[Solved] lighttpd as a content delivery server...

Added by srmousse over 16 years ago

Hey there, I have a few questions that all center around developing a content delivery server. I am really impressed with some of the benchmarks I have seen with lighttpd and so we are seriously considering switching from Apache for this server. I do have a couple of concerns regarding security and overhead.

Our first issue is regarding hot-linking and mass content theft...

My original idea to squash hot-linking was to use .htaccess filtering to limit the domains that are allowed to access the content on a client by client basis. I am told however that this may have some performance hits on our server. I am aware that I can do some access filtering (at least with Apache) via the config file... however, I need to be able to dynamically modify the valid domains without having to restart the server.... back to this in a moment...

For preventing mass content theft, I was thinking to attach a unique 5-10 alpha num. string that would be embedded in the url then matched to a database entry that could then be cached preventing the need for constant db lookups (i.e. one valid image URL might be http://fs.mysite.com/sf3lkn58s/img_183.png and the next image might be http://fs.mysite.com/sdn482n/img_184.png...). All requests in this scenario would then need to be passed to a single handler PHP file that could take care of access validation and caching.

On that note, I could easily handle domain filtering with my handler PHP file if the referring URL is still intact.

So I guess my main question is: Is lighttpd able to handle URL parsing to be able to pass all requests to a single file without the use of your equiv. of the .htaccess?

Secondly, is this the best approach to this level of security?

Thoughts?


Replies (2)

RE: lighttpd as a content delivery server... - Added by icy over 16 years ago

Lighty can do what you want very easily and efficiently. You don't even need any database to prevent hotlinking.
There's a module that does just that: mod_secdownload
Basically it creates links that are only valid for a certain amount of time.

You can also prevent access to certain domains by using $HTTP["host"] conditionals. Check the wiki for more.
You can't modify the config without restarts but there's a feature called graceful restart which doesn't kill ongoing requests. That should satisfy your needs.

Throw in some referer checking and you have a pretty good way to prevent hotlinking.
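
The time-limited links described in the reply above, as an added example that is not part of the original thread or lighttpd's own code: it builds a link in mod_secdownload's original MD5 layout (`<uri-prefix><token>/<hex-timestamp><rel-path>`) and models the server-side expiry check. The secret, prefix, timeout and function names are constructed for illustration and must match `secdownload.secret`, `secdownload.uri-prefix` and `secdownload.timeout` in the server config.

```python
import hashlib
import hmac
import time

# Constructed sample values (assumptions, not from the thread).
SECRET = "example-secret-change-me"
URI_PREFIX = "/dl/"
TIMEOUT = 60  # seconds a link stays valid

def _token(rel_path, t_hex, secret):
    # Original mod_secdownload token: MD5(secret + rel_path + hex timestamp)
    return hashlib.md5((secret + rel_path + t_hex).encode()).hexdigest()

def make_link(rel_path, now=None, secret=SECRET, prefix=URI_PREFIX):
    """Build a protected link; rel_path must start with '/'."""
    t_hex = "%08x" % int(time.time() if now is None else now)
    return f"{prefix}{_token(rel_path, t_hex, secret)}/{t_hex}{rel_path}"

def check_link(url, now=None, secret=SECRET, prefix=URI_PREFIX, timeout=TIMEOUT):
    """Model of the server-side check: returns 'ok', 'expired' or 'invalid'."""
    if not url.startswith(prefix):
        return "invalid"
    parts = url[len(prefix):].split("/", 2)
    if len(parts) != 3:
        return "invalid"
    token, t_hex, rel_path = parts[0], parts[1], "/" + parts[2]
    try:
        issued = int(t_hex, 16)
    except ValueError:
        return "invalid"
    expected = _token(rel_path, t_hex, secret)
    # Constant-time comparison so the check does not leak token prefixes.
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return "invalid"
    now = int(time.time() if now is None else now)
    # The timestamp is covered by the token, so it cannot be bumped forward.
    return "expired" if abs(now - issued) > timeout else "ok"

if __name__ == "__main__":
    link = make_link("/img_183.png")
    print(link, check_link(link))
```

Because the token covers both the path and the timestamp, a copied link stops working after the timeout and cannot be reused for a different file without the secret.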
