valid_referers directive not working correctly
justin
nginx-forum at nginx.us
Mon Nov 12 09:03:49 UTC 2012
I am trying to block all requests which do not come from my own server. A
quick read of the nginx wiki led me to the valid_referers directive. I
implemented it like:
    server {
        listen 80;
        server_name ~^(?<account>.+)\.my-domain\.io$;
        root /srv/www/accounts/$account/app;
        index index.php;
        access_log /var/log/nginx/accounts/$account/access.log;
        error_log /var/log/nginx/accounts/error.log;
        include /etc/nginx/excludes.conf;
        include /etc/nginx/expires.conf;
        location / {
            valid_referers server_names not-my-domain.com;
            if ($invalid_referer) {
                return 403;
            }
            location ~\.php {
                try_files $uri =404;
                fastcgi_index index.php;
                fastcgi_intercept_errors on;
                fastcgi_pass 127.0.0.1:3001;
                include /etc/nginx/fastcgi_params;
                fastcgi_param MY_DOMAIN_ACCOUNT $account;
            }
        }
    }
I purposefully put not-my-domain.com instead of my-domain.com to make sure a
403 status code was returned. Unfortunately, it is not. I wrote a simple
HTML file with an iframe that grabs a PHP page from the server from a
different domain. This should be returning a 403 code, but it works.

Any ideas? Thanks.
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,232722,232722#msg-232722
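
Added example, not part of the original post: nginx serves each request from exactly one location, and `if`/`return` apply only in the location where they are written, so a `.php` request that ends up in `location ~\.php` (nested or sibling) never evaluates the check in `location /`. The sketch below reuses the post's names and repeats the check in the PHP location; the Referer header is client-supplied, so this limits casual embedding and is not authentication.

```nginx
server {
    listen 80;
    server_name ~^(?<account>.+)\.my-domain\.io$;
    root /srv/www/accounts/$account/app;
    index index.php;

    # Requests that are finally served from "location /" (static files,
    # directory index lookups) are checked here.
    location / {
        # No "none" or "blocked" parameter: a request with a missing or
        # stripped Referer header also counts as invalid.
        valid_referers server_names;
        if ($invalid_referer) {
            return 403;
        }
    }

    # Any URI matching \.php is handled by this location alone. The "if"
    # in "location /" is not inherited and not run for these requests,
    # so the referer check has to be stated again where PHP is served.
    location ~ \.php {
        valid_referers server_names;
        if ($invalid_referer) {
            return 403;
        }

        try_files $uri =404;
        fastcgi_index index.php;
        fastcgi_intercept_errors on;
        fastcgi_pass 127.0.0.1:3001;          # backend address from the post
        include /etc/nginx/fastcgi_params;    # path from the post
        fastcgi_param MY_DOMAIN_ACCOUNT $account;
    }
}
```

To verify, request a `.php` URI with `curl -e http://not-my-domain.com/ ...` and confirm a 403, then repeat with a Referer under the server's own name and confirm the page is served.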