XF 2.2 When a Guzzle request is made is "referer" included in the headers?

Kevin

Well-known member
I'm running into a scenario where I think the issue may be that the when XF makes a call to an outbound file (such as to proxy images) that the Guzzle request is not including a referer value in the header. Should it be? If not, is there any way of getting it to include it (like an entry in config 🤔)?

The slightly longer explanation of what I'm doing is that I'm testing the current version of XF using the Amazon S3 add-on for file storage with Amazon CloudFront distributions pointing to the S3 buckets and would like to use WAF to whitelist my own domains and block the rest of the traffic. Sounds good in theory. It works for images that are (a) within the same domain and it works on (b) a second domain pointing to a file on the first domain if the image proxy is turned off but if (c) the image proxy is turned on then the image is shown in the editor with the [img] tags pointing to the remote site and when the post is saved then the post being shown with the proxy image URL for the image doesn't work. Based on those results it would seem to indicate to me that the WAF rule is seeing the referer value as expected in results A & B but is not finding a referer value in result C.

EDIT: Should mention, using curl to test the WAF rules I can simulate making a request with a whitelisted referer and without, both work as expected. It's only requests from within XF, such as the proxy images, that are failing.
 
Last edited:
Thinking about this more, instead of adding the referer value to the header, maybe a quick way of adding a custom key-pair to the header and having WAF look for that? 🤔 (eg: my-key: my-key-value)
 
To answer my own question, no.... only a user-agent value is added to the header when doing a Guzzle HTTP request.

Thinking about this more, instead of adding the referer value to the header, maybe a quick way of adding a custom key-pair to the header and having WAF look for that? 🤔 (eg: my-key: my-key-value)
Was easy enough to do but still ended up with hot-linking prevention problem after realizing some images where being displayed on pages and no referer was being added to the header so using the combination of looking for a referer domain and/or a specific key-value pair in the header was failing.
 
Back
Top Bottom