Skip to main content
Version: 2.13

referer-restriction

Description#

The referer-restriction can restrict access to a Service or a Route by whitelisting/blacklisting request header Referrers.

Attributes#

NameTypeRequirementDefaultValidDescription
whitelistarray[string]optionalList of hostname to whitelist. The hostname can be started with * as a wildcard
blacklistarray[string]optionalList of hostname to blacklist. The hostname can be started with * as a wildcard
messagestringoptionalYour referer host is not allowed[1, 1024]Message returned in case access is not allowed.
bypass_missingbooleanoptionalfalseWhether to bypass the check when the Referer header is missing or malformed

One of whitelist or blacklist must be specified, and they can not work together. The message can be user-defined.

How To Enable#

Creates a route or service object, and enable plugin referer-restriction.

curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
"uri": "/index.html",
"upstream": {
"type": "roundrobin",
"nodes": {
"127.0.0.1:1980": 1
}
},
"plugins": {
"referer-restriction": {
"bypass_missing": true,
"whitelist": [
"xx.com",
"*.xx.com"
]
}
}
}'

Test Plugin#

Request with Referer: http://xx.com/x:

$ curl http://127.0.0.1:9080/index.html -H 'Referer: http://xx.com/x'
HTTP/1.1 200 OK
...

Request with Referer: http://yy.com/x:

$ curl http://127.0.0.1:9080/index.html -H 'Referer: http://yy.com/x'
HTTP/1.1 403 Forbidden
...
{"message":"Your referer host is not allowed"}

Request without Referer:

$ curl http://127.0.0.1:9080/index.html
HTTP/1.1 200 OK
...

Disable Plugin#

When you want to disable the referer-restriction plugin, it is very simple, you can delete the corresponding json configuration in the plugin configuration, no need to restart the service, it will take effect immediately:

$ curl http://127.0.0.1:9080/apisix/admin/routes/1 -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
"uri": "/index.html",
"plugins": {},
"upstream": {
"type": "roundrobin",
"nodes": {
"127.0.0.1:1980": 1
}
}
}'

The referer-restriction plugin has been disabled now. It works for other plugins.