It seems like this is not working:

    server_name blabla.bla;
    # WordPress's comment handler is wp-comments-post.php (no trailing "s")
    location ~* (wp-comments-post|wp-login)\.php$ {
        if ($http_referer !~ ^(http://$servername) ) {
            return 405;
        }
    }

While

    server_name blabla.bla;
    # WordPress's comment handler is wp-comments-post.php (no trailing "s")
    location ~* (wp-comments-post|wp-login)\.php$ {
        if ($http_referer !~ ^(http://blabla.bla) ) {
            return 405;
        }
    }

works just fine. Is this expected and if so why? Or am I doing something wrong here?

Greg
2 Answers

Regular expressions are compiled while reading configuration, thus they cannot contain variables.

Also please note:

VBart
  • Thanks! I know the "if"s are evil, but letting PHP execute all the brute-force password-cracking attempts is even more evil (performance-wise). – Greg Feb 07 '14 at 13:56
  • My remark is more about your use of `$http_referer` instead of the special `$invalid_referer`. – VBart Feb 07 '14 at 14:00
  • *palms face* Thanks! Again! – Greg Feb 07 '14 at 14:26
  • @greg if preventing brute-force attacks is your objective, I suggest you move it to the TCP layer, using [fail2ban](http://www.fail2ban.org/wiki/index.php/Main_Page). – Feb 08 '14 at 10:18


If you have the referer module you might like this one: it will ONLY allow the current server names as valid referrers. All others will return a 405 error.

    location ~* (wp-comments-post)\.php$ {
        # compare the Referer host against the names in server_name
        valid_referers server_names;

        # $invalid_referer is "1" when the Referer is missing or not in the list
        if ( $invalid_referer ) {
            return 405;
        }

        ### Do your stuff here

    }
Ramon Fincken
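Putting the two answers together, here is a complete server block as an added example; it is not code from the question or from either answer. It assumes a WordPress site under /var/www/wordpress and a PHP-FPM socket at unix:/run/php/php-fpm.sock (both hypothetical paths); the host name blabla.bla is the one from the question. It shows why the `$servername`-in-a-regex approach cannot work and what to use instead, and it uses WordPress's real comment handler name, wp-comments-post.php, rather than the `wp-comments-posts` spelling in the question.

```nginx
# Added example, not part of the original question or answers.
# Assumed paths: /var/www/wordpress and unix:/run/php/php-fpm.sock.
server {
    listen 80;
    server_name blabla.bla www.blabla.bla;

    root /var/www/wordpress;
    index index.php index.html;

    # The two endpoints that login and comment brute-forcers hit.
    location ~* ^/(wp-comments-post|wp-login)\.php$ {
        # Why not `if ($http_referer !~ ^http://$server_name)`: nginx compiles
        # the regular expression once while reading the configuration, so a
        # "$server_name" inside it is taken literally and is never expanded.
        # valid_referers is evaluated per request instead; "server_names"
        # compares the Referer host against every name in server_name above
        # (scheme and port are ignored).
        valid_referers server_names;

        # $invalid_referer is "1" when the Referer is missing, was stripped
        # to something that is not http:// or https://, or names another
        # host. `return` is one of the directives that are safe inside `if`
        # in a location block.
        if ($invalid_referer) {
            return 405;
        }

        # Accepted: hand the request to PHP-FPM. This location is a regex
        # location listed before the generic one below, so it wins for
        # these two scripts.
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Everything else in WordPress.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

Check it with `nginx -t` before reloading; then `curl -si -X POST http://blabla.bla/wp-login.php` should return 405 while the same request with `-H 'Referer: http://blabla.bla/wp-login.php'` reaches PHP. Two caveats a practitioner should keep in mind: the Referer header is fully attacker-controlled, so this only stops bots that do not bother to send one, and the real defence against password guessing is rate limiting or banning at the connection level (the fail2ban suggestion in the comments above); and 405 is the status the answers chose, but 403 is the conventional code for a request that is refused rather than using an unsupported method.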