Possible to make subdomain only accessible through 'embed'

Francis Daly francis at daoine.org
Sun Mar 14 14:50:43 UTC 2021

On Sat, Mar 13, 2021 at 07:56:35AM +1100, Jore wrote:

Hi there,

> I have pages served from "embed.domain.com" that I'd only like to be
> accessible when they're embedded in files served from "docs.domain.com"

> Is it possible to lock down "embed.domain.com" so it can only be accessed
> through "docs.domain.com"?

If you mean "a http request to the embed.domain.com site must only get
a response if the request was made by a user clicking a link on the
docs.domain.com site", then that can't be done reliably. That's the
nature of http.

You could do something like block external access to embed.domain.com
altogether, and use nginx to reverse-proxy requests to it behind
http://docs.domain.com/embed/, for example.

That would mean that all external http requests would go to
docs.domain.com; but it still does not mean that a request to
docs.domain.com/embed/ came from a user clicking a link somewhere else
on docs.domain.com.

It may or may not match what you want.

Good luck with it,

Francis Daly        francis at daoine.org

More information about the nginx mailing list