The ngx_http_referer_module module allows blocking requests whose "Referer" request header carries a value considered invalid, preventing them from accessing the site. Note that it is fairly easy to forge a valid "Referer" header (the curl -e tests below do exactly that), so the intended purpose of this module is not to block such requests entirely, but to block the bulk of them made by ordinary browsers, i.e. casual hotlinking; treat it as a deterrent, not as access control. It is also important to note that even a legitimate request sent by a normal browser may carry no "Referer" header at all.
Syntax: valid_referers none | blocked | server_names | string ...;
When the "Referer" request header matches one of the specified values, the embedded variable $invalid_referer is set to an empty string; otherwise it is set to "1". Matching is case-insensitive.
The parameters of the directive can be as follows:
none: the "Referer" request header is missing;
blocked: the "Referer" request header is present, but its value has been stripped by a firewall or proxy server; such values are strings that do not start with "http://" or "https://";
server_names: the "Referer" request header contains one of the server names, i.e. the server_name values of the enclosing server block;
string ...: an arbitrary string defines a server name and an optional URI prefix. The server name may carry a "*" at its beginning or end. During the check, the server port in the "Referer" request header is ignored;
regular expression: must begin with a "~". It is important to note that the expression is matched against the text that follows "http://" or "https://", not against the whole header value.
none: indicates that the Referer is empty, for example when we open the website or a picture directly in the browser (typed URL or bookmark).
blocked: this one is not easy to understand, so I ran a test on my machine:
The configuration in nginx.conf is:

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
        valid_referers blocked www.a.com;
        if ($invalid_referer) {
            return 403;
        }
    }
Test with curl (-x sends the request through the proxy 127.0.0.1:80, -i prints the response headers, -e sets the Referer header):

    $ curl -x 127.0.0.1:80 'localhost/static/image/common/logo.png' -i -e 'http://www.a.com'
    HTTP/1.1 200 OK
    Server: nginx/1.8.1
    Date: Thu, 00:59:44 GMT
    Content-Type: image/png
    Content-Length: 4425
    Last-Modified: Tue, 03:08:36 GMT
    Connection: keep-alive
    ETag: "574d0034-1149"
    Accept-Ranges: bytes

(Referer http://www.a.com matches the listed server name www.a.com: allowed.)

    $ curl -x 127.0.0.1:80 'localhost/static/image/common/logo.png' -i -e 'http://www.b.com'
    HTTP/1.1 403 Forbidden
    Server: nginx/1.8.1
    Date: Thu, 01:00:09 GMT
    Content-Type: text/html
    Content-Length: 168
    Connection: keep-alive

(Referer http://www.b.com starts with http:// but matches nothing in the list: $invalid_referer is "1", so return 403 fires.)

    $ curl -x 127.0.0.1:80 'localhost/static/image/common/logo.png' -i -e 'www.b.com'
    HTTP/1.1 200 OK
    Server: nginx/1.8.1
    Date: Thu, 01:00:15 GMT
    Content-Type: image/png
    Content-Length: 4425
    Last-Modified: Tue, 03:08:36 GMT
    Connection: keep-alive
    ETag: "574d0034-1149"
    Accept-Ranges: bytes

(Referer www.b.com does not start with http:// or https://, so it is treated as a "blocked" value and allowed.)
Through testing, I understand it this way: because some firewalls or proxy servers strip the Referer value, such requests cannot be intercepted by their Referer value, as long as the Referer does not begin with an "http://" or "https://" string. I don't know whether this is the right idea.
server_names: refers to the virtual host names set in the nginx configuration file (the server_name directive of the enclosing server block);
For example, hotlink protection that allows only www.a.com and www.b.com and rejects every other site:

    server {
        listen 80;
        server_name www.a.com www.b.com;
        root /data/www;
        index index.html index.htm;

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
            valid_referers server_names;
            if ($invalid_referer) {
                return 403;
                #rewrite ^/ http://www.example.com/nophoto.gif;
            }
        }
    }

Note that this list contains neither none nor blocked, so a browser that opens an image directly (no Referer at all) also receives 403; add none (and usually blocked) if direct visits should keep working. The commented-out rewrite shows the alternative of serving a placeholder image instead of an error.
string ...: arbitrary strings with an optional leading or trailing wildcard, such as *.example.com or www.example.*, for example:

    valid_referers none blocked *.example.com;
    valid_referers server_names;
    if ($invalid_referer) {
        return 403;
    }

The two lists can also be written as a single directive: valid_referers none blocked server_names *.example.com;
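To check what the parameters described above (none, blocked, server_names, wildcard strings, ~regex) do to a given Referer value without standing up a server, here is a Python model of the matching rules as this page describes them. It is an added example written for this page, not nginx's own code, and it simplifies a few things (assumptions): server_name entries are matched with the same "*" rule as string parameters, the regex and ".example.com" forms of server_name are not modelled, and the URI prefix is compared case-insensitively. The configurations and Referer values it is run against, including the www.a.com / www.b.com curl cases above, are constructed test inputs.

```python
"""Model of nginx valid_referers matching (added example, not nginx's code)."""
import re
from typing import Iterable, Optional, Sequence


def _host_matches(pattern: str, host: str) -> bool:
    """Match a lowercased host against a pattern with "*" allowed at either end."""
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    if pattern.endswith("*"):
        return host.startswith(pattern[:-1])
    return host == pattern


def referer_is_valid(referer: Optional[str], params: Sequence[str],
                     server_names: Iterable[str] = ()) -> bool:
    """Return True when `referer` passes `valid_referers <params>;`.

    referer      -- raw Referer header value, or None if the header is absent
    params       -- the tokens written after valid_referers in nginx.conf
    server_names -- the enclosing server block's server_name values; only
                    consulted when "server_names" is one of the params
                    (assumption: plain names and "*" wildcards only)
    """
    # Matching is case-insensitive; regex params keep their case (re.IGNORECASE below).
    params = [p if p.startswith("~") else p.lower() for p in params]

    # none: the request carries no Referer header at all.
    if referer is None:
        return "none" in params

    # blocked: a Referer is present but does not start with http:// or https://,
    # which is what a stripping proxy or firewall typically leaves behind.
    low = referer.lower()
    if not (low.startswith("http://") or low.startswith("https://")):
        return "blocked" in params

    # String and regex params only ever see the text after the scheme.
    rest = referer.split("://", 1)[1]
    hostport, _, path = rest.partition("/")
    host = hostport.split(":", 1)[0].lower()   # the port is ignored
    uri = "/" + path.lower()                   # assumption: URI prefix compared case-insensitively

    candidates = []
    for p in params:
        if p in ("none", "blocked"):
            continue
        if p.startswith("~"):
            # A regex is applied to the text after the scheme, case-insensitively.
            if re.search(p[1:], rest, re.IGNORECASE):
                return True
            continue
        if p == "server_names":
            candidates.extend(s.lower() for s in server_names)
        else:
            candidates.append(p)

    for pat in candidates:
        host_pat, _, prefix = pat.partition("/")
        if not _host_matches(host_pat, host):
            continue
        # An optional URI prefix after the server name must match the start of the path.
        if prefix and not uri.startswith("/" + prefix):
            continue
        return True
    return False


def invalid_referer(referer: Optional[str], params: Sequence[str],
                    server_names: Iterable[str] = ()) -> str:
    """Mirror nginx's $invalid_referer: "" when valid, "1" otherwise."""
    return "" if referer_is_valid(referer, params, server_names) else "1"


if __name__ == "__main__":
    # Constructed inputs: the three curl cases above plus a request with no
    # Referer, all evaluated against `valid_referers blocked www.a.com;`.
    for ref in ("http://www.a.com", "http://www.b.com", "www.b.com", None):
        status = "403" if invalid_referer(ref, ["blocked", "www.a.com"]) else "200"
        print(f"{ref!r:>22} -> {status}")
```

Running it reproduces the three curl results (200, 403, 200) and adds the case the tests above did not cover: with only blocked and www.a.com listed, a request with no Referer at all is rejected, because none is not in the list.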
Using the nginx ngx_http_referer_module module to set up hotlink protection