lucy24 - 9:14 pm on Aug 22, 2012 (gmt 0)
Does blocking an IP in two different ways in htaccess cause a problem or does it matter? Like with deny,allow and RewriteCond.
Only if one of your blocks also prevents the server from displaying your ErrorDocument. (Been there. Done that.) This results in an infinite loop winding up in a 500 error.
If you think about it, low-budget robots are almost bound to be blocked in more than one way. For example, someone claiming to be MSIE 3 referred by a bogus Russian site coming from an IP in the Ukraine is going to run into the full belt-plus-suspenders-plus-trouserbutton combo :)
So each category of blocks needs to come with a separate exemption for the error document. Core-level "Deny from..." directives go with a <Files> or <FilesMatch> to let them see your custom 403. Denials via mod_rewrite similarly need some type of escape clause. You generally don't need to do anything in SetEnvIf, because the module itself isn't issuing the lockout; it's just passing information to the core.
Incidentally, your OP looked familiar to me. It's the same configuration I see in my logs when I'm testing something offline that includes an absolute link to material on my site. So "localhost" as referer isn't intrinsically evil. But the harmless ones will come from a familiar IP.