
How can I protect my site from being leeched?

I am using the header function of PHP to send the file to the browser with some small code. It works well and I have it so that if anyone requests it with a referer other than my site it redirects to a page first. Unfortunately it's not working with Internet Download Manager.

What I want to know is how the RapidShare and 4shared sites do this.

You can use sessions to ensure that a valid user is requesting the download.

Not all browsers / software that can see web pages will send a Referer to your server. Some sites will make a browser "fingerprint", usually hashed, which might be Referer, User-Agent and a couple of other headers strung together to make a unique identifier for that user and thus restrict access as you describe.

Of course, I may have completely missed the point of your post!

A typical design pattern is using a front controller to have a single entry point for all requests. By having a front controller, you can control exactly what the client sees.

You can configure this in Apache so that all requests go through a single file (it's been a while since I've done this because I now concentrate on Java). I think you would need to look at the pathinfo documentation for Apache.

This might require a significant change in the rest of your application code. But, the code will be more secure and maintainable in the long run.

I've served images and other binary files through this pattern. This allowed me to easily verify users were authenticated before actually sending them the file. Obfuscation is not security, so if you rely on obfuscating your URL, an attacker may be delayed in getting in, but it is just a matter of time.

Walter

The problem probably is that sending a file through a PHP script (with the headers you mentioned) doesn't support starting the file download at a certain position. Download managers use this feature to download a file using several simultaneous threads (assuming the server gives one thread at a certain speed).

For a small project I would recommend making a copy of the file with a unique filename just for the download time and redirecting the user to this copied file. This way he gets full server download features and it also doesn't load the processor as PHP does. Disadvantages - more disk space required and need to clean up the download directory.
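The three answers above fit together: gate the download on the session rather than the Referer (download managers and some browsers omit it), route every file URL through one script so the check cannot be bypassed, and honour HTTP Range requests so resuming and multi-threaded download managers work without copying files around. The script below is an added example and is not code from the question or any of the answers. It assumes a hypothetical file name download.php, a storage directory STORAGE_DIR outside the document root, a login flow that sets $_SESSION['user_id'], and the mod_rewrite rule quoted in the header comment.

```php
<?php
declare(strict_types=1);

// Added example: session-gated download script with HTTP Range support.
// Hypothetical file name: download.php. Assumed layout: files live in STORAGE_DIR,
// outside the document root, and the site's login code sets $_SESSION['user_id'].
// Assumed Apache routing (mod_rewrite) so that every /files/<name> URL hits this script:
//   RewriteEngine On
//   RewriteRule ^files/([^/]+)$ /download.php?name=$1 [L,QSA]

const STORAGE_DIR = '/var/www/storage';   // assumed path
const CHUNK_BYTES = 8192;

/**
 * Parse a single-range "Range: bytes=..." header against a file of $size bytes.
 * Returns [start, end] (inclusive), null when the header is absent or malformed
 * (serve the whole file), or false when the range is unsatisfiable (HTTP 416).
 */
function parseRange(?string $header, int $size)
{
    if ($header === null || !preg_match('/^bytes=(\d*)-(\d*)$/', $header, $m)) {
        return null;
    }
    [, $first, $last] = $m;
    if ($first === '' && $last === '') {
        return null;                                   // "bytes=-" carries no range
    }
    if ($first === '') {                               // suffix range: the last N bytes
        $n = (int)$last;
        return $n === 0 ? false : [max(0, $size - $n), $size - 1];
    }
    $start = (int)$first;
    $end   = $last === '' ? $size - 1 : min((int)$last, $size - 1);
    return ($start >= $size || $start > $end) ? false : [$start, $end];
}

/** Map a user-supplied name to a real file inside STORAGE_DIR, or null. */
function resolveStoredFile(string $name): ?string
{
    $name = basename($name);                           // strip any directory component
    $real = realpath(STORAGE_DIR . DIRECTORY_SEPARATOR . $name);
    if ($name === '' || $real === false || !is_file($real)) {
        return null;
    }
    // realpath() followed symlinks; confirm the result is still inside the store.
    return strpos($real, realpath(STORAGE_DIR) . DIRECTORY_SEPARATOR) === 0 ? $real : null;
}

session_start();

// 1. Gate on the session, not on the Referer header.
if (empty($_SESSION['user_id'])) {
    http_response_code(403);
    exit('Login required');
}

// 2. Resolve the file and refuse anything outside the storage directory.
$path = resolveStoredFile((string)($_GET['name'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

$size  = filesize($path);
$range = parseRange($_SERVER['HTTP_RANGE'] ?? null, $size);

if ($range === false) {
    http_response_code(416);
    header("Content-Range: bytes */$size");
    exit;
}
[$start, $end] = $range ?? [0, $size - 1];

// 3. Advertise resume support and send either the whole file or the requested slice.
while (ob_get_level() > 0) {
    ob_end_clean();                                    // no output buffering for large files
}
http_response_code($range === null ? 200 : 206);
header('Accept-Ranges: bytes');
header('Content-Type: application/octet-stream');
header('Content-Length: ' . ($end - $start + 1));
header('Content-Disposition: attachment; filename="' . str_replace('"', '', basename($path)) . '"');
if ($range !== null) {
    header("Content-Range: bytes $start-$end/$size");
}

$fh = fopen($path, 'rb');
fseek($fh, $start);
$remaining = $end - $start + 1;
while ($remaining > 0 && !feof($fh) && !connection_aborted()) {
    $chunk = fread($fh, min(CHUNK_BYTES, $remaining));
    if ($chunk === false || $chunk === '') {
        break;
    }
    echo $chunk;
    flush();
    $remaining -= strlen($chunk);
}
fclose($fh);
```

The Accept-Ranges header is what tells a download manager that resuming is supported; without it the client falls back to a single full download even though the script would have honoured a Range request. Only single ranges are handled here; a multi-range header (bytes=0-99,200-299) is treated as malformed and answered with the whole file, which is permitted by the HTTP specification and keeps the response logic simple.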
