/nginx/conf.d/a.conf
    server {
        access_log /var/log/nginx/a.com.log main;   # separate log file per site
        listen 80;
        server_name a.com;
        location / {
            root /a;
            index index.html;
        }
    }
vim /a/index.html
    <img src='1.jpg' />
The b.com site
vim /etc/nginx/conf.d/b.conf
    server {
        access_log /var/log/nginx/b.com.log main;   # separate log file per site
        listen 80;
        server_name b.com;
        location / {
            root /b;
            index index.html;
        }
    }
vim /b/index.html
    <img src='http://a.com/1.jpg' />
Here b.com embeds the image straight from a.com: this is the hotlink.
Visit both sites: both pages display the image normally.
Log files
b.com
192.168.19.100 - - [06/Jun/2022:22:40:48 +0800] "GET / HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0" "-"
The log looks normal: only b.com's own page was requested from this server.
a.com
192.168.19.100 - - [06/Jun/2022:22:40:47 +0800] "GET /1.jpg HTTP/1.1" 304 0 "http://a.com/" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0" "-"
192.168.19.102 - - [06/Jun/2022:22:40:48 +0800] "GET /1.jpg HTTP/1.1" 304 0 "http://b.com/" "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0" "-"
Look at the referer field: the first request for /1.jpg was referred by http://a.com/ (the site's own page), but the second was referred by http://b.com/, i.e. the image is being hotlinked by b.com.
Enable anti-hotlinking
    location / {
        root /a;
        index index.html;
        # Allowed referers: no Referer at all (none), a Referer that is not an
        # http(s) URL because a proxy mangled it (blocked), this server's own
        # server_name entries, and any subdomain of a.com. "*.a.com" by itself
        # does not match the bare host a.com, so without server_names (or an
        # explicit a.com) the site would refuse its own pages.
        valid_referers none blocked server_names *.a.com;
        if ($invalid_referer) {
            return 403;
        }
    }
Reload nginx so the new configuration takes effect.
Visit b.com again: its page still loads, but the embedded image no longer does, because a.com now answers the request for /1.jpg with 403 when the Referer is http://b.com/. a.com's own page still shows the image.
Whitelist
    location / {
        root /a;
        index index.html index.htm;
        # none          no Referer header (direct visit, bookmark, or a
        #               referrer policy that suppresses it)
        # blocked       Referer present but not an http:// or https:// URL
        #               (stripped or rewritten by a firewall or proxy)
        # server_names  every name listed in this server's server_name
        # *.a.com       any subdomain of a.com
        # 192.168.19.*  lab clients that reach the site by IP address
        # ~...          regular expressions, matched case-insensitively against
        #               the Referer with the scheme removed; the last two allow
        #               images linked from Google and Baidu result pages
        valid_referers none blocked server_names *.a.com 192.168.19.* ~tianyun ~\.google\. ~\.baidu\.;
        if ($invalid_referer) {
            return 403;
        }
    }
Two corrections to the list as originally written: the parameter is server_names (plural); server_name is not a keyword and would be treated as a literal hostname that never matches. The trailing .com entry was dropped: a leading dot is a wildcard that matches the bare name and every host under it, so .com would have allowed nearly every site on the internet to hotlink, defeating the whitelist.
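The following script is an added example, not code from the original page or from nginx. It models how nginx evaluates a valid_referers directive (none, blocked, server_names, the three wildcard forms, an optional URI prefix, and ~ regexes) and runs the model over the two a.com log lines above plus three constructed ones, so the rule from the previous sections can be checked offline before it is deployed. It assumes the "main" log format shown in the logs; the hostnames 192.168.19.103-105, img.a.com and evil.example are invented. The model follows the module's documented behaviour but is a simplification (nginx resolves each host through a hash rather than scanning patterns in order).

```python
import re
from dataclasses import dataclass, field

# nginx "main" log_format: $remote_addr - $remote_user [$time_local] "$request"
# $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"
LOG_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)


def parse_log_line(line: str) -> dict:
    """Split one access-log line into its fields; raises on a malformed line."""
    m = LOG_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.groupdict()


def host_matches(pattern: str, host: str) -> bool:
    """Hostname patterns accepted by valid_referers (same forms as server_name):
    "*.a.com" matches subdomains only, ".a.com" matches a.com and its subdomains,
    "a.*" matches any suffix; anything else is an exact (lower-cased) match."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    if pattern.endswith(".*"):
        return host.startswith(pattern[:-1])
    return host == pattern


@dataclass
class ValidReferers:
    """Model of one valid_referers directive plus the server_names it may import."""
    none: bool = False
    blocked: bool = False
    names: list = field(default_factory=list)     # (host pattern, required URI prefix)
    regexes: list = field(default_factory=list)

    @classmethod
    def parse(cls, directive: str, server_names=()) -> "ValidReferers":
        vr = cls()
        for tok in directive.split():
            if tok == "none":
                vr.none = True
            elif tok == "blocked":
                vr.blocked = True
            elif tok == "server_names":
                vr.names.extend((n.lower(), "") for n in server_names)
            elif tok.startswith("~"):             # nginx compiles these case-insensitively
                vr.regexes.append(re.compile(tok[1:], re.IGNORECASE))
            else:
                host, sep, path = tok.partition("/")
                vr.names.append((host.lower(), sep + path))
        return vr

    def is_valid(self, referer: str) -> bool:
        """True when nginx would leave $invalid_referer empty for this Referer.
        "-" is how the access log renders a missing header."""
        if referer in ("", "-"):
            return self.none
        low = referer.lower()
        if low.startswith("http://"):
            rest = referer[len("http://"):]
        elif low.startswith("https://"):
            rest = referer[len("https://"):]
        else:                                      # present, but not an http(s) URL
            return self.blocked
        # the host ends at the first "/" or ":" (port); the URI prefix check starts at "/"
        host = re.match(r"[^/:]*", rest).group(0).lower()
        slash = rest.find("/")
        path = rest[slash:] if slash >= 0 else ""
        for pat_host, pat_uri in self.names:
            if host_matches(pat_host, host) and path.startswith(pat_uri):
                return True
        # regexes run against the text after the scheme, unanchored
        return any(rx.search(rest) for rx in self.regexes)


def audit(log_lines, rule: ValidReferers):
    """Return (addr, request, referer) for every logged request the rule would 403."""
    hits = []
    for line in log_lines:
        f = parse_log_line(line)
        if not rule.is_valid(f["referer"]):
            hits.append((f["addr"], f["request"], f["referer"]))
    return hits


# Constructed sample: the two a.com entries from the page plus three made-up lines
# (a direct download with no Referer, a subdomain of a.com, a third-party site).
A_COM_LOG = [
    '192.168.19.100 - - [06/Jun/2022:22:40:47 +0800] "GET /1.jpg HTTP/1.1" 304 0 "http://a.com/" "Mozilla/5.0" "-"',
    '192.168.19.102 - - [06/Jun/2022:22:40:48 +0800] "GET /1.jpg HTTP/1.1" 304 0 "http://b.com/" "Mozilla/5.0" "-"',
    '192.168.19.103 - - [06/Jun/2022:22:41:00 +0800] "GET /1.jpg HTTP/1.1" 200 5120 "-" "Wget/1.21" "-"',
    '192.168.19.104 - - [06/Jun/2022:22:41:05 +0800] "GET /1.jpg HTTP/1.1" 200 5120 "https://img.a.com/gallery/" "Mozilla/5.0" "-"',
    '192.168.19.105 - - [06/Jun/2022:22:41:09 +0800] "GET /1.jpg HTTP/1.1" 200 5120 "http://evil.example/steal.html" "Mozilla/5.0" "-"',
]

# Rule as originally written on the page: "*.a.com" alone does not cover the bare host a.com.
PAGE_RULE = ValidReferers.parse("none blocked *.a.com")
# Corrected rule: server_names imports a.com so the site's own pages are allowed.
FIXED_RULE = ValidReferers.parse("none blocked server_names *.a.com", server_names=["a.com"])

if __name__ == "__main__":
    for label, rule in (("page rule", PAGE_RULE), ("fixed rule", FIXED_RULE)):
        print(label)
        for addr, req, ref in audit(A_COM_LOG, rule):
            print(f"  403 {addr} {req} referer={ref}")
```

Running it shows the page's original rule refusing a.com's own request (192.168.19.100) alongside the b.com hotlink, while the corrected rule refuses only b.com and the third-party site; the Wget line with no Referer passes both rules because of none, which is the trade-off noted above. To confirm against the live server, request the image with curl and a forged Referer header (curl -s -o /dev/null -w '%{http_code}\n' -e http://b.com/ http://a.com/1.jpg should print 403, and the same command with -e http://a.com/ should print 200); the forged header succeeding is exactly why this is a deterrent rather than an access control.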