Forum: NGINX Prevent hotlinking

Max (Guest)
on 2009-04-12 19:56
(Received via mailing list)
Hello all,

I tried to use the following code to prevent hotlinking. But it blocks
myself as well, anyone got any idea?

location ~* (\.jpg|\.png|\.css)$ {
    valid_referers blocked domain.com *.domain.com;
    if ($invalid_referer) {
        return 404;
    }
}

Thanks.

Max
Michael S. (Guest)
on 2009-04-12 20:51
(Received via mailing list)
Try

"valid_referers none blocked *.etc.com etc"

Perhaps you're not sending a referrer header. Some "internet security
suites" do that for "privacy" and I hate them. Or malfunctioning
browsers, or some browsers include that option now.

That's the only thing I see wrong there.
Max (Guest)
on 2009-04-12 21:49
(Received via mailing list)
Hello,

Thanks. I tried that. But it's still not working. I am using WordPress.
Don't know what referrer header WordPress sends.

Max
Michael S. (Guest)
on 2009-04-12 22:41
(Received via mailing list)
It's not WordPress sending the header, it's your browser sending the
header (unless this is WordPress fetching images using some plugin, and
then you'll have to modify the script to send a referer header (I
believe it is spelled wrong, technically)).
Gabriel R. (Guest)
on 2009-04-12 22:42
(Received via mailing list)
Your browser will almost always send referrers. As mentioned,
sometimes a security suite will block referrers. Sometimes Flash won't
send referrers when it makes requests (sometimes it will). You just
want to also allow blank referrers in addition to the "correct"
referrers.
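
Added example, not part of the original thread: a simplified Python model of how nginx's valid_referers parameters decide $invalid_referer, following the documented meaning of none, blocked and server-name patterns. The function name and the sample Referer values are constructed for illustration; regex patterns and URI prefixes are not modelled.

```python
# Simplified model of how nginx's valid_referers directive sets $invalid_referer.
# Added illustration: follows the documented meaning of "none", "blocked" and
# server-name patterns; regex patterns and URI prefixes are not modelled.
from urllib.parse import urlsplit


def invalid_referer(referer, valid):
    """Return True when $invalid_referer would be set (the request gets the 404).

    referer: Referer header value, or None when the header is absent.
    valid:   valid_referers parameters, e.g. ["blocked", "*.domain.com"].
    """
    if referer is None:
        # Header missing entirely: only the "none" parameter accepts this.
        return "none" not in valid
    if not referer.lower().startswith(("http://", "https://")):
        # Header present but its value was replaced by a proxy or firewall.
        return "blocked" not in valid
    host = (urlsplit(referer).hostname or "").lower()  # port is ignored
    for pattern in valid:
        if pattern in ("none", "blocked"):
            continue
        pattern = pattern.lower()
        if pattern.startswith("*.") and host.endswith(pattern[1:]):
            return False  # "*.domain.com" matches any subdomain
        if host == pattern:
            return False
    return True


ORIGINAL = ["blocked", "domain.com", "*.domain.com"]           # first post
WITH_NONE = ["none", "blocked", "domain.com", "*.domain.com"]  # "none" added

# Constructed sample requests: (description, Referer header value)
SAMPLES = [
    ("own page", "http://www.domain.com/blog/post-1"),
    ("no Referer header", None),
    ("value replaced by filter", "XXXXXXXX"),
    ("other site", "http://other.example/gallery"),
]

if __name__ == "__main__":
    for label, ref in SAMPLES:
        before = "404" if invalid_referer(ref, ORIGINAL) else "ok"
        after = "404" if invalid_referer(ref, WITH_NONE) else "ok"
        print(f"{label:26} original={before:4} with_none={after}")
```
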
Michael S. (Guest)
on 2009-04-12 22:54
(Received via mailing list)
And video embedding is infamous for not sending info. At least Windows
Media Player type embedding. Not sure if Flash players are better.
Gabriel R. (Guest)
on 2009-04-12 23:08
(Received via mailing list)
Flash players may or may not send referrers. It seems to vary based on
the web browser used. Documentation for Flash would lead me to believe
that it never sends referrers, but practical experience shows that
this is not true; it does sometimes send headers, and sometimes not,
in a mostly unpredictable way.
Michael S. (Guest)
on 2009-04-12 23:12
(Received via mailing list)
Possibly could be based on the player. I'm sure you can code in the
headers.
Gabriel R. (Guest)
on 2009-04-13 00:15
(Received via mailing list)
Flash has surprisingly little flexibility with determining what
headers are sent to the server when you request files. It does what it
does and if you don't like it, tough. That's the conclusion I came to
in researching to design a couple of Flash applications, as well as to
lock down video files for a project I was working on.

Sometimes this is for security purposes. You aren't supposed to be
able to request files from a different domain than the SWF was sourced
from (unless a crossdomain.xml file on that domain specifically allows
it). I've noticed that although this is supposed to be a hard and fast
rule, some video players are able to source their video files (.flv)
from sites other than where the SWF was sourced, even if
crossdomain.xml doesn't allow it. This is probably a bug or the result
of some arcane Flash behaviour, rather than something the designer of
the SWF can decide upon.

Either way, you need to be prepared, in Flash, for the likelihood that
it will either send the proper referrers, or no referrers whatsoever,
and you really have no control over which will be the case.