valid_referers directive not working correctly

Valentin V. Bartenev ne at vbart.ru
Mon Nov 12 09:13:38 UTC 2012


On Monday 12 November 2012 13:03:49 justin wrote:
> I am trying to block all requests which do not come from my own server. A
> quick read of the nginx wiki led me to the valid_referers directive. I
> implemented it like:
> 
> server {
>   listen 80;
> 
>   server_name ~^(?<account>.+)\.my-domain\.io$;
> 
>   root /srv/www/accounts/$account/app;
> 
>   index index.php;
> 
>   access_log /var/log/nginx/accounts/$account/access.log;
>   error_log /var/log/nginx/accounts/error.log;
> 
>   include /etc/nginx/excludes.conf;
>   include /etc/nginx/expires.conf;
> 
>   location  /  {
>     valid_referers server_names not-my-domain.com;
>     if ($invalid_referer) {
>       return 403;
>     }
> 
>     location ~\.php {
>       try_files $uri =404;
>       fastcgi_index index.php;
>       fastcgi_intercept_errors on;
>       fastcgi_pass 127.0.0.1:3001;
>       include /etc/nginx/fastcgi_params;
>       fastcgi_param MY_DOMAIN_ACCOUNT $account;
>     }
>   }
> }
> 
> I purposefully put not-my-domain.com instead of my-domain.com to make sure
> a 403 status code was returned. Unfortunately, it is not. I wrote a simple
> html file with an iframe that grabs a php page from the server from a
> different domain. This should be returning a 403 code, but it works.
> 
> Any ideas? Thanks.
> 

Your request to the php page is processed in "location ~\.php", which does not have any 
referrer constraints.

 wbr, Valentin V. Bartenev
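To make the answer concrete, here is an added example (not from either poster) of the configuration restructured so the check actually fires for the PHP requests. The point is that `valid_referers` itself is inherited by nested locations, but the `if ($invalid_referer)` block in `location /` is a rewrite-phase directive of that location only; once nginx selects the nested `location ~\.php`, the outer `if` is never evaluated. Placing both directives at `server` level runs the check in the server rewrite phase, before any location is chosen. The real referer list (`*.my-domain.io`) is assumed here in place of the poster's deliberate `not-my-domain.com` test value:

```nginx
server {
    listen 80;

    server_name ~^(?<account>.+)\.my-domain\.io$;

    root /srv/www/accounts/$account/app;
    index index.php;

    # Evaluated before location selection, so it covers every request,
    # including those handled by the nested PHP location below.
    # Assumed domain: adjust *.my-domain.io to the real site name.
    valid_referers server_names *.my-domain.io;
    if ($invalid_referer) {
        return 403;
    }

    location / {
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_index index.php;
            fastcgi_intercept_errors on;
            fastcgi_pass 127.0.0.1:3001;
            include /etc/nginx/fastcgi_params;
            fastcgi_param MY_DOMAIN_ACCOUNT $account;
        }
    }
}
```

To verify after `nginx -s reload`, send the same PHP request with different `Referer` headers, e.g. `curl -I -H 'Referer: http://other.example/' http://acct.my-domain.io/index.php` should now return 403 while `curl -I -H 'Referer: http://acct.my-domain.io/' http://acct.my-domain.io/index.php` returns 200. Two caveats: as written, a request with no `Referer` at all (typed-in URL, bookmark, many privacy settings) is also rejected; add `none` (and usually `blocked`) to the `valid_referers` list if that is not intended. And since `Referer` is supplied by the client, this only deters casual hotlinking and framing; it is not an authentication control.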