Sean and Doug, thank you both for your replies.
Sadly my Riak nodes are behind a Microsoft TMG firewall/reverse proxy which 
doesn't let me tinker with the incoming headers.
There is a commercial plugin from an unknown third-party to add this (amazing 
and futuristic) functionality but I'm not really wild about that option.
Adding another layer of abstraction (nginx, etc.) is probably preferable, 
although having the referer validation in Riak be configurable would be ideal.

/F
From: Sean Cribbs <s...@basho.com>
Date: Wednesday 15 August 2012 15:56
To: Fredrik Lindström <fredrik.lindst...@qbranch.se>
Cc: riak-users@lists.basho.com
Subject: Re: 403 forbidden from Riak 1.2.0 when referer header is set

Fredrik,

This is intentional -- in 1.2 we added some measures to counteract cross-site 
scripting and request-forgery attacks. For your application, it would be best 
to have a reverse-proxy remove the Referer header (as long as the request is a 
GET to allowed resources, like your images).

On Wed, Aug 15, 2012 at 8:24 AM, Fredrik Lindström 
<fredrik.lindst...@qbranch.se> wrote:
Hi everyone,
One of the things we use Riak for is to serve images straight to the browser 
(obviously via a firewall etc etc). These images are displayed on our webpages 
so when the browser loads the page it will fire off GET requests for the image 
URLs and for good measure it will include a referer header when doing this. 
This works fine in production since we're still on Riak 1.0.2 but our dev and 
stage clusters have been upgraded to 1.2.0 and the story is a bit different 
there.
Riak will respond with 403 Forbidden if the referer header is set, the same is 
also logged in the access.log files.

I found this while digging around:
https://github.com/basho/riak_kv/commit/3cd75e76c20b77dec2be0cb36892f5cc79dbec0b
"Validate that the Referer matches up with scheme, host and port of the machine 
that received the request"

Since the referer (http://mysupderduperwebapp.xyz/snazzypage.html) will not 
match the scheme, host and port of the riak node that received the request no 
image will be served.
Is there any way to configure riak 1.2.0 to allow any referer header value?

/F

_______________________________________________
riak-users mailing list
riak-users@lists.basho.com
http://lists.basho.com/mailman/listinfo/riak-users_lists.basho.com
--
Sean Cribbs <s...@basho.com>
Software Engineer
Basho Technologies, Inc.
http://basho.com/
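To make the two halves of this thread concrete, here is an added illustration (not Riak's own code, nor anything from Basho): a re-implementation of the Referer check the linked commit describes (scheme, host and port of the Referer must equal those of the node that received the request) next to the reverse-proxy rule Sean suggests, which drops the Referer only on GETs to the image bucket. The node URL `http://riak1:8098` and the bucket path `/riak/images/` are assumed placeholders.

```python
from urllib.parse import urlsplit

# Assumed values for the illustration (not from the thread).
RIAK_NODE = "http://riak1:8098"
IMAGE_PREFIX = "/riak/images/"  # bucket that holds the public images


def _origin(url):
    """(scheme, host, effective port) of a URL; default ports filled in."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return (u.scheme, u.hostname, port)


def referer_allowed(referer, node=RIAK_NODE):
    """Mimic the 1.2 check: a Referer is only accepted when its scheme, host
    and port match the receiving node. No Referer at all (curl, a direct
    fetch, or a proxy that stripped it) is accepted, so the check only bites
    on browser-originated requests that name another site."""
    if referer is None:
        return True
    return _origin(referer) == _origin(node)


def proxy_headers(method, path, headers):
    """Reverse-proxy rule: strip Referer only for GETs to the image bucket.
    Everything else keeps its Referer, so writes still get the CSRF check."""
    out = dict(headers)
    if method == "GET" and path.startswith(IMAGE_PREFIX):
        out.pop("Referer", None)
    return out


def riak_status(method, path, headers, via_proxy):
    """Status the Referer check alone would yield: 200 (pass) or 403."""
    if via_proxy:
        headers = proxy_headers(method, path, headers)
    return 200 if referer_allowed(headers.get("Referer")) else 403


if __name__ == "__main__":
    # Constructed request: the browser loading snazzypage.html fetches an image.
    browser = {"Referer": "http://mysupderduperwebapp.xyz/snazzypage.html"}
    print(riak_status("GET", "/riak/images/logo.png", browser, via_proxy=False))  # 403
    print(riak_status("GET", "/riak/images/logo.png", browser, via_proxy=True))   # 200
    print(riak_status("PUT", "/riak/images/logo.png", browser, via_proxy=True))   # 403
```

The PUT case shows why the proxy rule is scoped to GETs: a cross-site write attempt still carries its Referer and is still refused.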
