<dependencies>
    <!-- Web支持 -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>

    <!-- 緩存支持（可選） -->
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-cache</artifactId>
    </dependency>

    <!-- Lombok（簡化代碼） -->
    <dependency>
        <groupId>org.projectlombok</groupId>
        <artifactId>lombok</artifactId>
        <optional>true</optional>
    </dependency>
</dependencies>

# 防盜鏈配置
anti-hotlink:
  # 是否啟用防盜鏈
  enabled: true
  # 允許的域名列表（支持子域名和正則）
  allowed-domains:
    - localhost
    - 127.0.0.1
    - "*.example.com"
    - "^test\\d+\\.domain\\.com$"  # 匹配test1.domain.com等
  # 需要保護(hù)的資源格式（結(jié)尾匹配）
  protected-formats:
    - .jpg
    - .jpeg
    - .png
    - .gif
  # 是否允許直接訪問（無Referer）
  allow-direct-access: true
  # 拒絕訪問時的動作（REDIRECT/FORBIDDEN/DEFAULT_IMAGE）
  deny-action: DEFAULT_IMAGE
  # 默認(rèn)圖片路徑
  default-image: /images/no-hotlinking.png
  # 白名單路徑（無需檢查）
  whitelist-paths:
    - /api/public/**
    - /images/public/**

import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.core.env.Environment;
import org.springframework.stereotype.Component;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.*;
import java.util.regex.Pattern;

/**
 * 圖片防盜鏈過濾器
 */
@Component
@Slf4j
public class AntiHotlinkFilter implements Filter {

    // 從配置中讀取參數(shù)
    @Value("${anti-hotlink.enabled}")
    private boolean enabled;

    @Value("${anti-hotlink.allowed-domains}")
    private List<String> allowedDomains;

    @Value("${anti-hotlink.protected-formats}")
    private List<String> protectedFormats;

    @Value("${anti-hotlink.allow-direct-access}")
    private boolean allowDirectAccess;

    @Value("${anti-hotlink.deny-action}")
    private String denyAction;

    @Value("${anti-hotlink.default-image}")
    private String defaultImage;

    @Value("${anti-hotlink.whitelist-paths}")
    private List<String> whitelistPaths;

    // 路徑匹配工具
    private final AntPathMatcher pathMatcher = new AntPathMatcher();

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (!enabled) {
            chain.doFilter(request, response);
            return;
        }

        HttpServletRequest httpRequest = (HttpServletRequest) request;
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        String requestURI = httpRequest.getRequestURI();
        String referer = httpRequest.getHeader("Referer");

        // 檢查是否在白名單中
        if (isWhitelisted(requestURI)) {
            chain.doFilter(request, response);
            return;
        }

        // 檢查是否是受保護(hù)的資源格式
        if (!isProtectedResource(requestURI)) {
            chain.doFilter(request, response);
            return;
        }

        // 直接訪問（無Referer）且允許
        if (allowDirectAccess && referer == null) {
            chain.doFilter(request, response);
            return;
        }

        // 檢查Referer是否合法
        if (isValidReferer(referer)) {
            chain.doFilter(request, response);
        } else {
            handleInvalidRequest(httpResponse);
        }
    }

    /**
     * 檢查路徑是否在白名單中
     */
    private boolean isWhitelisted(String requestURI) {
        for (String path : whitelistPaths) {
            if (pathMatcher.match(path, requestURI)) {
                return true;
            }
        }
        return false;
    }

    /**
     * 檢查是否是受保護(hù)的資源格式
     */
    private boolean isProtectedResource(String requestURI) {
        for (String format : protectedFormats) {
            if (requestURI.endsWith(format)) {
                return true;
            }
        }
        return false;
    }

    /**
     * 檢查Referer是否合法
     */
    private boolean isValidReferer(String referer) {
        if (referer == null) {
            return false;
        }

        for (String domain : allowedDomains) {
            if (domain.startsWith("^")) {
                // 正則匹配
                Pattern pattern = Pattern.compile(domain.substring(1));
                if (pattern.matcher(referer).matches()) {
                    return true;
                }
            } else if (domain.equals("*")) {
                // 通配符匹配
                return true;
            } else if (referer.contains(domain)) {
                // 精確匹配
                return true;
            }
        }
        return false;
    }

    /**
     * 處理非法請求
     */
    private void handleInvalidRequest(HttpServletResponse response) throws IOException {
        switch (denyAction) {
            case "REDIRECT":
                response.sendRedirect("https://example.com/forbidden");
                break;
            case "FORBIDDEN":
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Forbidden");
                break;
            case "DEFAULT_IMAGE":
                response.sendRedirect(defaultImage);
                break;
            default:
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Forbidden");
        }
    }
}

import org.springframework.stereotype.Component;
import org.springframework.web.servlet.HandlerInterceptor;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * 圖片防盜鏈攔截器
 */
@Component
public class AntiHotlinkInterceptor implements HandlerInterceptor {

    // 配置參數(shù)（需從配置文件注入）
    private final List<String> allowedDomains;
    private final List<String> protectedFormats;
    private final boolean allowDirectAccess;
    private final String denyAction;
    private final String defaultImage;

    public AntiHotlinkInterceptor(
            List<String> allowedDomains,
            List<String> protectedFormats,
            boolean allowDirectAccess,
            String denyAction,
            String defaultImage) {
        this.allowedDomains = allowedDomains;
        this.protectedFormats = protectedFormats;
        this.allowDirectAccess = allowDirectAccess;
        this.denyAction = denyAction;
        this.defaultImage = defaultImage;
    }

    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        String requestURI = request.getRequestURI();
        String referer = request.getHeader("Referer");

        // 檢查是否是受保護(hù)的資源格式
        if (!isProtectedResource(requestURI)) {
            return true;
        }

        // 直接訪問（無Referer）且允許
        if (allowDirectAccess && referer == null) {
            return true;
        }

        // 檢查Referer是否合法
        if (isValidReferer(referer)) {
            return true;
        } else {
            handleInvalidRequest(response);
            return false;
        }
    }

    private boolean isProtectedResource(String requestURI) {
        for (String format : protectedFormats) {
            if (requestURI.endsWith(format)) {
                return true;
            }
        }
        return false;
    }

    private boolean isValidReferer(String referer) {
        if (referer == null) {
            return false;
        }

        for (String domain : allowedDomains) {
            if (domain.startsWith("^")) {
                // 正則匹配
                Pattern pattern = Pattern.compile(domain.substring(1));
                if (pattern.matcher(referer).matches()) {
                    return true;
                }
            } else if (domain.equals("*")) {
                // 通配符匹配
                return true;
            } else if (referer.contains(domain)) {
                // 精確匹配
                return true;
            }
        }
        return false;
    }

    private void handleInvalidRequest(HttpServletResponse response) throws IOException {
        switch (denyAction) {
            case "REDIRECT":
                response.sendRedirect("https://example.com/forbidden");
                break;
            case "FORBIDDEN":
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Forbidden");
                break;
            case "DEFAULT_IMAGE":
                response.sendRedirect(defaultImage);
                break;
            default:
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Forbidden");
        }
    }
}

location ~* \.(jpg|jpeg|png|gif)$ {
    # 限制Referer
    valid_referers none blocked example.com *.example.com ~\.example\.com$;
    if ($invalid_referer) {
        rewrite ^/images/(.*)$ /images/no-hotlinking.png last;
    }
}

import java.security.MessageDigest;
import java.time.Instant;
import java.util.Base64;

public class TokenGenerator {

    private static final String SECRET_KEY = "your-secret-key";
    private static final int TTL_SECONDS = 300; // 5分鐘過期

    public static String generateSignedUrl(String filePath) {
        long timestamp = Instant.now().getEpochSecond();
        String token = generateToken(filePath, timestamp);
        return "https://yourdomain.com" + filePath + "?token=" + token + "&ts=" + timestamp;
    }

    private static String generateToken(String filePath, long timestamp) {
        try {
            String input = filePath + SECRET_KEY + timestamp;
            MessageDigest md = MessageDigest.getInstance("MD5");
            byte[] digest = md.digest(input.getBytes());
            return Base64.getEncoder().encodeToString(digest);
        } catch (Exception e) {
            throw new RuntimeException("Token generation failed", e);
        }
    }

    public static boolean validateToken(String filePath, String token, long timestamp) {
        return generateToken(filePath, timestamp).equals(token);
    }
}

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {
    HttpServletRequest httpRequest = (HttpServletRequest) request;
    HttpServletResponse httpResponse = (HttpServletResponse) response;

    String requestURI = httpRequest.getRequestURI();
    String referer = httpRequest.getHeader("Referer");

    // 檢查是否是簽名請求
    if (isSignedRequest(httpRequest)) {
        chain.doFilter(request, response);
        return;
    }

    // 其余邏輯同方法1
}

@Cacheable("hotlink_domains")
private boolean isAllowedDomain(String domain) {
    // 緩存域名檢查結(jié)果
    return allowedDomains.contains(domain);
}