
Hotlink Protection

Depending on how sensitive the assets are, nginx offers a few options for protecting them.

valid_referers

The simplest way to protect assets from hotlinking is to use valid_referers. It is easy to use; the following would be included in a relevant location block:

valid_referers none blocked example.com *.example.com;
if ($invalid_referer) {
	return 403;
}

secure_link

The secure_link module provides a flexible, more robust means of protecting assets from being hotlinked or downloaded from outside the web itself.

It is more involved to set up and use but, for example, permits time-limited and IP-restricted links to assets (or links restricted on any other parameter desired).

Example nginx config:

secure_link $arg_md5,$arg_expires;
secure_link_md5 "$secure_link_expires$uri$remote_addr secret";

if ($secure_link = "") {
	# No get args, or invalid hash
	return 403;
}

if ($secure_link = "0") {
	# valid hash, but the link is now expired
	return 410;
}

if ($secure_link = "1") {
	# valid hash, and link is still fresh
	...
}

This requires implementing server-side logic to generate links of the form:

http://example.com/protected/url.ext?md5=hash&expires=timestamp

where:

hash = md5({timestamp}/protected/url.ext{clientip} secret)

"secret" should be application-specific and must be the same in the nginx config and in the function used to generate these secure URLs.
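
One way to write the link generator for the config above, as an added example that is not part of the original document or the project's code. The function names, the 300-second lifetime and the sample addresses are assumptions; note that nginx expects the md5 argument as the unpadded base64url encoding of the binary MD5 digest, not the hex string. `check_link` is only a local model of the three `$secure_link` values, used to confirm that generated links behave as intended.

```python
import base64
import hashlib
import hmac
import time

SECRET = "secret"  # the page's placeholder; must equal the secret in secure_link_md5


def link_hash(expires, uri, client_ip, secret=SECRET):
    # Same string nginx builds from "$secure_link_expires$uri$remote_addr secret".
    material = f"{expires}{uri}{client_ip} {secret}".encode()
    digest = hashlib.md5(material).digest()  # raw 16 bytes, not the hex string
    # nginx expects base64url without "=" padding in the md5 argument.
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def make_link(uri, client_ip, ttl=300, now=None, base="http://example.com"):
    # uri is the path as nginx sees it in $uri (no query string).
    expires = int(time.time() if now is None else now) + ttl
    return f"{base}{uri}?md5={link_hash(expires, uri, client_ip)}&expires={expires}"


def check_link(uri, md5_arg, expires_arg, client_ip, now=None):
    """Model of $secure_link: "" = missing/invalid hash, "0" = expired, "1" = valid."""
    try:
        expires = int(expires_arg)
    except (TypeError, ValueError):
        return ""
    expected = link_hash(expires, uri, client_ip)
    if not md5_arg or not hmac.compare_digest(md5_arg.encode(), expected.encode()):
        return ""
    now = int(time.time() if now is None else now)
    return "0" if expires < now else "1"


if __name__ == "__main__":
    # Constructed sample values: documentation IP ranges and a fixed clock.
    t0, ip, path = 1700000000, "203.0.113.7", "/protected/url.ext"
    link = make_link(path, ip, ttl=300, now=t0)
    args = dict(p.split("=", 1) for p in link.split("?", 1)[1].split("&"))
    print(link)
    print(repr(check_link(path, args["md5"], args["expires"], ip, now=t0 + 10)))
    print(repr(check_link(path, args["md5"], args["expires"], "198.51.100.9", now=t0 + 10)))
    print(repr(check_link(path, args["md5"], args["expires"], ip, now=t0 + 301)))
```

Because the expiry time and client address are part of the hashed string, changing either one in the URL or requesting from another address yields an invalid hash (403) rather than an extended or transferable link.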