HttpRefererModule
Contents |
Synopsis
This module makes it possible to block access to the site with the incorrect values of line "Referer" in the request header.
Keep in mind that it is easy to spoof this header; therefore, the purpose of using of this module consists not in 100% blocking of these requests, but in the blocking of the mass flow of requests, made from typical browsers. Also, consider that the typical browser does not always provide a "Referer" header, even for correct requests.
Example
location /photos/ { valid_referers none blocked www.mydomain.com mydomain.com; if ($invalid_referer) { return 403; } }
Directives
valid_referers
Syntax: |
valid_referers none | blocked | server_names | string ... |
Default: | |
Context: |
server location |
Reference: | valid_referers |
This directive assigns a value of 0 or 1 to the variable $invalid_referer
based on the contents of the referer
header.
You can use this to help reduce deep-linking from outside sites. If Referer
header is not accounted for in the list of valid_referers
, then $invalid_referer
will be set to 1 (see example above).
The parameters can be as follows:
-
none
means the absence of "Referer" header. -
blocked
means maskedReferer
header by firewall, for example, "Referer: XXXXXXX". - server_names is a list of one or more servers. From version 0.5.33 onwards, * wildcards can be used in the server names.