 | Start a set with this search |
 | Include this search in one of my sets |
 | Exclude this search from one of my sets |
 | Permalink to these results Paste this link in email or IM: |
 | Atom feed for tracking future search results Paste this URL into your reader: |
4 messages in ru.sysoev.nginxRe: Best way to block access by url a...| From | Sent On | Attachments |
|---|---|---|
| Rt Ibmer | Apr 29, 2008 7:56 am | |
| François Battail | Apr 29, 2008 10:06 am | |
| Rt Ibmer | Apr 29, 2008 1:19 pm | |
| François Battail | Apr 29, 2008 1:57 pm |
| Permalink for this message Paste this link in email or IM: |
| Permalink for this thread Paste this link in email or IM: |
| Atom feed for this thread Paste this URL into your reader: |
| Subject: | Re: Best way to block access by url and valid referrer? | Actions... |
|---|---|---|
| From: | Rt Ibmer (rtib...@public.gmane.org) | |
| Date: | Apr 29, 2008 1:19:40 pm | |
| List: | ru.sysoev.nginx | |
According to RFC2616: "14.36 Referer The Referer[sic] request-header field allows the client to specify, for the If you have control on abc, def... try using a more robust method that a simple
Thank you for your concern and pointing this out. I should have mentioned that I
am aware of the limitations of this approach and that the referrer can be absent
or easily faked.
However I do not have control over the GET requests coming in. Basically we give
our users an id=accountX string and only want to provide the requested content
if they embed the link to us within their web site for which we allow such usage
(as deemed from the referrer).
Although they can easily fake the referrer it will not do them much good to do
so because they will want to link to our user's web site, and unless they
instruct their web site users to take special measures to hide or forge their
referrer (this would not be worth it for them anyway) then this method should be
sufficient
So assuming that its "good enough" for me to rely on matching their account id
to a referrer what would you say is the best way to do what I was inquiring
about in my original message on the subject?
If you use a POST or a GET you should be able to develop a specific Nginx module to avoid thousands of regex and without need to call your application.
In light of my response above do you still think that is the best way to go?
Basically I'd create a module so that I could do something like add a
"authenticate" directive (something I made up that my module looks for) to one
"location" block, and then enforce all that logic from my custom module?
That certainly seems like a more efficient way of doing it since I won't have to
define thousands of "location" blocks. Although I imagine the processing speed
won't be much different, as it'll still have to do thousands of regex
comparisons. Well, then again maybe it wouldn't - I could probably take their
account id from the query string and use it for a hash lookup to acess a string
of valid referrers and compare that...?
Thank you.
____________________________________________________________________________________
Be a better friend, newshound, and
know-it-all with Yahoo! Mobile. Try it now.
http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ