Best way to block access by url and valid referrer?

François Battail fb at francois.battail.name
Tue Apr 29 21:06:35 MSD 2008


Rt Ibmer <rtibmx at ...> writes:

> I have a requirement to only allow requests from certain referrers. The
> trickier part is that the list of valid referrers changes based on what is
> in the query string. I would like to know the most efficient way to do this
> in nginx please.
> [...]

According to RFC2616:

"14.36 Referer

The Referer[sic] request-header field allows the client to specify, for the
server's benefit, the address (URI) of the resource from which the Request-URI
was obtained (the "referrer", although the header field is misspelled.) The
Referer request-header allows a server to generate lists of back-links to
resources for interest, logging, optimized caching, etc. It also allows obsolete
or mistyped links to be traced for maintenance. The Referer field MUST NOT be
sent if the Request-URI was obtained from a source that does not have its own
URI, such as input from the user keyboard."

So it seems that the referrer field is not mandatory, and an application should
not rely on this field. At the server level you can block resource stealing done
by script kiddies *if* this field is present and not forged, that's all.

If you have control over abc, def... try using a more robust method than a simple
link (a form with POST data) or GET data containing an encoded timestamp... it
will be far more reliable but still not perfect.

If you use a POST or a GET you should be able to develop a specific Nginx module
to avoid thousands of regexes and without needing to call your application.

I don't know what the precise context of your application is, but try to avoid
the possibility of forged data input, like relying on the referrer value.

Best regards.
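As an added example (not part of this thread, and not nginx's own code), the following Python sketch contrasts the two checks discussed above: the Referer-based allowlist keyed on a query-string parameter that the question asks for, and the signed, expiring token in the query string that the reply recommends instead (the idea behind nginx's secure_link module). The `site` parameter name, the `REFERRERS_BY_SITE` table and the `SECRET` value are constructed for the example.

```python
import hmac
import hashlib
import time
from urllib.parse import urlparse, parse_qs, urlencode

# Hypothetical shared secret; in practice load it from configuration, never hard-code it.
SECRET = b"example-shared-secret"

# Constructed example of "the list of valid referrers changes based on what is
# in the query string": the 'site' query parameter selects the allowed referrer hosts.
REFERRERS_BY_SITE = {
    "abc": {"abc.example", "www.abc.example"},
    "def": {"def.example"},
}


def referrer_allowed(query_string, referer_header):
    """Weak check from the question: is the Referer host on the list selected
    by the query string?  Returns False when the header is absent, because
    RFC 2616 makes the header optional, so its absence proves nothing either
    way and the caller has to make an explicit policy decision.  Any client
    can also send an arbitrary Referer, so a True result is not proof of origin."""
    site = parse_qs(query_string).get("site", [None])[0]
    allowed = REFERRERS_BY_SITE.get(site)
    if not allowed or not referer_header:
        return False
    host = urlparse(referer_header).hostname
    return host in allowed


def sign_url(path, ttl_seconds, now=None):
    """Stronger check from the reply: embed an expiry timestamp and an HMAC over
    path + expiry in the query string.  A client cannot forge the signature
    without SECRET, and the link stops working once the expiry passes."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    mac = hmac.new(SECRET, f"{path}|{expires}".encode(), hashlib.sha256).hexdigest()
    return f"{path}?{urlencode({'expires': expires, 'sig': mac})}"


def verify_url(url, now=None):
    """Return True only if the signature matches the path and expiry and the
    expiry is still in the future.  Malformed or missing parameters fail closed."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    try:
        expires = int(params["expires"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return False
    if expires <= now:
        return False
    expected = hmac.new(SECRET, f"{parsed.path}|{expires}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the signature byte by byte.
    return hmac.compare_digest(expected, sig)


if __name__ == "__main__":
    link = sign_url("/video/1.mp4", ttl_seconds=60)
    print("signed link:", link)
    print("valid now:", verify_url(link))
    print("referrer ok:", referrer_allowed("site=abc", "https://www.abc.example/page"))
```

The signed link only proves that whoever minted it held the secret and that it has not expired; it does not identify the user, which is why the reply calls the approach "far more reliable but still not perfect".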
