From c8313299aa59d5de140eecf3366ab7b5361d8921 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ant=C3=B3nio=20P=2E=20P=2E=20Almeida?=
Date: Sun, 11 Mar 2012 02:56:04 +0100
Subject: [PATCH] * Added hotlinking protection.
---
 README.md | 37 ++++++++++++++++------
 sites-available/drupal.conf | 4 +++
 sites-available/drupal6.conf | 4 +++
 sites-available/drupal_boost.conf | 4 +++
 sites-available/drupal_boost6.conf | 4 +++
 sites-available/hotlinking_protection.conf | 10 ++++++
 6 files changed, 54 insertions(+), 9 deletions(-)
 create mode 100644 sites-available/hotlinking_protection.conf
diff --git a/README.md b/README.md
index 9dfbf4b8..9bb8655f 100644
--- a/README.md
+++ b/README.md
@@ -177,30 +177,34 @@ This is strictly a **drupal 6** issue. 10. Support for **private file** serving in drupal. - 11. Use of UNIX sockets in `/tmp/` subdirectory with permissions - **700**, i.e., accessible only to the user running the process. - You may consider the + 11. Support for + [hot link protection](https://simple.wikipedia.org/wiki/Hot-linking) + imagecache generated images. + + 12. If using `php-cgi` with UNIX sockets in `/tmp/` subdirectory + with permissions **700**, i.e., accessible only to the user + running the process. You may consider the [init script](github.com/perusio/php-fastcgi-debian-script) that I make available here on github that launches the PHP FastCGI daemon and spawns new instances as required. This is not needed if you're using php-fpm. - 12. End of the [expensive 404s](http://drupal.org/node/76824 + 13. End of the [expensive 404s](http://drupal.org/node/76824 "Expensive 404s issue") that Drupal usually handles when using Apache with the default `.htaccess`. - 13. Possibility of using **Apache** as a backend for dealing with + 14. Possibility of using **Apache** as a backend for dealing with PHP. Meaning using Nginx as [reverse proxy](http://wiki.nginx.org/HttpProxyModule "Nginx Proxy Module"). - 14. [Advanced Help](http://drupal.org/project/advanced_help) + 15. [Advanced Help](http://drupal.org/project/advanced_help) support. - 15. [Advanced Aggregation](http://drupal.org/project/advagg) + 16. [Advanced Aggregation](http://drupal.org/project/advagg) support. - 16. [Microcaching](http://fennb.com/microcaching-speed-your-app-up-250x-with-no-n) + 17. [Microcaching](http://fennb.com/microcaching-speed-your-app-up-250x-with-no-n) support for both **anonymous** and **authenticated** users. ## Secure HTTP aka SSL/TLS support 
@@ -391,7 +395,6 @@ This is strictly a **drupal 6** issue.
 module tailored for Nginx: [nginx\_accel\_redirect](http://drupal.org/project/nginx_accel_redirect "Module for Drupal providing fast private file transfer").
-
 ## Connections per client and DoS Mitigation The **connection zone** defined, called `arbeit` allows for **16**
@@ -410,6 +413,22 @@ This is strictly a **drupal 6** issue.
 a working setup. This number must be as small as possible as a way to mitigate the potential for DoS attacks.
+## Image hotlinking protection
+
+ Imagecache generated images can be **expensive** to generate. In
+ those cases providing protection against
+ [hotlinking](https://simple.wikipedia.org/wiki/Hot-linking) is a
+ must.
+
+ To make use of that uncomment the proper line on the `/imagecache/`
+ location that includes the
+ `sites-available/hotlinking_protection.conf` file.
+
+ The protection is based on the
+ [Nginx referer module](http://nginx.org/en/docs/http/ngx_http_referer_module.html). You
+ must specify the hosts that are allowed to access the images. The
+ hostnames can use wildcards or use regexes.
+
 ## Nginx as a Reverse Proxy: Proxying to Apache for PHP If you **absolutely need** to use the rather _bad habit_ of
diff --git a/sites-available/drupal.conf b/sites-available/drupal.conf
index 2e71a60c..38a78c7b 100644
--- a/sites-available/drupal.conf
+++ b/sites-available/drupal.conf
@@ -47,6 +47,10 @@ location / {
 ## available, if not relay the request to Drupal to (re)generate the
 ## image.
 location ~* /imagecache/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include sites-available/hotlinking_protection.conf;
+
 access_log off;
 expires 30d;
 try_files $uri @drupal;
diff --git a/sites-available/drupal6.conf b/sites-available/drupal6.conf
index bcbc2461..a0612a41 100644
--- a/sites-available/drupal6.conf
+++ b/sites-available/drupal6.conf
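Review bot: Once the commented `include` in the `/imagecache/` location is enabled, every request the referer check rejects is answered inside a location that has `access_log off;`, so denied hotlinking attempts leave no trace and the allow-list can never be tuned from evidence; the identical hunks in drupal6.conf, drupal_boost.conf and drupal_boost6.conf have the same gap. On nginx 1.7.0 or later the rejections alone can be kept with a conditional log, e.g. `access_log /var/log/nginx/hotlink.log combined if=$invalid_referer;` (example path), placed after the include. Otherwise the trade-off should be stated in the comment above the include, e.g. `## Note: rejected hotlink requests are not logged because of the access_log off below.`. The include path is relative to the nginx configuration prefix, which the surrounding files presumably already rely on for their other includes.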
@@ -52,6 +52,10 @@ location / {
 ## available, if not relay the request to Drupal to (re)generate the
 ## image.
 location ~* /imagecache/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include sites-available/hotlinking_protection.conf;
+
 access_log off;
 expires 30d;
 try_files $uri /index.php?q=$no_slash_uri&$args;
diff --git a/sites-available/drupal_boost.conf b/sites-available/drupal_boost.conf
index fde3dc8c..b84501e8 100644
--- a/sites-available/drupal_boost.conf
+++ b/sites-available/drupal_boost.conf
@@ -48,6 +48,10 @@ location / {
 ## available, if not relay the request to Drupal to (re)generate the
 ## image.
 location ~* /imagecache/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include sites-available/hotlinking_protection.conf;
+
 access_log off;
 expires 30d;
 try_files $uri @drupal;
diff --git a/sites-available/drupal_boost6.conf b/sites-available/drupal_boost6.conf
index cfbe6ca1..7cbdad6a 100644
--- a/sites-available/drupal_boost6.conf
+++ b/sites-available/drupal_boost6.conf
@@ -70,6 +70,10 @@ location / {
 ## available, if not relay the request to Drupal to (re)generate the
 ## image.
 location ~* /imagecache/ {
+ ## Image hotlinking protection. If you want hotlinking
+ ## protection for your images uncomment the following line.
+ #include sites-available/hotlinking_protection.conf;
+
 access_log off;
 expires 30d;
 try_files $uri /index.php?q=$no_slash_uri&$args;
diff --git a/sites-available/hotlinking_protection.conf b/sites-available/hotlinking_protection.conf
new file mode 100644
index 00000000..ebffd47d
--- /dev/null
+++ b/sites-available/hotlinking_protection.conf
@@ -0,0 +1,10 @@
+# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
+
+### Hotlinking protection for images. Include it in any context you
+### want. Adjust the list of allowed referers to your liking.
+
+valid_referers none blocked *.example.* *.google.* my.site.com;
+
+if ($invalid_referer) {
+ return 200 "No image hotlinking allowed!\n";
+}
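Review bot: `return 200 "No image hotlinking allowed!\n";` turns a denial into a successful, cacheable response: the `/imagecache/` locations that include this file set `expires 30d`, which nginx applies to 200 responses, so a browser or proxy that once fetched an image with a foreign Referer will presumably keep the text body in place of the image for 30 days, under whatever content type nginx derives from the requested URI. A denial status carries the right meaning and is not decorated by `expires`: `return 403;`. Two things about `valid_referers` belong in the header comment: `none` is required so that direct visits and privacy-stripped browsers still get images, but it also means the check is bypassed by any client that simply omits the Referer header, so this is a cost control rather than access control; and `*.example.*` / `*.google.*` are placeholders with an asterisk at both ends, whereas the referer module documents a single `*` at the beginning or end of a name, so the form should be confirmed with `nginx -t` and, if accepted, a trailing `*` matches any suffix and makes `*.google.*` broader than it looks. The comment's "Include it in any context you want" overstates it: `valid_referers` and `if` are only valid in server and location context, so the comment should name those two.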