I am trying to block all requests which do not come from my own server. A quick read of the nginx wiki led me to the valid_referers directive. I implemented it like:

server {
listen 80;

server_name ~^(?<account>.+)\.my-domain\.io$;

root /srv/www/accounts/$account/app;

index index.php;

access_log /var/log/nginx/accounts/$account/access.log;
error_log /var/log/nginx/accounts/error.log;

include /etc/nginx/excludes.conf;
include /etc/nginx/expires.conf;

location / {
valid_referers server_names not-my-domain.com;
if ($invalid_referer) {
return 403;
}

location ~\.php {
try_files $uri =404;
fastcgi_index index.php;
fastcgi_intercept_errors on;
fastcgi_pass 127.0.0.1:3001;
include /etc/nginx/fastcgi_params;
fastcgi_param MY_DOMAIN_ACCOUNT $account;
}
}

I purposefully put not-my-domain.com instead of my-domain.com to make sure a 403 status code was returned. Unfortunately, it is not. I wrote a simple html file with an iframe that grabs a php page from the server from a different domain. This should be returning a 403 code, but it works.

Any ideas? Thanks.