nginx

Module ngx_http_referer_module


english
русский

简体中文
עברית
日本語
türkçe

news
about
download
security advisories
documentation
pgp keys
faq
links
books
support
donation

trac
wiki
twitter
nginx.com
Example Configuration
Directives
     referer_hash_bucket_size
     referer_hash_max_size
     valid_referers

The ngx_http_referer_module module allows to block access to a site for requests with invalid values in the “Referer” header field. It should be kept in mind that fabricating a request with an appropriate “Referer” field value is quite easy, and so the intended purpose of this module is not to block such requests thoroughly but to block the mass flow of requests sent by regular browsers. It should also be taken into consideration that regular browsers may not send the “Referer” field even for valid requests.

Example Configuration

valid_referers none blocked server_names
               *.example.com example.* www.example.org/galleries/
               ~\.google\.;

if ($invalid_referer) {
    return 403;
}

Directives

syntax: referer_hash_bucket_size size;
default:
referer_hash_bucket_size 64;
context: server, location

This directive appeared in version 1.0.5.

Sets the bucket size for the valid referers hash tables. Details of setting up hash tables are provided in a separate document.

syntax: referer_hash_max_size size;
default:
referer_hash_max_size 2048;
context: server, location

This directive appeared in version 1.0.5.

Sets the maximum size of the valid referers hash tables. Details of setting up hash tables are provided in a separate document.

syntax: valid_referers none | blocked | server_names | string ...;
default:
context: server, location

Specifies values of the “Referer” request header field that will cause the embedded variable $invalid_referer to be set to an empty string. Otherwise, the variable will be set to “1”. Search for a match is case-insensitive.

Parameters can be as follows:

none
the “Referer” field is missing in the request header;
blocked
the “Referer” field is present in the request header, but its value was deleted by a firewall or proxy server; such values are strings that do not start from “http://” or “https://”;
server_names
the “Referer” request header field contains one of the server names;
arbitrary string
defines a server name and an optional URI prefix. A server name can have an “*” at the beginning or end. When checking, the server’s port in the “Referer” field is ignored;
regular expression
the first symbol should be a “~”. It should be noted that an expression will be matched against the text starting after the “http://” or “https://”.

Example:

valid_referers none blocked server_names
               *.example.com example.* www.example.org/galleries/
               ~\.google\.;