No referrer header on leacher's site !!
shahzaib mushtaq
shahzaib.cb at gmail.com
Thu Apr 6 07:50:01 UTC 2017
>> With the controls sites have over the referrer header, it's not very
>> effective as an access control mechanism. You can use something like
>> http://nginx.org/en/docs/http/ngx_http_secure_link_module.html
>> instead.
We're also using the Nginx secure link module based on HASH + expiry, but
somehow this secure link is exploited by that website. The video link hash
on his website exactly matches ours, which means that no matter if the hash
expires & a new one takes its place, that leecher is also getting the new
hash & we're unable to find how he exploited us. Though on digging more into
this we found that he's using the following script to fetch video links from
our website:
https://github.com/XvBMC/repository.xvbmc/blob/master/plugin.video.saltsrd.lite/scrapers/dizibox_scraper.py
His website name is also dizibox1.
On Wed, Apr 5, 2017 at 1:54 AM, Francis Daly <francis at daoine.org> wrote:
> On Tue, Apr 04, 2017 at 04:39:23PM +0500, shahzaib mushtaq wrote:
>
> Hi there,
>
> > Thanks for the quick response. Well, it's the reverse: he's putting our HTTPS video
> > link on his HTTP website. Could that create an issue as well? If yes, what's
> > the fix for it?
>
> nginx does not know (or care) what the linking site does. All it can
> see is the request made to it.
>
> The browser entirely controls what request headers the browser sends.
>
> If you want to deny all requests that have no Referer header, you can
> do that.
>
> If you want to deny only some requests that have no Referer header,
> you will need to tell nginx which requests to deny and which requests to
> allow. But before you can do that, you will have to know how to identify
> the requests in one of the sets.
>
> f
> --
> Francis Daly francis at daoine.org
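The situation described in this message, as an added example that is not part of the original thread: a link signed over only expiry and URI is accepted from any client that obtains it, so a script that fetches the page always receives a currently valid link. The sketch reimplements the token check of nginx's `secure_link_md5` in Python; the secret, URI, addresses and function names are constructed for illustration, and the `$remote_addr` variant follows the expression shown in the nginx module documentation.

```python
import base64
import hashlib
import hmac

SECRET = "example-secret"  # constructed placeholder, not a value from the thread


def token(expires, uri, secret=SECRET, client_ip=None):
    """Unpadded base64url of the MD5 digest, as secure_link_md5 expects.

    client_ip=None  models  secure_link_md5 "$secure_link_expires$uri secret";
    client_ip set   models  secure_link_md5 "$secure_link_expires$uri$remote_addr secret";
    """
    expr = f"{expires}{uri}{client_ip or ''} {secret}"
    digest = hashlib.md5(expr.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def check(md5_arg, expires, uri, remote_addr, now, bind_ip, secret=SECRET):
    """Mirror of $secure_link: "" = hash mismatch, "0" = expired, "1" = accepted."""
    expected = token(expires, uri, secret, remote_addr if bind_ip else None)
    if not hmac.compare_digest(md5_arg, expected):
        return ""
    return "1" if now <= expires else "0"


def demo():
    # Constructed sample request data; addresses are from documentation ranges.
    uri, expires, now = "/videos/ep1.mp4", 1491500000, 1491465000
    viewer, other = "203.0.113.10", "198.51.100.7"
    results = {}
    for bind_ip in (False, True):
        # Link as the origin site would issue it to the viewer's page load.
        link = token(expires, uri, client_ip=viewer if bind_ip else None)
        results[bind_ip] = {
            "viewer": check(link, expires, uri, viewer, now, bind_ip),
            "other_client": check(link, expires, uri, other, now, bind_ip),
            "after_expiry": check(link, expires, uri, viewer, expires + 1, bind_ip),
        }
    return results


if __name__ == "__main__":
    for bound, outcome in demo().items():
        print("bound to $remote_addr" if bound else "hash + expiry only", outcome)
```

Binding to `$remote_addr` only rejects a link replayed from a different address than the one it was issued to; it changes nothing when the page fetch and the video request come from the same client.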