blob: 24cb17b8f5a3682948e40b549229d734b6525af1 [file] [log] [blame] [view]
---
title: referer-restriction
keywords:
- Apache APISIX
- API Gateway
- Referer restriction
description: This document contains information about the Apache APISIX referer-restriction Plugin, which can be used to restrict access to a Service or a Route by whitelisting/blacklisting the Referer request header.
---
<!--
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
-->
## Description
The `referer-restriction` Plugin can be used to restrict access to a Service or a Route by whitelisting/blacklisting the `Referer` request header.
## Attributes
| Name | Type | Required | Default | Valid values | Description |
|----------------|---------------|----------|----------------------------------|--------------|---------------------------------------------------------------------------------------------------|
| whitelist | array[string] | False | | | List of hostnames to whitelist. A hostname can start with `*` for wildcard. |
| blacklist | array[string] | False | | | List of hostnames to blacklist. A hostname can start with `*` for wildcard. |
| message | string | False | "Your referer host is not allowed" | [1, 1024] | Message returned when access is not allowed. |
| bypass_missing | boolean | False | false | | When set to `true`, bypasses the check when the `Referer` request header is missing or malformed. |
:::info IMPORTANT
Only one of `whitelist` or `blacklist` attribute must be specified. They cannot work together.
:::
## Enable Plugin
You can enable the Plugin on a specific Route or a Service as shown below:
:::note
You can fetch the `admin_key` from `config.yaml` and save to an environment variable with the following command:
```bash
admin_key=$(yq '.deployment.admin.admin_key[0].key' conf/config.yaml | sed 's/"//g')
```
:::
```shell
curl http://127.0.0.1:9180/apisix/admin/routes/1 -H "X-API-KEY: $admin_key" -X PUT -d '
{
"uri": "/index.html",
"upstream": {
"type": "roundrobin",
"nodes": {
"127.0.0.1:1980": 1
}
},
"plugins": {
"referer-restriction": {
"bypass_missing": true,
"whitelist": [
"xx.com",
"*.xx.com"
]
}
}
}'
```
## Example usage
Once you have configured the Plugin as shown above, you can test it by setting `Referer: http://xx.com/x`:
```shell
curl http://127.0.0.1:9080/index.html -H 'Referer: http://xx.com/x'
```
```shell
HTTP/1.1 200 OK
...
```
Now, if you make a request with `Referer: http://yy.com/x`, the request will be blocked:
```shell
curl http://127.0.0.1:9080/index.html -H 'Referer: http://yy.com/x'
```
```shell
HTTP/1.1 403 Forbidden
...
{"message":"Your referer host is not allowed"}
```
Since we have set `bypass_missing` to `true`, a request without the `Referer` header will be successful as the check is skipped:
```shell
curl http://127.0.0.1:9080/index.html
```
```shell
HTTP/1.1 200 OK
...
```
## Delete Plugin
To remove the `referer-restriction` Plugin, you can delete the corresponding JSON configuration from the Plugin configuration. APISIX will automatically reload and you do not have to restart for this to take effect.
```shell
curl http://127.0.0.1:9180/apisix/admin/routes/1 -H "X-API-KEY: $admin_key" -X PUT -d '
{
"uri": "/index.html",
"plugins": {},
"upstream": {
"type": "roundrobin",
"nodes": {
"127.0.0.1:1980": 1
}
}
}'
```