Best way to block access by url and valid referrer?

I have a requirement to only allow requests from certain referrers. The
trickier part is that the list of valid referrers changes based on what
is in the query string. I would like to know the most efficient way to
do this in nginx please.

For example, assume that “account1” may only make requests with
referrers from abc.com and def.com, and “account2” may only make
requests with referrers from xyz.com.

Further, assume these requests hit my nginx server:

http://www.mynginxserver.com/somefile.htm?id=account1
I want to allow the request for the above only if the referrer is
from abc.com or def.com

http://www.mynginxserver.com/somefile.htm?id=account2
I want to allow the request for the above only if the referrer is
from xyz.com

Currently in my implementation I do not have the above authorization
scheme factored in, and I’m doing this:

    location / {
        proxy_pass       http://my_upstream_servers;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

So now I am looking at implementing my authorization scheme and
wondering what is the best way to do this.

For example, am I correct to assume that I would have to have a separate
“location” directive/block for each account that would be made to match
the id=accountX part? And within each location block I would have a
valid_referrers statement that listed what was valid for that account?

Or is there a better way to map this out?

Also I will have thousands of accounts (most of which will only have one
or two valid referrers defined). Would nginx process all those location
blocks extremely fast or would all that regex’ing slow things down
considerably if doing thousands of them?

Thank you!

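One way to express the per-account referrer check without a location block per account, as an added example that is not part of the original post: two map lookups, the first pulling the host out of the Referer with a single regex, the second doing an exact-string (hashed) lookup on "account:host". Plain map entries are hash-table lookups, so thousands of accounts cost one lookup per request rather than a scan of thousands of regexes. The account ids, hostnames and upstream name are the ones from the question; the server block and the hash-size values are assumptions for this example.

```nginx
# Added example (not from the original thread): per-account Referer
# checking with two "map" lookups instead of one location block per account.
# Assumes the account id arrives as the "id" query argument, as in the
# poster's URLs; "my_upstream_servers" is the poster's upstream name.

http {
    # 1. Extract the host from the Referer with one regex. Requiring "/",
    #    ":", "?", "#" or end-of-string right after the host stops a value
    #    like http://abc.com@evil.com/ from yielding "abc.com". A missing
    #    or unparseable Referer gives an empty host.
    map $http_referer $referer_host {
        default "";
        "~*^https?://(?<ref_host>[a-z0-9.-]+)(?::[0-9]+)?(?:[/?#]|$)" $ref_host;
    }

    # 2. Exact-string lookup on "account:host". Non-regex map entries are
    #    stored in a hash, so the size of this list barely affects request
    #    time. List every host you accept (subdomains included); a long
    #    list can live in its own file pulled in with "include".
    map "$arg_id:$referer_host" $referer_ok {
        default                0;
        "account1:abc.com"     1;
        "account1:www.abc.com" 1;
        "account1:def.com"     1;
        "account1:www.def.com" 1;
        "account2:xyz.com"     1;
        "account2:www.xyz.com" 1;
    }
    # Raise these if nginx reports that the map hash does not fit.
    map_hash_max_size    8192;
    map_hash_bucket_size 128;

    server {
        listen      80;
        server_name www.mynginxserver.com;

        location / {
            # Unknown account, missing Referer, or a host not on that
            # account's list: refuse before touching the upstream.
            if ($referer_ok != 1) {
                return 403;
            }
            proxy_pass       http://my_upstream_servers;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
```

Note that `$arg_id` is not URL-decoded by nginx, so an encoded separator in the query string cannot collide with the literal `:` used in the key. The check still rests on a header the client may omit or forge, which is the limitation the reply below raises.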

Rt Ibmer <[email protected]…> writes:

I have a requirement to only allow requests from certain referrers. The trickier part is that the list of valid referrers changes based on what is in the query string. I would like to know the most efficient way to do this in nginx please.
[…]

According to RFC2616:

"14.36 Referer

The Referer[sic] request-header field allows the client to specify, for the server’s benefit, the address (URI) of the resource from which the Request-URI was obtained (the “referrer”, although the header field is misspelled.) The Referer request-header allows a server to generate lists of back-links to resources for interest, logging, optimized caching, etc. It also allows obsolete or mistyped links to be traced for maintenance. The Referer field MUST NOT be sent if the Request-URI was obtained from a source that does not have its own URI, such as input from the user keyboard."

So it seems that the referrer field is not mandatory, and an application should not rely on this field. At the server level you can block resource stealing done by script kiddies if this field is present and not forged, that’s all.

If you have control over abc, def… try using a more robust method than a simple link (a form with POST data, or GET data containing an encoded timestamp); it will be far more reliable, but still not perfect.

If you use a POST or a GET, you should be able to develop a specific Nginx module to avoid thousands of regexes, without needing to call your application.

I don’t know the precise context of your application, but try to avoid the possibility of forged data input, such as relying on the referrer value.

Best regards.
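The "GET data containing a timestamp" suggestion above, as an added example that is not part of the reply: nginx's secure_link module (the secure_link and secure_link_md5 directives) checks a hash-plus-expiry pair carried in the query string, so the page that embeds the link (abc.com, def.com or xyz.com in the question) signs it with a secret the nginx host also knows, and no separate module has to be written. The secret CHANGE_ME, the argument names md5 and expires, and the sample expiry are placeholders chosen for this example.

```nginx
# Added example, not from the thread. Requires nginx built with
# ngx_http_secure_link_module. "CHANGE_ME", the "md5"/"expires" argument
# names and the sample expiry are placeholders for this example.

location / {
    # Expected link shape (constructed for this example):
    #   /somefile.htm?id=account1&expires=1704067200&md5=<hash>
    secure_link     $arg_md5,$arg_expires;

    # The hash covers the expiry, the path, the account id and the secret,
    # so altering any of them invalidates the link. $secure_link_expires
    # is the expiry taken from the secure_link directive above.
    secure_link_md5 "$secure_link_expires$uri$arg_id CHANGE_ME";

    # Empty string: hash missing or wrong. "0": hash correct but expired.
    if ($secure_link = "") {
        return 403;
    }
    if ($secure_link = "0") {
        return 410;
    }

    proxy_pass       http://my_upstream_servers;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

# The referring site builds the hash the same way nginx checks it, e.g.:
#   echo -n '1704067200/somefile.htmaccount1 CHANGE_ME' \
#     | openssl md5 -binary | openssl base64 | tr +/ -_ | tr -d =
```

This binds the link to the account, the path and an expiry instead of to a Referer the client can omit or forge. It is still "not perfect" in the sense the reply gives: anyone holding a valid link can use it until it expires, and the secret must be protected on every site that signs links.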
