About Referer-based hotlink protection

Basic principle

Hotlink protection works by inspecting and restricting on the Referer. HTTP Referer is part of the request headers: when a browser loads a page that embeds an image hosted on another site, the browser's request for that image carries the originating page's URL in its Referer header. If the site hosting the image has configured hotlink-protection rules on that header, it can enforce a degree of access control.

The ngx_http_referer_module module

Syntax: valid_referers none | blocked | server_names | string ...;
Context: server, location

none: matches requests whose headers carry no Referer field at all (the Referer is empty).
blocked: matches requests in which the Referer field is present, but its value has been stripped by a firewall or proxy server.
server_names: a list of domain names; the Referer header's value is checked against these domains.

Configuration

location ~* \.(?:jpg|jpeg|png)$ {
    expires 1M;
    add_header Cache-Control "public";
    valid_referers none blocked *.baidu.com;
    if ($invalid_referer) {
        return 403;
    }
}

The location block first matches the resource file types, then the valid_referers directive sets the whitelist of allowed domains. For any Referer whose domain is not in the valid_referers list, the $invalid_referer variable is set to 1, and the if block returns 403.
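To make the matching rules concrete, here is an added Python model of how nginx evaluates valid_referers (an illustrative re-implementation, not nginx source and not part of the original post). It handles none, blocked, server_names, wildcard names with an optional URI prefix, and ~regex rules, and reproduces the outcomes of the curl tests below for the location block above.

```python
import re

# Hypothetical re-implementation of nginx's valid_referers evaluation; not nginx code.
# rules are the tokens of a valid_referers directive, e.g. ["none", "blocked", "*.baidu.com"].

def _split_referer(url):
    """Return (host, path) for an http(s) URL, ignoring userinfo and port as nginx does."""
    rest = url.split("://", 1)[1]
    cut = min([i for i in (rest.find(c) for c in "/?#") if i != -1], default=len(rest))
    authority, path = rest[:cut], rest[cut:]
    if not path.startswith("/"):
        path = "/" + path
    host = authority.rpartition("@")[2].partition(":")[0]
    return host.lower(), path

def _host_matches(host, pattern):
    """Exact match, or a wildcard at the start ("*.baidu.com") or end ("www.example.*")."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])      # "www.baidu.com" yes, bare "baidu.com" no
    if pattern.endswith(".*"):
        return host.startswith(pattern[:-1])
    return host == pattern

def invalid_referer(referer, rules, server_names=()):
    """Return True when nginx would set $invalid_referer to "1" (the request gets 403)."""
    if referer is None:                         # header absent
        return "none" not in rules
    value = referer.strip()
    if not re.match(r"https?://", value, re.IGNORECASE):
        return "blocked" not in rules           # present but mangled by a proxy/firewall
    host, path = _split_referer(value)
    for rule in rules:
        if rule in ("none", "blocked"):
            continue
        if rule == "server_names":
            if host in (n.lower() for n in server_names):
                return False
        elif rule.startswith("~"):              # regex, matched against the text after the scheme
            if re.search(rule[1:], value.split("://", 1)[1]):
                return False
        else:
            rule_host, _, rule_path = rule.lower().partition("/")
            if _host_matches(host, rule_host) and path.startswith("/" + rule_path):
                return False
    return True

PAGE_RULES = ["none", "blocked", "*.baidu.com"]   # from the location block above

if __name__ == "__main__":
    # Constructed sample Referer values mirroring the curl tests on this page
    for ref in (None, "http://sby1105.kivensu.club/", "https://www.baidu.com",
                "https://www.baidu.com UserAgent:edge"):
        print(repr(ref), "-> 403" if invalid_referer(ref, PAGE_RULES) else "-> 200")
```

Note that the location block above admits an empty Referer through `none`, whereas the CDN tested in step 2 below rejects the empty Referer, so the two configurations are not identical.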

Additional notes

Testing a cloud CDN's hotlink-protection features with custom curl request headers

1. Set an incorrect Referer.
[root@iZ2zej4i2jdf3mpednw9vrZ ~]# curl -I https://su1105.kivensu.club/001.jpg -H 'Referer:http://sby1105.kivensu.club/'
HTTP/1.1 403 Forbidden
Server: Tengine
Date: Thu, 07 Nov 2019 06:17:10 GMT
Content-Type: text/html
Content-Length: 254
Connection: keep-alive
Strict-Transport-Security: max-age=5184000
X-Tengine-Error: denied by Referer ACL
Via: kunlun8.cn1474[,403003]
Timing-Allow-Origin: *
EagleId: dede581c15731074305801803e

2. Send no Referer (empty).
[root@iZ2zej4i2jdf3mpednw9vrZ ~]# curl -I https://su1105.kivensu.club/001.jpg 
HTTP/1.1 403 Forbidden
Server: Tengine
Date: Thu, 07 Nov 2019 06:17:30 GMT
Content-Type: text/html
Content-Length: 254
Connection: keep-alive
Strict-Transport-Security: max-age=5184000
X-Tengine-Error: denied by Referer ACL
Via: kunlun8.cn1474[,403003]
Timing-Allow-Origin: *
EagleId: dede581c15731074506567942e

3. Set a correct Referer.
[root@iZ2zej4i2jdf3mpednw9vrZ ~]# curl -I https://su1105.kivensu.club/001.jpg -H 'Referer:https://www.baidu.com'
HTTP/1.1 200 OK
Server: Tengine
Content-Type: image/jpeg
Content-Length: 79033
Connection: keep-alive
Strict-Transport-Security: max-age=5184000
Date: Thu, 07 Nov 2019 06:10:49 GMT
Last-Modified: Mon, 04 Nov 2019 06:15:49 GMT
ETag: "5dbfc215-134b9"
Expires: Sat, 07 Dec 2019 06:10:49 GMT
Cache-Control: max-age=2592000
Cache-Control: public
Accept-Ranges: bytes
Ali-Swift-Global-Savetime: 1573107049
Via: cache17.l2cm9-5[23,200-0,M], cache4.l2cm9-5[25,0], kunlun10.cn1474[0,200-0,H], kunlun8.cn1474[2,0]
Age: 434
X-Cache: HIT TCP_HIT dirn:10:539000673
X-Swift-SaveTime: Thu, 07 Nov 2019 06:10:49 GMT
X-Swift-CacheTime: 2592000
Timing-Allow-Origin: *
EagleId: dede581c15731074830701514e

4. Set a correct Referer and a blacklisted User-Agent. (Note that the command below passes both values in a single -H argument, so curl sends them as one Referer header with the value "https://www.baidu.com UserAgent:edge"; the response is accordingly denied by the Referer ACL, as the X-Tengine-Error header shows.)
[root@iZ2zej4i2jdf3mpednw9vrZ ~]# curl -I https://su1105.kivensu.club/001.jpg -H 'Referer:https://www.baidu.com UserAgent:edge'
HTTP/1.1 403 Forbidden
Server: Tengine
Date: Thu, 07 Nov 2019 06:28:13 GMT
Content-Type: text/html
Content-Length: 254
Connection: keep-alive
Strict-Transport-Security: max-age=5184000
X-Tengine-Error: denied by Referer ACL
Via: kunlun6.cn1474[,403003]
Timing-Allow-Origin: *
EagleId: dede581a15731080932208007e

5. Use URL authentication together with a correct Referer.
[root@iZ2zej4i2jdf3mpednw9vrZ ~]# curl -I https://su1105.kivensu.club/001.jpg?auth_key=1573117732-0-0-0e32e263bb8c64bb43f224d82f794ae2 -H 'Referer:https://www.baidu.com'
HTTP/1.1 200 OK
Server: Tengine
Content-Type: image/jpeg
Content-Length: 79033
Connection: keep-alive
Strict-Transport-Security: max-age=5184000
Date: Thu, 07 Nov 2019 06:10:49 GMT
Last-Modified: Mon, 04 Nov 2019 06:15:49 GMT
ETag: "5dbfc215-134b9"
Expires: Sat, 07 Dec 2019 06:10:49 GMT
Cache-Control: max-age=2592000
Cache-Control: public
Accept-Ranges: bytes
Ali-Swift-Global-Savetime: 1573107049
Via: cache17.l2cm9-5[23,200-0,M], cache4.l2cm9-5[25,0], kunlun10.cn1474[0,200-0,H], kunlun2.cn1474[194,0]
Age: 7146
X-Cache: HIT TCP_HIT dirn:10:539000673
X-Swift-SaveTime: Thu, 07 Nov 2019 06:10:49 GMT
X-Swift-CacheTime: 2592000
Timing-Allow-Origin: *
EagleId: dede581615731141953898826e
