Bug #223
closed
basic HTTP referer deep-linking protection not working
Description
I downloaded and compiled lighttpd 1.4.0 on Red Hat Enterprise Linux 4 and am unable to get it to deny access to anything for deeplinking protection. I made sure to install the pcre libs first and the configure script found the libs properly and everything compiled OK. I have only mod_access, mod_accesslog, and mod_simple_vhost enabled.
If I put an invalid pcre into my config, lighttpd won't start and dies complaining of said invalid pcre. I have tried every variation I could think of on the pcre itself and nothing works.
Example URLs follow. Be warned we're an adult site so you probably don't want to poke around much. Or perhaps you do.
Here's my config:
# deny access for all image stealers
$HTTP["referer"] !~ "hothouse" {
  url.access-deny = ( ".jpg", ".jpeg", ".png", ".gif", ".mov", ".wmv", ".rm", ".psd", ".tif", ".tiff" )
}
but I have tried the following from the Wiki example:
# deny access for all image stealers
$HTTP["referer"] !~ "^($|http://www\.hothouse\.com)" {
  url.access-deny = ( ".jpg", ".jpeg", ".png" )
}
and even:
# deny access for all image stealers
$HTTP["referer"] !~ "*" {
  url.access-deny = ( ".jpg", ".jpeg", ".png" )
}
also to no avail. An image that should be denied is here:
http://mediaqa.hothouse.com/store/products/hh021/catalog.jpg
The access logs also clearly show "-" for the Referer.
-- nick
Updated by jan over 19 years ago
- Status changed from New to Assigned
$HTTP["referer"] !~ "*" {
  url.access-deny = ( ".jpg", ".jpeg", ".png" )
}
The asterisk is not a valid regex, the second version should work.
I added test cases to verify that this kind of protection works as planned, and it does.
Enable debug.log-request-handling = "enable" and check that the Referer header is set as planned.
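As an added illustration (not code from the ticket or from lighttpd itself), the Python below evaluates the three conditionals posted above against a few constructed Referer values the way lighttpd's `!~` conditional would. It assumes that a missing Referer header is compared as the empty string and that the match is an unanchored PCRE-style search; the request path is the catalog.jpg URL from the ticket.

```python
import re

# Constructed sample Referer values; the empty string is what the "-" in the
# access log stands for (no Referer header sent by the client).
SAMPLE_REFERERS = {
    "direct request, no Referer": "",
    "own site over http": "http://www.hothouse.com/store/hh021.html",
    "own site over https": "https://www.hothouse.com/store/hh021.html",
    "third-party page": "http://example.invalid/gallery.html",
}

# Suffixes from the ticket's shorter url.access-deny list.
DENY_SUFFIXES = (".jpg", ".jpeg", ".png")

# The three patterns tried in the ticket, verbatim.
PATTERNS = {
    "hothouse": "hothouse",
    "wiki": r"^($|http://www\.hothouse\.com)",
    "asterisk": "*",
}


def config_loads(pattern):
    """lighttpd refuses to start on an invalid PCRE; re.compile mirrors that."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def deny_block_applies(pattern, referer):
    """Evaluate `$HTTP["referer"] !~ pattern`. Assumptions: a missing header is
    compared as "", and the match is an unanchored search like PCRE's."""
    return re.search(pattern, referer) is None


def decide(pattern, referer, path):
    """'deny' when the conditional block is active and the path has a denied suffix."""
    if deny_block_applies(pattern, referer) and path.lower().endswith(DENY_SUFFIXES):
        return "deny"
    return "allow"


def matrix(path="/store/products/hh021/catalog.jpg"):
    """Decision of every loadable pattern for every sample referer."""
    return {name: {label: decide(pat, ref, path) for label, ref in SAMPLE_REFERERS.items()}
            for name, pat in PATTERNS.items() if config_loads(pat)}
```

Under these assumptions the wiki pattern admits an empty Referer, so a URL typed straight into a browser (logged as "-") is served, while the site's own https pages are rejected because the pattern only lists http://.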
Updated by Anonymous over 19 years ago
67.164.88.92 - - [24/Aug/2005:00:02:16 -0700] "GET /store/products/hh021/catalog.jpg HTTP/1.1" 304 0 "-" "Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.9) Gecko/20050713 Firefox/1.0.5 (PowerBook)"
84.141.53.168 - - [24/Aug/2005:00:11:23 -0700] "GET /store/products/hh021/catalog.jpg HTTP/1.1" 200 4282 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050720 Fedora/1.0.6-1.1.fc4 Firefox/1.0.6"
That's the access_log... the referer is "-"
and here's an error_log with all debugging enabled:
2005-08-24 00:11:23: (response.c.175) -- splitting Request-URI
2005-08-24 00:11:23: (response.c.176) Request-URI : /store/products/hh021/catalog.jpg
2005-08-24 00:11:23: (response.c.177) URI-scheme : http
2005-08-24 00:11:23: (response.c.178) URI-authority: mediaqa.hothouse.com
2005-08-24 00:11:23: (response.c.179) URI-path : /store/products/hh021/catalog.jpg
2005-08-24 00:11:23: (response.c.180) URI-query :
2005-08-24 00:11:23: (response.c.230) -- sanatising URI
2005-08-24 00:11:23: (response.c.231) URI-path : /store/products/hh021/catalog.jpg
2005-08-24 00:11:23: (response.c.303) -- before doc_root
2005-08-24 00:11:23: (response.c.304) Doc-Root : /var/docroot/goes/here
2005-08-24 00:11:23: (response.c.305) Rel-Path : /store/products/hh021/catalog.jpg
2005-08-24 00:11:23: (response.c.306) Path :
2005-08-24 00:11:23: (response.c.353) -- after doc_root
2005-08-24 00:11:23: (response.c.354) Doc-Root : /var/docroot/goes/here/mediaqa.hothouse.com/htdocs/
2005-08-24 00:11:23: (response.c.355) Rel-Path : /store/products/hh021/catalog.jpg
2005-08-24 00:11:23: (response.c.356) Path : /var/docroot/goes/here/mediaqa.hothouse.com/htdocs/store/products/hh021/catalog.jpg
2005-08-24 00:11:23: (response.c.373) -- logical -> physical
2005-08-24 00:11:23: (response.c.374) Doc-Root : /var/docroot/goes/here/mediaqa.hothouse.com/htdocs/
2005-08-24 00:11:23: (response.c.375) Rel-Path : /store/products/hh021/catalog.jpg
2005-08-24 00:11:23: (response.c.376) Path : /var/docroot/goes/here/mediaqa.hothouse.com/htdocs/store/products/hh021/catalog.jpg
2005-08-24 00:11:23: (response.c.393) -- handling physical path
2005-08-24 00:11:23: (response.c.394) Path : /var/docroot/goes/here/mediaqa.hothouse.com/htdocs/store/products/hh021/catalog.jpg
2005-08-24 00:11:23: (response.c.401) -- file found
2005-08-24 00:11:23: (response.c.402) Path : /var/docroot/goes/here/mediaqa.hothouse.com/htdocs/store/products/hh021/catalog.jpg
2005-08-24 00:11:23: (response.c.510) -- handling subrequest
2005-08-24 00:11:23: (response.c.511) Path : /var/docroot/goes/here/mediaqa.hothouse.com/htdocs/store/products/hh021/catalog.jpg
2005-08-24 00:11:23: (mod_staticfile.c.392) -- handling file as static file
2005-08-24 00:11:23: (response.c.522) -- subrequest finished
2005-08-24 00:11:23: (response.c.102) Response-Header:
HTTP/1.1 200 OK
Date: Wed, 24 Aug 2005 07:11:23 GMT
Content-Type: image/jpeg
ETag: "-1700820186"
Accept-Ranges: bytes
Last-Modified: Tue, 23 Aug 2005 20:44:09 GMT
Content-Length: 4282
Server: lighttpd
-- nick
Updated by Anonymous over 19 years ago
In an attempt to see if it was just the version I compiled I also just uninstalled that version and installed the new 1.4.1 RPM for Fedora Core 4, which incidentally installed without a hitch on RHEL4. The problem still exists.
-- nick
Updated by jan over 19 years ago
Updated by Anonymous over 19 years ago
I have that enabled already... do I have to add another option to it, or is just having it enabled enough? (I'm on IRC now...)
-- nick
Updated by jan over 19 years ago
- Status changed from Assigned to Fixed
- Resolution set to invalid
after discussion on IRC: configuration problem.