Issue Nginx allow referer

[trensco]

Hello,

an external Website (iframe on my website) triggers with button click a certain URL in my CMS like "dev.my domain.com/index.php?id=123". Its a GET request. The problem is that I got an nginx error 500. If I run this URL "dev.my domain.com/index.php?id=123" straight on my server without a referer (without using that iframe button) its working (code 200).

So I'm assuming that nginx got some problem with the referer and dont let it trough.

This is the header request:

:authority: dev.mydomain.com
:method: GET
:path: /index.php?id=123
:scheme: https
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
accept-encoding: gzip, deflate, br
accept-language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
authorization: Basic ZGV2OjEyMzQ1Ng==
referer: https://paketshop.myhermes.de/
sec-ch-ua: "Google Chrome";v="89", "Chromium";v="89", ";Not A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-fetch-dest: iframe
sec-fetch-mode: navigate
sec-fetch-site: cross-site
upgrade-insecure-requests: 1
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36

So what is the best way to allow nginx to access this url/file from a different referer?

I tried things like:

add_header 'Access-Control-Allow-Origin' 'https://myhermes.de';

valid_referers none blocked server_names *.myhermes.de/;
if ($invalid_referer) {
    return 403;
}

Would be nice if somebody can help

nginx/1.16.1

 

[trensco]

Just foud out this only happens in Chromium browsers like chrome, opera ... Seems like this is a browser issue ?! I Need to investigate.

 

[mow]

Are you sure it is nginx that has a problem?
Might also be that the backend has a problem with some headers/cookies, and then nginx returns 500 for backend fetch failure.

 

[trensco]

You are right. It was a cookie problem. All Chromium based browsers require the SameSite attribute for cross-site cookies.

SameSite:None