Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NGINX hotlinc protection configuring #81

Open
KornDevbr opened this issue May 19, 2023 · 0 comments
Open

NGINX hotlinc protection configuring #81

KornDevbr opened this issue May 19, 2023 · 0 comments

Comments

@KornDevbr
Copy link

KornDevbr commented May 19, 2023
edited
Loading

Hi. I'm trying to configure the hotlinking protection for the Drupal website on my local environment, but for some reason, it doesn't work. NGXIN just outputs the 200 responses to every image request.

Here is my hotlinking protection config:

#Prevent hotlinking
location ~* ^.+\.(gif|png|jpe?g|webp)$ {
    valid_referers none blocked server_names website.localhost;
    if ($invalid_referer) {
        return 403;
    }
}

Here is my full NGINX config:

/var/www/html$ sudo nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# configuration file /etc/nginx/nginx.conf:
user                            nginx;
daemon                          off;
worker_processes                auto;
error_log                       /proc/self/fd/2 debug;

events {
    worker_connections          1024;
    multi_accept                on;
}

http {

    include                     /etc/nginx/mime.types;
    default_type                application/octet-stream;
    access_log                  /proc/self/fd/1 combined;

    send_timeout                60s;
    sendfile                    on;
    client_body_timeout         60s;
    client_header_timeout       60s;
    client_max_body_size        64m;
    client_body_buffer_size     16k;
    client_header_buffer_size   4k;
    large_client_header_buffers 8 16K;
    keepalive_timeout           75s;
    keepalive_requests          100;
    reset_timedout_connection   off;
    tcp_nodelay                 on;
    tcp_nopush                  on;
    server_tokens               off;
    underscores_in_headers      off;

    upload_progress             uploads 1m;

    brotli                      on;
    brotli_static               on;
    brotli_comp_level           1;
    brotli_types                application/atom+xml
                                application/geo+json
                                application/javascript
                                application/json
                                application/ld+json
                                application/manifest+json
                                application/rdf+xml
                                application/rss+xml
                                application/vnd.ms-fontobject
                                application/wasm
                                application/x-font-opentype
                                application/x-font-truetype
                                application/x-font-ttf
                                font/eot
                                font/opentype
                                font/otf
                                image/bmp
                                image/svg+xml
                                image/vnd.microsoft.icon
                                image/x-icon
                                image/x-win-bitmap
                                text/cache-manifest
                                text/css
                                text/javascript
                                text/markdown
                                text/plain
                                text/x-component
                                text/x-cross-domain-policy
                                text/xml
                                application/x-javascript
                                application/x-web-app-manifest+json
                                application/xhtml+xml
                                application/xml
                                application/xml+rss;

    gzip                        on;
    gzip_buffers                16 8k;
    gzip_comp_level             1;
    gzip_http_version           1.1;
    gzip_min_length             20;
    gzip_vary                   on;
    gzip_proxied                any;
    gzip_disable                msie6;
    gzip_types                  application/atom+xml
                                application/geo+json
                                application/javascript
                                application/json
                                application/ld+json
                                application/manifest+json
                                application/rdf+xml
                                application/rss+xml
                                application/vnd.ms-fontobject
                                application/wasm
                                application/x-web-app-manifest+json
                                application/xhtml+xml
                                application/xml
                                font/otf
                                image/bmp
                                image/svg+xml
                                text/cache-manifest
                                text/calendar
                                text/css
                                text/javascript
                                text/markdown
                                text/plain
                                text/vcard
                                text/vnd.rim.location.xloc
                                text/vtt
                                text/x-component
                                text/x-cross-domain-policy;

    real_ip_header X-Real-IP;
    real_ip_recursive off;

    map $uri $no_slash_uri {
        ~^/(?<no_slash>.*)$ $no_slash;
    }

    include conf.d/*.conf;
}

# configuration file /etc/nginx/mime.types:

types {
    text/html                                        html htm shtml;
    text/css                                         css;
    text/xml                                         xml;
    image/gif                                        gif;
    image/jpeg                                       jpeg jpg;
    application/javascript                           js;
    application/atom+xml                             atom;
    application/rss+xml                              rss;

    text/mathml                                      mml;
    text/plain                                       txt;
    text/vnd.sun.j2me.app-descriptor                 jad;
    text/vnd.wap.wml                                 wml;
    text/x-component                                 htc;

    image/avif                                       avif;
    image/png                                        png;
    image/svg+xml                                    svg svgz;
    image/tiff                                       tif tiff;
    image/vnd.wap.wbmp                               wbmp;
    image/webp                                       webp;
    image/x-icon                                     ico;
    image/x-jng                                      jng;
    image/x-ms-bmp                                   bmp;

    font/woff                                        woff;
    font/woff2                                       woff2;

    application/java-archive                         jar war ear;
    application/json                                 json;
    application/mac-binhex40                         hqx;
    application/msword                               doc;
    application/pdf                                  pdf;
    application/postscript                           ps eps ai;
    application/rtf                                  rtf;
    application/vnd.apple.mpegurl                    m3u8;
    application/vnd.google-earth.kml+xml             kml;
    application/vnd.google-earth.kmz                 kmz;
    application/vnd.ms-excel                         xls;
    application/vnd.ms-fontobject                    eot;
    application/vnd.ms-powerpoint                    ppt;
    application/vnd.oasis.opendocument.graphics      odg;
    application/vnd.oasis.opendocument.presentation  odp;
    application/vnd.oasis.opendocument.spreadsheet   ods;
    application/vnd.oasis.opendocument.text          odt;
    application/vnd.openxmlformats-officedocument.presentationml.presentation
                                                     pptx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
                                                     xlsx;
    application/vnd.openxmlformats-officedocument.wordprocessingml.document
                                                     docx;
    application/vnd.wap.wmlc                         wmlc;
    application/wasm                                 wasm;
    application/x-7z-compressed                      7z;
    application/x-cocoa                              cco;
    application/x-java-archive-diff                  jardiff;
    application/x-java-jnlp-file                     jnlp;
    application/x-makeself                           run;
    application/x-perl                               pl pm;
    application/x-pilot                              prc pdb;
    application/x-rar-compressed                     rar;
    application/x-redhat-package-manager             rpm;
    application/x-sea                                sea;
    application/x-shockwave-flash                    swf;
    application/x-stuffit                            sit;
    application/x-tcl                                tcl tk;
    application/x-x509-ca-cert                       der pem crt;
    application/x-xpinstall                          xpi;
    application/xhtml+xml                            xhtml;
    application/xspf+xml                             xspf;
    application/zip                                  zip;

    application/octet-stream                         bin exe dll;
    application/octet-stream                         deb;
    application/octet-stream                         dmg;
    application/octet-stream                         iso img;
    application/octet-stream                         msi msp msm;

    audio/midi                                       mid midi kar;
    audio/mpeg                                       mp3;
    audio/ogg                                        ogg;
    audio/x-m4a                                      m4a;
    audio/x-realaudio                                ra;

    video/3gpp                                       3gpp 3gp;
    video/mp2t                                       ts;
    video/mp4                                        mp4;
    video/mpeg                                       mpeg mpg;
    video/quicktime                                  mov;
    video/webm                                       webm;
    video/x-flv                                      flv;
    video/x-m4v                                      m4v;
    video/x-mng                                      mng;
    video/x-ms-asf                                   asx asf;
    video/x-ms-wmv                                   wmv;
    video/x-msvideo                                  avi;
}

# configuration file /etc/nginx/conf.d/vhost.conf:
include upstream.conf;

server {
    listen       80 default_server;
    server_name  default;

    root /var/www/html/web;
    include preset.conf;
    include defaults.conf;
    include /var/www/html/environments/website.com/nginx/watermark.conf;
}

# configuration file /etc/nginx/upstream.conf:
upstream php {
    server php:9000 fail_timeout=0;
}

map $http_x_forwarded_proto $fastcgi_https {
    default $https;
    http '';
    https on;
}

# configuration file /etc/nginx/preset.conf:




index index.php index.html;

include fastcgi.conf;

location = /robots.txt {
    try_files $uri @drupal-no-args;
    access_log off;
    log_not_found off;
}

location = /humans.txt {
    try_files $uri @drupal-no-args;
    access_log off;
    log_not_found off;
}

location = /ads.txt {
    try_files $uri @drupal-no-args;
    access_log off;
    log_not_found off;
}

location / {
    location ~* /system/files/ {
        include fastcgi.conf;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_param SCRIPT_NAME /index.php;
        fastcgi_param SCRIPT_FILENAME $document_root/index.php;
        fastcgi_pass php;
        log_not_found off;
    }

    location ~* /sites/.+/files/private/ {
        internal;
    }

    location ~* /files/styles/ {
        access_log off;
        expires 1y;
        try_files $uri @drupal;
    }

    location ~* /sites/.+/files/.+\.(?:txt) {
        access_log off;
        expires 1y;
        tcp_nodelay off;
        open_file_cache off;
        open_file_cache_valid 30s;
        open_file_cache_min_uses 2;
        open_file_cache_errors off;
    }

    location ~* /sites/.+/files/advagg_css/ {
        expires max;
        add_header ETag '';
        add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
        add_header Accept-Ranges '';
        location ~* /sites/.*/files/advagg_css/.+\.css$ {
            access_log off;
            add_header Cache-Control "public, max-age=31536000, no-transform, immutable";
            try_files $uri @drupal;
        }
    }

    location ~* /sites/.+/files/advagg_js/ {
        expires max;
        add_header ETag '';
        add_header Last-Modified 'Wed, 20 Jan 1988 04:20:42 GMT';
        add_header Accept-Ranges '';
        location ~* /sites/.*/files/advagg_js/.+\.js$ {
            access_log off;
            add_header Cache-Control "public, max-age=31536000, no-transform, immutable";
            try_files $uri @drupal;
        }
    }

    location ~* /admin/reports/hacked/.+/diff/ {
        try_files $uri @drupal;
    }
    location ~* /rss.xml {
        try_files $uri @drupal-no-args;
    }

    location ~* /sitemap.xml {
        try_files $uri @drupal;
    }

    location ~* \.(engine|txt|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|yaml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|(package|package-lock)\.json|yarn\.lock)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$ {
        return 404;
    }

    location ~* ^.+\.(?:css|cur|js|jpe?g|gif|htc|ico|png|xml|otf|ttf|eot|woff|woff2|svg|mp4|svgz|ogg|ogv|pdf|pptx?|zip|tgz|gz|rar|bz2|doc|xls|exe|tar|mid|midi|wav|bmp|rtf|txt|map|webp)$ {
        #access_log off;
        tcp_nodelay off;
        expires 1y;

        add_header Pragma "cache";
        add_header Cache-Control "public";

        open_file_cache off;
        open_file_cache_valid 30s;
        open_file_cache_min_uses 2;
        open_file_cache_errors off;
    }

    try_files $uri @drupal;
}

location @drupal {
    include fastcgi.conf;
    fastcgi_param QUERY_STRING $query_string;
    fastcgi_param SCRIPT_NAME /index.php;
    fastcgi_param SCRIPT_FILENAME $document_root/index.php;
    fastcgi_pass php;
    track_uploads uploads 60s;
}

location @drupal-no-args {
    include fastcgi.conf;
    fastcgi_param QUERY_STRING q=$uri;
    fastcgi_param SCRIPT_NAME /index.php;
    fastcgi_param SCRIPT_FILENAME $document_root/index.php;
    fastcgi_pass php;
}

location = /index.php {
    fastcgi_pass php;
}

location = /core/install.php {
    fastcgi_pass php;
}

location = /core/rebuild.php {
    fastcgi_pass php;
}

location ~* ^/core/authorize.php {
    include fastcgi.conf;
    fastcgi_param QUERY_STRING $args;
    fastcgi_param SCRIPT_NAME /core/authorize.php;
    fastcgi_param SCRIPT_FILENAME $document_root/core/authorize.php;
    fastcgi_pass php;
}

location = /core/modules/statistics/statistics.php {
    fastcgi_pass php;
}

location = /cron {
    include fastcgi.conf;
    fastcgi_param QUERY_STRING $args;
    fastcgi_param SCRIPT_NAME /index.php;
    fastcgi_param SCRIPT_FILENAME $document_root/index.php;
    fastcgi_pass php;
}

location ~* ^/update.php {
    include fastcgi.conf;
    fastcgi_param QUERY_STRING $args;
    fastcgi_param SCRIPT_NAME /update.php;
    fastcgi_param SCRIPT_FILENAME $document_root/update.php;
    fastcgi_pass php;
}

location ^~ /patches {
    return 404;
}

location ^~ /backup {
    return 404;
}

location ~* ^.+\.php$ {
    return 404;
}

location ~ /web.config {
    return 404;
}

location ~ (?<upload_form_uri>.*)/x-progress-id:(?<upload_id>\d*) {
    rewrite ^ $upload_form_uri?X-Progress-ID=$upload_id;
}

location ~ ^/progress$ {
    upload_progress_json_output;
    report_uploads uploads;
}
# configuration file /etc/nginx/fastcgi.conf:
fastcgi_param REQUEST_METHOD $request_method;
fastcgi_param CONTENT_TYPE $content_type if_not_empty;
fastcgi_param CONTENT_LENGTH $content_length;

fastcgi_param REQUEST_URI $request_uri;
fastcgi_param DOCUMENT_URI $document_uri;
fastcgi_param DOCUMENT_ROOT $document_root;
fastcgi_param SERVER_PROTOCOL $server_protocol;

fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
fastcgi_param REMOTE_ADDR $remote_addr;
fastcgi_param REMOTE_PORT $remote_port;
fastcgi_param SERVER_ADDR $server_addr;
fastcgi_param SERVER_PORT $server_port;
fastcgi_param SERVER_NAME $server_name;

fastcgi_param REDIRECT_STATUS 200;

fastcgi_param HTTPS $fastcgi_https if_not_empty;

fastcgi_param HTTP_MOD_REWRITE On;

fastcgi_param QUERY_STRING $query_string;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

## Fix HTTPoxy vulnerability https://httpoxy.org/#mitigate-nginx.
fastcgi_param HTTP_PROXY '';

fastcgi_buffers 16 32k;
fastcgi_buffer_size 32k;
fastcgi_intercept_errors on;
fastcgi_read_timeout 900;
fastcgi_keep_conn on;
fastcgi_index index.php;
# configuration file /etc/nginx/defaults.conf:

add_header  X-XSS-Protection '1; mode=block';
add_header  X-Frame-Options SAMEORIGIN;
add_header  X-Content-Type-Options nosniff;
add_header  Content-Security-Policy "frame-ancestors 'self'";

location = /favicon.ico {
    expires 1y;
    try_files /favicon.ico @empty;
    log_not_found off;
    access_log off;
}

location ^~ /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
}

location ^~ /humans.txt {
    allow all;
    log_not_found off;
    access_log off;
}

location ^~ /ads.txt {
    allow all;
    log_not_found off;
    access_log off;
}

location @empty {
    expires 1y;
    empty_gif;
}

location ~* \.flv$ {
    flv;
}

location ~* ^.+\.(?:m4a|mp4|mov)$ {
    mp4;
    mp4_buffer_size 1M;
    mp4_max_buffer_size 5M;
}

location ~ ^/\.healthz$ {
    access_log off;
    return 204;
}

location ^~ /.well-known/ {
    allow all;
}
location ~ /\. {
    deny all;
}

location ~ /wodby\.yml {
    deny all;
}

location ~ /Makefile {
    deny all;
}

# configuration file /var/www/html/environments/website.com/nginx/watermark.conf:
#Prevent hotlinking
location ~* ^.+\.(gif|png|jpe?g|webp)$ {
    valid_referers none blocked server_names website.localhost;
    if ($invalid_referer) {
        return 403;
    }
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@KornDevbr