Best way to block access by url and valid referrer?

Rt Ibmer rtibmx at yahoo.com
Wed Apr 30 00:20:03 MSD 2008


>According to RFC2616:
>"14.36 Referer
>The Referer[sic] request-header field allows the client to specify, for the
>If you have control on abc, def... try using a more robust method that a simple

Thank you for your concern and pointing this out. I should have mentioned that I am aware of the limitations of this approach and that the referrer can be absent or easily faked.

However I do not have control over the GET requests coming in. Basically we give our users an id=accountX string and only want to provide the requested content if they embed the link to us within their web site for which we allow such usage (as deemed from the referrer).

Although they can easily fake the referrer it will not do them much good to do so because they will want to link to our user's web site, and unless they instruct their web site users to take special measures to hide or forge their referrer (this would not be worth it for them anyway) then this method should be sufficient 

So assuming that its "good enough" for me to rely on matching their account id to a referrer what would you say is the best way to do what I was inquiring about in my original message on the subject? 

>If you use a POST or a GET you should be able to develop a specific Nginx module
>to avoid thousands of regex and without need to call your application.

In light of my response above do you still think that is the best way to go? Basically I'd create a module so that I could do something like add a "authenticate" directive (something I made up that my module looks for) to one "location" block, and then enforce all that logic from my custom module?  

That certainly seems like a more efficient way of doing it since I won't have to define thousands of "location" blocks.  Although I imagine the processing speed won't be much different, as it'll still have to do thousands of regex comparisons.  Well, then again maybe it wouldn't - I could probably take their account id from  the query string and use it for a hash lookup to acess a string of valid referrers and compare that...?

Thank you.



      ____________________________________________________________________________________
Be a better friend, newshound, and 
know-it-all with Yahoo! Mobile.  Try it now.  http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ






More information about the nginx mailing list