Best way to block access by url and valid referrer?

Rt Ibmer rtibmx at yahoo.com
Tue Apr 29 18:56:43 MSD 2008


I have a requirement to only allow requests from certain referrers.  The trickier part is that the list of valid referrers changes based on what is in the query string. I would like to know the most efficient way to do this in nginx please.

For example, assume that "account1" may only make requests with referrers from abc.com and def.com, and "account2" may only make requests with referrers from xyz.com.

Further, assume these requests hit my nginx server:

   http://www.mynginxserver.com/somefile.htm?id=account1
   I want to allow the request for the above only if the referrer is from abc.com or def.com

   http://www.mynginxserver.com/somefile.htm?id=account2
   I want to allow the request for the above only if the referrer is from xyz.com

Currently in my implementation I do not have the above authorization scheme factored in, and I'm doing this:

        location / {
                proxy_pass      http://my_upstream_servers;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        }

So now I am looking at implementing my authorization scheme and wondering what is the best way to do this.

For example, am I correct to assume that I would have to have a separate "location" directive/block for each account that would be made to match the id=accountX part?  And within each location block I would have a valid_referrers statement that listed what was valid for that account?

Or is there a better way to map this out?

Also I will have thousands of accounts (most of which will only have one or two valid referrers defined).  Would nginx process all those location blocks extremely fast or would all that regex'ing slow things down considerably if doing thousands of them?

Thank you!
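One way to express the per-account referrer rule described in this post, as an added example that is not part of the original message and not taken from the nginx project. It assumes a current nginx in which `map` accepts combined variables and named regex captures; the account ids, hosts and upstream name are the ones from the post. Exact-string `map` entries are hash lookups, so thousands of accounts do not mean thousands of regex tests per request.

```nginx
# Added example; place the two map blocks in the http {} context.

# Step 1: reduce the Referer header to its host part.
# A missing or malformed Referer yields "", which matches no entry below.
# Anything before the first "/", ":", "?" or "#" is captured, so a value
# such as "abc.com@other.example" stays intact and fails the exact match.
map $http_referer $referer_host {
    default                          "";
    "~*^https?://(?<h>[^/:?#]+)"     $h;
}

# Step 2: one exact-match entry per (account id, allowed referrer host).
# Subdomains such as www.abc.com need their own entries.
# With many entries, map_hash_max_size and map_hash_bucket_size may need
# raising, and the entries can be moved to a generated file pulled in
# with "include".
map "$arg_id:$referer_host" $referer_allowed {
    default               0;
    "account1:abc.com"    1;
    "account1:def.com"    1;
    "account2:xyz.com"    1;
}

server {
    listen      80;
    server_name www.mynginxserver.com;

    location / {
        # Unknown account, unlisted host or absent Referer: refuse.
        if ($referer_allowed = 0) {
            return 403;
        }

        # Upstream group defined elsewhere, as in the original config.
        proxy_pass       http://my_upstream_servers;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

The Referer header is supplied by the client, so this check restricts which sites can embed or link the resource from ordinary browsers; it does not authenticate the caller.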



More information about the nginx mailing list