HowToFightDeepLinking » History » Revision 2

jan, 2005-08-24 07:28
added trigger_b4_dl


The simple way

If you use lighttpd 1.3.8 or above, you can use a conditional to protect your images.

{{{
# deny access for all image stealers
$HTTP["referer"] !~ "^($|http://www\.example\.org)" {
  url.access-deny = ( ".jpg", ".jpeg", ".png" )
}
}}}
Remembering their IPs

[http://www.lighttpd.net/documentation/trigger_b4_dl.html mod_trigger_b4_dl] might match your needs more directly.

As long as the user hasn't accessed your main site, he will get redirected to another URL. After he has visited that URL, he will get access to the files.

The IP (or the IP behind the proxy) is stored in a database (gdbm or memcached) and times out once it is no longer used:

{{{
$HTTP["host"] == "www.example.org" {
#trigger-before-download.gdbm-filename = "/var/www/servers/www.example.org/trigger.db"
trigger-before-download.memcache-hosts = ( "127.0.0.1:11212" )
trigger-before-download.debug = "disable"

trigger-before-download.deny-url = "http://www.example.org/" 
trigger-before-download.trigger-timeout = 10
trigger-before-download.trigger-url = "(/$|\.php)"
trigger-before-download.download-url = "(\.mpe?g|\.wmv)"
}
}}}
Using links that timeout

Let's assume that you have a very unique gallery on your page and you don't want someone else to link to the images directly.

A well-known way to handle this is to check whether the referrer matches your site or is empty. But can the referrer be trusted?

Lighttpd's [http://www.lighttpd.net/documentation/secdownload.html mod_secdownload] module can generate URLs with an admin-definable timeout.

!http://www.example.org/gallery/<md5>/<timestamp>/image.jpg

The URL becomes invalid after about 30 seconds (you can configure this), so if it is deep-linked from another site, the link only works for a very short time.

All you have to do is generate the links for the images with a very simple script:

{{{
#!php
<?php

$secret = "verysecret";
# must match secdownload.uri-prefix in the lighttpd config
$uri_prefix = "/gallery/";

# filename
$f = "/secret-file.txt";

# current timestamp
$t = time();

# timestamp as 8 hex digits, then MD5 over secret + filename + timestamp
$t_hex = sprintf("%08x", $t);
$m = md5($secret.$f.$t_hex);

# generate link
printf('<a href="%s%s/%s%s">%s</a>',
       $uri_prefix, $m, $t_hex, $f, $f);
?>
}}}

and set up the matching config on the lighttpd side:

{{{
secdownload.secret = "verysecret"
secdownload.document-root = "/home/www/servers/download-area/"
secdownload.uri-prefix = "/gallery/"
}}}

As the document-root of the secured files is outside of the web directory, the files can't be accessed directly. As long as the URL itself is valid (MD5 + timestamp), the file is sent from the secure directory; otherwise the request is denied.
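
The validity check described above, modelled in Python as an added example (not code from this page or from lighttpd). The function names, verdict strings and the 30-second `TIMEOUT` are assumptions for illustration; the secret, prefix and MD5 input order are taken from the script and config above.

```python
import hashlib
import hmac
import re
import time

SECRET = "verysecret"      # same value as secdownload.secret on this page
URI_PREFIX = "/gallery/"   # same value as secdownload.uri-prefix
TIMEOUT = 30               # seconds; assumed from "about 30 seconds" in the text

# After the prefix: <32 hex md5>/<8 hex timestamp><path starting with "/">
_TOKEN_RE = re.compile(r"([0-9a-f]{32})/([0-9a-f]{8})(/.+)")


def make_link(rel_path, now=None):
    """Build a timed link the same way the PHP script does."""
    t_hex = "%08x" % int(time.time() if now is None else now)
    mac = hashlib.md5((SECRET + rel_path + t_hex).encode()).hexdigest()
    return URI_PREFIX + mac + "/" + t_hex + rel_path


def check_link(uri, now=None):
    """Return (verdict, rel_path); verdict is ok, malformed, expired or bad-mac."""
    now = int(time.time() if now is None else now)
    if not uri.startswith(URI_PREFIX):
        return ("malformed", None)
    m = _TOKEN_RE.fullmatch(uri[len(URI_PREFIX):])
    if m is None:
        return ("malformed", None)
    mac, t_hex, rel_path = m.groups()
    # Reject stale links, and links stamped too far in the future.
    if abs(now - int(t_hex, 16)) > TIMEOUT:
        return ("expired", None)
    expected = hashlib.md5((SECRET + rel_path + t_hex).encode()).hexdigest()
    # Constant-time comparison: do not leak how many digits matched.
    if not hmac.compare_digest(mac, expected):
        return ("bad-mac", None)
    return ("ok", rel_path)


if __name__ == "__main__":
    issued = 1124868480                          # constructed timestamp
    link = make_link("/image.jpg", now=issued)
    print(link, check_link(link, now=issued + 5))
    print("after timeout:", check_link(link, now=issued + 31))
    # Refreshing the timestamp without knowing the secret breaks the MD5.
    head = link[: len(URI_PREFIX) + 33]          # prefix + md5 + "/"
    forged = head + "%08x" % (issued + 3600) + "/image.jpg"
    print("refreshed timestamp:", check_link(forged, now=issued + 3600))
```

Because the timestamp and path are both inputs to the MD5, a copied link cannot be kept alive by editing the timestamp or pointed at a different file.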

Updated by jan over 19 years ago · 14 revisions