снова valid_referers & ssl

[Artem Danilenko <darkden@xxxxxxx>]

Hello Igor,

Проблема в следущем, есть два сервер оба отдают статику(один еще
динамику через прокси) у обих стоит проверка valid_referers в обоих
случаях *.test.com/, на сервер который отдает только статику если
рефер стоит просто домен test.com то выдается 403 ошибка, сначала я
подумал просто нету такова имени в server_name в описании сервер, но
потом заметил что если стоит рефер www.test.com то все нормально,
конфигурации серверов и куски лога приведены ниже...

сегодня поробовал использовать в nginx, ssl на тестовом сервере и
заметил что первый запрос обычно выдает ошибку 400

10.10.4.64 - - [10/Mar/2005:15:27:54 +0500] "" 400 0 "-" "-"
10.10.4.64 - - [10/Mar/2005:15:28:05 +0500] "GET / HTTP/1.1" 200 480 "-" 
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MyIE2; SV1; .NET CLR 1.1.432
2)"



первый сервер:
    server {
        listen  80;
        server_name   download.test.com;

        location / {

        valid_referers  none  server_names  *.test.com/;
        if ($invalid_referer) {
                return   403;
        }

        root /www/download.test.com;
        access_log logs/static/test.log download;
        expires      30d;
        }
    }
5.133.70.115 - - [10/Mar/2005:19:08:19 +0500] "GET /46/2004rt.zip HTTP/1.0" 206 
24820 "http://download.test.com/46/"; "Mozilla/4.0 (compatible;
MSIE 5.0; Windows 98)" "bytes=3056937-" "bytes 3056937-16183824/16183825"
3.237.59.190 - - [10/Mar/2005:19:28:47 +0500] "GET /40/4rv.zip HTTP/1.0" 403 
679 "http://test.com/files.html?action=download&id=1477"; "Mozilla
/4.0 (compatible; MSIE 5.0; Windows 98)" "bytes=10468548-" "-"
7.20.211.210 - - [10/Mar/2005:19:31:45 +0500] "GET /36/fde.zip HTTP/1.1" 200 
8956 "http://www.test.com/forum/index.php?showtopic=7440"; "Mozilla/4.
0 (compatible; MSIE 6.0; Windows NT 5.1)" "-" "-"
3.237.63.134 - - [10/Mar/2005:19:50:18 +0500] "GET /40/4rv.zip HTTP/1.0" 403 
679 "http://test.com/files.html?action=download&id=1477"; "Mozilla
/4.0 (compatible; MSIE 5.0; Windows 98)" "bytes=8988752-" "-"
5.133.70.115 - - [10/Mar/2005:20:14:03 +0500] "GET /46/2004rt.zip HTTP/1.0" 206 
370840 "http://download.test.com/46/"; "Mozilla/4.0 (compatible;
 MSIE 5.0; Windows 98)" "bytes=3068275-" "bytes 3068275-16183824/16183825"
5.133.70.115 - - [10/Mar/2005:20:35:31 +0500] "GET /46/2004rt.zip HTTP/1.0" 206 
994345 "http://download.test.com/46/"; "Mozilla/4.0 (compatible;
 MSIE 5.0; Windows 98)" "bytes=15189821-" "bytes 15189821-16183824/16183825"
5.133.70.115 - - [10/Mar/2005:20:44:20 +0500] "GET /46/2004rt.zip HTTP/1.0" 206 
226300 "http://download.test.com/46/"; "Mozilla/4.0 (compatible;
 MSIE 5.0; Windows 98)" "bytes=4693587-" "bytes 4693587-16183824/16183825"
3.237.63.134 - - [10/Mar/2005:21:17:13 +0500] "GET /27/003.zip HTTP/1.0" 403 
679 "http://test.com/files.html?action=download&id=287"; "Mozilla/4.0 (co
mpatible; MSIE 5.0; Windows 98)" "bytes=3482577-" "-"
3.237.17.148 - - [10/Mar/2005:21:28:57 +0500] "GET /27/003.zip HTTP/1.0" 403 
679 "http://test.com/files.html?action=download&id=287"; "Mozilla/4.0 (co
mpatible; MSIE 5.0; Windows 98)" "bytes=5337625-" "-"
3.237.17.148 - - [10/Mar/2005:21:32:15 +0500] "GET /40/pit.zip HTTP/1.0" 403 
679 "http://test.com/files.html?action=downl
oad&id=1613" "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)" "bytes=26318102-" 
"-"

второй сервер
    server {
        listen  80;
        server_name   test.com www.test.com;

        access_log  logs/test.log;

    location / {
        proxy_pass  http://127.0.0.1/;
        client_max_body_size       80m;
        client_body_buffer_size    128k;
        proxy_connect_timeout      90;
        proxy_send_timeout         90;
        proxy_read_timeout         9m;
        proxy_preserve_host        on;
        proxy_set_x_real_ip        on;
        proxy_add_x_forwarded_for  on;
        proxy_header_buffer_size   4k;
        proxy_buffers              4 32k;
        proxy_busy_buffers_size    64k;
        proxy_temp_file_write_size 64k;
        proxy_temp_path            /tmp/nginx;
      }
        location ~* 
^.+\.(jpg|jpeg|gif|css|htm|html|zip|rar|swf|txt|exe|mpg|mp3|ico|avi|png|js|pdf)$
 {

        valid_referers  none  server_names  *.test.com/;
        if ($invalid_referer) {
                return   403;
        }

        root /www/test.com;
        access_log logs/test-static.log download;
        expires      30d;
        }
    }

94.84.246.71 - - [10/Mar/2005:12:21:31 +0500] "GET /images/6/img196.jpg 
HTTP/1.0" 200 7037 "http://test.com/files.html?folder=6&page=4"; "Moz
illa/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" "-" "-"
94.84.246.71 - - [10/Mar/2005:12:21:32 +0500] "GET /images/6/img2875.jpg 
HTTP/1.0" 200 3459 "http://test.com/files.html?folder=6&page=4"; "Mo
zilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90)" "-" "-"
4.142.118.234 - - [10/Mar/2005:12:21:38 +0500] "GET /files/40/2k4.zip HTTP/1.0" 
206 1079160 "http://test.com/files.html?action=download&id=1441"; "
Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)" "bytes=1657475-" "bytes 
1657475-5835928/5835929"
4.142.118.234 - - [10/Mar/2005:12:21:39 +0500] "GET /files/40/2k4.zip HTTP/1.0" 
206 1288920 "http://test.com/files.html?action=download&id=1441"; "
Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)" "bytes=2974393-" "bytes 
2974393-5835928/5835929"
    
Best regards,
 Artem                            mailto:darkden@xxxxxxx
...Мы его в кипятке и сварили!