Referer-based hotlink protection

Basic principle: decisions are made on the HTTP Referer header. When a browser renders a page that embeds an image hosted on another site, the request it sends for that image carries the URL of the embedding page in the Referer header. If the site hosting the image has hotlink-protection rules, it can compare that header against a list of allowed sites and reject everything else. This gives a limited form of access control only: the Referer is set by the client, so any script or curl invocation can send whatever value it likes. It deters casual embedding by other websites; it is not authentication.
The ngx_http_referer_module module

Syntax: valid_referers none | blocked | server_names | string ...;
Context: server, location

none: the request carries no Referer header at all.
blocked: a Referer header is present, but its value has been removed or rewritten by a firewall or proxy; nginx treats any value that does not start with http:// or https:// (an empty value included) as "blocked".
server_names: the host in the Referer matches one of the server_name values of the current server block.
string: an arbitrary host name, optionally with a leading or trailing "*" (for example *.baidu.com) and an optional URI prefix (for example www.baidu.com/img/); a string starting with "~" is treated as a regular expression matched against the Referer text after the scheme.

If the Referer matches none of the listed values, nginx sets the $invalid_referer variable to "1"; otherwise it is an empty string.
Configuration example

    location ~* \.(?:jpg|jpeg|png)$ {
        expires 1M;
        add_header Cache-Control "public";
        valid_referers none blocked *.baidu.com;
        if ($invalid_referer) {
            return 403;
        }
    }

The location block first selects the resource types by file extension; valid_referers then defines the allow-list of referring domains. For any Referer not covered by the valid_referers list, $invalid_referer is set to "1", so the if block returns 403. Note that this particular list includes none and blocked, so a request with no Referer at all (curl by default, a download script, a browser with a strict referrer policy) is accepted: this configuration stops other websites from embedding the images, but not direct fetching.
Supplementary notes: using curl with custom request headers to test a cloud CDN's hotlink-protection features

1. Send a wrong Referer.

    [root@iZ2zej4i2jdf3mpednw9vrZ ~]# curl -I https://su1105.kivensu.club/001.jpg -H 'Referer:http://sby1105.kivensu.club/'
    HTTP/1.1 403 Forbidden
    Server: Tengine
    Date: Thu, 07 Nov 2019 06:17:10 GMT
    Content-Type: text/html
    Content-Length: 254
    Connection: keep-alive
    Strict-Transport-Security: max-age=5184000
    X-Tengine-Error: denied by Referer ACL
    Via: kunlun8.cn1474[,403003]
    Timing-Allow-Origin: *
    EagleId: dede581c15731074305801803e

2. Send no Referer (curl sends none unless told to).

    [root@iZ2zej4i2jdf3mpednw9vrZ ~]# curl -I https://su1105.kivensu.club/001.jpg
    HTTP/1.1 403 Forbidden
    Server: Tengine
    Date: Thu, 07 Nov 2019 06:17:30 GMT
    Content-Type: text/html
    Content-Length: 254
    Connection: keep-alive
    Strict-Transport-Security: max-age=5184000
    X-Tengine-Error: denied by Referer ACL
    Via: kunlun8.cn1474[,403003]
    Timing-Allow-Origin: *
    EagleId: dede581c15731074506567942e

   Unlike the nginx sample above, which lists none, this CDN policy rejects a missing Referer; whether an absent Referer is allowed is a policy choice, and allowing it is the more permissive option.

3. Send a correct Referer.

    [root@iZ2zej4i2jdf3mpednw9vrZ ~]# curl -I https://su1105.kivensu.club/001.jpg -H 'Referer:https://www.baidu.com'
    HTTP/1.1 200 OK
    Server: Tengine
    Content-Type: image/jpeg
    Content-Length: 79033
    Connection: keep-alive
    Strict-Transport-Security: max-age=5184000
    Date: Thu, 07 Nov 2019 06:10:49 GMT
    Last-Modified: Mon, 04 Nov 2019 06:15:49 GMT
    ETag: "5dbfc215-134b9"
    Expires: Sat, 07 Dec 2019 06:10:49 GMT
    Cache-Control: max-age=2592000
    Cache-Control: public
    Accept-Ranges: bytes
    Ali-Swift-Global-Savetime: 1573107049
    Via: cache17.l2cm9-5[23,200-0,M], cache4.l2cm9-5[25,0], kunlun10.cn1474[0,200-0,H], kunlun8.cn1474[2,0]
    Age: 434
    X-Cache: HIT TCP_HIT dirn:10:539000673
    X-Swift-SaveTime: Thu, 07 Nov 2019 06:10:49 GMT
    X-Swift-CacheTime: 2592000
    Timing-Allow-Origin: *
    EagleId: dede581c15731074830701514e

   This is also the whole weakness of the scheme: the same header that a legitimate page would cause a browser to send can be typed into curl by anyone.

4. Send a correct Referer and a blacklisted User-Agent.

    [root@iZ2zej4i2jdf3mpednw9vrZ ~]# curl -I https://su1105.kivensu.club/001.jpg -H 'Referer:https://www.baidu.com UserAgent:edge'
    HTTP/1.1 403 Forbidden
    Server: Tengine
    Date: Thu, 07 Nov 2019 06:28:13 GMT
    Content-Type: text/html
    Content-Length: 254
    Connection: keep-alive
    Strict-Transport-Security: max-age=5184000
    X-Tengine-Error: denied by Referer ACL
    Via: kunlun6.cn1474[,403003]
    Timing-Allow-Origin: *
    EagleId: dede581a15731080932208007e

   This command does not test what it intends to. A single -H argument sets one header, so the CDN received a Referer whose value was "https://www.baidu.com UserAgent:edge", and no User-Agent header was changed at all. The response confirms it: X-Tengine-Error: denied by Referer ACL means the Referer check rejected the malformed value, not a user-agent blacklist. To test the blacklist, pass two separate headers, and use the real header name: -H 'Referer: https://www.baidu.com' -H 'User-Agent: edge'.

5. Use URL authentication (auth_key) together with the correct Referer.

    [root@iZ2zej4i2jdf3mpednw9vrZ ~]# curl -I https://su1105.kivensu.club/001.jpg?auth_key=1573117732-0-0-0e32e263bb8c64bb43f224d82f794ae2 -H 'Referer:https://www.baidu.com'
    HTTP/1.1 200 OK
    Server: Tengine
    Content-Type: image/jpeg
    Content-Length: 79033
    Connection: keep-alive
    Strict-Transport-Security: max-age=5184000
    Date: Thu, 07 Nov 2019 06:10:49 GMT
    Last-Modified: Mon, 04 Nov 2019 06:15:49 GMT
    ETag: "5dbfc215-134b9"
    Expires: Sat, 07 Dec 2019 06:10:49 GMT
    Cache-Control: max-age=2592000
    Cache-Control: public
    Accept-Ranges: bytes
    Ali-Swift-Global-Savetime: 1573107049
    Via: cache17.l2cm9-5[23,200-0,M], cache4.l2cm9-5[25,0], kunlun10.cn1474[0,200-0,H], kunlun2.cn1474[194,0]
    Age: 7146
    X-Cache: HIT TCP_HIT dirn:10:539000673
    X-Swift-SaveTime: Thu, 07 Nov 2019 06:10:49 GMT
    X-Swift-CacheTime: 2592000
    Timing-Allow-Origin: *
    EagleId: dede581615731141953898826e

   A signed URL of this kind (the auth_key carries an expiry timestamp and a hash) is the stronger of the two controls, because it does not depend on a header the client is free to forge; the Referer check is at most a second layer in front of it.
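To make the matching rules and the curl results above concrete, here is an added Python example (not nginx's code and not from the original post) that models the valid_referers decision and runs it over constructed Referer values, including the ones sent in the curl tests. It follows the documented nginx semantics: a missing header is "none", a value not starting with http:// or https:// is "blocked", the host is the text after the scheme up to the first "/" or ":" and is compared case-insensitively, "*.host" matches subdomains only, a string may carry a URI prefix, and "~" introduces a regular expression. PAGE_POLICY is the nginx snippet from this page; STRICT_POLICY is a stand-in for the CDN behaviour observed above, and its server_names value is an assumption.

```python
import re
from typing import Iterable, List, Optional, Tuple


class RefererPolicy:
    """Simplified model of nginx's valid_referers matching (added example, not nginx code)."""

    def __init__(self, rules: Iterable[str], server_names: Iterable[str] = ()):
        self.allow_none = False
        self.allow_blocked = False
        self.hosts: List[Tuple[str, str]] = []   # (host pattern, required URI prefix)
        self.regexes: List[re.Pattern] = []
        for rule in rules:
            if rule == "none":
                self.allow_none = True
            elif rule == "blocked":
                self.allow_blocked = True
            elif rule == "server_names":
                self.hosts.extend((name.lower(), "") for name in server_names)
            elif rule.startswith("~"):
                self.regexes.append(re.compile(rule[1:]))
            else:
                host, sep, path = rule.partition("/")   # "www.baidu.com/img/" -> host + prefix
                self.hosts.append((host.lower(), sep + path))

    @staticmethod
    def _host_matches(pattern: str, host: str) -> bool:
        if pattern.startswith("*."):
            return host.endswith(pattern[1:])      # *.baidu.com -> suffix ".baidu.com", not baidu.com itself
        if pattern.endswith(".*"):
            return host.startswith(pattern[:-1])   # baidu.* -> prefix "baidu."
        return host == pattern

    def invalid_referer(self, referer: Optional[str]) -> bool:
        """True when nginx would set $invalid_referer to "1"."""
        if referer is None:                        # header absent
            return not self.allow_none
        lower = referer.lower()
        if lower.startswith("http://"):
            rest = referer[len("http://"):]
        elif lower.startswith("https://"):
            rest = referer[len("https://"):]
        else:                                      # anything else, even "", is "blocked"
            return not self.allow_blocked
        # host = text up to the first '/' or ':' (port); compared case-insensitively
        host = re.match(r"[^/:]*", rest).group(0).lower()
        slash = rest.find("/")
        uri = rest[slash:] if slash >= 0 else ""
        for pattern, prefix in self.hosts:
            if self._host_matches(pattern, host) and uri.startswith(prefix):
                return False
        # regexes are applied to the text after the scheme, unanchored
        return not any(rx.search(rest) for rx in self.regexes)


def decide(policy: RefererPolicy, referer: Optional[str]) -> int:
    """Status the 'if ($invalid_referer) { return 403; }' block would produce."""
    return 403 if policy.invalid_referer(referer) else 200


# The nginx snippet on this page: valid_referers none blocked *.baidu.com;
PAGE_POLICY = RefererPolicy(["none", "blocked", "*.baidu.com"])

# Stand-in for the CDN in the curl tests, which rejected a missing Referer.
# Assumption: the protected host is its own server_name.
STRICT_POLICY = RefererPolicy(["server_names", "*.baidu.com"],
                              server_names=["su1105.kivensu.club"])

# Constructed Referer values; the first four mirror the curl tests above.
CASES = [
    "http://sby1105.kivensu.club/",                    # wrong site
    None,                                              # no Referer header (curl default)
    "https://www.baidu.com",                           # allowed site, trivially forgeable
    "https://www.baidu.com UserAgent:edge",            # what step 4's single -H really sent
    "https://www.baidu.com.evil.example/p.html",       # suffix trick: host is not *.baidu.com
    "https://evil.example/?u=https://www.baidu.com",   # allowed host appears only in the query
    "",                                                # empty value: "blocked", not "none"
]

if __name__ == "__main__":
    for ref in CASES:
        print(f"{ref!r:50} nginx-sample={decide(PAGE_POLICY, ref)} strict={decide(STRICT_POLICY, ref)}")
```

The run shows the two points the page makes: the same "https://www.baidu.com" value that a browser would send from an allowed page gets a 200 no matter who sends it, and the only cases where the two policies differ are the missing and the malformed Referer, which PAGE_POLICY lets through via none and blocked.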
