403 forbidden from Riak 1.2.0 when referer header is set

Fredrik Lindström Fredrik.Lindstrom at qbranch.se
Wed Aug 15 09:46:42 EDT 2012


Curl repro for clarity

200 OK
curl -v --referer http://riaknode:8098/ http://riaknode:8098/riak

403 Forbidden
curl -v --referer http://flashystartup.com/ http://riaknode:8098/riak

Both return 200 OK on Riak 1.0.2

/F

From: Fredrik Lindström <fredrik.lindstrom at qbranch.se>
Date: Wednesday 15 August 2012 14:24
To: "riak-users at lists.basho.com" <riak-users at lists.basho.com>
Subject: 403 forbidden from Riak 1.2.0 when referer header is set

Hi everyone,
One of the things we use Riak for is to serve images straight to the browser (obviously via a firewall etc.). These images are displayed on our web pages, so when the browser loads the page it will fire off GET requests for the image URLs and, for good measure, it will include a Referer header when doing this. This works fine in production since we're still on Riak 1.0.2, but our dev and stage clusters have been upgraded to 1.2.0 and the story is a bit different there.
Riak will respond with 403 Forbidden if the referer header is set, the same is also logged in the access.log files.

I found this while digging around:
https://github.com/basho/riak_kv/commit/3cd75e76c20b77dec2be0cb36892f5cc79dbec0b
"Validate that the Referer matches up with scheme, host and port of the machine that received the request"

Since the referer (http://mysupderduperwebapp.xyz/snazzypage.html) will not match the scheme, host and port of the riak node that received the request no image will be served.
Is there any way to configure riak 1.2.0 to allow any referer header value?

/F
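The check described by the quoted commit message (Referer must match the scheme, host and port of the receiving node), written out as an added Python illustration so the two curl results above can be reproduced offline. This is not Riak's own code; it assumes that a request with no Referer is served, that missing ports default to 80/443, and that an unparseable Referer is denied.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def referer_allowed(referer, scheme, host, port):
    """Return True when the Referer's origin equals the receiving node's origin.

    Assumption (not stated on the list): no Referer at all is allowed, since the
    post only reports 403s when the header is present.
    """
    if referer is None:
        return True
    try:
        parts = urlsplit(referer)
        ref_port = parts.port  # ValueError on a non-numeric port
    except ValueError:
        return False  # malformed Referer: deny rather than guess
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return False  # non-HTTP scheme or no host component: deny
    if ref_port is None:
        ref_port = DEFAULT_PORTS[parts.scheme]
    # Compare the origin triple; hostnames are compared case-insensitively.
    return (parts.scheme, parts.hostname.lower(), ref_port) == (
        scheme, host.lower(), port)


def status_for(referer, scheme="http", host="riaknode", port=8098):
    """HTTP status a node listening on scheme://host:port would return."""
    return 200 if referer_allowed(referer, scheme, host, port) else 403


if __name__ == "__main__":
    # Constructed inputs mirroring the curl reproduction from the post.
    for ref in ("http://riaknode:8098/", "http://flashystartup.com/", None,
                "http://riaknode/", "https://riaknode:8098/"):
        print(f"Referer={ref!r:32} -> {status_for(ref)}")
```

Note that a same-host Referer on a different port or scheme is also rejected, which is why a web application fronting Riak on another origin sees 403 for every image request that carries the header.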