diff --git a/README.md b/README.md index 9dfbf4b8..9bb8655f 100644 --- a/README.md +++ b/README.md @@ -177,30 +177,34 @@ This is strictly a **drupal 6** issue. 10. Support for **private file** serving in drupal. - 11. Use of UNIX sockets in `/tmp/` subdirectory with permissions - **700**, i.e., accessible only to the user running the process. - You may consider the + 11. Support for + [hot link protection](https://simple.wikipedia.org/wiki/Hot-linking) + imagecache generated images. + + 12. If using `php-cgi` with UNIX sockets in `/tmp/` subdirectory + with permissions **700**, i.e., accessible only to the user + running the process. You may consider the [init script](github.com/perusio/php-fastcgi-debian-script) that I make available here on github that launches the PHP FastCGI daemon and spawns new instances as required. This is not needed if you're using php-fpm. - 12. End of the [expensive 404s](http://drupal.org/node/76824 + 13. End of the [expensive 404s](http://drupal.org/node/76824 "Expensive 404s issue") that Drupal usually handles when using Apache with the default `.htaccess`. - 13. Possibility of using **Apache** as a backend for dealing with + 14. Possibility of using **Apache** as a backend for dealing with PHP. Meaning using Nginx as [reverse proxy](http://wiki.nginx.org/HttpProxyModule "Nginx Proxy Module"). - 14. [Advanced Help](http://drupal.org/project/advanced_help) + 15. [Advanced Help](http://drupal.org/project/advanced_help) support. - 15. [Advanced Aggregation](http://drupal.org/project/advagg) + 16. [Advanced Aggregation](http://drupal.org/project/advagg) support. - 16. [Microcaching](http://fennb.com/microcaching-speed-your-app-up-250x-with-no-n) + 17. [Microcaching](http://fennb.com/microcaching-speed-your-app-up-250x-with-no-n) support for both **anonymous** and **authenticated** users. ## Secure HTTP aka SSL/TLS support @@ -391,7 +395,6 @@ This is strictly a **drupal 6** issue. module tailored for Nginx: [nginx\_accel\_redirect](http://drupal.org/project/nginx_accel_redirect "Module for Drupal providing fast private file transfer"). - ## Connections per client and DoS Mitigation The **connection zone** defined, called `arbeit` allows for **16** @@ -410,6 +413,22 @@ This is strictly a **drupal 6** issue. a working setup. This number must be as small as possible as a way to mitigate the potential for DoS attacks. +## Image hotlinking protection + + Imagecache generated images can be **expensive** to generate. In + those cases providing protection against + [hotlinking](https://simple.wikipedia.org/wiki/Hot-linking) is a + must. + + To make use of that uncomment the proper line on the `/imagecache/` + location that includes the + `sites-available/hotlinking_protection.conf` file. + + The protection is based on the + [Nginx referer module](http://nginx.org/en/docs/http/ngx_http_referer_module.html). You + must specify the hosts that are allowed to access the images. The + hostnames can use wildcards or use regexes. + ## Nginx as a Reverse Proxy: Proxying to Apache for PHP If you **absolutely need** to use the rather _bad habit_ of diff --git a/sites-available/drupal.conf b/sites-available/drupal.conf index 2e71a60c..38a78c7b 100644 --- a/sites-available/drupal.conf +++ b/sites-available/drupal.conf @@ -47,6 +47,10 @@ location / { ## available, if not relay the request to Drupal to (re)generate the ## image. location ~* /imagecache/ { + ## Image hotlinking protection. If you want hotlinking + ## protection for your images uncomment the following line. + #include sites-available/hotlinking_protection.conf; + access_log off; expires 30d; try_files $uri @drupal; diff --git a/sites-available/drupal6.conf b/sites-available/drupal6.conf index bcbc2461..a0612a41 100644 --- a/sites-available/drupal6.conf +++ b/sites-available/drupal6.conf @@ -52,6 +52,10 @@ location / { ## available, if not relay the request to Drupal to (re)generate the ## image. location ~* /imagecache/ { + ## Image hotlinking protection. If you want hotlinking + ## protection for your images uncomment the following line. + #include sites-available/hotlinking_protection.conf; + access_log off; expires 30d; try_files $uri /index.php?q=$no_slash_uri&$args; diff --git a/sites-available/drupal_boost.conf b/sites-available/drupal_boost.conf index fde3dc8c..b84501e8 100644 --- a/sites-available/drupal_boost.conf +++ b/sites-available/drupal_boost.conf @@ -48,6 +48,10 @@ location / { ## available, if not relay the request to Drupal to (re)generate the ## image. location ~* /imagecache/ { + ## Image hotlinking protection. If you want hotlinking + ## protection for your images uncomment the following line. + #include sites-available/hotlinking_protection.conf; + access_log off; expires 30d; try_files $uri @drupal; diff --git a/sites-available/drupal_boost6.conf b/sites-available/drupal_boost6.conf index cfbe6ca1..7cbdad6a 100644 --- a/sites-available/drupal_boost6.conf +++ b/sites-available/drupal_boost6.conf @@ -70,6 +70,10 @@ location / { ## available, if not relay the request to Drupal to (re)generate the ## image. location ~* /imagecache/ { + ## Image hotlinking protection. If you want hotlinking + ## protection for your images uncomment the following line. + #include sites-available/hotlinking_protection.conf; + access_log off; expires 30d; try_files $uri /index.php?q=$no_slash_uri&$args; diff --git a/sites-available/hotlinking_protection.conf b/sites-available/hotlinking_protection.conf new file mode 100644 index 00000000..ebffd47d --- /dev/null +++ b/sites-available/hotlinking_protection.conf @@ -0,0 +1,10 @@ +# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*- + +### Hotlinking protection for images. Include it in any context you +### want. Adjust the list of allowed referers to your liking. + +valid_referers none blocked *.example.* *.google.* my.site.com; + +if ($invalid_referer) { + return 200 "No image hotlinking allowed!\n"; +}