我有一个只有一个文件的网站: index.htm其中有一些Ajax链接到PHP文件。 我想让这些php文件只能通过来自这个索引文件的ajax(post和get)访问,并且阻止访问除index.htm所有文件。 Nginx可能吗? 谢谢。
两个想法:
最后,有人可以通过伪造头文件直接find他们,但这只是一个开始。
像这样的东西可以工作:
location ~ \.php$ { if ($http_referer !~* index\.htm) { return 403; } fastcgi_pass 127.0.0.1:9000; include fastcgi.conf; fastcgi_intercept_errors on; error_page 404 /error/404.php; }
Buf请记住,很容易欺骗这个头,例如:
$ telnet localhost 81 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. GET /pwd.php HTTP/1.0 HTTP/1.1 403 Forbidden Server: nginx/1.0.5 Date: Thu, 20 Oct 2011 03:06:03 GMT Content-Type: text/html Content-Length: 168 Connection: close
$ telnet localhost 81 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. GET /pwd.php HTTP/1.0 Referer: index.htm HTTP/1.1 200 OK Server: nginx/1.0.5 Date: Thu, 20 Oct 2011 03:06:38 GMT Content-Type: text/html Connection: close /var/www/localhost/htdocs
$ curl localhost:81/pwd.php <html> <head><title>403 Forbidden</title></head> <body bgcolor="white"> <center><h1>403 Forbidden</h1></center> <hr><center>nginx/1.0.5</center> </body> </html>
$ curl --referer index.htm localhost:81/pwd.php /var/www/localhost/htdocs