Deny referrer using map directive

Hello!

I have a map directive like this:

map $http_referer $badboys {
    hostnames;
    default 0;
    "~*hitleap.com" 1;
}

and already defined in the server block like this:

server {
    … skip …
    if ($badboys) {
        return 406;
    }

    … skip …
}

but when I tried to access them using the given referral, I still got HTTP 200.

$ curl -I https://domain.name -L -e hitleap.com | grep 200
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
HTTP/1.1 200 OK

Is there any additional configuration needed?
Any help will be appreciated :)

On Mon, May 04, 2015 at 11:43:10AM +0700, Dewangga wrote:

Hi there,

> map $http_referer $badboys {
>     hostnames;
>     default 0;
>     "~*hitleap.com" 1;
> }

For info:

This should work as-is; but when using “hostnames”, you probably don’t
need the regex match. Just “.hitleap.com” will do what you possibly
want. (It is not the same: both will block a.hitleap.com; but only one
will block ahitleap.com or hitleap.com.a.)

> but when I tried to access them using the given referral, I still got HTTP 200.
> $ curl -I https://domain.name -L -e hitleap.com | grep 200

It works for me, using http: (because I don’t have a test https: server
to hand). What happens when you leave all of the “…skip…” parts
empty?

> Is there any additional configuration needed?

Do your logs show that this request was handled in the server{} block
that you think it was handled in?

f

Francis D.
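The difference between the two match forms discussed in the reply above, written out as a configuration. This is an added example, not configuration posted by anyone in the thread; the variable names `$ref_bare_host` and `$ref_url_host` and the anchored regex are assumptions made here. A hostname mask is compared against the whole value of `$http_referer`, which fits the bare-hostname Referer that the curl tests in this thread send; the second map covers a Referer that carries a full URL.

```nginx
# Added example; place both map blocks in the http{} context.

# 1) Hostname mask: matches the value "hitleap.com" and any
#    "<label>.hitleap.com" (a.hitleap.com, www2.hitleap.com).
#    Does not match "ahitleap.com" or "hitleap.com.a".
map $http_referer $ref_bare_host {
    hostnames;
    default         0;
    .hitleap.com    1;
}

# 2) Anchored, case-insensitive regex for a Referer holding a full URL,
#    e.g. "http://www.hitleap.com/some/page".
#    The unanchored "~*hitleap.com" from the original post also matches
#    "ahitleap.com" and "hitleap.com.a", and its unescaped "." matches any
#    character; anchoring on scheme and host boundary avoids that.
map $http_referer $ref_url_host {
    default 0;
    "~*^https?://([^/:]+\.)?hitleap\.com(?:[:/]|$)" 1;
}

server {
    listen      80;
    server_name domain.name;    # placeholder host used in the thread

    # Reject when either form of the Referer identifies the blocked domain.
    if ($ref_bare_host) { return 406; }
    if ($ref_url_host)  { return 406; }

    # Checks to run after reload (expected status in parentheses):
    #   curl -I -e www2.hitleap.com         http://domain.name/   (406)
    #   curl -I -e http://www.hitleap.com/  http://domain.name/   (406)
    #   curl -I -e http://ahitleap.com/     http://domain.name/   (not 406)
    #   curl -I -e http://hitleap.com.a/    http://domain.name/   (not 406)
}
```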

Hello!

On 5/4/2015 15:22, Francis D. wrote:

> don’t need the regex match. Just “.hitleap.com” will do what you
> possibly want. (It is not the same: both will block a.hitleap.com;
> but only one will block ahitleap.com or hitleap.com.a.)

You did the trick, just using “.hitleap.com” and the regex matched.

$ curl -IL https://www.domain.name -e www2.hitleap.com
HTTP/1.1 406 Not Acceptable
Server: MCM-WS
Date: Mon, 04 May 2015 08:30:42 GMT
Content-Type: text/html
Content-Length: 172
Connection: keep-alive

> Do your logs show that this request was handled in the server{}
> block that you think it was handled in?
>
> f

Thanks a bunch, Francis :)