How to deny requests in nginx when there is no referer?
The issue you are having is that nginx doesn't see a referer of "-"; it just uses that in the log to keep log-parsing apps that expect a referer in check. This will pretty much stop anyone that types the URL by hand or bookmarks it, though.
Try this:
if ($http_referer = "") { return 403; }
Author by
Jand
Updated on September 18, 2022
Comments
-
Jand almost 2 years
In nginx access.log I see many lines like:
1.2.3.4 - - [19/Oct/2014:22:48:11 -0400] "POST /someurl/suburl HTTP/1.1" 200 19967 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2"
Where the only common thing between them is the "-" (which I assume means no referer is set).
So I tried to deny these requests using:
if ($http_referer ~ ^(-)) { return 444; }
However, as you see above, this does not work for POST requests.
-
Xavier Lucas over 9 years
You have absolutely no guarantee that this header is not forged, that's usually a bad way to see things.
-
Jand over 9 years
Great tip. Can I use this inside a 'location' directive, to avoid many bookmarked URLs being wrongly denied?
-
Mike over 9 years
Yes, you can do that.
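An added example, not part of the original answer or comments: the empty-referer check from the answer, limited to POST requests and scoped to a single location as discussed in the comments. The `server_name`, the `/someurl/` prefix (taken from the log line in the question) and the variable name `$deny_empty_referer_post` are assumptions for illustration.

```nginx
# http {} context.
# nginx "if" cannot AND two conditions, so the request method and the
# Referer header are joined into one string and matched with map.
# A missing Referer leaves $http_referer empty; the "-" only appears in
# access.log as a placeholder for that empty value.
map "$request_method:$http_referer" $deny_empty_referer_post {
    default  0;
    "POST:"  1;   # POST with the Referer header absent or empty
}

server {
    listen 80;
    server_name example.test;          # placeholder host name

    # Only this prefix is checked, so bookmarked or hand-typed GET URLs
    # elsewhere on the site are not rejected.
    location /someurl/ {
        if ($deny_empty_referer_post) {
            return 403;                # or 444 to close the connection without a response
        }
        # existing proxy_pass / fastcgi_pass configuration for this location goes here
    }
}
```

Because the client sets the Referer header, this only filters requests that omit it and does not replace authentication, CSRF tokens or rate limiting on the endpoint.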