HowToFightDeepLinking » History » Revision 2
Revision 1 (dg, 2005-05-23 18:18) → Revision 2/14 (jan, 2005-08-24 07:28)
== The simple way ==

If you use lighttpd 1.3.8 and above you can use a conditional to protect your images.

{{{
# deny access for all image stealers
$HTTP["referer"] !~ "^($|http://www\.example\.org)" {
  url.access-deny = ( ".jpg", ".jpeg", ".png" )
}
}}}

== Remembering their IPs ==

[http://www.lighttpd.net/documentation/trigger_b4_dl.html mod_trigger_b4_dl] might match your needs more directly. As long as the user has not accessed your main site, he gets redirected to another URL. After he has requested that URL, he gets access to the files. The IP (or the IP behind the proxy) is stored in a database (gdbm or memcached) and times out once it is no longer used:

{{{
$HTTP["host"] == "www.example.org" {
  #trigger-before-download.gdbm-filename = "/var/www/servers/www.example.org/trigger.db"
  trigger-before-download.memcache-hosts = ( "127.0.0.1:11212" )
  trigger-before-download.debug = "disable"
  trigger-before-download.deny-url = "http://www.example.org/"
  trigger-before-download.trigger-timeout = 10
  trigger-before-download.trigger-url = "(/$|\.php)"
  trigger-before-download.download-url = "(\.mpe?g|\.wmv)"
}
}}}

== Using links that timeout (the hard way) ==

Let's assume that you have a unique gallery on your page and you don't want someone else to link the images directly. A well-known way to handle this is checking whether the referrer matches your site or is still empty. But is the referrer trustworthy? Lighttpd's [http://www.lighttpd.net/documentation/secdownload.html mod_secdownload] module can generate URLs with an admin-definable timeout:

!http://www.example.org/gallery/<md5>/<timestamp>/image.jpg

The URL becomes invalid after about 30 seconds (you can configure this), so if it is deep-linked from another site the link only works for a very short time.
All you have to do is to generate the links for the images with a very simple script:

{{{
#!php
<?php
$secret = "verysecret";      # must match secdownload.secret
$uri_prefix = "/gallery/";   # must match secdownload.uri-prefix

# filename, relative to secdownload.document-root
$f = "/secret-file.txt";

# current timestamp as 8 hex digits
$t = time();
$t_hex = sprintf("%08x", $t);

# the token mod_secdownload recomputes: md5(secret + path + hex timestamp)
$m = md5($secret.$f.$t_hex);

# generate link: <prefix><md5>/<timestamp><path>
printf('<a href="%s%s/%s%s">%s</a>', $uri_prefix, $m, $t_hex, $f, $f);
?>
}}}

and to set up the config on the side of lighttpd:

{{{
secdownload.secret = "verysecret"
secdownload.document-root = "/home/www/servers/download-area/"
secdownload.uri-prefix = "/gallery/"
}}}

As the document-root of the secured files is outside of the web directory, the files can't be accessed directly. As long as the URL itself is valid (MD5 + timestamp) the file is sent from the secure directory, otherwise the request is denied.
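As an added example (not code from this page or from the lighttpd project), the same link generation in Python next to a re-implementation of the check mod_secdownload performs, so the digest and timeout behaviour can be exercised offline. SECRET, URI_PREFIX and the 30-second window mirror the configuration above; that the window is accepted symmetrically around the server clock is an assumption of this example.

```python
import hashlib
import hmac
import time

SECRET = "verysecret"     # must equal secdownload.secret
URI_PREFIX = "/gallery/"  # must equal secdownload.uri-prefix
TIMEOUT = 30              # seconds, the page's "about 30 seconds"


def make_link(path, now=None):
    """Build /<prefix><md5>/<hex timestamp><path>, like the PHP script above."""
    t = int(time.time() if now is None else now)
    t_hex = "%08x" % t
    digest = hashlib.md5((SECRET + path + t_hex).encode()).hexdigest()
    return "%s%s/%s%s" % (URI_PREFIX, digest, t_hex, path)


def check_link(url, now=None):
    """Server-side check: return the protected path if the URL is valid, else None.

    Rejects malformed URLs, expired or future timestamps (assumed symmetric
    window of +/- TIMEOUT seconds) and digests that do not match the secret.
    """
    if not url.startswith(URI_PREFIX):
        return None
    parts = url[len(URI_PREFIX):].split("/", 2)
    if len(parts) != 3:
        return None
    digest, t_hex, tail = parts
    if len(digest) != 32 or len(t_hex) != 8:
        return None
    try:
        t = int(t_hex, 16)
    except ValueError:
        return None
    now = int(time.time() if now is None else now)
    if abs(now - t) > TIMEOUT:
        return None  # link has timed out (lighttpd answers 410 Gone)
    path = "/" + tail
    expected = hashlib.md5((SECRET + path + t_hex).encode()).hexdigest()
    # constant-time comparison so a forged digest cannot be probed byte by byte
    if not hmac.compare_digest(expected, digest):
        return None
    return path


if __name__ == "__main__":
    link = make_link("/image.jpg")
    print(link, "->", check_link(link))
```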