Nginx ngx_http_referer_module: Summary of Basic Directives

Original article. When reposting, please credit the source and keep the original URL.

This article gives a brief introduction to nginx's ngx_http_referer_module. It covers the following directives: referer_hash_bucket_size, referer_hash_max_size, valid_referers

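This module allows requests that carry an incorrect "Referer" header to be denied. Note that forging a suitable "Referer" header is very easy, so the goal of this module is not to block such access completely, but to cut down as far as possible on unwanted access coming from regular browsers (for example, a site that no longer wants to support IE6 can restrict on the corresponding IE6 field and so block access from that browser; against genuinely malicious attacks carried out by programs, this module is not necessarily effective). You should also take into account that some normal browsers do not send a valid "Referer" request header.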

Configuration example:

    valid_referers none blocked server_names
                   *.example.com example.* www.example.org/galleries/
                   ~\.google\.;

    if ($invalid_referer) {
        return 403;
    }

Original nginx text:

The ngx_http_referer_module module allows to block access to a site for requests with invalid values in the “Referer” header field. It should be kept in mind that fabricating a request with an appropriate “Referer” field value is quite easy, and so the intended purpose of this module is not to block such requests thoroughly but to block the mass flow of requests sent by regular browsers. It should also be taken into consideration that regular browsers may not send the “Referer” field even for valid requests.

Example Configuration

    valid_referers none blocked server_names
                   *.example.com example.* www.example.org/galleries/
                   ~\.google\.;

    if ($invalid_referer) {
        return 403;
    }

1. referer_hash_bucket_size

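syntax: referer_hash_bucket_size size;

default: referer_hash_bucket_size 64;

context: server, location

This directive appeared in version 1.0.5.

Sets the bucket size of the valid referers hash tables. Details of setting up hash tables are provided in a separate document.

Original nginx text: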

Sets the bucket size for the valid referers hash tables. Details of setting up hash tables are provided in a separate document.

2. referer_hash_max_size

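syntax: referer_hash_max_size size;

default: referer_hash_max_size 2048;

context: server, location

This directive appeared in version 1.0.5.

Sets the maximum size of the valid referers hash tables. Details of setting up hash tables are provided in a separate document.

Original nginx text: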

Sets the maximum size of the valid referers hash tables. Details of setting up hash tables are provided in a separate document.

3. valid_referers

syntax: valid_referers none | blocked | server_names | string ...;

default:

context: server, location

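Specifies the values of the "Referer" request header field that cause the embedded variable $invalid_referer to be set to an empty string. Otherwise, the variable is set to "1". The search for a match is case-insensitive.

The parameters can be the following:

none: the "Referer" field is missing from the request (that is, the request has no such header)

blocked: the request header contains a "Referer" field, but its value was deleted by a firewall or reverse proxy server; for example, "Referer" values that do not start with "http://" or "https://".

server_names: the "Referer" header contains one of the server names

arbitrary string: defines a server name and an optional URI prefix. The server name can have a "*" at the beginning or end. When checking, the server's port in the "Referer" field is ignored;

regular expression: the first symbol should be a "~". Note that the expression is matched against the text that starts after the "http://" or "https://".

For example:

    valid_referers none blocked server_names
                   *.example.com example.* www.example.org/galleries/
                   ~\.google\.;

Original nginx text: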

Specifies values of the “Referer” request header field that will cause the embedded variable $invalid_referer to be set to an empty string. Otherwise, the variable will be set to “1”. Search for a match is case-insensitive.

Parameters can be as follows:

none

    the “Referer” field is missing in the request header;

blocked

    the “Referer” field is present in the request header, but its value was deleted by a firewall or proxy server; such values are strings that do not start from “http://” or “https://”;

server_names

    the “Referer” request header field contains one of the server names;

arbitrary string

    defines a server name and an optional URI prefix. A server name can have an “*” at the beginning or end. When checking, the server’s port in the “Referer” field is ignored;

regular expression

    the first symbol should be a “~”. It should be noted that an expression will be matched against the text starting after the “http://” or “https://”.

Example:

    valid_referers none blocked server_names
                   *.example.com example.* www.example.org/galleries/
                   ~\.google\.;
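
As an added illustration (not part of the original article and not nginx's own code), the following Python model applies the matching rules listed above to the example `valid_referers` list, so you can check which "Referer" values a list accepts before deploying it. `SERVER_NAMES` and the sample Referer values are assumptions made for the example; nginx's hash-based lookup may differ in edge cases.

```python
import re

# Simplified model of the documented valid_referers rules (not nginx source code).
SERVER_NAMES = {"example.net"}   # assumption: server_name of the enclosing server
RULES = ["none", "blocked", "server_names", "*.example.com", "example.*",
         "www.example.org/galleries/", r"~\.google\."]

def host_matches(name, host):
    if name.startswith("*."):                 # leading wildcard: any subdomain
        return host.endswith(name[1:])
    if name.endswith(".*"):                   # trailing wildcard: any suffix
        return host.startswith(name[:-1])
    return host == name

def invalid_referer(referer, rules=RULES, server_names=SERVER_NAMES):
    """Return "" if the Referer is accepted, "1" otherwise (like $invalid_referer)."""
    if referer is None:                       # header missing -> "none"
        return "" if "none" in rules else "1"
    scheme = re.match(r"https?://", referer, re.I)
    if not scheme:                            # present, no http(s):// -> "blocked"
        return "" if "blocked" in rules else "1"
    rest = referer[scheme.end():]             # text after the scheme
    hostport, slash, path = rest.partition("/")
    host = hostport.split(":", 1)[0].lower()  # port ignored, host case-insensitive
    uri = slash + path
    for rule in rules:
        if rule in ("none", "blocked"):
            continue
        if rule == "server_names":
            ok = host in server_names
        elif rule.startswith("~"):            # regex is unanchored, sees host and path
            ok = re.search(rule[1:], rest, re.I) is not None
        else:                                 # server name plus optional URI prefix
            name, sep, prefix = rule.partition("/")
            ok = host_matches(name.lower(), host) and uri.startswith(sep + prefix)
        if ok:
            return ""
    return "1"

# Constructed Referer values for checking what the example list accepts.
SAMPLES = [None, "XXXXXXXX", "http://img.example.com:8080/a.png",
           "http://www.example.org/galleries/1.jpg", "http://www.example.org/other/",
           "https://www.google.com/search?q=x", "http://unrelated.test/page.google.html",
           "http://other.test/"]

if __name__ == "__main__":
    for ref in SAMPLES:
        print(repr(ref), "->", repr(invalid_referer(ref)))
```

The seventh sample is accepted because `~\.google\.` is unanchored and is tested against the host and the path together; a pattern meant to cover only a host name needs a `^` anchor and an explicit end of the host part.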
