nginx 防盗链配置

防盗链配置

配置要点：

[root@nginx-server ~]# vim /etc/nginx/nginx.conf
# 日志格式添加"$http_referer"
log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                         '$status $body_bytes_sent "$http_referer" '
                         '"$http_user_agent" "$http_x_forwarded_for"';
# valid_referers 使用方式                         
Syntax: 	valid_referers none | blocked | server_names | string ...;
Default: 	—
Context: server, location

• none : 允许没有http_refer的请求访问资源；

• blocked : 允许不是http://开头的，不带协议的请求访问资源—被防火墙过滤掉的；

• server_names : 只允许指定ip/域名来的请求访问资源（白名单）；

  准备两台机器,一张图片

  图片网站服务器：上传图片192.168.1.9
  [root@nginx-server ~]# cp test.jpg /usr/share/nginx/html/
  [root@nginx-server ~]# cd /etc/nginx/conf.d/
  [root@nginx-server conf.d]# cp default.conf default.conf.bak
  [root@nginx-server conf.d]# mv default.conf nginx.conf
  [root@nginx-server conf.d]# vim nginx.conf
  server {
      listen       80;
      server_name  localhost;
      location / {
          root   /usr/share/nginx/html;
          index  index.html index.htm;
      }
  }
  [root@nginx-server conf.d]# nginx -t
  [root@nginx-server conf.d]# systemctl restart nginx
  

  访问：

Referer：这个匹配的连接为空 “-”

盗链机器配置:192.168.1.10
[root@nginx-client ~]# cd /usr/share/nginx/html/
[root@nginx-client html]# cp index.html index.html.bak
[root@nginx-client html]# vim index.html
<html>
<head>
    <meta charset="utf-8">
    <title>qf.com</title>
</head>
<body style="background-color:red;">
    <img src="http://192.168.1.9/test.jpg"/>
</body>
</html>
[root@nginx-client html]# systemctl restart nginx

查看图片服务器的日志：

Referer记录了：连接是1.10这台机器。

在图片服务器操作
[root@nginx-server conf.d]# vim nginx.conf
server {
    listen       80;
    server_name  localhost;
    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;

        valid_referers none blocked www.jd.com;  #允许这些访问
                if ($invalid_referer) {
                   return 403;
                }
        }
}
[root@nginx-server conf.d]# systemctl restart nginx

测试访问:

图片服务器查看日志:

上面配置并没有允许192.168.1.10这台机器访问。

实例二，继续在图片服务器上面操作
[root@nginx-server html]# vim /etc/nginx/conf.d/nginx.conf #将原来的删除掉
server {
    listen       80;
    server_name  localhost;
    location ~  .*\.(gif|jpg|png|jpeg)$ {
        root  /usr/share/nginx/html;

        valid_referers none blocked *.wc.com 192.168.1.10;
                if ($invalid_referer) {
                        return 403;
                }
        }

}
重载nginx服务
[root@nginx-server ~]# nginx -s reload

在其中一台机器测试:
测试不带http_refer：
[root@nginx-server conf.d]# curl -I "http://192.168.1.9/test.jpg"
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Mon, 02 Sep 2019 14:02:56 GMT
Content-Type: image/jpeg
Content-Length: 27961
Last-Modified: Mon, 02 Sep 2019 13:23:12 GMT
Connection: keep-alive
ETag: "5d6d17c0-6d39"
Accept-Ranges: bytes

测试带非法http_refer:
[root@nginx-server conf.d]# curl -e http://www.baidu.com -I "http://192.168.1.9/test.jpg"
HTTP/1.1 403 Forbidden
Server: nginx/1.16.1
Date: Mon, 02 Sep 2019 14:03:48 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

测试带合法的http_refer:
[root@nginx-server conf.d]# curl -e http://www.wc.com -I "http://192.168.1.9/test.jpg"
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Mon, 02 Sep 2019 14:04:52 GMT
Content-Type: image/jpeg
Content-Length: 27961
Last-Modified: Mon, 02 Sep 2019 13:23:12 GMT
Connection: keep-alive
ETag: "5d6d17c0-6d39"
Accept-Ranges: bytes

[root@ansible-server conf.d]# curl -e http://192.168.1.10 -I "http://192.168.1.9/test.jpg"
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Mon, 02 Sep 2019 14:05:36 GMT
Content-Type: image/jpeg
Content-Length: 27961
Last-Modified: Mon, 02 Sep 2019 13:23:12 GMT
Connection: keep-alive
ETag: "5d6d17c0-6d39"
Accept-Ranges: bytes

如果用户直接在浏览器输入你的图片地址，那么图片显示正常，因为它符合none这个规则。

在图片服务器查看日志：