Valid_referers dynamic hostname

Sorry for posting here - don’t know for sure if it’s the right place.

I have an issue:

1. I use nginx as reverse proxy, but I don’t always know the domain name
   for
   which I’m serving, so my setup looks like this:

server_name _ $host 0.0.0.0;

2. I try to block invalid referers but when I try to add $host to
   valid_referers - it doesn’t seem to work:

valid_referers none blocked server_names $host ~.google. ~.yahoo.
~.bing. ~.ask. ~.live. ~.googleusercontent.com. ;

How can I make this work?
Also please note that I don’t know regexp.

Kind regards,
Vlad

Posted at Nginx Forum:

Also,

Isn’t this a bug since I have added server_names to valid_referers?

And since server_names knows the domain, it should work…

Any ideas?

Posted at Nginx Forum:

Hello!

On Sat, May 18, 2013 at 01:31:50PM -0400, [email protected] wrote:

Sorry for posting here - don’t know for sure if it’s the right place.

I have an issue:

1. I use nginx as reverse proxy, but I don’t always know the domain name for
   which I’m serving, so my setup looks like this:

server_name _ $host 0.0.0.0;

The “$host” string here means exactly “$host”. There is no
variable expansion for server_name (expect for a special name
“$hostname”, which isn’t actually a variable but a special name).

Most likely requests are handled in the sever{} block in question
as it’s used as a default server.

2. I try to block invalid referers but when I try to add $host to
   valid_referers - it doesn’t seem to work:

valid_referers none blocked server_names $host ~.google. ~.yahoo.
~.bing. ~.ask. ~.live. ~.googleusercontent.com. ;

The valid_referers directive doesn’t support variables.

How can I make this work?
Also please note that I don’t know regexp.

What you are trying to do, i.e. allow referers which match Host
header in a request, currently can’t be done using the referers
module only.

With a litle help from the rewrite module it’s possible though.
Something like this should work:

valid_referers none blocked server_names ~\.google\. ...;

set $temp "$host:$http_referer";

if ($temp ~* "^(.*):https?://\1") {
    set $invalid_referer "0";
}

if ($invalid_referer) {
    return 403;
}

–
Maxim D.
http://nginx.org/en/donation.html

Hello,

Thank you for your example Maxim. This is what I’ve wrote in my config:

set $temp “$host:$http_referer”;

valid_referers none blocked server_names ~.google. ~.yahoo.
~.bing.
~.ask. ~.live. ~.googleusercontent.com. ;

if ($invalid_referer){
set $test A ;
}

if ($temp ~* “^(.*):http?://\1”) {
set $test “${test}B”;
}

if ($temp ~* “^(.*):https?://\1”) {
set $test “${test}C”;
}

if ($test = ABC) {
return 444 ;
}

It is always returning 444 … what am I doing wrong?!

Posted at Nginx Forum:

I suggest you take a look at the order in which ‘if’ statements are
evaluated.
Consider reading the ‘if’ directive
documentationhttp://nginx.org/en/docs/http/ngx_http_rewrite_module.html#if
.

B. R.

On Mon, May 20, 2013 at 2:14 PM, [email protected]

Hello!

On Mon, May 20, 2013 at 02:14:02PM -0400, [email protected] wrote:

set $test A ;

}

if ($temp ~* “^(.*):http?://\1”) {
set $test “${test}B”;
}

Just a side note: this statement isn’t needed. Both http and
https schemes are allowed by a “https?” in the regular expression
I provided, “?” makes preceeding character option.

if ($temp ~* “^(.*):https?://\1”) {
set $test “${test}C”;
}

if ($test = ABC) {
return 444 ;
}

It is always returning 444 … what am I doing wrong?!

You probably mean to write

if ($test = A) {
    return 444;
}

instead, as your initial message suggests you want to allow
requests where Referer matches Host.

–
Maxim D.
http://nginx.org/en/donation.html

Thanks alot! I made a logical error when writing your expression by
thinking
that it will negate the comparison.

Also, I appreciate you have explained that http/https matching as I was
confused.

My best regards,
Vlad

Maxim D. Wrote:

}
if ($test = ABC) {

nginx Info Page
Posted at Nginx Forum:
Re: valid_referers dynamic hostname