Nginx hotlinking prevention

hotlinkingnginxvideo

I know this is quite a basic question, but whereas i had no problem preventing image files from hotlinking, i can't figure out how i can't protect mp4 video files…

i just tried to specify mp4 next to jpg, (that's the two filetypes i need to protect), but as it works for jpg, mp4 does nothing !

Any idea ?

location ~* \.(jpg|mp4)$ {
valid_referers none blocked www.mysite.com mysite.com;
if ($invalid_referer) { return 403; }
}

Best Answer

Unfortunately whatever method you use to "protect" the progressive download, it can still be thwarted.

This problem is, that videos are specified as streaming contents.

Actually, many video-downloader tools are so powerful, so it is very difficult to protect the video files from being downloaded.

Usually, there is a three step solution:

GET /path/to/file - return an HTML form with a capcha or some other method to avoid automa
POST /path/to/file - return an HTTP redirect using a secure hash
GET /path/to/file?hash=xxx - check the hash

You can perfect this method by implementing the H264 Streaming Module for nginx.

Correct way in new versions of nginx

Turn out my first answer to this question was correct at certain time, but it turned into another pitfall - to stay up to date please check Taxing rewrite pitfalls

I have been corrected by many SE users, so the credit goes to them, but more importantly, here is the correct code:

server {
       listen         80;
       server_name    my.domain.com;
       return         301 https://$server_name$request_uri;
}

server {
       listen         443 ssl;
       server_name    my.domain.com;
       # add Strict-Transport-Security to prevent man in the middle attacks
       add_header Strict-Transport-Security "max-age=31536000" always; 

       [....]
}

Nginx – How to Prevent Hotlinking

Without access to the server configuration, you cannot change any settings. There is no equivalent to Apache httpd's .htaccess in nginx.

Best Answer

Related Solutions

NGINX Redirect – How to Rewrite All HTTP Requests to HTTPS While Maintaining Sub-Domain

Correct way in new versions of nginx

Nginx – How to Prevent Hotlinking

Related Topic