Problem with Direct-Linking-Prevention

dubstep · August 23, 2011, 11:01am

Hello!

Yesterday I’ve switched from Apache2 to Nginx - and ran into some
problems with the rewrite Rules.

I tried to do something like:

SetEnvIf Referer mydomain.com localreferer
<FilesMatch .(rar|zip)$>
Order deny,allow
Deny from all
Allow from env=localreferer

(Which worked on Apache.)

And I came up with this:

     ## Stop Download Hijacking
     location ~* (\.rar|\.zip)$ {
             if ($http_referer !~

^(http://www.mydomain.com|http://mydomain.com) ) {
return 444;
}
}

Whole config for this server is:

server {
root /home/mydomain/files;
index index.php index.html;
server_name download.mydomain.com;

     ## Stop Download Hijacking
     location ~* (\.rar|\.zip)$ {
             if ($http_referer !~

^(http://www.mydomain.com|http://mydomain.com) ) {
return 444;
}
}
location / {
try_files $uri $uri/ /index.php;
}

     include /etc/nginx/php;

}

Problem is - it seems to do nothing at all … I can type a download
link into my browser and it loads (should block that unless it was
refered from mydomain).

Has anyone any ideas?

Thanks in advance!
Alexander

Tamashii · August 24, 2011, 3:29pm

I’m wondering why don’t you try http://wiki.nginx.org/HttpRefererModule?

Posted at Nginx Forum:

Tamashii · August 24, 2011, 8:30pm

On 23 Ago 2011 10h00 WEST, [email protected] wrote:

Deny from all
^(http://www.mydomain.com|http://mydomain.com) ) {
return 444;
}
}

Cf. http://wiki.nginx.org/NginxHttpRefererModule

Try:

No download hijacking.

location ~* .(?:rar|zip)$ {

valid_referers none blocked www.mydomain.com mydomain.com {
    if ($invalid_referer) {
      return 444;
    }
}

}

— appa