51工具盒子所谓的图片防盗链就是防止他人将我们自己网站上的图片拿去直接引用,这样就会消耗我们自己网站的资源和流量。
防盗链的原理是通过HTTP请求中的Referer头部,对访问的来源进行识别判断,当访问者通过浏览器向我们网站发起请求时,请求头部里可能就会包含一个referer。
我这里举个例子,使大家更容易理解什么是referer,从百度搜索吴昊博客进行访问时,通过谷歌浏览器F12,即可看到Headers请求头中有个referer,referer来路地址就是百度。
反之同理,当我从吴昊博客网站上的链接,点击到其他网站时,其他网站的请求头中就会包含一个referer: https://blog.whsir.com/
如果我只允许我自己的网站可以访问图片,那么就可以通过referer: https://blog.whsir.com/来判断,如果不是https://blog.whsir.com/域名则进行拦截,这样就实现了防盗链功能。
正所谓魔高一尺道高一丈,即使通过referer也不能彻底的杜绝此问题,因为伪装referer请求头也是很容易的事,并且有些合法的请求头是不会带referer的,所以也不能拒绝请求头referer为空,比如我通过浏览器直接访问https://blog.whsir.com/,此时在请求头中就看不到referer内容。
好了开始进入正题,Nginx是通过ngx_http_referer_module模块来阻挡非法来源的请求,要确保你的nginx是否已经编译了此模块,nginx添加未编译的模块可参考:https://blog.whsir.com/post-2212.html,另外可以使用wlnmp一键包(https://blog.whsir.com/post-3647.html)已经集成了此模块。
nginx图片防盗链配置方法如下:
server { listen 80; server_name _; index index.html index.htm index.php; root /data/www; location ~* \.(gif|jpg|jepg|png|bmp)$ { expires 30d; valid_referers none blocked server_names *.whsir.com whsir.com ~\.google\. ~\.baidu\.; if ($invalid_referer) { return 403; } } }
|-------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 2 3 4 5 6 7 8 9 10 11 12 13 | server { listen 80; server_name _; index index.html index.htm index.php; root /data/www; location ~* \.(gif|jpg|jepg|png|bmp)$ { expires 30d; valid_referers none blocked server_names *.whsir.com whsir.com ~\.google\. ~\.baidu\.; if ($invalid_referer) { return 403; } } } |
指令参数说明:
valid_referers none | blocked | server_names | string ...
none:请求头缺少Referer字段,即空Referer
blocked:请求头Referer字段不为空(即存在Referer),但是值被代理或者防火墙删除了,这些值不以"http://"或"https://"开头,通俗点说就是允许"http://"或"https//"以外的请求。(是不是还是不明白,文中下方会更详细的解释)
server_names:Referer请求头白名单。
arbitrary string:任意字符串,定义服务器名称或可选的URI前缀,主机名可以使用*号开头或结尾,Referer字段中的服务器端口将被忽略掉。
regular expression:正则表达式,以"~"开头,在"http://"或"https://"之后的文本匹配。
针对blocked参数的补充说明:
我觉得大部分人看到blocked的说明还是不明白,我这里以一个实验解释。
我这里在本地192.168.1.140上配置了一个防盗链,只设置了一个google白名单,我们在当前服务器用curl进行测试。
nginx配置如下
server { listen 80; server_name 192.168.1.140; index index.html index.htm index.php; root /data/www; location ~* \.(gif|jpg|jepg|png|bmp)$ { valid_referers none blocked server_names ~\.google\..; if ($invalid_referer) { return 403; } } }
|----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 2 3 4 5 6 7 8 9 10 11 12 | server { listen 80; server_name 192.168.1.140; index index.html index.htm index.php; root /data/www; location ~* \.(gif|jpg|jepg|png|bmp)$ { valid_referers none blocked server_names ~\.google\..; if ($invalid_referer) { return 403; } } } |
第一次实验,referer为https://www.whsir.com时,返回403,防盗链生效
curl -e 'https://www.whsir.com' http://192.168.1.140/1.png -I HTTP/1.1 403 Forbidden Server: nginx Date: Wed, 17 Jul 2019 01:26:27 GMT Content-Type: text/html Content-Length: 146 Connection: keep-alive
|-----------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 2 3 4 5 6 7 8 | curl -e 'https://www.whsir.com' http://192.168.1.140/1.png -I HTTP/1.1 403 Forbidden Server: nginx Date: Wed, 17 Jul 2019 01:26:27 GMT Content-Type: text/html Content-Length: 146 Connection: keep-alive |
第二次实验,referer为http://www.whsir.com时,返回403,防盗链生效
curl -e 'http://www.whsir.com' http://192.168.1.140/1.png -I HTTP/1.1 403 Forbidden Server: nginx Date: Wed, 17 Jul 2019 01:27:47 GMT Content-Type: text/html Content-Length: 146 Connection: keep-alive
|-----------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 2 3 4 5 6 7 8 | curl -e 'http://www.whsir.com' http://192.168.1.140/1.png -I HTTP/1.1 403 Forbidden Server: nginx Date: Wed, 17 Jul 2019 01:27:47 GMT Content-Type: text/html Content-Length: 146 Connection: keep-alive |
第三次实验,referer为www.whsir.com时,返回200,防盗链失效
curl -e 'www.whsir.com' http://192.168.1.140/1.png -I HTTP/1.1 200 OK Server: nginx Date: Wed, 17 Jul 2019 01:28:08 GMT Content-Type: image/png Content-Length: 38497 Last-Modified: Wed, 12 Jun 2019 03:12:15 GMT Connection: keep-alive ETag: "5d006d8f-9661" Accept-Ranges: bytes
|-------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 2 3 4 5 6 7 8 9 10 11 | curl -e 'www.whsir.com' http://192.168.1.140/1.png -I HTTP/1.1 200 OK Server: nginx Date: Wed, 17 Jul 2019 01:28:08 GMT Content-Type: image/png Content-Length: 38497 Last-Modified: Wed, 12 Jun 2019 03:12:15 GMT Connection: keep-alive ETag: "5d006d8f-9661" Accept-Ranges: bytes |
第四次实验,referer为wss://www.whsir.com时,返回200,防盗链失效
curl -e 'wss://www.whsir.com' http://192.168.1.140/1.png -I HTTP/1.1 200 OK Server: nginx Date: Wed, 17 Jul 2019 01:28:32 GMT Content-Type: image/png Content-Length: 38497 Last-Modified: Wed, 12 Jun 2019 03:12:15 GMT Connection: keep-alive ETag: "5d006d8f-9661" Accept-Ranges: bytes
|-------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 2 3 4 5 6 7 8 9 10 11 | curl -e 'wss://www.whsir.com' http://192.168.1.140/1.png -I HTTP/1.1 200 OK Server: nginx Date: Wed, 17 Jul 2019 01:28:32 GMT Content-Type: image/png Content-Length: 38497 Last-Modified: Wed, 12 Jun 2019 03:12:15 GMT Connection: keep-alive ETag: "5d006d8f-9661" Accept-Ranges: bytes |
通过上面四个实验可以发现,不以"http://"或"https://"开头的请求都被允许了,然后我们在nginx配置中取消blocked参数,再进行实验。
curl -e 'https://www.whsir.com' http://192.168.1.140/1.png -I HTTP/1.1 403 Forbidden Server: nginx Date: Wed, 17 Jul 2019 01:38:15 GMT Content-Type: text/html Content-Length: 146 Connection: keep-alive curl -e 'http://www.whsir.com' http://192.168.1.140/1.png -I HTTP/1.1 403 Forbidden Server: nginx Date: Wed, 17 Jul 2019 01:41:51 GMT Content-Type: text/html Content-Length: 146 Connection: keep-alive curl -e 'www.whsir.com' http://192.168.1.140/1.png -I HTTP/1.1 403 Forbidden Server: nginx Date: Wed, 17 Jul 2019 01:42:07 GMT Content-Type: text/html Content-Length: 146 Connection: keep-alive curl -e 'wss://www.whsir.com' http://192.168.1.140/1.png -I HTTP/1.1 403 Forbidden Server: nginx Date: Wed, 17 Jul 2019 01:42:20 GMT Content-Type: text/html Content-Length: 146 Connection: keep-alive
|-------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 | curl -e 'https://www.whsir.com' http://192.168.1.140/1.png -I HTTP/1.1 403 Forbidden Server: nginx Date: Wed, 17 Jul 2019 01:38:15 GMT Content-Type: text/html Content-Length: 146 Connection: keep-alive curl -e 'http://www.whsir.com' http://192.168.1.140/1.png -I HTTP/1.1 403 Forbidden Server: nginx Date: Wed, 17 Jul 2019 01:41:51 GMT Content-Type: text/html Content-Length: 146 Connection: keep-alive curl -e 'www.whsir.com' http://192.168.1.140/1.png -I HTTP/1.1 403 Forbidden Server: nginx Date: Wed, 17 Jul 2019 01:42:07 GMT Content-Type: text/html Content-Length: 146 Connection: keep-alive curl -e 'wss://www.whsir.com' http://192.168.1.140/1.png -I HTTP/1.1 403 Forbidden Server: nginx Date: Wed, 17 Jul 2019 01:42:20 GMT Content-Type: text/html Content-Length: 146 Connection: keep-alive |
执行后发现,返回均为403,防盗链生效,如果你看完这个实验,相信你已经可以理解blocked参数的作用了。
