How to deny requests in nginx when there is no referer?

Question

In nginx access.log I see many lines like:

1.2.3.4 - - [19/Oct/2014:22:48:11 -0400] "POST /someurl/suburl HTTP/1.1" 200 19967 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.11) Gecko/20071127 Firefox/2"

Where only common thing between them is the "-" (which I assume means no referer is set).

So I tried to deny these requests using:

if ($http_referer ~ ^(-))
    {  return 444;
}

However, as you see above, this does not work for POST requests.

You have absolutely no guarantee that this header is not forged, that's usually a bad way to see things. — Xavier Lucas, Oct 20 '14 at 06:41

score 8 · Accepted Answer · answered Oct 20 '14 at 05:16

8

The issue you are having is nginx doesn't see a referer of "-" it just uses that in the log to keep log parsing apps in check that expect a referer. This will pretty much stop anyone that types the url by hand or bookmarks it though

Try this

 if ($http_referer = "") {  return 403; }

answered Oct 20 '14 at 05:16

Mike

22,310
7
56
79

great tip. Can I use this inside a 'location' directive, to avoid many bookmarked urls being wrongly denied? – Jand Oct 20 '14 at 05:31
yes you can do that – Mike Oct 20 '14 at 05:36

How to deny requests in nginx when there is no referer?

1 Answers1