November 12, 2012 04:14AM
On Monday 12 November 2012 13:03:49 justin wrote:
> I am trying to block all requests which do not come from my own server. A
> quick read of the nginx wiki led me to the valid_referers directive. I
> implemented it like:
>
> server {
> listen 80;
>
> server_name ~^(?<account>.+)\.my-domain\.io$;
>
> root /srv/www/accounts/$account/app;
>
> index index.php;
>
> access_log /var/log/nginx/accounts/$account/access.log;
> error_log /var/log/nginx/accounts/error.log;
>
> include /etc/nginx/excludes.conf;
> include /etc/nginx/expires.conf;
>
> location / {
> valid_referers server_names not-my-domain.com;
> if ($invalid_referer) {
> return 403;
> }
>
> location ~\.php {
> try_files $uri =404;
> fastcgi_index index.php;
> fastcgi_intercept_errors on;
> fastcgi_pass 127.0.0.1:3001;
> include /etc/nginx/fastcgi_params;
> fastcgi_param MY_DOMAIN_ACCOUNT $account;
> }
> }
>
> I purposefully put not-my-domain.com instead of my-domain.com to make sure
> a 403 status code was returned. Unfortunately, it is not. I wrote a simple
> html file with an iframe that grabs a php page from the server from a
> different domain. This should be returning a 403 code, but it works.
>
> Any ideas? Thanks.
>

Your request to the php page is processed in "location ~\.php", which does not have any
referrer constraints.

wbr, Valentin V. Bartenev

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
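
The fix implied by the reply above, as an added example that is not part of the original thread: the referer check is declared once at server level so that it also covers requests handled by "location ~\.php". The `*.my-domain.io` pattern and the comments are assumptions based on the server_name in the question; everything else is taken from the posted config.

```nginx
server {
    listen 80;

    server_name ~^(?<account>.+)\.my-domain\.io$;

    root /srv/www/accounts/$account/app;
    index index.php;

    access_log /var/log/nginx/accounts/$account/access.log;
    error_log /var/log/nginx/accounts/error.log;

    # Declared at server level: the "if" is evaluated in the server rewrite
    # phase, before nginx picks a location, so "/" and "~\.php" are both covered.
    # Neither "none" nor "blocked" is listed, so a request with a missing or
    # stripped Referer header is treated as invalid and gets a 403 too.
    valid_referers server_names *.my-domain.io;
    if ($invalid_referer) {
        return 403;
    }

    location / {
        # Static files; no per-location referer check needed any more.
    }

    location ~\.php {
        # Previously this block had no referer constraint of its own, which is
        # why the iframe request for a .php page was served.
        try_files $uri =404;
        fastcgi_index index.php;
        fastcgi_intercept_errors on;
        fastcgi_pass 127.0.0.1:3001;
        include /etc/nginx/fastcgi_params;
        fastcgi_param MY_DOMAIN_ACCOUNT $account;
    }
}
```

The Referer header is set by the client, so this check limits embedding and hotlinking by ordinary browsers but is not an access control; anything that must be restricted to the server itself needs authentication or a network-level restriction.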