Lighttpd

The simple way

If you use lighttpd 1.3.8 and above you can use a conditional to protect your images.

{{{

1. deny access for all image stealers
   $HTTP["referer"] !~ "^($|http://www\.example\.org)" {
   url.access-deny = ( ".jpg", ".jpeg", ".png" )
   }
   }}}

Remembering their IPs

[http://www.lighttpd.net/documentation/trigger_b4_dl.html mod_trigger_b4_dl] might match your needs more directly.

As long as the user didn't acccesses your main-site he will get redirected to another URL. After he checked that URL, he will get access to the files.

IP or the IP behind the Proxy is stored in a database (gdbm or memcached) and will timeout after it is not used anymore:

{{{
$HTTP["host"] == "www.example.org" {
#trigger-before-download.gdbm-filename = "/var/www/servers/www.example.org/trigger.db"
trigger-before-download.memcache-hosts = ( "127.0.0.1:11212" )
trigger-before-download.debug = "disable"

trigger-before-download.deny-url = "http://www.example.org/" 
  trigger-before-download.trigger-timeout = 10
  trigger-before-download.trigger-url = "(/$|\.php)" 
  trigger-before-download.download-url = "(\.mpe?g|\.wmv)" 
}
}}}

Using links that timeout

Let's assume that you have very unique gallery at your page and you don't want someone else you link the images directly.

A well-known way to handle this is checking if the referrer matches your site or if it is still empty. But is the referrer trustable ?

Lighttpd's [http://www.lighttpd.net/documentation/secdownload.html mod_secdownload] module can generate URLs with an admin-definable timeout.

!http://www.example.org/gallery/<md5>/<timestamp>/image.jpg

The URLs gets invalid after about 30 seconds (you can configure this) and if it is deep-linked from another site, the link would only work for a very short time.

All you have to do is to generate the links for the images with a very simple script:

{{{
#!php

$secret = "verysecret";
$uri_prefix = "/dl/";

1. filename
   $f = "/secret-file.txt";

1. current timestamp
   $t = time();

$t_hex = sprintf("%08x", $t);
$m = md5($secret.$f.$t_hex);

1. generate link
   printf('<a href="%s%s/%s%s">%s</a>',
   $uri_prefix, $m, $t_hex, $f, $f);
   ?>
   }}}

and to set up the config on the side of lighttpd:

{{{
secdownload.secret = "verysecret"
secdownload.document-root = "/home/www/servers/download-area/"
secdownload.uri-prefix = "/gallery/"
}}}

As the document-root of the secured files is outside of the web-directory the files can't be accessed directly. As long URL itself is valid (MD5 + timestamp) file is sent from the secure directory, otherwise the request is denied.

Comments

Should this page be called "hot linking" instead of "deep linking"? "Deep linking" is supposed to mean linking to a specific HTML (not image) page on your website instead of the front page, and that can be good - see http://www.useit.com/alertbox/20020303.html . -Philip Mak <pmak@aaanime.net>