
Nginx Disable hotlinking

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by pamamolf, Jul 21, 2014.

  1. pamamolf

    pamamolf Premium Member Premium Member

    Hi

    How can i disable hotlinking on Centminmod server?


    Thanks
     
  2. eva2000

    eva2000 Administrator Staff Member

  3. Afterward

    Afterward Member

    This goes in nginx.conf, right? Also, I'm kind of confused about where exactly to paste the code: at the very bottom?
    Can I return an image instead of a 403?
     
  4. rdan

    rdan Well-Known Member

  5. Afterward

    Afterward Member

    So the config should look like this? I don't know if I added the code in the correct place, though.
    Code:
    # Main nginx.conf as posted: global worker settings, the events block, and the
    # http block whose last line includes the per-site *.conf files.
    user              nginx nginx;
    worker_processes 3;
    worker_priority -10;
    
    worker_rlimit_nofile 260000;
    timer_resolution 100ms;
    
    error_log         logs/error.log;
    
    pid               logs/nginx.pid;
    pcre_jit on;
    
    events {
        worker_connections  2048;
        accept_mutex on;
        accept_mutex_delay 100ms;
        use epoll;
        #multi_accept on;
    }
    
    http {
    include /usr/local/nginx/conf/pagespeedadmin.conf;
    include /usr/local/nginx/conf/fastcgi_param_https_map.conf;
    
    # "main" is defined here, but the access_log line below selects the built-in
    # "combined" format, so this format is not used by that log.
    log_format      main    '$remote_addr - $remote_user [$time_local] $request '
                    '"$status" $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" "$gzip_ratio"'
                    ' "$connection" "$connection_requests" "$request_time"';
    
    access_log logs/access.log combined buffer=32k;
    
        index  index.php index.html index.htm;
        include       mime.types;
        default_type  application/octet-stream;
        charset utf-8;
    
            sendfile on;
            #sendfile_max_chunk 1m;
            tcp_nopush  on;
            tcp_nodelay off;
            # keeps the nginx version out of the Server header and error pages
            server_tokens off;
            server_name_in_redirect off;
          
            keepalive_timeout  10;
            keepalive_requests 100;
            lingering_time 20s;
            lingering_timeout 5s;
            keepalive_disable msie6;
    
        gzip on;
        gzip_vary   on;
        gzip_disable "MSIE [1-6]\.";
            gzip_static on;
            gzip_min_length   1400;
            gzip_buffers      32 8k;
            gzip_http_version 1.0;
            gzip_comp_level 5;
            gzip_proxied    any;
            gzip_types text/plain text/css text/xml application/javascript application/x-javascript application/xml application/xml+rss application/ecmascript application/json image/svg+xml;
    
    client_body_buffer_size 256k;
    client_body_in_file_only off;
    client_body_timeout 60s;
    client_header_buffer_size 64k;
    ## how long a connection has to complete sending
    ## it's headers for request to be processed
    client_header_timeout  20s;
    client_max_body_size 10m;
    connection_pool_size  512;
    directio  4m;
    ignore_invalid_headers on;     
    large_client_header_buffers 8 64k;
    output_buffers   8 256k;
    postpone_output  1460;
    proxy_temp_path  /tmp/nginx_proxy/;
    request_pool_size  32k;
    reset_timedout_connection on;
    send_timeout     60s;
    types_hash_max_size 2048;
    server_names_hash_bucket_size 64;
    
    # for nginx proxy backends to prevent redirects to backend port
    # port_in_redirect off;
    
    open_file_cache max=10000 inactive=30s;
    open_file_cache_valid 120s;
    open_file_cache_min_uses 2;
    open_file_cache_errors off;
    open_log_file_cache max=4096 inactive=30s min_uses=2;
    
    # NOTE(review): nginx accepts `location` only inside a server {} block (or
    # nested in another location), so this block does not belong here at http
    # level; it would go in the site's own server {} file instead.
    # The dot in the pattern is unescaped and therefore matches any character;
    # `\.` would restrict the match to real file extensions. `~` is also
    # case-sensitive, so upper-case extensions are not covered.
    # `none` and `blocked` accept requests with no Referer or one stripped by a
    # proxy/firewall, and Referer is set by the client, so this check discourages
    # casual hotlinking but is not an access control.
    location ~ .(gif|png|jpe?g)$ {
         valid_referers none blocked mywebsite.com *.mywebsite.com;
         if ($invalid_referer) {
            return   403;
        }
    }
    
    ## limit number of concurrency connections per ip to 16
    ## add to your server {} section the next line
    ## limit_conn limit_per_ip 16;
    ## uncomment below line allows 500K sessions
    # limit_conn_log_level error;
    #######################################
    # use limit_zone for Nginx <v1.1.7 and lower
    # limit_zone $binary_remote_addr zone=limit_per_ip:16m;
    #######################################
    # use limit_conn_zone for Nginx >v1.1.8 and higher
    # limit_conn_zone $binary_remote_addr zone=limit_per_ip:16m;
    #######################################
    
    include /usr/local/nginx/conf/conf.d/*.conf;
    }
    
     
  6. rdan

    rdan Well-Known Member

    Why did you add it to nginx.conf?
    I think it should be in your domain config.
     
  7. eva2000

    eva2000 Administrator Staff Member

    not in nginx.conf but yourdomain.conf

    @RoldanLT Google will index fine. Hotlink protection just prevents domains other than yours from serving the image to their visitors.
     
  8. Afterward

    Afterward Member

    Can i add it right below this
    Code:
    include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      include /usr/local/nginx/conf/errorpage.conf;
    }
    
    Which will result in this:
    Code:
     include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      include /usr/local/nginx/conf/errorpage.conf;
    }
    
    # NOTE(review): the `}` just above appears to close the server {} block, which
    # would leave this location outside any server; nginx accepts `location` only
    # inside server {} (or another location), so it would have to sit above that `}`.
    # The pattern's dot is unescaped and matches any character (`\.` would pin it to
    # a real extension). `none`/`blocked` let requests with a missing or stripped
    # Referer through, and Referer is client-supplied, so this is a deterrent to
    # casual hotlinking rather than an access control.
    location ~ .(gif|png|jpe?g)$ {
         valid_referers none blocked mywebsite.com *.mywebsite.com;
         if ($invalid_referer) {
            return   403;
        }
    }
    Is this method correct? :)
     
  9. rdan

    rdan Well-Known Member

    So I want to block this entire directory:
    /data/
    /styles/

    How can I combine them into one declaration without creating another set of location?
    :)
    Combining this:
    Code:
    # Prefix location: any URI starting with /data/ is answered with 403 when the
    # Referer header is not accepted by valid_referers.
    # NOTE(review): only *.domain.com is listed, so a Referer of the bare
    # domain.com would presumably count as invalid; the other snippets in this
    # thread list both forms. `none`/`blocked` still admit requests whose Referer
    # is missing or was stripped.
    # The /styles/ block that follows repeats this body; a single regex location
    # such as `location ~ ^/(data|styles)/ { ... }` would cover both directories,
    # but it is then matched as a regex, in file order, rather than as a prefix.
    location /data/ {
    valid_referers none blocked *.domain.com;
    if ($invalid_referer) {
    return 403;
    }
    }
    
    # Prefix location: any URI starting with /styles/ is answered with 403 when the
    # Referer header is not accepted by valid_referers.
    # NOTE(review): only *.domain.com is listed, so a Referer of the bare
    # domain.com would presumably count as invalid — confirm that is intended.
    location /styles/ {
    valid_referers none blocked *.domain.com;
    if ($invalid_referer) {
    return 403;
    }
    }
    
     
  10. Afterward

    Afterward Member

    Did it work for you? I tried it and got no results.
    I even tried:
    Code:
    # Case-sensitive regex with the upper-case extensions spelled out (`~*` would
    # match case-insensitively). Requests whose Referer is not accepted are sent a
    # temporary redirect (`redirect` flag) to a replacement image instead of a 403.
    # NOTE(review): the target URL below is a placeholder. If the real replacement
    # image is served by this same server, it matches this location as well, and the
    # redirected request would likely be redirected again unless that one file is
    # exempted from the check.
    location ~ \.(gif|png|jpg|jpeg|JPG|GIF|JPEG|PNG)$ {
        valid_referers none blocked domain.com *.domain.com;
            if ($invalid_referer) {
                rewrite \.(gif|png|jpg|jpeg|JPG|GIF|JPEG|PNG)$ http://bla bla/stop_stealing_hotlinking.png redirect;
            }
    }
    Same thing :/
     
  11. eva2000

    eva2000 Administrator Staff Member

    you might need to comment out this include file first as it also has location context matches for static file extensions

    Code:
    #include /usr/local/nginx/conf/staticfiles.conf;
     
  12. Afterward

    Afterward Member

    Thanks, I will give it a try later and report back; I haven't slept in 54 hours.
     
  13. Sunka

    Sunka Well-Known Member

    Regarding this hotlinking prevention:
    Is this code valid?

    Code:
    # Returns 403 for .gif/.png/.jpg/.jpeg requests whose Referer header is not
    # accepted by valid_referers.
    # NOTE(review): the pattern's dot is unescaped and matches any character (`\.`
    # would pin it to a real extension), and `~` is case-sensitive. `none` and
    # `blocked` accept requests with no Referer or one stripped by a proxy/firewall,
    # and Referer is set by the client, so this discourages casual hotlinking but
    # does not protect the files from direct download.
    location ~ .(gif|png|jpe?g)$ {
         valid_referers none blocked mywebsite.com *.mywebsite.com;
         if ($invalid_referer) {
            return   403;
        }
    }
    Where exactly should I put it in mydomain.conf?
    I want all images on my domain to be protected, not just those in one folder.

    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For SPDY SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
     # Plain-HTTP server: no `listen` is given, so nginx's default listener applies.
     # $server_name expands to the first name in server_name, so every request is
     # answered with a 301 to https://www.pijanitvor.com followed by the original URI.
     server {
       server_name pijanitvor.com www.pijanitvor.com;
        return 301 https://www.$server_name$request_uri;
     }
    
    # HTTPS server for the site: TLS settings, OCSP stapling, logging, the document
    # root, a few restricted locations and the shared include files.
    server {
      listen 443 ssl http2;
      server_name pijanitvor.com www.pijanitvor.com;
    
      ##  redirect https non-www to https www
          if ($host = 'pijanitvor.com' ) {
             return 301 https://www.pijanitvor.com$request_uri;
          }
     
      ssl_dhparam /usr/local/nginx/conf/ssl/pijanitvor.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/pijanitvor.com/ssl-unified.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/pijanitvor.com/pijanitvor.com.key;
      # ssl_include.conf is not shown here; which protocol versions are enabled
      # presumably comes from that file.
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # mozilla recommended
      # NOTE(review): after the ECDHE/DHE entries this list still ends with plain-RSA
      # key-exchange suites (AES128-GCM-SHA256 ... AES256-SHA, AES), which give no
      # forward secrecy, and it keeps CBC-mode suites; compare it against the current
      # Mozilla server-side TLS profile before reusing it.
      ssl_ciphers EECDH+CHACHA20-draft:EECDH+CHACHA20:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
      ssl_prefer_server_ciphers   on;
      # NOTE(review): HSTS, X-Content-Type-Options and X-Frame-Options are all
      # commented out below, so this server block sends none of them unless an
      # included file adds them.
      #######################add_header Alternate-Protocol  443:npn-spdy/3;
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header  X-Content-Type-Options "nosniff";
      #add_header X-Frame-Options DENY;
      #######################spdy_headers_comp 5;
      ssl_buffer_size 1400;
      # NOTE(review): no ssl_session_ticket_key is set in this block, so unless
      # ssl_include.conf sets one the ticket key lives as long as the nginx master
      # process — confirm that rotation interval is acceptable.
      ssl_session_tickets on;
     
      #enable ocsp stapling
      # The resolver is used to look up the OCSP responder's host name. nginx's
      # documentation recommends resolvers on a trusted local network to avoid DNS
      # spoofing; these are public resolvers reached over the internet.
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/pijanitvor.com/ssl-trusted.crt; 
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/pijanitvor.com/log/access.log combined buffer=256k flush=60m;
      error_log /home/nginx/domains/pijanitvor.com/log/error.log;
    
      root /home/nginx/domains/pijanitvor.com/public;
    
      location / {
            index index.php index.html index.htm;
            try_files $uri $uri/ /index.php?$uri&$args;
           include /usr/local/nginx/conf/blockbots.conf;
        }
    
        # `internal` makes nginx answer 404 to requests that arrive directly from a
        # client; the allow/deny list still applies to internally redirected
        # requests. NOTE(review): confirm the combination does what is intended.
        location /internal_data/ {
            internal;
            allow 127.0.0.1;
            allow 94.237.29.18;
            deny all;
        }
        
        # Same restriction pattern as /internal_data/ above.
        location /library/ {
            internal;
            allow 127.0.0.1;
            allow 94.237.29.18;
            deny all;
        }
     
      # prevent access to ./directories and files
            location ~ (?:^|/)\. {
       deny all;
            } 
    
    
      # NOTE(review): a reply earlier in this thread says staticfiles.conf already
      # defines location matches for static file extensions. nginx selects the first
      # regex location that matches, in file order, so a hotlink `location ~ ...`
      # block has to be inside this server {} and above that include (or merged into
      # it) to be the one that is applied.
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    

    Also, is there any way to return an image instead of the 403?

    All of these questions have been asked in this thread before, but there is no clear answer or solution.
     
  14. Sunka

    Sunka Well-Known Member

    Anyone?
     
  15. eva2000

    eva2000 Administrator Staff Member

  16. Sunka

    Sunka Well-Known Member

    So attachments (images added to a post with "upload a file") cannot be hotlinked?
     
  17. eva2000

    eva2000 Administrator Staff Member

    not for normal Xenforo I don't think.. try it and see