Today, I will show you how to stop referral spam with simple nginx directives that return a 403 Forbidden HTTP status code when a request carries a troublesome referer hostname.

First step

Create the referer blacklist configuration file /etc/nginx/referer_blacklist.conf. It defines the void_referer variable, whose value depends on the provided HTTP referer.

Note that the void_referer variable is evaluated only when it is used, so even a large list of blocked referer domains adds no cost to requests handled by server blocks that do not reference it.

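map $http_referer $void_referer {
  # the referer is allowed unless one of the patterns below matches
  default                    0;
  # "~*" marks a case-insensitive regular expression
  "~*.example\.com"          1;
  "~*.example\.org"          1;
}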

The regular expression is case-insensitive (~*) and will match hostnames like, and
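
The map entries above are unanchored regular expressions tested against the whole Referer header value, not only its hostname. The following added example (not part of the original post) emulates the map lookup in Python, with the re module standing in for nginx's PCRE, over constructed Referer values; the host-anchored patterns are an assumption shown for comparison.

```python
import re

# The two regex entries from the page's map block (the part after "~*").
PAGE_PATTERNS = [r".example\.com", r".example\.org"]

# Assumption (not from the page): stricter variants anchored to the URL's host part.
ANCHORED_PATTERNS = [
    r"^https?://([^/]+\.)?example\.com(:\d+)?(/|$)",
    r"^https?://([^/]+\.)?example\.org(:\d+)?(/|$)",
]


def void_referer(referer, patterns):
    """Emulate `map $http_referer $void_referer`: regex entries are tried in
    order of appearance, "~*" means case-insensitive, otherwise `default 0`."""
    for pattern in patterns:
        if re.search(pattern, referer, re.IGNORECASE):
            return 1
    return 0


# Constructed sample Referer values (an absent header is the empty string).
SAMPLES = [
    "",
    "https://www.example.com/landing",
    "http://EXAMPLE.ORG/",
    "https://myexample.com/",                  # different domain, same suffix
    "https://search.test/?q=www.example.com",  # blocked name only in the query
    "https://partner.test/page",
]


def compare(samples=SAMPLES):
    """Return (referer, page_result, anchored_result) for each sample."""
    return [
        (r, void_referer(r, PAGE_PATTERNS), void_referer(r, ANCHORED_PATTERNS))
        for r in samples
    ]


if __name__ == "__main__":
    for referer, page, anchored in compare():
        verdict = lambda v: "403" if v else "pass"
        print(f"{referer!r:45} page={verdict(page)} anchored={verdict(anchored)}")
```

The last three samples show where the two pattern sets differ: the page's patterns also return 1 for an unrelated domain ending in the blocked name and for a blocked name that appears only in the query string.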

Second step

Include the blacklist in the main http block so it can be used in every protected server block.

http {
  # ...

  # void_referer
  include referer_blacklist.conf;

  # ...
}

Third step

Include referer validation in each server block you want to protect – return the 403 Forbidden HTTP status code if the referer matches.

server {
  # ...

  # reject requests whose referer matched the blacklist
  if ($void_referer) {
    return 403;
  }

  # ...
}

Fourth step

Reload nginx configuration.

$ sudo systemctl reload nginx

Fifth step

Verify HTTP status codes for common scenarios.

$ curl -s -o /dev/null -I -w "%{http_code}\n"
$ curl -s -o /dev/null -I -w "%{http_code}\n" --referer
$ curl -s -o /dev/null -I -w "%{http_code}\n" --referer


Nginx map and referer modules.

Additional information

Alternatively, you can save the blacklist file inside the /etc/nginx/conf.d/ directory, as it is used to store global configuration directives in the default setup.