Project

General

Profile

Actions

HowToFightDeepLinking » History » Revision 1

Revision 1/14 | Next »
dg, 2005-05-23 18:18
Moved from old wiki


The simple way

If you use lighttpd 1.3.8 and above you can use a conditional to protect your images.

{{{
  1. deny access for all image stealers
    $HTTP["referer"] !~ "^($|http://www\.example\.org)" {
    url.access-deny = ( ".jpg", ".jpeg", ".png" )
    }
    }}}
The hard way

Let's assume that you have very unique gallery at your page and you don't want someone else you link the images directly.

A well-known way to handle this is checking if the referrer matches your site or if it is still empty. But is the referrer trustable ?

Lighttpd's [http://www.lighttpd.net/documentation/secdownload.html mod_secdownload] module can generate URLs with an admin-definable timeout.

!http://www.example.org/gallery/<md5>/<timestamp>/image.jpg

The URLs gets invalid after about 30 seconds (you can configure this) and if it is deep-linked from another site, the link would only work for a very short time.

All you have to do is to generate the links for the images with a very simple script:

{{{
#!php

$secret = "verysecret";
$uri_prefix = "/dl/";

  1. filename
    $f = "/secret-file.txt";
  1. current timestamp
    $t = time();

$t_hex = sprintf("%08x", $t);
$m = md5($secret.$f.$t_hex);

  1. generate link
    printf('<a href="%s%s/%s%s">%s</a>',
    $uri_prefix, $m, $t_hex, $f, $f);
    ?>
    }}}

and to set up the config on the side of lighttpd:

{{{
secdownload.secret = "verysecret"
secdownload.document-root = "/home/www/servers/download-area/"
secdownload.uri-prefix = "/gallery/"
}}}

As the document-root of the secured files is outside of the web-directory the files can't be accessed directly. As long URL itself is valid (MD5 + timestamp) file is sent from the secure directory, otherwise the request is denied.

Updated by dg over 19 years ago · 1 revisions