There is an iframe page site.ru/embed/12345 with a player, which is designed to insert the player on other sites.

How to block access to this page on the site, but to allow, if the page is inserted into other sites?

Registered rewrite ^/embed/([0-9]+)$ /embed.php?v=$1 last;

  • Please describe what the differences between these two states are from the point of view of an abstract http-server, and someone will tell you how to implement it in concrete (nginx). To correct the question text, click edit below the question text. - aleksandr barakin pm

2 answers 2

You can configure permissions in location

For example:

 location /embed/([0-9]+)$ { deny 192.168.1.0/32; # IP или подсеть, для которых хотим запретить доступ allow all; # разрешаем всем остальным rewrite ^/embed/([0-9]+)$ /embed.php?v=$1 last; }
  • and how it affects frames? - aleksandr barakin
  • no way. nginx can restrict access only by headers and metadata, it cannot parse html. If your page is loaded separately from the main document, then everything will be ok. If you want to remove the iframe tag from html - use other tools. The easiest and the wrong one is to copy this page without iframe and nginx to revite it - bmsdave
  • No way - that is, do you understand that your “answer” is not a complete answer to the question? - aleksandr barakin
  • @alexanderbarakin, I agree. hurried with the answer. If there is a clarification of the question - I will correct the answer. If not - delete. - bmsdave

as far as I understand, it is impossible to determine that the html-code that accesses your site is in the iframe .

in part, you can only rely on the presence of the referer http-header , although it is most likely not difficult to substitute any when addressing even without any iframes .

manipulations with this header are repeatedly described on the Internet (search query: "nginx http_referer"). for example, you can use the http_referer module or directly use the $http_referer variable ( example ).