valid_referers directive not working correctly

justin nginx-forum at nginx.us
Mon Nov 12 09:03:49 UTC 2012


I am trying to block all requests which do not come from my own server. A
quick read of the nginx wiki led me to the valid_referers directive. I
implemented it like:

server {
  listen 80;

  server_name ~^(?<account>.+)\.my-domain\.io$;

  root /srv/www/accounts/$account/app;

  index index.php;

  access_log /var/log/nginx/accounts/$account/access.log;
  error_log /var/log/nginx/accounts/error.log;

  include /etc/nginx/excludes.conf;
  include /etc/nginx/expires.conf;

  location  /  {
    valid_referers server_names not-my-domain.com;
    if ($invalid_referer) {
      return 403;
    }

    location ~\.php {
      try_files $uri =404;
      fastcgi_index index.php;
      fastcgi_intercept_errors on;
      fastcgi_pass 127.0.0.1:3001;
      include /etc/nginx/fastcgi_params;
      fastcgi_param MY_DOMAIN_ACCOUNT $account;
    }
  }
}

I purposefully put not-my-domain.com instead of my-domain.com to make sure a
403 status code was returned. Unfortunately, it is not. I wrote a simple
HTML file with an iframe that grabs a PHP page from the server from a
different domain. This should be returning a 403 code, but it works.

Any ideas? Thanks.

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,232722,232722#msg-232722
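As an added illustration (not the poster's code), the Python below models how nginx's referer module evaluates a valid_referers list, so a list like the one above can be checked offline against the Referer values a browser really sends, including the one an iframe sends, which is the URL of the embedding page. One caveat the model does not reproduce: `if` and `return` are rewrite-module directives, and those placed in `location /` are not inherited by the nested `location ~\.php` that actually handles the PHP request, so a check that passes here can still never run in the configuration as posted. The host names and sample referers used in the tests are constructed.

```python
import re

# Added example, not the poster's code: an offline model of how nginx's
# ngx_http_referer_module decides $invalid_referer, so a valid_referers
# list can be checked against sample Referer values before relying on it.
# Token semantics follow the module documentation:
#   none         -> no Referer header at all
#   blocked      -> Referer present but not starting with http:// or https://
#   server_names -> any of the server's names (a leading "~" marks a regex)
#   name[/uri]   -> host plus optional URI prefix; "*" allowed at either end
#   ~regex       -> regex applied to the Referer text after the scheme
# Scheme and optional port are split off; nginx ignores the port as well.
_REFERER = re.compile(r"^https?://([^/:?#]+)(?::\d+)?(.*)$", re.I)

def _host_matches(name, host):
    """Match one host pattern (plain, *.suffix, prefix.* or ~regex) against host."""
    if name.startswith("~"):
        return re.search(name[1:], host) is not None
    name = name.lower()
    if name.startswith("*"):
        return host.endswith(name[1:])
    if name.endswith("*"):
        return host.startswith(name[:-1])
    return host == name

def referer_is_valid(referer, valid, server_names=()):
    """True when referer satisfies the list, i.e. $invalid_referer would be empty."""
    if not referer:
        return "none" in valid
    m = _REFERER.match(referer)
    if not m:
        return "blocked" in valid          # present, but no http:// or https://
    host, uri = m.group(1).lower(), m.group(2)
    patterns = []
    for tok in valid:
        if tok in ("none", "blocked"):
            continue
        if tok == "server_names":
            patterns.extend(server_names)
        elif tok.startswith("~"):
            if re.search(tok[1:], referer[m.start(1):]):
                return True
        else:
            patterns.append(tok)
    for pat in patterns:
        name, _, prefix = pat.partition("/")
        if _host_matches(name, host) and (not prefix or uri.startswith("/" + prefix)):
            return True
    return False
```

With the list from the post and a constructed server name, a referer from any other domain (an iframe on a third-party page, for instance) evaluates as invalid, which is the 403 the poster expected to see.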
