Nginx Valid Referer - Access Control - Help Wanted
Francis Daly
francis at daoine.org
Thu Feb 20 14:20:30 UTC 2020
On Wed, Feb 19, 2020 at 06:30:39PM -0500, AshleyinSpain wrote:
> Francis Daly Wrote:
> > On Thu, Feb 06, 2020 at 06:02:50PM -0500, AshleyinSpain wrote:
Hi there,
> > > I am trying to block direct access to any URL with a directory
> > > /radio/
> > >
> > > The URLs look like sub.domain.tld/radio/1234/mytrack.mp3?45678901
> > > I need it so the URL is only served if a link on *.mysite.* is
> > > clicked, i.e.
> > > the track is only played through an html5 audio player on mysite
> >
> > That is not a thing that can be done reliably.
> The valid_referer part doesn't work though,
>
> valid_referers server_names
> *.mysite.com mysite.com dev.mysite.* can.mysite.*
> can.mysite.com/dashboard
> ~\.mysite\.;
>
> it doesn't recognise the parameters or urls
Can you show exactly what you mean by "doesn't work"? It seems to work
for me.
That is, if I use
===
server {
listen 8080 default_server;
server_name three;
location ^~ /radio/ {
valid_referers server_names
*.mysite.com mysite.com dev.mysite.* can.mysite.*
can.mysite.com/dashboard ~\.mysite\.;
if ($invalid_referer) { return 403; }
return 200 "This request is allowed: $request_uri, $http_referer\n";
}
}
===
then I see (403 is "blocked"; 200 is "allowed"):
# no Referer
$ curl -i http://127.0.0.1:8080/radio/one
403
# Referer that matches can.mysite.*
$ curl -i -H Referer:http://can.mysite.cxx http://127.0.0.1:8080/radio/one
200
# Referer that does not match can.mysite.com/dashboard
$ curl -i -H Referer:http://can.mysite.com/dashboar http://127.0.0.1:8080/radio/one
403
# Referer that matches can.mysite.com/dashboard
$ curl -i -H Referer:http://can.mysite.com/dashboards http://127.0.0.1:8080/radio/one
200
# Referer that matches a server_name
$ curl -i -H Referer:https://three http://127.0.0.1:8080/radio/one
200
> I copied the examples in the docs and I have tried loads of variations taken
> from various suggestions etc online
If you can show one specific config that you use; and one specific
request that you make; and the response that you get and how it is not
the response that you want; it will probably be easier to identify where
the problem is.
> When you say above - That is not a thing that can be done reliably is that
> because the headers can be 'forged' or it just doesn't work properly
The headers can be forged, just like I do above in the "curl" commands.
All the best,
f
--
Francis Daly francis at daoine.org
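Added example (not part of the message above, and not nginx code): a small Python model of the valid_referers list in the config shown in the post, so the five curl results can be reproduced offline and the matching order reasoned about. It implements the documented forms (exact name, *.name, name.*, optional URI prefix, ~regex, server_names, none, blocked) with the precedence the curl results show: a hit in the name table decides the outcome by its URI prefix alone, and the regex is only consulted when no name matches. Case-insensitive regexes, the host ending at the first '/' or ':' (ports not handled specially), and the absence of the leading-dot ".name" form are assumptions of this model. The Referer values, including the forged one, are constructed inputs.

```python
import re
from typing import Dict, List, Optional, Sequence


class RefererPolicy:
    """Model of an nginx valid_referers list (assumed semantics, see lead-in)."""

    def __init__(self, patterns: List[str], server_names: Sequence[str] = ()):
        self.allow_none = False       # "none": request carries no Referer at all
        self.allow_blocked = False    # "blocked": Referer present but not http(s)://
        self.exact: Dict[str, str] = {}  # "mysite.com"  -> required URI prefix ("" = any)
        self.head: Dict[str, str] = {}   # ".mysite.com" -> prefix, from "*.mysite.com"
        self.tail: Dict[str, str] = {}   # "can.mysite." -> prefix, from "can.mysite.*"
        self.regexes = []
        for p in patterns:
            if p == "none":
                self.allow_none = True
            elif p == "blocked":
                self.allow_blocked = True
            elif p == "server_names":
                for name in server_names:
                    self._add_name(name)
            elif p.startswith("~"):
                # assumption: referer regexes are matched case-insensitively
                self.regexes.append(re.compile(p[1:], re.IGNORECASE))
            else:
                self._add_name(p)

    def _add_name(self, pattern: str) -> None:
        host, slash, path = pattern.partition("/")
        uri = slash + path            # "" when no URI prefix was given
        host = host.lower()
        if host.startswith("*."):
            self.head[host[1:]] = uri
        elif host.endswith(".*"):
            self.tail[host[:-1]] = uri
        else:
            self.exact[host] = uri

    def _lookup(self, host: str) -> Optional[str]:
        """Exact name first, then *.suffix, then prefix.*; None if no name hit."""
        if host in self.exact:
            return self.exact[host]
        for suffix, uri in self.head.items():
            if host.endswith(suffix) and len(host) > len(suffix):
                return uri
        for prefix, uri in self.tail.items():
            if host.startswith(prefix) and len(host) > len(prefix):
                return uri
        return None

    def is_valid(self, referer: Optional[str]) -> bool:
        """True when the request would NOT set $invalid_referer."""
        if referer is None:
            return self.allow_none
        lowered = referer.lower()
        if lowered.startswith("http://"):
            rest = referer[len("http://"):]
        elif lowered.startswith("https://"):
            rest = referer[len("https://"):]
        else:
            return self.allow_blocked
        host_match = re.match(r"[^/:]*", rest)
        host = host_match.group(0).lower()
        remainder = rest[host_match.end():]   # starts at '/' (or ':' for a port)
        uri = self._lookup(host)
        if uri is not None:
            # A name hit decides on its own: the prefix must match, regexes are not tried.
            # This is why ".../dashboar" is refused although "*.mysite.com" and the
            # regex would both accept the host.
            return remainder.startswith(uri)
        return any(r.search(rest) for r in self.regexes)


# The list from the location block in the post; "three" is its server_name.
POLICY = RefererPolicy(
    ["server_names", "*.mysite.com", "mysite.com", "dev.mysite.*",
     "can.mysite.*", "can.mysite.com/dashboard", r"~\.mysite\."],
    server_names=["three"],
)


def status_for(referer: Optional[str]) -> int:
    """What `if ($invalid_referer) { return 403; }` would answer."""
    return 200 if POLICY.is_valid(referer) else 403


if __name__ == "__main__":
    # Same requests as the curl commands in the post, plus a forged header that
    # any client can send (constructed inputs, nothing is fetched).
    for ref in [None, "http://can.mysite.cxx", "http://can.mysite.com/dashboar",
                "http://can.mysite.com/dashboards", "https://three",
                "http://www.mysite.com/player-i-made-up"]:
        print(status_for(ref), ref)
```

The last input shows the point about forgery: nothing in the check ties the header to a page that was actually loaded, so `curl -H Referer:http://www.mysite.com/...` is accepted exactly like a real click on the player.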