I have a site with just one file: index.htm, which has some AJAX calls linked to PHP files. I'd like to make those PHP files accessible only via AJAX (POST and GET) coming from this index file, and block access to all files except index.htm. Is it possible in Nginx? Thanks.
Viewed 696 times
2 Answers
Two thoughts:
- Nginx module that restricts on referrer. List your site and ignore others or blank: http://wiki.nginx.org/HttpRefererModule
- Other possible ideas: http://java.sun.com/developer/technicalArticles/J2EE/usingapikeys/
In the end, somebody's going to be able to get to them directly by forging headers, but it's a start.

Jeff Ferland
Something like this would work:
location ~ \.php$ {
    # Refuse any request whose Referer does not mention index.htm
    if ($http_referer !~* index\.htm) {
        return 403;
    }
    fastcgi_pass 127.0.0.1:9000;
    include fastcgi.conf;
    fastcgi_intercept_errors on;
    error_page 404 /error/404.php;
}
But keep in mind that it is easy to spoof this header, e.g.:
$ telnet localhost 81
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /pwd.php HTTP/1.0

HTTP/1.1 403 Forbidden
Server: nginx/1.0.5
Date: Thu, 20 Oct 2011 03:06:03 GMT
Content-Type: text/html
Content-Length: 168
Connection: close

$ telnet localhost 81
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /pwd.php HTTP/1.0
Referer: index.htm

HTTP/1.1 200 OK
Server: nginx/1.0.5
Date: Thu, 20 Oct 2011 03:06:38 GMT
Content-Type: text/html
Connection: close
/var/www/localhost/htdocs
$ curl localhost:81/pwd.php
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.0.5</center>
</body>
</html>
$ curl --referer index.htm localhost:81/pwd.php
/var/www/localhost/htdocs

quanta
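The following is an added example, not code from either answer and not part of nginx or PHP. It models three gates a request to one of the PHP files could be put through: the Referer regex from quanta's nginx rule above, a host-based Referer check of the kind nginx's valid_referers directive performs, and the signed page-token approach that Jeff's "API keys" link points toward. The site host, the secret, the `X-Page-Token` header name and the `timestamp:nonce:hmac` token format are all assumptions made for the demo. It shows that the regex also accepts `http://attacker.example/index.htm`, that a bare `Referer: index.htm` fails a host check, and that a token the page embeds at serve time can at least be expired and cannot be typed in by hand.

```python
import hashlib
import hmac
import re
import secrets
import time
from urllib.parse import urlparse

# Assumed values for the demo: the site's host name and a server-side secret.
# A real deployment would load the secret from configuration, not source code.
SITE_HOST = "example.com"
SERVER_SECRET = b"demo-secret-change-me"
TOKEN_TTL = 3600  # seconds a page token stays valid


def referer_gate(headers):
    """The check quanta's nginx rule performs: allow when the Referer
    contains 'index.htm' anywhere, case-insensitively."""
    return re.search(r"index\.htm", headers.get("Referer", ""), re.I) is not None


def strict_referer_gate(headers):
    """Closer to nginx's valid_referers: the Referer must be an absolute URL
    whose host is this site, so 'index.htm' alone or another host's
    /index.htm are refused."""
    referer = headers.get("Referer")
    if not referer:
        return False
    return urlparse(referer).hostname == SITE_HOST


def issue_token(now=None):
    """Server side: mint a token to embed in index.htm when it is served.
    Format 'timestamp:nonce:hmac' so the endpoint verifies it statelessly."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    mac = hmac.new(SERVER_SECRET, f"{ts}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{nonce}:{mac}"


def token_gate(headers, now=None):
    """What the PHP endpoint would check: a valid, unexpired token sent by the
    page's AJAX code in an assumed custom header."""
    parts = headers.get("X-Page-Token", "").split(":")
    if len(parts) != 3 or not parts[0].isdigit():
        return False
    ts, nonce, mac = parts
    expected = hmac.new(SERVER_SECRET, f"{ts}:{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False
    current = time.time() if now is None else now
    return 0 <= current - int(ts) <= TOKEN_TTL


def evaluate(headers, now=None):
    """Run all three gates over one request's headers."""
    return {
        "referer_regex": referer_gate(headers),
        "referer_host": strict_referer_gate(headers),
        "page_token": token_gate(headers, now),
    }


if __name__ == "__main__":
    issued_at = 1_700_000_000
    token = issue_token(now=issued_at)
    # Constructed sample requests for the demo, not captured traffic.
    samples = {
        "browser XHR from index.htm": {
            "Referer": f"http://{SITE_HOST}/index.htm",
            "X-Page-Token": token,
        },
        "curl --referer index.htm (as in the answer)": {"Referer": "index.htm"},
        "page on another host named index.htm": {
            "Referer": "http://attacker.example/index.htm",
        },
        "token replayed two hours later": {
            "Referer": f"http://{SITE_HOST}/index.htm",
            "X-Page-Token": token,
        },
    }
    for name, hdrs in samples.items():
        when = issued_at + 7200 if "replayed" in name else issued_at + 5
        print(f"{name}: {evaluate(hdrs, now=when)}")
```

Even the token gate only proves the caller fetched index.htm within the last hour: anyone who can load the page can read the token out of it and send it from a script, so this raises the bar for casual direct hits and stops another site's page from borrowing the endpoints, but it does not distinguish a browser from a client that mimics one.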