Protecting your Discourse installation from Hotlinking?


#1

I wonder what you guys think about adding these rules to NGINX to protect from hotlinking.

http://nginxlibrary.com/hotlink-protection/

location ~ \.(jpe?g|png|gif)$ {
    valid_referers none blocked mysite.com *.mysite.com;
    if ($invalid_referer) {
        return 403;
    }
}

I think it should help if you are hosting images in your forum.


(Jeff Atwood) #2

It’s fine as a first line of defense, and probably something we want to include in the documentation @supermathie.

I feel like bandwidth costs and sharing rules have gotten a lot more relaxed since 2004, so I am more open to letting people share the images on a forum outside the forum, within reason… though if it gets abused, and a certain uploaded forum image goes hyper viral, that’d be a problem for sure.


(Michael Brown) #3

Good plan! Added to my documents-in-progress.

Also want to add in an option to have nginx log a message when this is detected, but permit it.


(ampburner) #4

Is there any way that I can do this myself? I’m experiencing some hotlinking issues and I would like to know what my options are.


(Régis Hanol) #5

You will have to update your app.yml so that it updates the /etc/nginx/conf.d/discourse.conf file using pups’ replacement syntax.


(Chris Beach) #6

I have edited this file (within the running Docker container) and restarted nginx (service nginx restart). However, my uploads are still being successfully hot-linked from another site.

Have I set the nginx config correctly?

      ## optional upload anti-hotlinking rules
      valid_referers none blocked se26.life;
      if ($invalid_referer) { return 403; }

Version of nginx is as follows:

root@gbyk1-se26:/var/www/discourse# nginx -v
nginx version: nginx/1.15.0

The access log lines show the referrer of the hot-linking site is coming through correctly, but status 200 is returned.

EDIT:

I resolved this by putting the hotlink rules inside the individual location matchers.

      location ~* \.(gif|png|jpg|jpeg|bmp|tif|tiff|svg|ico|webp)$ {
          if ($http_referer ~* naughtyhotlinker.com) {
              return 403;
          }
          try_files $uri =404;
      }
      # thumbnails & optimized images
      location ~ /_?optimized/ {
          if ($http_referer ~* naughtyhotlinker.com) {
              return 403;
          }
          try_files $uri =404;
      }
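Added example (not code from the thread or from Discourse): a small Python model of the two Referer checks discussed above, the `valid_referers none blocked mysite.com *.mysite.com` allowlist from post #1 and the `$http_referer ~* naughtyhotlinker.com` blocklist from post #6, run over constructed access-log lines so you can see which image requests each rule would turn into a 403 before touching the live nginx config. The host names come from the thread; the log lines, the `ALLOWED`/`BLOCK_PATTERN` constants and the function names are mine, and the nginx semantics are simplified (URI-prefix and regex forms of `valid_referers` are not modelled).

```python
# Model of nginx Referer checks for upload hotlinking, applied to constructed log lines.
import re
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Extensions Discourse's upload location blocks match (as quoted in post #6).
IMAGE_RE = re.compile(r"\.(gif|png|jpe?g|bmp|tiff?|svg|ico|webp)$", re.I)

# Subset of the nginx "combined" log format: addr, request line, status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Values taken from the thread's two configs (the blocklist dot is escaped on purpose:
# the nginx snippet in post #6 uses an unescaped "." which also matches any character).
ALLOWED = ["none", "blocked", "mysite.com", "*.mysite.com"]
BLOCK_PATTERN = r"naughtyhotlinker\.com"


def referer_is_valid(referer: Optional[str], allowed: Iterable[str]) -> bool:
    """Approximate nginx valid_referers: 'none' = header absent, 'blocked' = present but
    not starting with http:// or https:// (stripped by a proxy/firewall), plain names
    must equal the Referer host, and a leading '*.' matches any subdomain but not the
    bare domain (which is why post #1 lists both mysite.com and *.mysite.com)."""
    names = [a.lower() for a in allowed]
    if not referer:
        return "none" in names
    if not re.match(r"https?://", referer, re.I):
        return "blocked" in names
    # Compare the parsed host, not the raw string: a Referer such as
    # https://naughtyhotlinker.com/?u=mysite.com must not pass a substring check.
    host = (urlsplit(referer).hostname or "").lower()
    for name in names:
        if name in ("none", "blocked"):
            continue
        if name.startswith("*.") and host.endswith(name[1:]):
            return True
        if host == name:
            return True
    return False


def referer_is_blocklisted(referer: Optional[str], pattern: str) -> bool:
    """Model of `if ($http_referer ~* pattern)`: case-insensitive regex over the raw header."""
    return bool(referer) and re.search(pattern, referer, re.I) is not None


def audit(log_lines: Iterable[str], allowed: Iterable[str],
          block_pattern: str) -> List[Tuple[str, Optional[str], int, int]]:
    """For each image request, return (path, referer, status under the allowlist rule,
    status under the blocklist rule). Non-image requests are skipped, as the location
    blocks would skip them."""
    results = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not IMAGE_RE.search(m["path"]):
            continue
        referer = None if m["referer"] == "-" else m["referer"]
        allow_status = 200 if referer_is_valid(referer, allowed) else 403
        block_status = 403 if referer_is_blocklisted(referer, block_pattern) else 200
        results.append((m["path"], referer, allow_status, block_status))
    return results


# Constructed sample lines (not real traffic): an on-site view, a direct/no-Referer
# thumbnail fetch, a hotlink whose query string mentions mysite.com, a Referer stripped
# to a bare host by a proxy, and a non-image request that the rules never see.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2018:12:00:01 +0000] "GET /uploads/default/original/1X/a.png HTTP/1.1" 200 5123 "https://forum.mysite.com/t/topic/1" "Mozilla/5.0"',
    '203.0.113.8 - - [10/Jun/2018:12:00:02 +0000] "GET /uploads/default/optimized/1X/a_2_100x100.png HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jun/2018:12:00:03 +0000] "GET /uploads/default/original/1X/a.png HTTP/1.1" 200 5123 "https://naughtyhotlinker.com/page?src=mysite.com" "Mozilla/5.0"',
    '203.0.113.10 - - [10/Jun/2018:12:00:04 +0000] "GET /uploads/default/original/1X/a.png HTTP/1.1" 200 5123 "mysite.com" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Jun/2018:12:00:05 +0000] "GET /t/topic/1 HTTP/1.1" 200 20000 "https://naughtyhotlinker.com/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path, referer, allow_status, block_status in audit(SAMPLE_LOG, ALLOWED, BLOCK_PATTERN):
        print(f"{path:50} referer={referer!r:55} allowlist={allow_status} blocklist={block_status}")
```

Two things the run makes visible: `none` and `blocked` have to stay in the allowlist, otherwise direct visitors, privacy-mode browsers and users behind Referer-stripping proxies get 403s on every image; and because the Referer header is set by the client, either rule only deters casual hotlinking, so pairing it with the log-but-permit option mentioned in post #3 gives you a view of the volume before you decide to block.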