How can I prevent hotlinking? (nginx)

Question

I use nginx and I have no access to server conf.

May be with .htaccess analogue?..

score 7 · Answer 1 · 2010-02-14T15:38:07.283

7

location ~* (\.jpg|\.png|\.gif|\.jpeg)$ {
 valid_referers blocked www.domain.com domain.com;
 if ($invalid_referer) {
    return 403;
 }
  root   /srv/www/domain.com/public_html;
}

edited Feb 14 '10 at 15:38

answered Feb 14 '10 at 13:56

is that for the nginx config file? – blndcat Feb 26 '10 at 02:22
Yep, ask your server administrator. – Feb 27 '10 at 14:18
it should be 'not blocked' in the second line. – alfish Nov 18 '11 at 18:03
@alfish Are you sure? Wouldn't setting `not blocked` disable the script, allowing all referrers through? – unixman83 Mar 26 '12 at 00:00

score 3 · Accepted Answer · answered Dec 06 '09 at 20:07

3

Without access to the server configuration, you cannot change any settings. There is no equivalent to Apache httpd's .htaccess in nginx.

answered Dec 06 '09 at 20:07

joschi

20,747
3
46
50

-1 Downvoting. This answer does not match the question title. – unixman83 Mar 29 '12 at 05:48
@unixman83 how is this not relative to the question? besides, you're bringing a question that's 4 years old - things usually change for that amount of time. – tftd Dec 12 '13 at 00:01

score 2 · Answer 3 · answered Nov 18 '11 at 18:04

2

Just in case you HAVE access to the webserver:

location ~* (\.jpg|\.png|\.gif|\.jpeg|\.png)$ {
 valid_referers none blocked www.example.com example.com;
 if ($invalid_referer) {
    return 403;
 }
}

answered Nov 18 '11 at 18:04

alfish

3,027
15
45
68

How is this really different from [Gionn's answer](http://serverfault.com/questions/91502/how-can-i-prevent-hotlinking-nginx/112710#112710) from 1.5 years ago? – Chris S Nov 18 '11 at 18:13
How is `none` different from `blocked`? What is it's purpose of being added? i.e. How is a `no referrer` different from a `blocked` referrer? – unixman83 Mar 29 '12 at 05:49
1

In the `valid_referers` directive, `blocked` allows referrers that have been blocked by a firewall, `none` allows requests with no referrer. From docs "`none` means the absence of "Referer" header. `blocked` means masked Referer header by firewall, for example, "Referer: XXXXXXX". – Dylan Valade Apr 24 '12 at 19:41
some browsers do not send a referrer header, so `none` is required to allow those. apparently Firefox releases have been in this group – Dylan Valade Apr 24 '12 at 19:49

score 0 · Answer 4 · answered Dec 06 '09 at 23:46

0

joschi is right: nginx is driven by a single configuration file you can't edit. Your only possibility is to use a redirector script which says '403 Access Denied' for hotlinks and '301 Moved Permanently' for normal links.

answered Dec 06 '09 at 23:46

kolypto

10,738
12
51
66

score 0 · Answer 5 · answered Dec 07 '09 at 00:43

One solution is to generate all your pages & content dynamically, and with different URLs every time, which expire after a while. That makes hotlinking impossible.

If that is not practical, you can also check referrer. If you cannot reconfigure nginx, you'll probably have to do it in a scripting language which generates the pages dynamically.

How can I prevent hotlinking? (nginx)

5 Answers5

Linked