$invalid_referer
The $invalid_referer variable is set to 1 if the request's referer is not allowed, based on specified access rules. — NGINX Core (HTTP)
Description
The `$invalid_referer` variable is used within NGINX to indicate whether the `Referer` header of an incoming HTTP request is considered invalid according to predefined access rules. This variable is primarily linked to the `ngx_http_access_module`, which allows administrators to set allowed or denied referers using the `allow` and `deny` directives in the configuration file. Whenever a request is processed, the module checks the `Referer` header against the configured rules. If the referer does not match any of the allowed entries and matches a deny condition, `$invalid_referer` is set to 1. This functionality is particularly useful in scenarios where content security is vital, such as preventing resource misuse from unauthorized sites. The variable typically returns a value of 1 when the referer is invalid; otherwise, it is unset, indicating a valid referer. Referers can be manipulated by clients, so referer checking should not be the sole means of security enforcement. The `$invalid_referer` variable can help control access to resources through conditional logic in the NGINX configuration based on its value, allowing for fine-tuned access management and security mechanisms.
Config Example
location /protected {
    valid_referers none blocked example.com;
    if ($invalid_referer) {
        return 403;
    }
}
Subsystem
http
Cacheable
Yes
Contexts
http, server, location, if
Ensure the referer header is actually sent by clients, as some may choose not to send it, leading to unexpected behavior.
Consider the implications of using `if` inside a location block, as it can create unexpected results if not used carefully.
Be aware that referers can be spoofed; do not rely solely on this variable for critical security decisions.
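The notes above are easier to judge with the matching rules in front of you. The following is an added example, not NGINX code and not part of the original page: a simplified Python model of how the `valid_referers none blocked example.com;` line from the config example classifies a request, run over constructed `Referer` values. `STRICT_RULES`, the sample values and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

def invalid_referer(referer, rules):
    """Simplified model of valid_referers: "" if accepted, "1" if rejected.

    Handles `none`, `blocked`, exact host names and a leading "*." wildcard;
    URI prefixes, regexes and `server_names` are not modelled.
    """
    if referer is None:  # header absent from the request
        return "" if "none" in rules else "1"
    value = referer.lower()
    if not value.startswith(("http://", "https://")):
        # header present but without a scheme, e.g. rewritten by a proxy
        return "" if "blocked" in rules else "1"
    try:
        host = urlsplit(value).hostname or ""  # port is dropped here
    except ValueError:
        return "1"
    for rule in rules:
        rule = rule.lower()
        if rule in ("none", "blocked"):
            continue
        if rule.startswith("*.") and host.endswith(rule[1:]):
            return ""
        if host == rule:
            return ""
    return "1"

PAGE_RULES = ["none", "blocked", "example.com"]  # from the config example
STRICT_RULES = ["example.com"]  # assumed variant that requires a Referer

# Constructed Referer values; None means the header was not sent.
SAMPLES = [
    None,
    "example.com/page",
    "https://example.com/gallery",
    "https://example.com:8443/gallery",
    "https://www.example.com/",
    "https://other.test/?ref=example.com",
]

def evaluate(rules):
    """Map each sample to True when a 403 would be returned."""
    return {ref: invalid_referer(ref, rules) == "1" for ref in SAMPLES}

if __name__ == "__main__":
    for name, rules in (("page", PAGE_RULES), ("strict", STRICT_RULES)):
        for ref, denied in evaluate(rules).items():
            print(f"{name:6} {ref!r:45} {'403' if denied else 'served'}")
```

With the page's rules, a request with no `Referer` at all is served, and `www.example.com` is rejected because only the exact host is listed. The accepted rows depend only on the header value, which is why the check works as a hotlinking deterrent and not as access control.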