
Nginx Disable hotlinking

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by pamamolf, Jul 21, 2014.

  1. pamamolf

    pamamolf Well-Known Member

    Hi

    How can I disable hotlinking on a Centmin Mod server?

    Thanks
     
  2. eva2000

    eva2000 Administrator Staff Member

  3. Afterward

    Afterward Member

    This goes in nginx.conf, right? Also, I'm kind of confused about where exactly to paste the code: at the very bottom?
    Can I return an image instead of a 403?
     
  4. rdan

    rdan Premium Member Premium Member

  5. Afterward

    Afterward Member

    So the config should look like this? I don't know if I added the code in the correct place, though.
    Code:
    user              nginx nginx;
    worker_processes 3;
    worker_priority -10;
    
    worker_rlimit_nofile 260000;
    timer_resolution 100ms;
    
    error_log         logs/error.log;
    
    pid               logs/nginx.pid;
    pcre_jit on;
    
    events {
        worker_connections  2048;
        accept_mutex on;
        accept_mutex_delay 100ms;
        use epoll;
        #multi_accept on;
    }
    
    http {
    include /usr/local/nginx/conf/pagespeedadmin.conf;
    include /usr/local/nginx/conf/fastcgi_param_https_map.conf;
    
    log_format      main    '$remote_addr - $remote_user [$time_local] $request '
                    '"$status" $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" "$gzip_ratio"'
                    ' "$connection" "$connection_requests" "$request_time"';
    
    access_log logs/access.log combined buffer=32k;
    
        index  index.php index.html index.htm;
        include       mime.types;
        default_type  application/octet-stream;
        charset utf-8;
    
            sendfile on;
            #sendfile_max_chunk 1m;
            tcp_nopush  on;
            tcp_nodelay off;
            server_tokens off;
            server_name_in_redirect off;
          
            keepalive_timeout  10;
            keepalive_requests 100;
            lingering_time 20s;
            lingering_timeout 5s;
            keepalive_disable msie6;
    
        gzip on;
        gzip_vary   on;
        gzip_disable "MSIE [1-6]\.";
            gzip_static on;
            gzip_min_length   1400;
            gzip_buffers      32 8k;
            gzip_http_version 1.0;
            gzip_comp_level 5;
            gzip_proxied    any;
            gzip_types text/plain text/css text/xml application/javascript application/x-javascript application/xml application/xml+rss application/ecmascript application/json image/svg+xml;
    
    client_body_buffer_size 256k;
    client_body_in_file_only off;
    client_body_timeout 60s;
    client_header_buffer_size 64k;
    ## how long a connection has to complete sending
    ## it's headers for request to be processed
    client_header_timeout  20s;
    client_max_body_size 10m;
    connection_pool_size  512;
    directio  4m;
    ignore_invalid_headers on;     
    large_client_header_buffers 8 64k;
    output_buffers   8 256k;
    postpone_output  1460;
    proxy_temp_path  /tmp/nginx_proxy/;
    request_pool_size  32k;
    reset_timedout_connection on;
    send_timeout     60s;
    types_hash_max_size 2048;
    server_names_hash_bucket_size 64;
    
    # for nginx proxy backends to prevent redirects to backend port
    # port_in_redirect off;
    
    open_file_cache max=10000 inactive=30s;
    open_file_cache_valid 120s;
    open_file_cache_min_uses 2;
    open_file_cache_errors off;
    open_log_file_cache max=4096 inactive=30s min_uses=2;
    
    # NOTE(review): this block sits directly inside http {}. nginx accepts
    # `location` only inside a server {} (or another location), so the config
    # test rejects it here; it belongs in the site's own server {} file.
    location ~ .(gif|png|jpe?g)$ {
         # The unescaped "." matches any character, not only a literal dot.
         # `none` and `blocked` accept requests whose Referer is missing or
         # stripped, so this limits casual embedding; it is not access control.
         valid_referers none blocked mywebsite.com *.mywebsite.com;
         if ($invalid_referer) {
            return   403;
        }
    }
    
    ## limit number of concurrency connections per ip to 16
    ## add to your server {} section the next line
    ## limit_conn limit_per_ip 16;
    ## uncomment below line allows 500K sessions
    # limit_conn_log_level error;
    #######################################
    # use limit_zone for Nginx <v1.1.7 and lower
    # limit_zone $binary_remote_addr zone=limit_per_ip:16m;
    #######################################
    # use limit_conn_zone for Nginx >v1.1.8 and higher
    # limit_conn_zone $binary_remote_addr zone=limit_per_ip:16m;
    #######################################
    
    include /usr/local/nginx/conf/conf.d/*.conf;
    }
    
     
  6. rdan

    rdan Premium Member Premium Member

    Why did you add it to nginx.conf?
    I think it should be in your domain config.
     
  7. eva2000

    eva2000 Administrator Staff Member

    not in nginx.conf but yourdomain.conf

    @RoldanLT Google will index fine. Hotlink protection just prevents domains other than yours from serving your images to their visitors.
     
  8. Afterward

    Afterward Member

    Can i add it right below this
    Code:
    include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      include /usr/local/nginx/conf/errorpage.conf;
    }
    
    Which will result in this:
    Code:
     include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      include /usr/local/nginx/conf/errorpage.conf;
    }
    
    # NOTE(review): the "}" just above appears to close server {}. If so, this
    # location is outside any server block and nginx will refuse the config.
    # It has to go above that brace, and ahead of the staticfiles.conf include
    # if that file also has regex locations for image extensions (first regex
    # match in file order wins) -- TODO confirm against staticfiles.conf.
    location ~ .(gif|png|jpe?g)$ {
         # The unescaped "." matches any character, not only a literal dot.
         valid_referers none blocked mywebsite.com *.mywebsite.com;
         if ($invalid_referer) {
            return   403;
        }
    }
    Is this method correct? :)
     
  9. rdan

    rdan Premium Member Premium Member

    So I want to block these two entire directories:
    /data/
    /styles/

    How can I combine them into one declaration without creating another set of location?
    :)
    Combining this:
    Code:
    # The two blocks below differ only in the path prefix. One regex location
    # covers both:  location ~ ^/(data|styles)/ { ...same body... }
    # A regex location is selected differently from a prefix one (the first
    # matching regex in file order is used in preference to a plain prefix
    # match), so check the merged form against other regex locations in the
    # same server block.
    location /data/ {
    # Referer missing, stripped, or on *.phcorner.net is accepted.
    valid_referers none blocked *.phcorner.net;
    if ($invalid_referer) {
    return 403;
    }
    }
    
    location /styles/ {
    valid_referers none blocked *.phcorner.net;
    if ($invalid_referer) {
    return 403;
    }
    }
    
     
  10. Afterward

    Afterward Member

    Did it work for you? I tried it and got no results.
    I even tried:
    Code:
    # NOTE(review): the replacement URL ends in .png. If that file is served
    # by this same server block, the redirected request matches this location
    # again, typically still carries the foreign Referer, and is redirected
    # again (a loop). The placeholder needs its own exact-match location that
    # skips the referer check, or has to live on a different host.
    location ~ \.(gif|png|jpg|jpeg|JPG|GIF|JPEG|PNG)$ {
        # Requests with no Referer, a stripped Referer, or one from
        # domain.com / *.domain.com are treated as valid.
        valid_referers none blocked domain.com *.domain.com;
            if ($invalid_referer) {
                # "http://bla bla/..." stands in for the poster's real URL.
                rewrite \.(gif|png|jpg|jpeg|JPG|GIF|JPEG|PNG)$ http://bla bla/stop_stealing_hotlinking.png redirect;
            }
    }
    Same thing :/
     
  11. eva2000

    eva2000 Administrator Staff Member

    you might need to comment out this include file first as it also has location context matches for static file extensions

    Code:
    #include /usr/local/nginx/conf/staticfiles.conf;
     
  12. Afterward

    Afterward Member

    Thanks, I will give it a try later and report back. I haven't slept for 54 hours.
     
  13. Sunka

    Sunka Well-Known Member

    Regarding this hotlinking prevention.
    This code is valid?

    Code:
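    # Hotlink protection for images. This goes inside the server {} block of
    # the site's own config file. nginx uses the first regex location that
    # matches, in file order, so it must come before
    # `include /usr/local/nginx/conf/staticfiles.conf;` (which also has
    # locations for static file extensions), or that include must be
    # commented out.
    #
    # `~*` makes the match case-insensitive (.JPG, .PNG) and `\.` matches a
    # literal dot; the bare "." used before matched any character.
    location ~* \.(gif|png|jpe?g)$ {
        # none    = the request carries no Referer header at all
        # blocked = a Referer is present but was stripped by a proxy/firewall
        # Both are accepted so direct visits and privacy tools keep working,
        # which also means any client that omits the header is let through.
        # Treat this as bandwidth hygiene, not as access control.
        valid_referers none blocked mywebsite.com *.mywebsite.com;
        if ($invalid_referer) {
            # To answer with a placeholder image instead of 403, redirect to a
            # file that has its own exact-match location, so the placeholder
            # is not itself subject to this referer check.
            return 403;
        }
    }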
    Where exactly should I put it into mydomain.conf?
    I want all images from my domain to be protected, not just those in one folder.

    Code:
    # Centmin Mod Getting Started Guide
    # must read http://centminmod.com/getstarted.html
    # For SPDY SSL Setup
    # read http://centminmod.com/nginx_configure_https_ssl_spdy.html
    
    # redirect from www to non-www  forced SSL
    # uncomment, save file and restart Nginx to enable
    # if unsure use return 302 before using return 301
     server {
       server_name pijanitvor.com www.pijanitvor.com;
        return 301 https://www.$server_name$request_uri;
     }
    
    server {
      listen 443 ssl http2;
      server_name pijanitvor.com www.pijanitvor.com;
    
      ##  redirect https non-www to https www
          if ($host = 'pijanitvor.com' ) {
             return 301 https://www.pijanitvor.com$request_uri;
          }
     
      ssl_dhparam /usr/local/nginx/conf/ssl/pijanitvor.com/dhparam.pem;
      ssl_certificate      /usr/local/nginx/conf/ssl/pijanitvor.com/ssl-unified.crt;
      ssl_certificate_key  /usr/local/nginx/conf/ssl/pijanitvor.com/pijanitvor.com.key;
      include /usr/local/nginx/conf/ssl_include.conf;
    
      # mozilla recommended
      # NOTE(review): the tail of this list still offers suites without
      # forward secrecy (AES128-SHA, AES256-SHA, bare AES) and CBC-mode
      # suites. CAMELLIA and DES-CBC3-SHA are added and then removed again by
      # the trailing !CAMELLIA / !DES-CBC3-SHA. Compare the list with the
      # current Mozilla server-side TLS guidance before reusing it.
      ssl_ciphers EECDH+CHACHA20-draft:EECDH+CHACHA20:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!CAMELLIA:!DES-CBC3-SHA;
      # The server's cipher order, not the client's, decides the suite.
      ssl_prefer_server_ciphers   on;
      # The response headers below (HSTS, nosniff, X-Frame-Options) are all
      # commented out, so none of them is sent by this server block.
      #######################add_header Alternate-Protocol  443:npn-spdy/3;
      #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
      #add_header  X-Content-Type-Options "nosniff";
      #add_header X-Frame-Options DENY;
      #######################spdy_headers_comp 5;
      ssl_buffer_size 1400;
      # NOTE(review): no ssl_session_ticket_key is visible in this block, so
      # ticket keys are presumably the ones nginx generates at start-up and
      # live as long as the process -- confirm in ssl_include.conf.
      ssl_session_tickets on;
     
      #enable ocsp stapling
      resolver 8.8.8.8 8.8.4.4 valid=10m;
      resolver_timeout 10s;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /usr/local/nginx/conf/ssl/pijanitvor.com/ssl-trusted.crt; 
    
    # ngx_pagespeed & ngx_pagespeed handler
    #include /usr/local/nginx/conf/pagespeed.conf;
    #include /usr/local/nginx/conf/pagespeedhandler.conf;
    #include /usr/local/nginx/conf/pagespeedstatslog.conf;
    
      # limit_conn limit_per_ip 16;
      # ssi  on;
    
      access_log /home/nginx/domains/pijanitvor.com/log/access.log combined buffer=256k flush=60m;
      error_log /home/nginx/domains/pijanitvor.com/log/error.log;
    
      root /home/nginx/domains/pijanitvor.com/public;
    
      location / {
            index index.php index.html index.htm;
            try_files $uri $uri/ /index.php?$uri&$args;
           include /usr/local/nginx/conf/blockbots.conf;
        }
    
        # `internal` makes nginx answer direct client requests for this path
        # with 404; only internal redirects (rewrite, try_files, error_page,
        # X-Accel-Redirect and similar) can reach it.
        location /internal_data/ {
            internal;
            # The allow/deny list is evaluated only for those internally
            # redirected requests, against the original client address.
            allow 127.0.0.1;
            allow 94.237.29.18;
            deny all;
        }
        
        # Same pattern as /internal_data/: `internal` returns 404 to direct
        # client requests, so the allow/deny list only applies to requests
        # that arrive here by internal redirect.
        location /library/ {
            internal;
            allow 127.0.0.1;
            allow 94.237.29.18;
            deny all;
        }
     
      # prevent access to ./directories and files
            location ~ (?:^|/)\. {
       deny all;
            } 
    
    
      include /usr/local/nginx/conf/staticfiles.conf;
      include /usr/local/nginx/conf/php.conf;
      include /usr/local/nginx/conf/drop.conf;
      #include /usr/local/nginx/conf/errorpage.conf;
      include /usr/local/nginx/conf/vts_server.conf;
    }
    

    Also, is there any way to return an image instead of a 403?

    All of these questions were asked earlier in this thread, but there is no clear answer or solution.
     
  14. Sunka

    Sunka Well-Known Member

    Anyone?
     
  15. eva2000

    eva2000 Administrator Staff Member

  16. Sunka

    Sunka Well-Known Member

    attachments (images in post with "upload a file") can not be hotlinked?
     
  17. eva2000

    eva2000 Administrator Staff Member

    not for normal Xenforo I don't think.. try it and see
     