HowToFightDeepLinking » History » Revision 5
« Previous |
Revision 5/14
(diff)
| Next »
Anonymous, 2005-10-06 22:27
Minor text changes.
If you use lighttpd 1.3.8 and above, you can use a conditional to protect your images.
{{{- deny access for all image stealers
$HTTP["referer"] !~ "^($|http://www\.example\.org)" {
url.access-deny = ( ".jpg", ".jpeg", ".png" )
}
}}}
[http://www.lighttpd.net/documentation/trigger_b4_dl.html mod_trigger_b4_dl] might match your needs more directly.
As long as the user didn't acccesses your main site, he will get redirected to another URL. After he checks that URL, he will get access to the files.
IP or the IP behind the Proxy is stored in a database (gdbm or memcached) and will timeout after it is no longer used anymore:
{{{
$HTTP["host"] == "www.example.org" {
#trigger-before-download.gdbm-filename = "/var/www/servers/www.example.org/trigger.db"
trigger-before-download.memcache-hosts = ( "127.0.0.1:11212" )
trigger-before-download.debug = "disable"
trigger-before-download.deny-url = "http://www.example.org/"
trigger-before-download.trigger-timeout = 10
trigger-before-download.trigger-url = "(/$|\.php)"
trigger-before-download.download-url = "(\.mpe?g|\.wmv)"
}
}}}
Using links that timeout
Let's assume that you have very unique gallery at your page and that you don't want someone else to link to the images directly.
A well known way to handle this is to check if the referrer matches your site or is still empty. But is the referrer trustable?
Lighttpd's [http://www.lighttpd.net/documentation/secdownload.html mod_secdownload] module can generate URLs with an admin-definable timeout.
!http://www.example.org/gallery/<md5>/<timestamp>/image.jpg
The URLs becomes invalid after about 30 seconds (admin configurable) and if the link is deep-linked from another site, the link would only work for a very short time.
All you have to do is to generate the links for the images is use a very simple script:
{{{
#!php
$secret = "verysecret";
$uri_prefix = "/dl/";
- filename
$f = "/secret-file.txt";
- current timestamp
$t = time();
$t_hex = sprintf("%08x", $t);
$m = md5($secret.$f.$t_hex);
- generate link
printf('<a href="%s%s/%s%s">%s</a>',
$uri_prefix, $m, $t_hex, $f, $f);
?>
}}}
and to set up the config on the side of lighttpd:
{{{
secdownload.secret = "verysecret"
secdownload.document-root = "/home/www/servers/download-area/"
secdownload.uri-prefix = "/gallery/"
}}}
Since the document root of secured files are outside of the web directory, the files can't be accessed directly. As long as the URL itself is valid (MD5 + timestamp), the file is sent from the secure directory, otherwise the request is denied.
CommentsShould this page be called "hot linking" instead of "deep linking"? "Deep linking" is supposed to mean linking to a specific HTML (not image) page on your website instead of the front page, and that can be good - see http://www.useit.com/alertbox/20020303.html . -Philip Mak <pmak@aaanime.net>
It appears he is trying to protect a limited set of a particular kind of file (e.g., a photo album) from being deep linked linked, not the whole site. -wls, <wls@wwco.com>
Updated by Anonymous about 19 years ago · 5 revisions