How can I prevent hot-linking to my files in public storage?

I have an NGINX server (with a WordPress site) and use Google Cloud Storage to serve my content. I've noticed websites hot-linking to my files without any attribution.

I think I need to:

  1. Make my links expire after a period of time, so they stop working after a while
  2. Have my WordPress site pass an AUTH TOKEN to allow access to my files
  3. Have my Google Cloud Storage not serve files unless the request comes from the correct REFERRER?

How would one go about this?

Put the following in your .htaccess file:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain2\.com(/|$) [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ http://hpmouse.googlepages.com/hotlink.gif [NC,R,L]

Lines 2 and 3 are the sites you want to allow to link to your images. Line 4: the file formats to block from being linked.

There are multiple ways to control access to a GCS bucket and/or individual objects, and you'll need to look into them to see which one best fits your situation. From Access Control Options:

You can control who has access to your Cloud Storage buckets and objects as well as what level of access they have. Below is a summary of the access control options available to you, along with links to learning more about each:

  • Identity and Access Management (IAM) permissions: Grant access to buckets as well as bulk access to a bucket's objects. IAM permissions give you broad control over your projects and buckets, but not fine-grained control over individual objects. For a reference of IAM permissions and roles specific to Cloud Storage, as well as which permissions allow users to run JSON and XML methods on buckets and objects, see the IAM Reference pages. To learn how to use IAM permissions, see Using IAM Permissions.

  • Access Control Lists (ACLs): Grant read or write access to users for individual buckets or objects. In most cases, you should use IAM permissions instead of ACLs. Use ACLs only when you need fine-grained control over individual objects. To learn how to use ACLs, see Create and Manage Access Control Lists.

  • Signed URLs (query string authentication): Give time-limited read or write access to an object through a URL you generate. Anyone with whom you share the URL can access the object for the duration of time you specify, regardless of whether or not they have a Google account. Learn how to create signed URLs.

  • Signed Policy Documents: Specify what can be uploaded to a bucket. Policy documents allow greater control over size, content type, and other upload characteristics than signed URLs, and can be used by website owners to allow visitors to upload files to Google Cloud Storage.

  • Firebase Security Rules: Provide granular, attribute-based access control to mobile and web apps using the Firebase SDKs for Cloud Storage. For example, you can specify who can upload or download objects, how large an object can be, or when an object can be downloaded.

These options are not mutually exclusive. For example, you can use ACLs to generally give private access to a bucket, but then create a signed URL or policy document that allows anyone you choose to access a resource within the bucket, bypassing the ACL mechanism.
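The signed-URL option above is the one that matches the asker's "links that expire after a while" requirement. As an added example (not code from the post or from Google), here is the V4 canonical request and string-to-sign that Cloud Storage signs for a time-limited GET, with the expiry carried inside the signed query. The bucket, object, service-account address and clock are constructed placeholders, and `stub_signer` stands in for RSA-SHA256 signing with the service account's private key.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from typing import Callable, Tuple
from urllib.parse import parse_qsl, quote, urlparse

HOST = "storage.googleapis.com"
DEMO_NOW = datetime(2024, 1, 2, 3, 4, 5, tzinfo=timezone.utc)  # constructed clock

def build_v4_signed_url(bucket: str, obj: str, sa_email: str,
                        signer: Callable[[bytes], bytes], now: datetime,
                        expires_s: int = 3600) -> Tuple[str, str]:
    """Return (signed_url, string_to_sign) for a time-limited GET on one object.
    In production `signer` is RSA-SHA256 with the service account's private key;
    it is injected here so the example runs offline."""
    if not 1 <= expires_s <= 604800:  # GCS caps V4 signed URLs at 7 days
        raise ValueError("X-Goog-Expires must be 1..604800 seconds")
    date_stamp, request_ts = now.strftime("%Y%m%d"), now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{date_stamp}/auto/storage/goog4_request"
    path = f"/{bucket}/{quote(obj, safe='/')}"  # percent-encode all but '/'
    params = {
        "X-Goog-Algorithm": "GOOG4-RSA-SHA256",
        "X-Goog-Credential": f"{sa_email}/{scope}",
        "X-Goog-Date": request_ts,
        "X-Goog-Expires": str(expires_s),
        "X-Goog-SignedHeaders": "host",
    }
    # Canonical query string: names sorted, values fully percent-encoded.
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in sorted(params.items()))
    # Canonical request: verb, path, query, canonical headers + blank line,
    # signed header names, UNSIGNED-PAYLOAD (no body hash for a GET).
    canonical_request = "\n".join(
        ["GET", path, query, f"host:{HOST}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["GOOG4-RSA-SHA256", request_ts, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    signature = signer(string_to_sign.encode()).hex()
    return f"https://{HOST}{path}?{query}&X-Goog-Signature={signature}", string_to_sign

def seconds_remaining(url: str, now: datetime) -> int:
    """Seconds the URL stays valid (negative once expired). X-Goog-Date and
    X-Goog-Expires are inside the signed query, so a client cannot stretch the
    window without invalidating X-Goog-Signature."""
    q = dict(parse_qsl(urlparse(url).query))
    issued = datetime.strptime(q["X-Goog-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return int((issued + timedelta(seconds=int(q["X-Goog-Expires"])) - now).total_seconds())

def stub_signer(data: bytes) -> bytes:
    # Constructed stand-in for RSA signing; NOT valid for real GCS requests.
    return hmac.new(b"constructed-demo-key", data, hashlib.sha256).digest()
```

For a WordPress front end, the site would generate these URLs server-side at render time (the key never reaches the browser) and pick an expiry just long enough for the page to load.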