Welcome! Log In Create A New Profile

Advanced

Re: Nginx Valid Referer - Access Control - Help Wanted

Francis Daly
February 20, 2020 09:22AM
On Wed, Feb 19, 2020 at 06:30:39PM -0500, AshleyinSpain wrote:
> Francis Daly Wrote:
> > On Thu, Feb 06, 2020 at 06:02:50PM -0500, AshleyinSpain wrote:

Hi there,

> > > I am trying to block direct access to any URL with a directory
> > /radio/
> > >
> > > The URLs look like sub.domain.tld/radio/1234/mytrack.mp3?45678901

> > > I need it so the URL is only served if a link on *.mysite.* is
> > clicked ie
> > > the track is only played through an html5 audio player on mysite
> >
> > That is not a thing that can be done reliably.

> The valid_referer part doesn't work though,
>
> valid_referers server_names
> *.mysite.com mysite.com dev.mysite.* can.mysite.*
> can.mysite.com/dashboard
> ~\.mysite\.;
>
> it doesn't recognise the parameters or urls

Can you show exactly what you means by "doesn't work"? It seems to work
for me.

That is, if I use

===
server {
listen 8080 default_server;
server_name three;
location ^~ /radio/ {
valid_referers server_names
*.mysite.com mysite.com dev.mysite.* can.mysite.*
can.mysite.com/dashboard ~\.mysite\.;
if ($invalid_referer) { return 403; }
return 200 "This request is allowed: $request_uri, $http_referer\n";
}
}
===

then I see (403 is "blocked"; 200 is "allowed"):

# no Referer
$ curl -i http://127.0.0.1:8080/radio/one
403

# Referer that matches can.mysite.*
$ curl -i -H Referer:http://can.mysite.cxx http://127.0.0.1:8080/radio/one
200

# Referer that does not match can.mysite.com/dashboard
curl -i -H Referer:http://can.mysite.com/dashboar http://127.0.0.1:8080/radio/one
403

# Referer that matches can.mysite.com/dashboard
curl -i -H Referer:http://can.mysite.com/dashboards http://127.0.0.1:8080/radio/one
200

# Referer that matches a server_name
$ curl -i -H Referer:https://three http://127.0.0.1:8080/radio/one
200

> I copied the examples in the docs and I have tried loads of variations taken
> from various suggestions etc online

If you can show one specific config that you use; and one specific
request that you make; and the response that you get and how it is not
the response that you want; it will probably be easier to identify where
the problem is.

> When you say above - That is not a thing that can be done reliably is that
> because the headers can be 'forged' or it just doesn't work properly

The headers can be forged, just like I do above in the "curl" commands.

All the best,

f
--
Francis Daly francis@daoine.org
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

Nginx Valid Referer - Access Control - Help Wanted

AshleyinSpain February 05, 2020 02:43PM

Re: Nginx Valid Referer - Access Control - Help Wanted

J.R. February 05, 2020 04:42PM

Re: Nginx Valid Referer - Access Control - Help Wanted

AshleyinSpain February 06, 2020 06:02PM

Re: Nginx Valid Referer - Access Control - Help Wanted

Francis Daly February 06, 2020 07:10PM

Re: Nginx Valid Referer - Access Control - Help Wanted

AshleyinSpain February 19, 2020 06:30PM

Re: Nginx Valid Referer - Access Control - Help Wanted

Francis Daly February 20, 2020 09:22AM

Re: Nginx Valid Referer - Access Control - Help Wanted

gariac February 07, 2020 07:10AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 67
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready