Project

General

Profile

HowToFightDeepLinking » History » Revision 4

Revision 3 (Anonymous, 2005-09-17 19:02) → Revision 4/14 (Anonymous, 2005-09-17 19:03)

== The simple way == 

 If you use lighttpd 1.3.8 and above you can use a conditional to protect your images. 

 {{{ 
 # deny access for all image stealers 
 $HTTP["referer"] !~ "^($|http://www\.example\.org)" { 
   url.access-deny = ( ".jpg", ".jpeg", ".png" ) 
 } 
 }}} 

 == Remembering their IPs == 

 [http://www.lighttpd.net/documentation/trigger_b4_dl.html mod_trigger_b4_dl] might match your needs more directly.  

 As long as the user didn't acccesses your main-site he will get redirected to another URL. After he checked that URL, he will get access to the files. 

 IP or the IP behind the Proxy is stored in a database (gdbm or memcached) and will timeout after it is not used anymore: 

 {{{ 
 $HTTP["host"] == "www.example.org" { 
   #trigger-before-download.gdbm-filename = "/var/www/servers/www.example.org/trigger.db" 
   trigger-before-download.memcache-hosts = ( "127.0.0.1:11212" ) 
   trigger-before-download.debug = "disable" 

   trigger-before-download.deny-url = "http://www.example.org/" 
   trigger-before-download.trigger-timeout = 10 
   trigger-before-download.trigger-url = "(/$|\.php)" 
   trigger-before-download.download-url = "(\.mpe?g|\.wmv)" 
 } 
 }}} 

 == Using links that timeout == 

 Let's assume that you have very unique gallery at your page and you don't want someone else you link the images directly. 

 A well-known way to handle this is checking if the referrer matches your site or if it is still empty. But is the referrer trustable ? 

 Lighttpd's [http://www.lighttpd.net/documentation/secdownload.html mod_secdownload] module can generate URLs with an admin-definable timeout.  

 !http://www.example.org/gallery/<md5>/<timestamp>/image.jpg 

 The URLs gets invalid after about 30 seconds (you can configure this) and if it is deep-linked from another site, the link would only work for a very short time.  

 All you have to do is to generate the links for the images with a very simple script: 

 {{{ 
 #!php 
 <?php 

 $secret = "verysecret"; 
 $uri_prefix = "/dl/"; 

 # filename 
 $f = "/secret-file.txt"; 

 # current timestamp 
 $t = time(); 

 $t_hex = sprintf("%08x", $t); 
 $m = md5($secret.$f.$t_hex); 

 # generate link 
 printf('<a href="%s%s/%s%s">%s</a>', 
        $uri_prefix, $m, $t_hex, $f, $f); 
 ?> 
 }}} 

 and to set up the config on the side of lighttpd: 

 {{{ 
 secdownload.secret            = "verysecret" 
 secdownload.document-root     = "/home/www/servers/download-area/" 
 secdownload.uri-prefix        = "/gallery/" 
 }}} 

 As the document-root of the secured files is outside of the web-directory the files can't be accessed directly. As long URL itself is valid (MD5 + timestamp) file is sent from the secure directory, otherwise the request is denied. 

 == Comments == 

 Should this page be called "hot linking" instead of "deep linking"? "Deep linking" is supposed to mean linking to a specific HTML (not image) page on your website instead of the front page, and that can be *good* - see http://www.useit.com/alertbox/20020303.html . <http://www.useit.com/alertbox/20020303.html>. -Philip Mak <pmak@aaanime.net>