Apache Web Server Forum

.htaccess processing
Question about best method
jlnaman
msg:4546894 9:19 pm on Feb 19, 2013 (gmt 0)

If someone else asked this, just shoot me because I couldn't find it. Given the following skeletal .htaccess, which is the better/best/sane way to code my .htaccess? 1) Deny with rewrite or 2) Deny with authz_host? Thanks!

SetEnvIfNoCase Request_URI robots\.txt$ OKFILE
SetEnvIfNoCase Request_URI (401|403|404)\.php$ OKFILE
#=============
SetEnvIf Remote_Addr ^23\.(19|2[0-3])\. BLOCK
SetEnvIf Remote_Addr ^199\.212\. BLOCK
# ... more ip/UA/etc. tests
#=============
# Always Allow from ME ! (in case I block myself, above)
SetEnvIf Remote_Addr ^xx\.xx\.xx\.xx MYIP
#=====================
# #1 Deny with rewrite_module
#.....................
# Kill bad requests, unless OKFILE or ME
RewriteCond %{ENV:BLOCK} 1
RewriteCond %{ENV:OKFILE} !1
RewriteCond %{ENV:MYIP} !1
RewriteRule ^(.*)$ - [F,L]
#=====================
# #2 Deny with authz_host_module
#.....................
<Files *>
Order deny,allow
Deny from env=BLOCK
Allow from env=OKFILE
Allow from env=MYIP
# No match: Default to second directive: Allowed
# Match both Allow & Deny: Final match controls: Allowed
</Files>
#=====================
# ? Which is Better/Best?
#.....................

lucy24
msg:4546935 11:14 pm on Feb 19, 2013 (gmt 0)

This package
RewriteCond %{ENV:BLOCK} 1
RewriteCond %{ENV:OKFILE} !1
RewriteCond %{ENV:MYIP} !1

Seems awfully redundant. In particular, "BLOCK" and "MYIP" would seem to be mutually exclusive so why check for both?

I would say they are both wrong-- and so is the <Files *> envelope which simply means "The enclosed rule applies to all files", in other words exactly the same as if you didn't have the envelope at all.

Block by whatever means is appropriate. It doesn't have to be one or the other. IP ranges are most efficiently blocked directly in mod_authz where you can say

Deny from {some CIDR range}

Simple user-agents can be listed in mod_setenvif leading to a single

Deny from env=keepaway

This is assuming mod_setenvif executes before mod_authz. Unlike some order-of-modules assumptions, this one appears to be safe even in shared hosting. Conversely I wouldn't make rules based on the assumption that mod_setenvif executes before mod_rewrite, since this is very likely not going to be true.

More complicated combinations such as "anyone from this IP whose user agent is/isn't on the Short List" (such as the plainclothes bingbot) or conversely "anyone professing to be such-and-such but not arriving from appropriate IP" (such as googlebot spoofers) belong in mod_rewrite.

Some categories almost have to be in mod_rewrite-- though it's not 24 hours since I saw an anti-hotlink routine done entirely in mod_setenvif. Followed by mod_authz of course, since mod_setenvif by itself can't issue lockouts.
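The split lucy24 describes, written out as an added .htaccess example that is not code from the thread or from either poster: IP ranges go straight to mod_authz_host in CIDR form, simple user-agents are flagged by mod_setenvif and denied with one Deny from env=, and the IP-plus-user-agent case goes to mod_rewrite reading the request variables directly. The address ranges, user-agent strings, admin address and the 66.249 crawler range are assumed sample values.

```apache
# Constructed example .htaccess (Apache 2.2 syntax), not code from the thread.
# IP ranges, user-agent strings, admin address and crawler range are assumed
# sample values; replace them with your own verified ones.

# --- 1. Plain IP ranges: mod_authz_host handles these directly in CIDR form,
#        no mod_setenvif flag needed. ^23\.(19|2[0-3])\. from the original post
#        is 23.19.0.0/16 plus 23.20.0.0/14 (23.20 through 23.23).
Order Deny,Allow
Deny from 23.19.0.0/16
Deny from 23.20.0.0/14
Deny from 199.212.0.0/16

# --- 2. Simple user-agent tests: mod_setenvif sets one flag, mod_authz_host
#        denies on it with a single directive. mod_setenvif runs before
#        mod_authz_host, so the flag is reliably visible here.
SetEnvIfNoCase User-Agent "libwww-perl" keepaway
SetEnvIfNoCase User-Agent "^Java/" keepaway
Deny from env=keepaway

# --- Exceptions. With Order Deny,Allow the default is allow and a matching
#     Allow overrides any Deny above, so no double-checking of flags is needed.
SetEnvIf Request_URI "^/robots\.txt$" okfile
SetEnvIf Request_URI "^/40[134]\.php$" okfile
Allow from env=okfile
# Admin's own address (placeholder from the RFC 5737 documentation range).
Allow from 192.0.2.10

# --- 3. IP *plus* user-agent combinations: mod_rewrite. Read the raw request
#        variables rather than ENV: flags, because mod_setenvif is not
#        guaranteed to run before mod_rewrite. Example: a request claiming to
#        be Googlebot that does not arrive from the assumed crawler range.
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} Googlebot [NC]
RewriteCond %{REMOTE_ADDR} !^66\.249\.
RewriteRule ^ - [F]
```

Apache does not accept trailing comments on a directive line, so each explanatory comment sits on its own line above the directive it describes.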

jlnaman
msg:4546957 12:43 am on Feb 20, 2013 (gmt 0)

Lucy24, thank you for your response. I was using 1,000 Deny from {some CIDR range}, but I wanted to try to get more flexibility. The redundant "BLOCK" and "MYIP" OUGHT to be mutually exclusive, but I figured it would be safe to double-check. There is a performance penalty. I'll take the MYIP out after testing.
* I wasn't sure if rewrite might execute before or after setenvif and you just taught me to assume the worst (I have moved hosts and they do upgrade).
* You also educated me to divide up Deny ip from UA and other behavior-based testing. Thanks a second million for that one!
Thanks!
