Nginx Valid Referer - Access Control - Help Wanted

AshleyinSpain nginx-forum at forum.nginx.org
Wed Feb 19 23:30:39 UTC 2020


Francis Daly Wrote:
-------------------------------------------------------
> On Thu, Feb 06, 2020 at 06:02:50PM -0500, AshleyinSpain wrote:
> 
> Hi there,
> 
> > > > server {
> > > >    location /radio/ {
> > > >        valid_referers none blocked server_names ~\.mysite\.;
> > > >        if ($invalid_referer) { return 403; }
> > > >    }
> > > > }
> 
> > I deleted the 'none' and 'blocked' and no difference still not blocking
> > direct access to the URL
> > 
> > Tried adding it in its own block and adding it to the end of an existing
> > block neither worked
> > 
> > Is the location /radio/ part ok
> > 
> > I am trying to block direct access to any URL with a directory /radio/
> > 
> > The URLs look like sub.domain.tld/radio/1234/mytrack.mp3?45678901
> 
> In nginx, one request is handled in one location.
> 
> If /radio/ is the location that you configured to handle this request,
> then the config should apply.
> 
> If you have, for example, "location ~ mp3", then *that* would probably
> be the location that is configured to handle this request (and so that
> is where this "return 403;" should be).
> 
> You could try changing the line to be "location ^~ /radio/ {", but
> without knowing your full config, it is hard to know if that will fix
> things or break them.
> 
> http://nginx.org/r/location
> 
> > I need it so the URL is only served if a link on *.mysite.* is clicked ie
> > the track is only played through an html5 audio player on mysite
> 
> That is not a thing that can be done reliably.
> 
> If "unreliable" is good enough for you, then carry on. Otherwise, come
> up with a new requirement that can be done.
> 
> Cheers,
> 
> 	f
> -- 
> Francis Daly        francis at daoine.org

Hi Francis

I've added further comments here, it's getting a bit messy above

I added, as you suggested, the ^~ to /radio/ and it now blocks it
redirecting to where I put in the invalid_referer bit

The valid_referer part doesn't work though, 

valid_referers server_names
    *.mysite.com mysite.com dev.mysite.* can.mysite.*
    can.mysite.com/dashboard
    ~\.mysite\.;

it doesn't recognise the parameters or urls

I copied the examples in the docs and I have tried loads of variations taken
from various suggestions etc online

When you say above -  That is not a thing that can be done reliably is that
because the headers can be 'forged' or it just doesn't work properly

I am only trying to stop casual copy stream url and paste it into browser to
listen for free - I realise any determined person can get around it, but not
trying to stop that with this - ultimately I will have to add more robust
controls with JS and passwords but that will be later on down the line

Do you need me to copy the entire nginx config here 

Thanks for your help

Ashley

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,286958,287068#msg-287068
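
Added example, not part of either post and not nginx's own code: a simplified Python model of how nginx picks the single location that handles a request, showing why the referer check in "location /radio/" never ran while a regex location also matched, and why "^~" changed that. The two location lists and their labels are constructed; the "~ mp3" location is the hypothetical one from the reply above, and nested locations and URI normalisation are left out.

```python
import re

# Constructed configs as (modifier, pattern, label). Modifiers follow nginx
# syntax: "" plain prefix, "^~" prefix that suppresses regex checks,
# "=" exact match, "~" case-sensitive regex, "~*" case-insensitive regex.
BEFORE = [("", "/radio/", "radio: referer check"),
          ("~", "mp3", "mp3: no referer check")]
AFTER = [("^~", "/radio/", "radio: referer check"),
         ("~", "mp3", "mp3: no referer check")]


def select_location(locations, uri):
    """Return the label of the one location that would handle uri."""
    # Locations are matched against the path only, not the query string.
    path = uri.split("?", 1)[0]
    # 1. An exact ("=") match wins immediately.
    for mod, pat, label in locations:
        if mod == "=" and pat == path:
            return label
    # 2. Remember the longest matching prefix location.
    best = None
    for mod, pat, label in locations:
        if mod in ("", "^~") and path.startswith(pat):
            if best is None or len(pat) > len(best[1]):
                best = (mod, pat, label)
    # 3. If that prefix carries "^~", regex locations are not consulted.
    if best and best[0] == "^~":
        return best[2]
    # 4. Otherwise the first matching regex, in config order, takes the request.
    for mod, pat, label in locations:
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pat, path, flags):
                return label
    # 5. No regex matched: fall back to the remembered prefix, if any.
    return best[2] if best else None


if __name__ == "__main__":
    uri = "/radio/1234/mytrack.mp3?45678901"  # URL shape quoted in the thread
    print("before:", select_location(BEFORE, uri))
    print("after: ", select_location(AFTER, uri))
```
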


