No referrer header on leecher's site !!

shahzaib mushtaq shahzaib.cb at gmail.com
Thu Apr 6 07:50:01 UTC 2017


> With the controls sites have over the referrer header, it's not very
> effective as an access control mechanism. You can use something like
> http://nginx.org/en/docs/http/ngx_http_secure_link_module.html
> instead.

We're also using the Nginx secure link module based on HASH + expiry, but
somehow this secure link is exploited by that website. The video link hash
on his website exactly matches ours, meaning that no matter if a hash
expires and a new one takes its place, that leecher is also getting the new
hash, and we're unable to find out how he exploited us. Though on digging
more into this, we found that he's using the following script to fetch
video links from our website:

https://github.com/XvBMC/repository.xvbmc/blob/master/plugin.video.saltsrd.lite/scrapers/dizibox_scraper.py

His website name is also dizibox1.


On Wed, Apr 5, 2017 at 1:54 AM, Francis Daly <francis at daoine.org> wrote:

> On Tue, Apr 04, 2017 at 04:39:23PM +0500, shahzaib mushtaq wrote:
>
> Hi there,
>
> > Thanks for the quick response. Well, it's the reverse: he's putting our HTTPS
> > video link on his HTTP website. Could that create an issue as well? If yes,
> > what's the fix for it?
>
> nginx does not know (or care) what the linking site does. All it can
> see is the request made to it.
>
> The browser entirely controls what request headers the browser sends.
>
> If you want to deny all requests that have no Referer header, you can
> do that.
>
> If you want to deny only some requests that have no Referer header,
> you will need to tell nginx which requests to deny and which requests to
> allow. But before you can do that, you will have to know how to identify
> the requests in one of the sets.
>
>         f
> --
> Francis Daly        francis at daoine.org
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
>
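The secure-link scenario in this thread, worked through as an added example that is not code from the post or from nginx: a Python model of `secure_link_md5` with the expression `"$secure_link_expires$uri$remote_addr secret"`, showing why a link that a scraper fetches from the page is accepted when the hash is not bound to the client address, and rejected from a different address when it is. The secret, addresses and timestamps are constructed placeholders.

```python
import base64
import hashlib
import hmac

# Constructed placeholder secret; in nginx it is the literal at the end of
# the secure_link_md5 expression, never sent to the client.
SECRET = "change-me-placeholder"


def make_token(uri: str, client_ip: str, expires: int, secret: str = SECRET) -> str:
    """Mirror of what nginx computes for
       secure_link_md5 "$secure_link_expires$uri$remote_addr secret";
    nginx compares base64url(md5(expr)) with trailing '=' removed."""
    expr = f"{expires}{uri}{client_ip} {secret}".encode()
    digest = hashlib.md5(expr).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")


def signed_url(uri: str, client_ip: str, ttl: int, now: int) -> str:
    """Link the HTML page embeds; 'expires' is a unix timestamp."""
    expires = now + ttl
    return f"{uri}?md5={make_token(uri, client_ip, expires)}&expires={expires}"


def verify(uri: str, client_ip: str, md5: str, expires: int, now: int) -> str:
    """Same decision nginx puts in $secure_link:
       ""  -> hash mismatch (deny),  "0" -> expired (deny),  "1" -> allow."""
    expected = make_token(uri, client_ip, expires)
    if not hmac.compare_digest(expected, md5):
        return ""
    if expires <= now:
        return "0"
    return "1"


def parse_query(url: str) -> tuple[str, str, int]:
    uri, _, query = url.partition("?")
    params = dict(kv.split("=", 1) for kv in query.split("&"))
    return uri, params["md5"], int(params["expires"])


def scraper_replay(uri: str, scraper_ip: str, viewer_ip: str, now: int) -> str:
    """A scraper (at scraper_ip) fetches the page and hands the embedded link
    to a viewer at viewer_ip. With $remote_addr in the hash, the viewer's
    request from another address fails the hash check."""
    path, md5, expires = parse_query(signed_url(uri, scraper_ip, 300, now))
    return verify(path, viewer_ip, md5, expires, now + 5)
```

If the expression omits `$remote_addr`, the token depends only on the URI and expiry, so anyone who can read the page (as the scraper in the linked script does) holds a valid link until it expires; binding to the address also means clients behind NAT or a changing proxy path need the page and the video fetched from the same address.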