Suggest adding hotlink protection to prevent traffic abuse
ZhiXuanWang opened this issue · comments
Idea: for image GET requests, add signature-verification parameters. Configure an access key (ak) plus a timestamp, and pass the encrypted parameters along with the request. The request is allowed if the parameters verify correctly and the timestamp is within 2 minutes before or after the current time.
Wouldn't the whitelist approach be the simplest? For example, restrict the domains that may embed the image resources to a whitelist that contains the domain you deployed yourself.
```toml
# wrangler.toml
name = "cf-image-hosting"
compatibility_date = "2023-12-01"
main = "src/index.ts"

[env.dev.vars]
API_HOST = "https://telegraph.mingming.dev"
USERNAME = "admin"
PASSWORD = "admin"
whiteList = ['localhost', 'abc.com', '123.com']

[env.prod.vars]
API_HOST = "https://telegra.ph"
USERNAME = "admin"
PASSWORD = "123456"
whiteList = ['img.164746.xyz', '164746.xyz', '1024it.eu.org']

[site]
bucket = "./src"
```
```ts
// src/index.ts
import { Hono } from "hono";
import { serveStatic } from "hono/cloudflare-workers";
import { basicAuth } from "hono/basic-auth";

// Bindings are supplied by the [env.*.vars] sections of wrangler.toml
type Bindings = {
  API_HOST: string;
  USERNAME: string;
  PASSWORD: string;
  whiteList: string[];
};

const app = new Hono<{ Bindings: Bindings }>();

// Protect the upload page at "/" with HTTP Basic auth
app.use("/", async (c, next) => {
  const auth = basicAuth({
    username: c.env.USERNAME,
    password: c.env.PASSWORD,
  });
  return auth(c, next);
});

app.get("/*", serveStatic({ root: "./public" }));

app.post("/upload", async (c) => {
  const body = await c.req.parseBody();
  const formData = new FormData();
  // Telegraph ignores filenames, so we can use any filename we want!
  formData.append("file", body.file as Blob, "test.png");
  return fetch(`${c.env.API_HOST}/upload`, {
    method: "POST",
    body: formData,
  });
});

app.get("/file/:fileName", async (c) => {
  // Reduce the Referer to its bare hostname, e.g. "https://abc.com:8443/page" -> "abc.com"
  const referrer = c.req.header("Referer") || "";
  const hostWithPort = referrer.split("/")[2] || "";
  const host = hostWithPort.split(":")[0] || "";
  if ((referrer && c.env.whiteList.includes(host)) || !referrer) {
    // The referring domain is on the whitelist: pass the request through. An empty Referer means
    // the image was requested directly (e.g. the image URL typed into the browser's address bar).
    return fetch(`${c.env.API_HOST}/file/${c.req.param("fileName")}`);
  } else {
    return fetch("https://pic.diydoutu.com/bq/1061.jpg");
  }
});

export default app;
```
> Wouldn't the whitelist approach be the simplest? For example, restrict the domains that may embed the image resources to a whitelist that contains the domain you deployed yourself.

Implemented following the expert's guidance: https://github.com/ZhiXuanWang/cf-image-hosting/tree/img