Version: 2.11




The referer-restriction plugin restricts access to a Service or a Route by whitelisting or blacklisting the hostname in the request's Referer header.


| Name | Type | Requirement | Default | Valid | Description |
| --- | --- | --- | --- | --- | --- |
| whitelist | array[string] | optional | | | List of hostnames to whitelist. A hostname may start with * as a wildcard. |
| blacklist | array[string] | optional | | | List of hostnames to blacklist. A hostname may start with * as a wildcard. |
| message | string | optional | Your referer host is not allowed | [1, 1024] | Message returned when access is not allowed. |
| bypass_missing | boolean | optional | false | | Whether to bypass the check when the Referer header is missing or malformed. |

One of whitelist or blacklist must be specified; they cannot be used together. The message can be user-defined.

How To Enable

Create a route or service object and enable the referer-restriction plugin.

curl -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "uri": "/index.html",
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "": 1
        }
    },
    "plugins": {
        "referer-restriction": {
            "bypass_missing": true,
            "whitelist": [
                "",
                "*"
            ]
        }
    }
}'

Test Plugin

Request with a Referer whose host is in the whitelist:

$ curl -H 'Referer:'
HTTP/1.1 200 OK
...

Request with a Referer whose host is not in the whitelist:

$ curl -H 'Referer:'
HTTP/1.1 403 Forbidden
...
{"message":"Your referer host is not allowed"}

Request without a Referer (allowed here because bypass_missing is true):

$ curl
HTTP/1.1 200 OK
...
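
The decision the three requests above exercise can be modelled offline. This is an added example, not the plugin's own code or part of the original page: it assumes a leading * in a pattern matches any prefix (a suffix match on the rest of the pattern), and the example.com names, CONF and SAMPLES are constructed placeholders.

```python
from urllib.parse import urlsplit

DEFAULT_MESSAGE = "Your referer host is not allowed"  # default from the attribute table

def host_matches(host, patterns):
    """Exact match, or suffix match when the pattern starts with '*' (assumed semantics)."""
    host = host.lower()
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("*"):
            if host.endswith(pat[1:]):
                return True
        elif host == pat:
            return True
    return False

def referer_host(referer):
    """Return the hostname of a Referer value, or None if it is missing or malformed."""
    if not referer:
        return None
    try:
        return urlsplit(referer).hostname
    except ValueError:
        return None

def check(referer, conf):
    """Return (status, body) for one request under a referer-restriction config."""
    if ("whitelist" in conf) == ("blacklist" in conf):
        raise ValueError("specify exactly one of whitelist or blacklist")
    host = referer_host(referer)
    if host is None:
        # Missing or malformed Referer: only bypass_missing lets the request through.
        allowed = conf.get("bypass_missing", False)
    elif "whitelist" in conf:
        allowed = host_matches(host, conf["whitelist"])
    else:
        allowed = not host_matches(host, conf["blacklist"])
    if allowed:
        return 200, None
    return 403, {"message": conf.get("message", DEFAULT_MESSAGE)}

# Constructed sample config and Referer values (placeholders, not from the page).
CONF = {"bypass_missing": True, "whitelist": ["example.com", "*.example.com"]}
SAMPLES = ["http://example.com/x", "http://a.example.com/x",
           "http://example.org/x", None, "not a url"]

if __name__ == "__main__":
    for ref in SAMPLES:
        print(repr(ref), "->", check(ref, CONF))
```

Under the suffix-match assumption, a wildcard written without the dot, such as *example.com, also matches otherexample.com, so wildcard entries should be written as *.example.com.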

Disable Plugin

To disable the referer-restriction plugin, delete the corresponding JSON configuration from the plugin configuration. There is no need to restart the service; the change takes effect immediately:

$ curl -H 'X-API-KEY: edd1c9f034335f136f87ad84b625c8f1' -X PUT -d '
{
    "uri": "/index.html",
    "plugins": {},
    "upstream": {
        "type": "roundrobin",
        "nodes": {
            "": 1
        }
    }
}'

The referer-restriction plugin is now disabled. The same method works for other plugins.