---
title: Nginx: Hotlink protection via rewrite - isla Studio
url: https://isla-stud.io/howtos-anleitungen/nginx-hotlink-schutz/
date: 2016-01-31
---

# Nginx: Hotlink protection via rewrite

There is not even a backlink to your own website, unless the content thief has simply copied and pasted the entire content from the source code into his website. Then it can happen that you have linked somewhere to another of your own posts with the complete URL. And this link is then still contained in the text. But first take a deep breath and first things first:



What is a hotlink actually?



A hotlink is, for example, the integration of an image via a direct link to the existing URL. Without downloading the image beforehand, uploading it to your own web space or server and then linking it from there.



Hotlinks are not generally a bad thing. At least not if the hotlinking has been agreed with each other or if you are an image upload service, but in most cases you are not an image upload service, but simply someone who pays for their web hosting every month and has a certain traffic limit. And here we come to the crux of the matter: If someone else displays media files on their homepage that are located on your web server, your server will serve each of these third-party requests, because that's what servers do. They serve (serve, provide, serve, serve).



Now the content thief has a free image on his website for which no traffic is generated/charged on his own server. This traffic (server load) is billed to the thief, i.e. you, and costs server resources every time a visitor surfs to the content thief's site and the image is displayed in their web browser. Depending on how much visitor traffic the content thief has on his website, this is really not funny.



Today I would like to show you how you can configure your own NGINX web server so that it does not serve these external requests as expected, but instead serves the visitors to the content thief's website a different image, so that you can reverse the supposed damage and benefit from it and, if you are really angry, get one over on the thief: get the visitors to your own website!



How you can turn NGINX into an invincible hotlink enemy!



This is the plan:



 We want an overarching solution that works for all domains. So that you don't have to customize each individual vHost configuration (sites-available). The request link should be rewritten and a specific, different image should be served to the thief page instead. It must work with Google Image Search and other search engines with an image search function, instead of banning hotlinking altogether. Otherwise, Google Image Search will no longer display your actual images, but only the replacement image



Solution to image theft



These few lines of code are ultimately the solution to the image theft problem. You can find out how and where to place the code in the next section.



location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf)$ {
  add_header "Access-Control-Allow-Origin" "*";
  access_log off;
  log_not_found off;
  expires max;
  valid_referers none blocked ~.google. ~.bing. ~.yahoo. ~.yandex. server_names ~($host);
    if ($invalid_referer) {
      rewrite (.*) /hotlink/eight-content-and-image-stealing.png redirect;
      }
}
#hotlink end redirect loop
location = /hotlink/acht-inhalts-und-bilderklau.png { }



What does the code do?



~ is used to take upper/lower case into account, while ~* ignores upper/lower case.



NGINX checks the locations rule in the order in which the regular expressions are inserted. This means that the caching header instructions for media files and the instructions of our hotlink protection must be in the same block!



location = /hotlink/achtung-inhalts-und-bilderklau.png { } is required so that the new request for the replacement image does not result in an infinite forwarding loop:
Image theft site sends request for imageA → our NGINX redirects the request for replacement image → image theft site sends request for replacement image → our NGINX redirects the request for replacement image, but does not serve → and so on...







$host is a variable that makes this instruction globally usable and works under all vHost domains on the web server. The following URL is valid for every domain: http://$host/hotlink/achtung-inhalts-und-bilderklau.png



You should only create the directory /hotlink under each domain and store an image file with the name: achtung-inhalts-und-bilderklau.png in this directory. You can also name the file and the directory differently if you wish. Just adapt the code accordingly.



To include the location rule





This is how you proceed to equip your NGINX web server with this special hotlink protection against image theft.


Total time: 30 minutes


Preparations: Create and upload an exchange graphic
First create a graphic that visitors to the Thief website should see and upload it to the desired directory on your web server. Make a note of the URL of the graphic.



Customizing the NGINX Webserver locations configuration
On your server, navigate to the directory /etc/nginx/common/ and find the locations configuration included in the server block of your vhost, which contains rules for the location defined in the code above. As a rule, there will already be an existing rule block for the specified location. If not, simply insert the above code as a new rule block in the correct file; if the block already exists, insert only the above rules without the locations wrap.



Save and reload NGINX web server configuration
Then save the configuration file with the extended locations block on the server and test the new configuration first via the SSH terminal with nginx -tIf the test goes through without any problems, restart your NGINX with the command service nginx restart.










Test your hotlink protection!



Here I have written a tool that you can use to test your hotlink protection configuration. Enter the direct URL for a graphic on your nginx server in the input field. Ideally, your replacement image should then be displayed in the output field below. If the image from the entered URL appears, you must check your hotlink protection again.



If you want to run the test several times in succession for the same image URL, you must clear your browser cache after each test and reload this page.



 Check image URL







Do you still have questions? Then don't hesitate to use the comment function below this article!



Please share this article on your Facebook page, Twitter, Google+ or another social platform of your choice. You will find the share buttons below. Sharing is quick and easy and I would really appreciate it.