.htaccess site blocking code doesn't work for me

Forum Moderators: phranque

Message Too Old, No Replies

.htaccess site blocking code doesn't work for me

bouncybunny

11:41 am on Aug 12, 2006 (gmt 0)

I put this into my .htacces file. Unfortunately it seems to block access to all sites, rather than just the ones specified. Any help, much appreciated.

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{HTTP_REFERER} site1\.com [NC,OR]
RewriteCond %{HTTP_REFERER} site2\.co.uk [NC,OR]
RewriteCond %{HTTP_REFERER} site3\.com [NC,OR]
RewriteCond %{HTTP_REFERER} site4\.info [NC,OR]
RewriteCond %{HTTP_REFERER} site5\.com [NC,OR]
RewriteCond %{HTTP_REFERER} site6\.net [NC,OR]
RewriteRule .* - [F]

jdMorgan

4:14 pm on Aug 12, 2006 (gmt 0)

Remove the [OR] flag from your last RewriteCond -- It is invalid there, and will disable the entire rule.

Also, be aware that if you use a custom 403 ErrorDocument, you will need to add a RewriteCond to this ruleset to *allow* it to be served. Otherwise, you will get an error loop when a request is received from a forbidden referrer.

Jim

bouncybunny

3:27 am on Aug 14, 2006 (gmt 0)

Thanks Jim

You're a star.

> Also, be aware that if you use a custom 403 ErrorDocument, you will need to add a RewriteCond to this ruleset to *allow* it to be served. Otherwise, you will get an error loop when a request is received from a forbidden referrer.

I was hoping to use a custom error document, and this has indeed stopped working. Would you mind expanding on how I can add a "RewriteCond" (I'm still very much learning this stuff). I enabled the custom error document via CPanel, will this do the trick, or do I need to do something else?

Thanks.

jdMorgan

3:52 am on Aug 14, 2006 (gmt 0)

If you test this --say, by adding the URL of a page of your own site as a 'forbidden referer-- you may find that any request from a forbidden referer results in an 'infinite' loop:

The request is attempted, but denied based on ther referrer.

As a result, the server attempts to serve the custom 403 error document with a 403-Forbidden status.

The request for the errordocument request is then also denied because the referrer is unchanged.

As a result, the server attempts to serve the custom 403 error document with a 403-Forbidden status.

The request for the errordocument is again denied.
-and so forth-

The end result is likely to be a 500-Server Error status returned to the requestor, instead of the intended 403-Forbidden.

If this is the case, the cure is to add a RewriteCond with a negative match on the URL-path of the custom error document:


RewriteCond %{REQUEST_URI} !^/custom_403_page_path

Alternatively, you can change the rule itself:


RewriteRule !^custom_403_page_path$ - [F]

Just bear in mind that you may also want to make the same provision for all custom error documents, such as those for 401, 403, 404, 410, 500, etc. In that case, the RewriteCond approach tends to be easier to maintain.

Keep your error documents simple and free of dependencies on images, external scripts or CSS files, etc. If your error document has such dependencies, you will need to make similar provisions to allow them to be accessed by denied referrers as well. This complicates things, and you end up allowing these denied referrers to access many of your site's resources after all... This rather defeats the purpose of denying them access in the first place. The more critical the error, the fewer dependencies the error document should have -- I suggest a plain static HTML page with no images, external stylesheets, or included scripts for 500-Server Error and for 403-Forbidden error documents -- simple is good.

For background information, see the documents cited in our forum charter [webmasterworld.com] and the tutorials in the Apache forum section of the WebmasterWorld library [webmasterworld.com].

Jim

bouncybunny

4:41 pm on Aug 14, 2006 (gmt 0)

Thanks Jim.

I generally plan to make the 403 page look like a 404 page. OK, it's not going to fool an experienced webmaster, but it's useful for putting off the casual annoying forum troll and the effect on unwanted bots and the like is the same.

Thanks again for the help.