HowToFightDeepLinking » History » Revision 1
Revision 1/14
| Next »
dg, 2005-05-23 18:18
Moved from old wiki
If you use lighttpd 1.3.8 and above you can use a conditional to protect your images.
{{{- deny access for all image stealers
$HTTP["referer"] !~ "^($|http://www\.example\.org)" {
url.access-deny = ( ".jpg", ".jpeg", ".png" )
}
}}}
Let's assume that you have very unique gallery at your page and you don't want someone else you link the images directly.
A well-known way to handle this is checking if the referrer matches your site or if it is still empty. But is the referrer trustable ?
Lighttpd's [http://www.lighttpd.net/documentation/secdownload.html mod_secdownload] module can generate URLs with an admin-definable timeout.
!http://www.example.org/gallery/<md5>/<timestamp>/image.jpg
The URLs gets invalid after about 30 seconds (you can configure this) and if it is deep-linked from another site, the link would only work for a very short time.
All you have to do is to generate the links for the images with a very simple script:
{{{
#!php
$secret = "verysecret";
$uri_prefix = "/dl/";
- filename
$f = "/secret-file.txt";
- current timestamp
$t = time();
$t_hex = sprintf("%08x", $t);
$m = md5($secret.$f.$t_hex);
- generate link
printf('<a href="%s%s/%s%s">%s</a>',
$uri_prefix, $m, $t_hex, $f, $f);
?>
}}}
and to set up the config on the side of lighttpd:
{{{
secdownload.secret = "verysecret"
secdownload.document-root = "/home/www/servers/download-area/"
secdownload.uri-prefix = "/gallery/"
}}}
As the document-root of the secured files is outside of the web-directory the files can't be accessed directly. As long URL itself is valid (MD5 + timestamp) file is sent from the secure directory, otherwise the request is denied.
Updated by dg almost 19 years ago · 1 revisions