A simple directive is introduced by this module: valid_referers. Its purpose is to check the Referer HTTP header from the client request and to possibly deny access based on the value. If the referrer is considered invalid, $invalid_referer is set to 1. In the list of valid referrers, you may employ three kinds of values:
- none: The absence of a referrer is considered to be a valid referrer
- blocked: A masked referrer (such as XXXXX) is also considered valid
- A server name: The specified server name is considered to be a valid referrer
Following the definition of the $invalid_referer variable, you may, for example, return an error code if the referrer was found invalid:
    valid_referers none blocked *.website.com *.google.com;
    if ($invalid_referer) {
        return 403;
    }
Be aware that spoofing the Referer HTTP header is a very simple process, so checking the referer of client requests should not be used as a security measure.
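The classification described above can be modelled in a few lines. This is an added example, not nginx's own code and not part of the original text. It is a simplified model that assumes the documented nginx behaviour that blocked covers any value not starting with http:// or https://; the function names and sample Referer values are constructed for illustration. The result only reflects what the client chose to send in the header.

```python
# Simplified model (added example, not nginx source) of how valid_referers
# classifies a request. Function names are hypothetical.
from typing import Optional, Sequence


def host_of(referer: str) -> str:
    """Lowercased host of an http(s) Referer value, without port or path."""
    rest = referer.split("://", 1)[1]
    for sep in ("/", ":"):
        rest = rest.split(sep, 1)[0]
    return rest.lower()


def name_matches(pattern: str, host: str) -> bool:
    """Server-name match; '*' is handled only as a leading or trailing label."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        # "*.website.com" matches "www.website.com" but not "website.com"
        return host.endswith(pattern[1:]) and len(host) > len(pattern) - 1
    if pattern.endswith(".*"):
        return host.startswith(pattern[:-1]) and len(host) > len(pattern) - 1
    return host == pattern


def referer_is_invalid(referer: Optional[str], valid: Sequence[str]) -> bool:
    """True where the model expects $invalid_referer to be set to 1."""
    if referer is None:                        # header absent: "none"
        return "none" not in valid
    if not referer.lower().startswith(("http://", "https://")):
        return "blocked" not in valid          # masked value such as "XXXXX"
    names = [v for v in valid if v not in ("none", "blocked")]
    return not any(name_matches(n, host_of(referer)) for n in names)


if __name__ == "__main__":
    # Same list as the configuration above; Referer values are constructed.
    valid = ["none", "blocked", "*.website.com", "*.google.com"]
    samples = [
        None,
        "XXXXX",
        "https://www.google.com/search?q=nginx",
        "http://website.com/",                    # bare domain, no subdomain
        "https://www.website.com.example.net/",   # suffix is not website.com
    ]
    for value in samples:
        print(repr(value), "->", "invalid" if referer_is_invalid(value, valid) else "valid")
```

The bare domain website.com comes out invalid in this model because the list only contains the wildcard form *.website.com.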
Two more directives are offered by this module, referer_hash_bucket_size and referer_hash_max_size, respectively allowing you to define the bucket size and maximum size of the valid referrers' hash tables.