Principle

Note: There is an interesting story behind the two spellings "Referrer" and "Referer". If you are curious, look it up yourself.

In HTTP, when the browser navigates from one page to another (or loads a resource embedded in a page), the request carries a Referer header naming the page it came from. The image server checks whether the Referer belongs to an approved domain name; if not, it treats the request as hotlinking and refuses it.

If the hotlinking site is served over HTTPS and the image link is plain HTTP, the browser sends no Referer on that HTTPS-to-HTTP request (a downgrade, which the browser's default referrer policy suppresses for security reasons), and a Referer-based check is bypassed. When the original site serves an image, it inspects the Referer to learn which website is embedding the image. If your website embeds it, the Referer is your website's address, which is certainly not in the original site's whitelist, so the image is not shown (of course, the Referer is entirely under the client's control, so a browser or script can easily present a whitelisted URL and get around the restriction 🚫).

Therefore, if no Referer is sent, there is no source to check. From the server's point of view the image was requested directly from the browser, so it serves the image normally.

Purpose

Hotlinking (leeching) means displaying content on your own page that is not hosted on your own server. The usual approach is to obtain the resource's address on someone else's server by technical means, bypass that site's own display page, and serve the content directly to end users from your page. The common case is small sites embedding the resources of large sites (images, music, video). For the small site this offloads its own servers, because the real storage and bandwidth come from someone else's server. For the large site it means extra server load from visitors who are not even its own users 😅

Anti-hotlinking (anti-leech) exists to stop this behaviour. By blocking the indirect resource requests made by hotlinkers, a site can greatly reduce its server and bandwidth load, which is why more and more sites are implementing anti-hotlinking technology.


Implementation

nginx

location ~* \.(gif|jpg|png|bmp)$ {
    valid_referers none blocked *.ttlsa.com server_names ~\.google\. ~\.baidu\.;
    if ($invalid_referer) {
        return 403;
        #rewrite ^/ http://www.xxx.com/403.jpg;
    }
}

With this configuration, requests with no Referer (none), requests whose Referer was stripped by a proxy (blocked), and requests from the whitelisted domains (*.ttlsa.com, the server's own names, and any domain containing google or baidu) may load the site's images; a request whose referring domain is not in this whitelist is rejected.

When the Referer is not in the list, nginx sets $invalid_referer to 1, and the if block returns 403, so the user sees a 403 page. If you use the commented-out rewrite instead, every hotlinked image is replaced by 403.jpg.

Apache

Create a .htaccess file in the root directory


RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$ [NC]
RewriteCond %{HTTP_REFERER} !phpddt.com [NC]
RewriteCond %{HTTP_REFERER} !google.com [NC]
RewriteCond %{HTTP_REFERER} !baidu.com [NC]
RewriteCond %{HTTP_REFERER} !feedburner.com [NC]
RewriteCond %{HTTP_REFERER} !feedsky.com [NC]
RewriteRule .*\.(rar|zip)$ http://www.xxx.com/ [R,NC,L]


The same rules can also be placed in the Apache configuration file.

A .htaccess file affects the directory it is in and all of its subdirectories, so you can put it in the project root or in a subdirectory.

The above code is also easy to understand:

RewriteCond %{HTTP_REFERER} !^$ [NC]

Allow requests with an empty Referer, i.e. a user who typed the URL directly into the browser, to access the file.

RewriteCond %{HTTP_REFERER} !phpddt.com [NC]

Allow the site itself to access the file; the following lines likewise allow Baidu, Google, and a few feed subscription services.

RewriteRule .*\.(rar|zip)$ http://www.xxx.com/ [R,NC,L]

This line sets which file types are protected. Here a hotlinked request is redirected to the website's home page; this site does not protect images, but if you do protect images you can redirect hotlinked images to a substitute image instead:

RewriteRule .*\.(gif|jpg|png)$ http://xxx.com/logo.png [R,NC,L]
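The nginx valid_referers directive and the Apache RewriteCond rules above both express the same decision: look at the Referer, accept it if it is absent or on the whitelist, reject it otherwise. The following Python is an added example (not code from the original post or from nginx/Apache) that models that decision, including the "none" and "blocked" cases, so you can test a whitelist against sample requests before deploying it. The allow-list entries and the sample requests are constructed; only the domain names from the nginx snippet are reused.

```python
"""Referer allow-list check, modelled on nginx valid_referers and the Apache
RewriteCond rules.  Added example; not the original post's code."""
import re
from urllib.parse import urlsplit


def referer_allowed(referer, allowed, allow_empty=True, allow_blocked=True):
    """Return True if a request carrying this Referer may load the resource.

    allowed: entries in nginx valid_referers style:
        'example.com'     this host only
        '*.example.com'   any subdomain of example.com
        '~\\.google\\.'   regular expression, matched against the host
    allow_empty:   accept a missing Referer (nginx 'none'): direct visits,
                   privacy modes and HTTPS->HTTP downgrades all send none.
    allow_blocked: accept a Referer that a proxy or firewall mangled so it no
                   longer starts with http:// or https:// (nginx 'blocked').
    """
    if not referer:
        return allow_empty
    if not referer.lower().startswith(("http://", "https://")):
        return allow_blocked
    host = (urlsplit(referer).hostname or "").lower()
    for entry in allowed:
        if entry.startswith("~"):
            if re.search(entry[1:], host):
                return True
        elif entry.startswith("*."):
            if host.endswith(entry[1:]):   # '*.x.com' -> host ends with '.x.com'
                return True
        elif host == entry.lower():
            return True
    return False


# The whitelist from the nginx snippet above (server_names replaced by the bare host).
ALLOWED = ["*.ttlsa.com", "ttlsa.com", r"~\.google\.", r"~\.baidu\."]

# Constructed sample requests (path, Referer); not real traffic.
SAMPLE_REQUESTS = [
    ("/img/a.png", None),                                  # typed in directly
    ("/img/a.png", "https://www.ttlsa.com/post/1"),        # the site's own page
    ("/img/a.png", "https://www.google.com/search?q=a"),   # search engine
    ("/img/a.png", "https://hotlinker.example/gallery"),   # hotlinking page
    ("/img/a.png", "ttlsa.com/stripped"),                  # mangled by a proxy
]


def decide(referer, allowed=ALLOWED, **opts):
    """HTTP status the nginx snippet would answer with: 200 or 403."""
    return 200 if referer_allowed(referer, allowed, **opts) else 403


def run_samples(requests=SAMPLE_REQUESTS, **opts):
    """Status for each sample request, in order."""
    return [decide(referer, **opts) for _, referer in requests]


if __name__ == "__main__":
    for (path, referer), status in zip(SAMPLE_REQUESTS, run_samples()):
        print(status, path, referer)
```

Two things worth noticing when you run it: the regex entries `~\.google\.` and `~\.baidu\.` match any host that merely contains ".google." or ".baidu.", and the Apache `!google.com` conditions are substring matches in the same way, so anchor the patterns (for example `~\.google\.com$`) if you want only the real search-engine hosts to pass. And because `allow_empty` must stay on for the HTTPS-to-HTTP and privacy-mode cases described above, a Referer check can only ever reduce casual hotlinking, never prevent it.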

Bypass methods

😄 As the saying goes, when virtue rises one foot, vice rises ten. Now that the principle is clear, let's look at some commonly used bypass schemes; if you know a better one, leave me a comment.

1. If the hotlinked image is served over HTTP, the hotlinking website can serve itself over HTTPS; the browser then omits the Referer on the HTTPS-to-HTTP request for security reasons, which bypasses the anti-hotlinking check.


3.  <img referrer="no-referrer|origin|unsafe-url" src="{item.src}"/>

4. https://images.weserv.nl/?url=${your image address}

This proxy is a little slow, but the result is acceptable: it returns the image without the restriction. A GIF, however, is returned as JPG, so any animation is lost.

5. Use iframe to forge the request referer

function showImg( url ) {
        var frameid = 'frameimg' + Math.random();
        window.img = '<img id="img" src=\''+url+'?'+Math.random()+'\' /> '+frameid+'\').height = document.getElementById(\'img\').height +\'px\'; } < '+'/script>';
        document.write('<iframe id="'+frameid+'" src="javascript:parent.img; " frameBorder="0" scrolling="no" width="100%">');
}


6. As mentioned above, a server-side proxy can set the request headers itself; look up the corresponding solution for your language, it is not listed here.


Defending against bypasses

Since there are bypasses, there are of course commonly used defences as well 😄

1. Do not allow an empty Referer (not recommended: it is empty in some browsers with privacy mode enabled, and on references from HTTPS pages)
2. Change the address (lighttpd uses time-limited links, nginx uses MD5-signed links, or links tied to the IP address)
3. Require login (the resource can only be accessed after logging in to a website account)
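The "change the address" defence above works by making the resource URL itself short-lived: the link carries an expiry time and a signature over path and expiry, so a copied link stops working after its TTL and an edited link fails verification. The following Python is an added example (not code from the original post, and not nginx's own secure_link module, which uses MD5) that shows the scheme with HMAC-SHA256; the secret, paths and timestamps are constructed placeholders.

```python
"""Expiring signed links for static resources.  Added example; uses HMAC-SHA256
instead of the MD5 that nginx's secure_link uses (a deliberate choice)."""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

SECRET = b"replace-me-with-a-random-secret"   # placeholder; generate a real one


def _sign(path, expires, secret):
    """Signature over path and expiry so neither can be changed independently."""
    msg = f"{path}\n{expires}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def make_link(path, ttl_seconds, now=None, secret=SECRET):
    """Return path?expires=...&sig=... valid for ttl_seconds from now."""
    now = int(time.time()) if now is None else int(now)
    expires = now + int(ttl_seconds)
    query = urlencode({"expires": expires, "sig": _sign(path, expires, secret)})
    return f"{path}?{query}"


def verify_link(url, now=None, secret=SECRET):
    """True only if the signature matches path+expires and the link is unexpired."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False                       # missing or malformed parameters
    now = int(time.time()) if now is None else int(now)
    if now > expires:
        return False                       # expired: a copied link dies on its own
    # Constant-time compare so the signature cannot be guessed byte by byte.
    return hmac.compare_digest(sig, _sign(parts.path, expires, secret))


if __name__ == "__main__":
    link = make_link("/img/a.png", 600, now=1_700_000_000)
    print(link)
    print("valid now:", verify_link(link, now=1_700_000_100))
    print("valid after TTL:", verify_link(link, now=1_700_000_700))
```

The page that embeds the image generates the link with make_link at render time, and the resource server calls verify_link before sending the file. A hotlinker can still copy a fresh link from your page, but it expires after the TTL; tying the signature to the client's IP address as well, as the list above mentions, closes that window further at the cost of breaking for users behind changing addresses.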

The following prevents a website from being mirrored or loaded inside an iframe

1. Prevent the site from being mirrored (malicious DNS resolution, forwarding, etc.)

Symptom: someone else's domain name resolves to my IP address and serves my website

Solutions:

You can write this in http.ini:

RewriteCond Host: !^www\.web\.cn$
RewriteRule (.*) http\://www\.web\.cn$1 [I,RP]

In .htaccess it can be written like this:

RewriteCond %{HTTP_HOST} !^www\.web\.cn$ [NC]
RewriteRule ^(.*)$ http://www.web.cn/$1 [L,R=301]

The logic is simple: a visit through any domain name other than "www.web.cn" is automatically redirected to "www.web.cn". With this in place, a site you have worked hard to maintain does not suffer from being mirrored under someone else's domain.

2. Prevent the site from being loaded in an iframe

Code: add the following at the bottom of the page, or in a common include shared by all pages

<script type="text/javascript">
if (window != parent) window.top.location.href = window.location.href;
</script>

The script is equally simple: it checks whether the page is the top-level window; if it has been framed by another page, it navigates the top window to the page's own URL, so the site cannot be kept inside someone else's iframe. Note that this frame-busting script only runs if the framing page lets the script execute; the X-Frame-Options or Content-Security-Policy frame-ancestors response headers are the more reliable way to refuse framing.

(Ant No.)
www.v5ant.com/details/YZE…