valid_referers directive not working correctly

justin nginx-forum at
Mon Nov 12 09:03:49 UTC 2012

I am trying to block all requests which do not come from my own server. A
quick read of the nginx wiki led me to the valid_referers directive. I
implemented it like:

server {
  listen 80;

  server_name ~^(?<account>.+)\.my-domain\.io$;

  root /srv/www/accounts/$account/app;

  index index.php;

  access_log /var/log/nginx/accounts/$account/access.log;
  error_log /var/log/nginx/accounts/error.log;

  include /etc/nginx/excludes.conf;
  include /etc/nginx/expires.conf;

  location / {
    valid_referers server_names;
    if ($invalid_referer) {
      return 403;
    }

    location ~\.php {
      try_files $uri =404;
      fastcgi_index index.php;
      fastcgi_intercept_errors on;
      include /etc/nginx/fastcgi_params;
      fastcgi_param MY_DOMAIN_ACCOUNT $account;
    }
  }
}

I purposefully put instead of to make sure a
403 status code was returned. Unfortunately, it is not. I wrote a simple
HTML file with an iframe that grabs a PHP page from the server from a
different domain. This should be returning a 403 code, but it works.

Any ideas? Thanks.

Posted at Nginx Forum:,232722,232722#msg-232722
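
An added example, not part of the original post: nginx runs the if/return directives only of the location that finally handles a request, so a check written in "location /" is not evaluated for a request that ends up in "location ~\.php". One arrangement that covers both is to put the check at server level; the fastcgi_pass address below is a placeholder, and because the Referer header is set by the client this limits casual embedding rather than authenticating the caller.

```nginx
server {
  listen 80;
  server_name ~^(?<account>.+)\.my-domain\.io$;
  root /srv/www/accounts/$account/app;
  index index.php;

  # Declared at server level, so every location below inherits it.
  valid_referers server_names;

  # A server-level "if" runs in the server rewrite phase, before a
  # location is selected, so it applies to static files and PHP alike.
  # Without "none", requests that carry no Referer header at all
  # (typed URL, bookmark) are rejected with 403 as well.
  if ($invalid_referer) {
    return 403;
  }

  location / {
    try_files $uri $uri/ =404;
  }

  location ~\.php {
    try_files $uri =404;
    fastcgi_index index.php;
    fastcgi_intercept_errors on;
    include /etc/nginx/fastcgi_params;
    fastcgi_param MY_DOMAIN_ACCOUNT $account;
    fastcgi_pass 127.0.0.1:9000;  # placeholder backend, not from the post
  }
}
```

To check it, request a PHP page with a foreign Referer, for example `curl -s -o /dev/null -w '%{http_code}\n' -H 'Referer: http://other.example/' http://acct.my-domain.io/index.php` (both hostnames are constructed), and confirm that it prints 403.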