Nginx Valid Referer - Access Control - Help Wanted

Francis Daly francis at daoine.org
Thu Feb 20 14:20:30 UTC 2020


On Wed, Feb 19, 2020 at 06:30:39PM -0500, AshleyinSpain wrote:
> Francis Daly Wrote:
> > On Thu, Feb 06, 2020 at 06:02:50PM -0500, AshleyinSpain wrote:

Hi there,

> > > I am trying to block direct access to any URL with a directory /radio/
> > > 
> > > The URLs look like sub.domain.tld/radio/1234/mytrack.mp3?45678901

> > > I need it so the URL is only served if a link on *.mysite.* is clicked ie
> > > the track is only played through an html5 audio player on mysite
> > 
> > That is not a thing that can be done reliably.

> The valid_referer part doesn't work though, 
> 
> valid_referers server_names 
>     *.mysite.com mysite.com dev.mysite.* can.mysite.*
> can.mysite.com/dashboard
>     ~\.mysite\.;
> 
> it doesn't recognise the parameters or urls

Can you show exactly what you mean by "doesn't work"? It seems to work
for me.

That is, if I use

===
  server {
    listen 8080 default_server;
    server_name three;
    location ^~ /radio/ {
      valid_referers server_names
        *.mysite.com mysite.com dev.mysite.* can.mysite.*
        can.mysite.com/dashboard ~\.mysite\.;
      if ($invalid_referer) { return 403; }
      return 200 "This request is allowed: $request_uri, $http_referer\n";
    }
  }
===

then I see (403 is "blocked"; 200 is "allowed"):

# no Referer
$ curl -i  http://127.0.0.1:8080/radio/one
403

# Referer that matches can.mysite.*
$ curl -i -H Referer:http://can.mysite.cxx http://127.0.0.1:8080/radio/one
200

# Referer that does not match can.mysite.com/dashboard
curl -i -H Referer:http://can.mysite.com/dashboar http://127.0.0.1:8080/radio/one
403

# Referer that matches can.mysite.com/dashboard
curl -i -H Referer:http://can.mysite.com/dashboards http://127.0.0.1:8080/radio/one
200

# Referer that matches a server_name
$ curl -i -H Referer:https://three http://127.0.0.1:8080/radio/one
200

> I copied the examples in the docs and I have tried loads of variations taken
> from various suggestions etc online

If you can show one specific config that you use; and one specific
request that you make; and the response that you get and how it is not
the response that you want; it will probably be easier to identify where
the problem is.

> When you say above -  That is not a thing that can be done reliably is that
> because the headers can be 'forged' or it just doesn't work properly

The headers can be forged, just like I do above in the "curl" commands.

All the best,

	f
-- 
Francis Daly        francis at daoine.org
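Added example, not part of Francis's message or of the nginx project: a small Python model of how `valid_referers` reaches its decision, checked against the five curl cases in the message above. The lookup order it encodes (exact host first, then `*.host` and `host.*` wildcards, then `~` regexes) and the rule that a listed host carrying a URI prefix decides the result on its own, without falling back to wildcards or regexes, are my reading of the referer module's behaviour rather than anything stated on the page; the `/dashboar` result above (403, even though `*.mysite.com` and `~\.mysite\.` would otherwise match) is consistent with it. Hosts, paths and the `RADIO` configuration are constructed from the thread.

```python
import re
from typing import Optional

# Sentinel for "host listed without a URI prefix" (nginx calls this
# NGX_HTTP_REFERER_NO_URI_PART internally; the name here is mine).
NO_URI = object()


class ValidReferers:
    """Model of one valid_referers directive (assumed semantics, see lead-in)."""

    def __init__(self, server_names, *entries):
        self.none = False
        self.blocked = False
        self.exact = {}     # "can.mysite.com" -> "/dashboard" or NO_URI
        self.wc_head = {}   # "*.mysite.com"  stored as ".mysite.com"
        self.wc_tail = {}   # "can.mysite.*"  stored as "can.mysite."
        self.regexes = []   # "~pattern" entries, matched case-insensitively
        for e in entries:
            if e == "none":
                self.none = True
            elif e == "blocked":
                self.blocked = True
            elif e == "server_names":
                for name in server_names:
                    self._add(name.lower(), NO_URI)
            elif e.startswith("~"):
                self.regexes.append(re.compile(e[1:], re.IGNORECASE))
            else:
                host, sep, path = e.partition("/")
                self._add(host.lower(), (sep + path) if sep else NO_URI)

    def _add(self, host, uri):
        if host.startswith("*."):
            self.wc_head[host[1:]] = uri
        elif host.endswith(".*"):
            self.wc_tail[host[:-1]] = uri
        else:
            self.exact[host] = uri

    def _lookup_host(self, host):
        """Exact host, then '*.suffix', then 'prefix.*'; None when nothing matches."""
        if host in self.exact:
            return self.exact[host]
        # '*.mysite.com' matches 'a.mysite.com' and 'a.b.mysite.com', never 'mysite.com'
        heads = [s for s in self.wc_head if host.endswith(s) and len(host) > len(s)]
        if heads:
            return self.wc_head[max(heads, key=len)]
        # 'can.mysite.*' matches 'can.mysite.com' and 'can.mysite.co.uk'
        tails = [p for p in self.wc_tail if host.startswith(p) and len(host) > len(p)]
        if tails:
            return self.wc_tail[max(tails, key=len)]
        return None

    def is_valid(self, referer: Optional[str]) -> bool:
        """True when $invalid_referer would be empty for this Referer header value."""
        if referer is None:
            return self.none
        low = referer.lower()
        if low.startswith("http://"):
            rest = referer[7:]
        elif low.startswith("https://"):
            rest = referer[8:]
        else:
            return self.blocked      # only 'blocked' accepts scheme-less junk
        host = re.match(r"[^/:]*", rest).group(0).lower()   # up to first '/' or ':'
        uri_prefix = self._lookup_host(host)
        if uri_prefix is not None:
            # A string entry matched the host: the answer is decided here. Regexes are
            # not consulted, which is why ".../dashboar" is rejected in the thread.
            if uri_prefix is NO_URI:
                return True
            path = rest[rest.find("/"):] if "/" in rest else ""
            return path.startswith(uri_prefix)
        # No string entry matched: regexes run against host+path with the scheme removed.
        return any(r.search(rest) for r in self.regexes)


# The directive from the message above, inside server_name "three".
RADIO = ValidReferers(
    ["three"],
    "server_names", "*.mysite.com", "mysite.com", "dev.mysite.*", "can.mysite.*",
    "can.mysite.com/dashboard", r"~\.mysite\.",
)


def status_for(referer: Optional[str]) -> int:
    """Mirror 'if ($invalid_referer) { return 403; } return 200;'."""
    return 200 if RADIO.is_valid(referer) else 403


if __name__ == "__main__":
    for ref in (None, "http://can.mysite.cxx", "http://can.mysite.com/dashboar",
                "http://can.mysite.com/dashboards", "https://three"):
        print(status_for(ref), ref)
```

The input to `is_valid` is whatever string the client chose to put in the Referer header, which is the whole point of the curl examples: the model, like nginx, cannot tell a browser's header from a forged one, so the check is a hotlinking deterrent rather than access control.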
