Stop other sites from hotlinking your internal resources!
Worked example:
You run forum A (members can upload images and other resources to the server for free) and suddenly notice that this month's traffic is far higher than in the preceding months. Investigation shows that the traffic all comes from images, and those images are being loaded by another site, B. It is the same principle as the Qiniu Cloud storage I use: my images are all kept in Qiniu Cloud storage rather than on my own site, so loading them costs none of my site's bandwidth. That is clearly not acceptable; we have to impose some restrictions!
The restriction we want is this: you may still upload images for free, but they may only be referenced from within our own domain. Referencing them from any other site fails with a Forbidden error!
The core of this is the Referer header. What is a Referer? Suppose I have exchanged links with some similar sites and a visitor reaches my site from site B. The Referer is then site B, the referring site (where the visitor came from). The full virtual host configuration:
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/haha.com"
ServerName www.haha.com
<Directory /data/wwwroot/haha.com>
SetEnvIfNoCase Referer "http://haha.com" local_ref
SetEnvIfNoCase Referer "http://test.com" local_ref
SetEnvIfNoCase Referer "^$" local_ref
<FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif)">
Order Allow,Deny
Allow from env=local_ref
</FilesMatch>
</Directory>
ErrorLog "logs/haha.com-error_log"
SetEnvIf Request_URI ".*\.gif$" img
SetEnvIf Request_URI ".*\.jpg$" img
SetEnvIf Request_URI ".*\.png$" img
SetEnvIf Request_URI ".*\.bmp$" img
SetEnvIf Request_URI ".*\.swf$" img
SetEnvIf Request_URI ".*\.js$" img
SetEnvIf Request_URI ".*\.css$" img
CustomLog "|/usr/local/apache2.4/bin/rotatelogs -l logs/haha.com-access_%Y%m%d.log 86400" combined env=!img
</VirtualHost>
<Directory /data/wwwroot/haha.com>
SetEnvIfNoCase Referer "http://haha.com" local_ref    # defines the Referer whitelist
SetEnvIfNoCase Referer "http://test.com" local_ref
SetEnvIfNoCase Referer "^$" local_ref    # empty Referer: lets us paste the URL of an image or other resource straight into the browser and view it
<FilesMatch "\.(txt|doc|mp3|zip|rar|jpg|gif)">    # the resource types the anti-hotlinking rule applies to
Order Allow,Deny    # Order sets the evaluation order: Allow rules first, then Deny; anything not allowed is denied
Allow from env=local_ref
</FilesMatch>
</Directory>
As above, the two sites haha.com and test.com may reference our resources freely; every other site is refused!
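To make the matching behaviour of those three SetEnvIfNoCase lines concrete, here is an added Python example (not part of the original post and not Apache code) that applies the page's Referer patterns the way Apache does, as case-insensitive, unanchored regex searches, and puts an anchored alternative beside them. The anchored pattern and the sample Referer values, including the lookalike host under the reserved .example TLD, are constructed for this example. It shows two things worth checking before deploying the page's config: the unanchored `http://haha.com` also matches any Referer that merely contains that string, and it does not match the site's own `http://www.haha.com`. The environment variable itself can equally be consumed by Apache 2.4's native `Require env local_ref` instead of the mod_access_compat `Order`/`Allow` pair.

```python
import re

# Referer patterns copied from the page's <Directory> block.
# SetEnvIfNoCase applies each regex case-insensitively and unanchored,
# i.e. as a substring search over the Referer header value.
PAGE_PATTERNS = [r"http://haha.com", r"http://test.com", r"^$"]

# Anchored alternative (assumption: the site also wants to accept its own
# www host and https). Escaped dots, anchored start, and a "/" or end-of-string
# after the host so that look-alike hosts cannot sneak past.
ANCHORED_PATTERNS = [r"^https?://(www\.)?(haha|test)\.com(/|$)", r"^$"]


def referer_allowed(referer: str, patterns) -> bool:
    """True if any pattern matches the Referer the way SetEnvIfNoCase would."""
    return any(re.search(p, referer, re.IGNORECASE) for p in patterns)


def classify(referer: str, patterns) -> str:
    """Mimic the outcome of 'Order Allow,Deny' + 'Allow from env=local_ref'."""
    return "200 OK" if referer_allowed(referer, patterns) else "403 Forbidden"


def compare(referers):
    """Decision under the page's patterns vs. the anchored ones, per Referer."""
    return {r: (classify(r, PAGE_PATTERNS), classify(r, ANCHORED_PATTERNS))
            for r in referers}


if __name__ == "__main__":
    # Constructed sample Referer values; the .example host is a look-alike, not a real site.
    samples = [
        "http://test.com/123.php",             # whitelisted on the page: allowed by both
        "http://qq.com/",                      # the page's foreign-site test: denied by both
        "",                                    # empty Referer (direct browser access): allowed by both
        "http://www.haha.com/index.php",       # the site's own www host: page pattern denies it
        "http://haha.com.attacker.example/",   # look-alike host: page pattern wrongly allows it
    ]
    for ref, (page, anchored) in compare(samples).items():
        print(f"{ref!r:40} page={page:14} anchored={anchored}")
```

Run it with no arguments to see the side-by-side table; the two rows where the verdicts differ are exactly the cases the anchored pattern fixes.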
[[email protected]02 haha.com]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[[email protected]02 haha.com]# /usr/local/apache2.4/bin/apachectl graceful
[[email protected]02 ~]# curl -e "http://test.com/123.php" -x127.0.0.1:80 www.haha.com/13_avatar_small.jpg -I
HTTP/1.1 200 OK
Date: Wed, 02 Aug 2017 08:46:37 GMT
Server: Apache/2.4.27 (Unix) PHP/5.6.30
Last-Modified: Wed, 07 Jun 2017 09:38:32 GMT
ETag: "97d4-5515b7fd39600"
Accept-Ranges: bytes
Content-Length: 38868
Content-Type: image/jpeg
[[email protected]02 ~]# curl -e "http://qq.com/" -x127.0.0.1:80 www.haha.com/13_avatar_small.jpg -I
HTTP/1.1 403 Forbidden
Date: Wed, 02 Aug 2017 08:46:52 GMT
Server: Apache/2.4.27 (Unix) PHP/5.6.30
Content-Type: text/html; charset=iso-8859-1
-e: sets the Referer sent by curl
When we reference the image from a URL on the whitelist, it loads fine!
In the second request, however, loading the image from an unknown site returns 403 Forbidden.
The exact Referer can also be seen clearly in the log file:
[[email protected] ~]# tail /usr/local/apache2.4/logs/haha.com-access_20170801.log
127.0.0.1 - - [01/Aug/2017:17:51:29 +0800] "HEAD HTTP://www.haha.com/smalljpg22 HTTP/1.1" 404 - "-" "curl/7.29.0"
127.0.0.1 - - [01/Aug/2017:17:51:41 +0800] "HEAD HTTP://www.haha.com/index.php HTTP/1.1" 200 - "-" "curl/7.29.0"
127.0.0.1 - - [01/Aug/2017:18:25:10 +0800] "HEAD HTTP://www.haha.com/index.php HTTP/1.1" 200 - "-" "curl/7.29.0"
[[email protected] ~]# tail /usr/local/apache2.4/logs/haha.com-access_20170802.log
127.0.0.1 - - [02/Aug/2017:16:51:16 +0800] "HEAD HTTP://www.haha.com/13_avatar_small.jpgXX HTTP/1.1" 403 - "http://qq.com/" "curl/7.29.0"
127.0.0.1 - - [02/Aug/2017:16:52:37 +0800] "HEAD HTTP://www.haha.com/13_avatar_small.jpgXX HTTP/1.1" 403 - "http://qq.com/" "curl/7.29.0"
Because I configured images not to be written to the log, I changed the name to .jpgXX.
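As an added example (not from the original post), the following Python parses combined-format access log lines like those above and counts 403 responses per referring host, which is the quickest way to see which sites are hotlinking. The log lines inside it are constructed to mirror the page's output, not copied from a real server. Two details of the page's own config matter when reading such logs: the CustomLog is filtered with env=!img, so requests whose URI ends in .jpg, .gif or another listed extension never reach the log and image hotlinks stay invisible unless that filter is relaxed; and the FilesMatch pattern has no end anchor, which is why a name ending in .jpgXX is still denied with 403 while escaping the img filter.

```python
import re
from collections import Counter

# Apache "combined" log format, as written by the CustomLog line on the page:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines modelled on the page's output; not a real log.
SAMPLE_LOG = """\
127.0.0.1 - - [02/Aug/2017:16:51:16 +0800] "HEAD HTTP://www.haha.com/13_avatar_small.jpgXX HTTP/1.1" 403 - "http://qq.com/" "curl/7.29.0"
127.0.0.1 - - [02/Aug/2017:16:52:37 +0800] "HEAD HTTP://www.haha.com/13_avatar_small.jpgXX HTTP/1.1" 403 - "http://qq.com/" "curl/7.29.0"
127.0.0.1 - - [02/Aug/2017:16:53:01 +0800] "GET /13_avatar_small.jpgXX HTTP/1.1" 200 38868 "http://test.com/123.php" "curl/7.29.0"
127.0.0.1 - - [02/Aug/2017:16:54:10 +0800] "HEAD HTTP://www.haha.com/index.php HTTP/1.1" 200 - "-" "curl/7.29.0"
"""


def parse_line(line: str):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def referer_host(referer: str) -> str:
    """Reduce a Referer URL to its host; Apache logs an absent Referer as '-'."""
    if referer == "-":
        return "(none)"
    return re.sub(r"^https?://([^/]+).*$", r"\1", referer, flags=re.IGNORECASE)


def hotlink_denials(log_text: str) -> Counter:
    """Count 403 responses per referring host: the sites whose hotlinks were refused."""
    denied = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != "403":
            continue  # unparseable line, or a request that was served
        denied[referer_host(rec["referer"])] += 1
    return denied


if __name__ == "__main__":
    for host, count in hotlink_denials(SAMPLE_LOG).most_common():
        print(f"{count:5d}  {host}")
```

Feed it the real rotated file instead of SAMPLE_LOG (for example `hotlink_denials(open(path).read())`) to rank the referring hosts behind your 403s; a host that appears often is a candidate for the whitelist if it is legitimate, or confirmation that the block is doing its job if it is not.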