Nginx配置referer校验，实现简单的防盗链

1.0 背景

对增删修改类请求接口的referer做白名单校验或 在参数中增加随机，预防跨站请求伪造漏洞

2.1 Nginx Referer模块

ngx_http_referer_module模块用于阻止"Refer"头字段中具有无效值的来源非法的域名请求。使用适当的"Referer"字段值创建请求非常容易，这些伪造的"Referer"字段可能会包括一些不合法的字段。本模块的目的不是彻底阻止此类请求，而是阻止常规浏览器发送的大量非允许"Refer"请求。还需应考虑到，即使对于有效的请求，常规浏览器也不应发送"Referer"字段。

2.2 valid_referers

| Syntax:  | valid_referers none | blocked | server_names | string ...; |
| -------- | ---------------------------------------------------------- |
| Default: | —                                                          |
| Context: | server, location                                           |

none：请求头缺少Referer字段，即空Referer

blocked：请求头Referer字段不为空（即存在Referer），但是值被代理或者防火墙删除了，这些值不以“http://”或“https://”开头，通俗点说就是允许“http://”或"https//"以外的请求。

server_names：Referer请求头白名单。

arbitrary string：任意字符串，定义服务器名称或可选的URI前缀，主机名可以使用*号开头或结尾，Referer字段中的服务器端口将被忽略掉。

regular expression：正则表达式，以“~”开头，在“http://”或"https://"之后的文本匹配。

指定合法的来源'referer', 决定了内置变量$invalid_referer的值，如果referer头部包含在这个合法值里面，这个变量被设置为0，否则设置为1. 需要注意的是：这里并不区分大小写的.

2.2.1 Example Configuration

server {
	listen 80;
	server_name app123456.eapps.dingtalkcloud.com;

	client_max_body_size 100m;
	proxy_buffering off;
	proxy_read_timeout  3600;

	access_log /var/log/nginx/app123456.eapps.dingtalkcloud.com-access.log main;
	error_log /var/log/nginx/app123456.eapps.dingtalkcloud.com.com-error.log;

        if ($host != 'app123456.eapps.dingtalkcloud.com') { 
              return 403 ; 
          } 

        valid_referers server_names none *.test.com *.dingtalkcloud.com;
        if ($invalid_referer) {
            return 403;
        }

        add_header 'X-Permitted-Cross-Domain-Policies' 'master-only';
        add_header 'X-Content-Type-Options' 'nosniff';
        add_header 'X-XSS-Protection' '1; mode=block';
        add_header 'X-Frame-Options' 'SAMEORIGIN';
        add_header 'X-Download-Options' 'noopen';

	location / {
            proxy_pass https://123456-dingtalk-h5-dev.test.com;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

        location /cb/ {
            proxy_pass https://cb.test.com/;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

}

上面配置合法的Referer为*.test.com *.dingtalkcloud.com 和 无Referer（none）(浏览器直接访问，就没有Referer) ; 其他非法Referer请求过来时， $invalid_referer 值为1 ， 就return 403

2.2.1 验证效果

[root@10-80-15-202 ~]# curl  -sI --referer "https://appxxx.eapps.dingtalkcloud.com" http://app123456.eapps.dingtalkcloud.com/self-serve
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Mar 2023 07:12:49 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 9316
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
Access-Control-Allow-Headers: accept,os,accesstoken,content-Type,X-Requested-With,Authorization,apptype,appkey,devid,token,uid,versioncode,versionname,mfg,x-request-id,x-request-uid
Access-Control-Max-Age: 2592000
Access-Control-Allow-Methods: GET, PUT, OPTIONS, POST, DELETE
Access-Control-Allow-Credentials: true
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Permitted-Cross-Domain-Policies: master-only
X-Frame-Options: SAMEORIGIN
X-Download-Options: noopen

[root@10-80-15-202 ~]# curl  -sI  http://app123456.eapps.dingtalkcloud.com/self-serve
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 08 Mar 2023 07:12:49 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 9316
Connection: keep-alive
Vary: Accept-Encoding
Vary: Accept-Encoding
Access-Control-Allow-Headers: accept,os,accesstoken,content-Type,X-Requested-With,Authorization,apptype,appkey,devid,token,uid,versioncode,versionname,mfg,x-request-id,x-request-uid
Access-Control-Max-Age: 2592000
Access-Control-Allow-Methods: GET, PUT, OPTIONS, POST, DELETE
Access-Control-Allow-Credentials: true
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Permitted-Cross-Domain-Policies: master-only
X-Frame-Options: SAMEORIGIN
X-Download-Options: noopen

[root@10-80-15-202 ~]# curl  -sI --referer "https://baidu.com" http://app123456.eapps.dingtalkcloud.com/self-serve
HTTP/1.1 403 Forbidden
Server: nginx
Date: Wed, 08 Mar 2023 07:10:41 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 146
Connection: keep-alive
Vary: Accept-Encoding