Nginx Valid Referer - Access Control - Help Wanted


Nginx Valid Referer - Access Control - Help Wanted

Olaf van der Spek
I want to use the nginx referer module to restrict access to a URL containing a
directory /radio/, only allowing access to it from a link with HTTP referer
*.mysite.* (anysubdomain.mysite.anytld); otherwise redirect to 403.

Is the referer module already loaded in nginx? If not, how do I load it?

I found various code examples to add to the conf file, coupled this
together and added it to the end of the conf file, but it doesn't work:
entering a URL directly into the browser serves it.

<code>
server {
    location /radio/ {
        # "none" accepts requests that carry no Referer header at all
        valid_referers none blocked server_names ~\.mysite\.;
        if ($invalid_referer) {
            return 403;
        }
    }
}
</code>

Should just the location bit of code be added inside an existing server
block?

My set up is nginx in Docker on Ubuntu 18 on a Digital Ocean droplet.

Any help would be appreciated; I've been working on this for days.

Best regards
Ashley

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,286958,286958#msg-286958

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

Re: Nginx Valid Referer - Access Control - Help Wanted

J.R.
> I found various code examples to add to the conf file and coupled this
> together and added it to the end of the conf file, but it doesn't work,
> entering a URL directly into the browser serves it

> server {
>    location /radio/ {
>        valid_referers none blocked server_names ~\.mysite\.;
>        if ($invalid_referer) { return 403; }
>    }
> }

If you enter a URL directly into your browser, there will be no
referrer. You have "none" set as a valid value, so that is why it is
working...

If you only want to accept requests with your server's name in the
referrer field, remove "none" & "blocked"...

Re: Nginx Valid Referer - Access Control - Help Wanted

Olaf van der Spek
J.R. Wrote:
-------------------------------------------------------

> > I found various code examples to add to the conf file and coupled
> this
> > together and added it to the end of the conf file, but it doesn't
> work,
> > entering a URL directly into the browser serves it
>
> > server {
> >    location /radio/ {
> >        valid_referers none blocked server_names ~\.mysite\.;
> >        if ($invalid_referer) { return 403; }
> >    }
> > }
>
> If you enter a URL directly into your browser, there will be no
> referrer. You have "none" set as a valid value, thus that is why it is
> working...
>
> If you only want to accept requests with your server's name in the
> referrer field, remove "none" & "blocked"...

I deleted the 'none' and 'blocked' and no difference; it's still not blocking
direct access to the URL.

I tried adding it in its own block and adding it to the end of an existing
block; neither worked.

Is the location /radio/ part OK?

I am trying to block direct access to any URL with a directory /radio/.

The URLs look like sub.domain.tld/radio/1234/mytrack.mp3?45678901

I need it so the URL is only served if a link on *.mysite.* is clicked, i.e.
the track is only played through an HTML5 audio player on mysite.

Anyone have any more ideas?

Best regards

Ashley

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,286958,286965#msg-286965


Re: Nginx Valid Referer - Access Control - Help Wanted

Francis Daly
On Thu, Feb 06, 2020 at 06:02:50PM -0500, AshleyinSpain wrote:

Hi there,

> > > server {
> > >    location /radio/ {
> > >        valid_referers none blocked server_names ~\.mysite\.;
> > >        if ($invalid_referer) { return 403; }
> > >    }
> > > }

> I deleted the 'none' and 'blocked' and no difference still not blocking
> direct access to the URL
>
> Tried adding it in its own block and adding it to the end of an existing
> block neither worked
>
> Is the location /radio/ part ok
>
> I am trying to block direct access to any URL with a directory /radio/
>
> The URLs look like sub.domain.tld/radio/1234/mytrack.mp3?45678901

In nginx, one request is handled in one location.

If /radio/ is the location that you configured to handle this request,
then the config should apply.

If you have, for example, "location ~ mp3", then *that* would probably
be the location that is configured to handle this request (and so that
is where this "return 403;" should be).

You could try changing the line to be "location ^~ /radio/ {", but
without knowing your full config, it is hard to know if that will fix
things or break them.

http://nginx.org/r/location

> I need it so the URL is only served if a link on *.mysite.* is clicked ie
> the track is only played through an html5 audio player on mysite

That is not a thing that can be done reliably.

If "unreliable" is good enough for you, then carry on. Otherwise, come
up with a new requirement that can be done.

Cheers,

        f
--
Francis Daly        [hidden email]
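An added example to illustrate the two points above (written for this page; it is not the thread's configuration or anything taken from the nginx documentation, and sub.domain.tld, the mysite names, the document root and the media location are placeholders). It shows a regex location that would take /radio/1234/mytrack.mp3 away from a plain "location /radio/", the "^~" modifier that stops that, and the referer list with "none" and "blocked" removed as J.R. suggested. The referer module itself is compiled into nginx by default (it is only missing if nginx was built with --without-http_referer_module), so there is nothing to load. One change from the thread's config: a "~" entry is matched against the whole Referer value after the scheme, path and query included, so the unanchored ~\.mysite\. from the original post would also accept a Referer such as http://evil.example/?x=.mysite. and the regex here is anchored to the host instead.

```nginx
# Added example for this page (not the thread's own config). Host names,
# document root and the media location are placeholders.
server {
    listen 80;
    server_name sub.domain.tld;
    root /var/www/html;

    # A typical static-media location. Regex locations are checked after
    # plain prefix locations and win if they match, so without "^~" on the
    # /radio/ block below nginx would handle /radio/1234/mytrack.mp3 here
    # and the referer check would never run.
    location ~* \.(mp3|ogg|m4a)$ {
        expires 1h;
    }

    # "^~": once this prefix matches, nginx stops looking at regex
    # locations, so every request under /radio/ is handled here.
    location ^~ /radio/ {
        # No "none" and no "blocked": a request with no Referer at all
        # (typed URL, curl, a page sent with Referrer-Policy: no-referrer)
        # or with a Referer that does not start with http:// or https://
        # is treated as invalid.
        # The regex is tested against the Referer after the scheme, with
        # path and query still attached, so it is anchored to the host:
        # any host under mysite.<tld>, an optional port, then "/" or end.
        valid_referers
            server_names
            *.mysite.com mysite.com
            ~^([a-z0-9-]+\.)*mysite\.[a-z]+(:[0-9]+)?(/|$);

        # "if" together with "return" is safe; keep other directives
        # out of "if" blocks.
        if ($invalid_referer) {
            return 403;
        }

        expires 1h;
    }
}
```

Test it the way Francis does in his later reply, with curl and a chosen Referer: no header, or Referer: http://evil.example/?x=.mysite., should give 403, and Referer: https://can.mysite.com/ should give 200. Two caveats for the audio-player use case: the Referer is supplied by the client, so this only deters casual URL sharing; and current browsers default to Referrer-Policy strict-origin-when-cross-origin, so a player page on can.mysite.com loading audio from sub.domain.tld sends only https://can.mysite.com/ as the Referer. Host entries match that, but an entry with a path, such as can.mysite.com/dashboard, would not.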

Re: Nginx Valid Referer - Access Control - Help Wanted

lists@lazygranch.com
In reply to this post by Olaf van der Spek
If you are going to block one thing, eventually you will block two, then three, etc.

I suggest learning how to use "map".

https://www.edmondscommerce.co.uk/handbook/Servers/Config/Nginx/Blocking-URLs-in-batch-using-nginx-map/
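An added example of the map approach (written for this page; it is neither the thread's configuration nor code from the linked article, and the variable name $deny_radio, the host names and partner.example are placeholders). The allow/deny decision moves into a map in the http context, where the list of referers can grow without touching the location, and the location checks a single variable. Unlike valid_referers, map sees the raw $http_referer including its scheme, so the scheme is part of the pattern, and a missing Referer shows up as the empty string, which falls through to default.

```nginx
# Added example for this page (not the thread's own config). The map
# goes in the http {} context; names and hosts are placeholders.
map $http_referer $deny_radio {
    # Anything not matched below is denied. This also covers a missing
    # Referer, because $http_referer is then the empty string.
    default 1;

    # Allowed: any host under mysite.<tld>, either scheme, optional port,
    # optional path. "~*" makes the regex case-insensitive.
    ~*^https?://([a-z0-9-]+\.)*mysite\.[a-z]+(:[0-9]+)?(/|$) 0;

    # Further allowed referers are one line each; partner.example is a
    # placeholder showing where the list grows.
    ~*^https?://partner\.example(/|$) 0;
}

server {
    listen 80;
    server_name sub.domain.tld;
    root /var/www/html;

    # "^~" so that no regex location can take /radio/... away from here.
    location ^~ /radio/ {
        # $deny_radio is "1" or "0"; "if" treats "0" and "" as false.
        if ($deny_radio) {
            return 403;
        }
        expires 1h;
    }
}
```

The same curl checks apply: a request with no Referer or with Referer: http://evil.example/?x=.mysite. gets 403, one with Referer: https://can.mysite.com/ gets 200. As with valid_referers, the header is chosen by the client, so this is a deterrent against pasting the stream URL into a browser, not an access control.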

Re: Nginx Valid Referer - Access Control - Help Wanted

Olaf van der Spek
In reply to this post by Francis Daly
Francis Daly Wrote:
-------------------------------------------------------

> On Thu, Feb 06, 2020 at 06:02:50PM -0500, AshleyinSpain wrote:
>
> Hi there,
>
> > > > server {
> > > >    location /radio/ {
> > > >        valid_referers none blocked server_names ~\.mysite\.;
> > > >        if ($invalid_referer) { return 403; }
> > > >    }
> > > > }
>
> > I deleted the 'none' and 'blocked' and no difference still not
> blocking
> > direct access to the URL
> >
> > Tried adding it in its own block and adding it to the end of an
> existing
> > block neither worked
> >
> > Is the location /radio/ part ok
> >
> > I am trying to block direct access to any URL with a directory
> /radio/
> >
> > The URLs look like sub.domain.tld/radio/1234/mytrack.mp3?45678901
>
> In nginx, one request is handled in one location.
>
> If /radio/ is the location that you configured to handle this request,
> then the config should apply.
>
> If you have, for example, "location ~ mp3", then *that* would probably
> be the location that is configured to handle this request (and so that
> is where this "return 403;" should be.
>
> You could try changing the line to be "location ^~ /radio/ {", but
> without knowing your full config, it is hard to know if that will fix
> things or break them.
>
> http://nginx.org/r/location
>
> > I need it so the URL is only served if a link on *.mysite.* is
> clicked ie
> > the track is only played through an html5 audio player on mysite
>
> That is not a thing that can be done reliably.
>
> If "unreliable" is good enough for you, then carry on. Otherwise, come
> up with a new requirement that can be done.
>
> Cheers,
>
> f
> --
> Francis Daly        [hidden email]

Hi Francis

I've added further comments here; it's getting a bit messy above.

I added, as you suggested, the ^~ to /radio/ and it now blocks it,
redirecting to where I put in the invalid_referer bit.

The valid_referer part doesn't work though:

valid_referers server_names
    *.mysite.com mysite.com dev.mysite.* can.mysite.*
    can.mysite.com/dashboard
    ~\.mysite\.;

It doesn't recognise the parameters or URLs.

I copied the examples in the docs and I have tried loads of variations taken
from various suggestions etc. online.

When you say above "That is not a thing that can be done reliably", is that
because the headers can be 'forged', or does it just not work properly?

I am only trying to stop casual copying of the stream URL and pasting it into
a browser to listen for free. I realise any determined person can get around
it, but I'm not trying to stop that with this; ultimately I will have to add
more robust controls with JS and passwords, but that will be later on down
the line.

Do you need me to copy the entire nginx config here?

Thanks for your help

Ashley

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,286958,287068#msg-287068


Re: Nginx Valid Referer - Access Control - Help Wanted

Francis Daly
On Wed, Feb 19, 2020 at 06:30:39PM -0500, AshleyinSpain wrote:
> Francis Daly Wrote:
> > On Thu, Feb 06, 2020 at 06:02:50PM -0500, AshleyinSpain wrote:

Hi there,

> > > I am trying to block direct access to any URL with a directory
> > /radio/
> > >
> > > The URLs look like sub.domain.tld/radio/1234/mytrack.mp3?45678901

> > > I need it so the URL is only served if a link on *.mysite.* is
> > clicked ie
> > > the track is only played through an html5 audio player on mysite
> >
> > That is not a thing that can be done reliably.

> The valid_referer part doesn't work though,
>
> valid_referers server_names
>     *.mysite.com mysite.com dev.mysite.* can.mysite.*
> can.mysite.com/dashboard
>     ~\.mysite\.;
>
> it doesn't recognise the parameters or urls

Can you show exactly what you mean by "doesn't work"? It seems to work
for me.

That is, if I use

===
  server {
    listen 8080 default_server;
    server_name three;
    location ^~ /radio/ {
      valid_referers server_names
        *.mysite.com mysite.com dev.mysite.* can.mysite.*
        can.mysite.com/dashboard ~\.mysite\.;
      if ($invalid_referer) { return 403; }
      return 200 "This request is allowed: $request_uri, $http_referer\n";
    }
  }
===

then I see (403 is "blocked"; 200 is "allowed"):

# no Referer
$ curl -i  http://127.0.0.1:8080/radio/one
403

# Referer that matches can.mysite.*
$ curl -i -H Referer:http://can.mysite.cxx http://127.0.0.1:8080/radio/one
200

# Referer that does not match can.mysite.com/dashboard
$ curl -i -H Referer:http://can.mysite.com/dashboar http://127.0.0.1:8080/radio/one
403

# Referer that matches can.mysite.com/dashboard
$ curl -i -H Referer:http://can.mysite.com/dashboards http://127.0.0.1:8080/radio/one
200

# Referer that matches a server_name
$ curl -i -H Referer:https://three http://127.0.0.1:8080/radio/one
200

> I copied the examples in the docs and I have tried loads of variations taken
> from various suggestions etc online

If you can show one specific config that you use; and one specific
request that you make; and the response that you get and how it is not
the response that you want; it will probably be easier to identify where
the problem is.

> When you say above -  That is not a thing that can be done reliably is that
> because the headers can be 'forged' or it just doesn't work properly

The headers can be forged, just like I do above in the "curl" commands.

All the best,

        f
--
Francis Daly        [hidden email]