
.htaccess processing

Question about best method

9:19 pm on Feb 19, 2013 (gmt 0)

New User

joined:Jan 29, 2013
posts: 29
votes: 0

If someone else asked this, just shoot me because I couldn't find it. Given the following skeletal .htaccess, which is the better/best/sane way to code my .htaccess? 1) Deny with rewrite or 2) Deny with authz_host? Thanks!

SetEnvIfNoCase Request_URI robots\.txt$ OKFILE
SetEnvIfNoCase Request_URI (401|403|404)\.php$ OKFILE
SetEnvIf Remote_Addr ^23\.(19|2[0-3])\. BLOCK
SetEnvIf Remote_Addr ^199\.212\. BLOCK
# ... more ip/UA/etc. tests
# Always Allow from ME ! (in case I block myself, above)
SetEnvIf Remote_Addr ^xx\.xx\.xx\.xx MYIP
# #1 Deny with rewrite_module
# Kill bad requests, unless OKFILE or ME
RewriteEngine On
RewriteCond %{ENV:BLOCK} 1
RewriteCond %{ENV:OKFILE} !1
RewriteCond %{ENV:MYIP} !1
RewriteRule ^(.*)$ - [F,L]
# #2 Deny with authz_host_module
<Files *>
Order deny,allow
Deny from env=BLOCK
Allow from env=OKFILE
Allow from env=MYIP
# No match: Default to second directive: Allowed
# Match both Allow & Deny: Final match controls: Allowed
</Files>
# ? Which is Better/Best?
11:14 pm on Feb 19, 2013 (gmt 0)

Senior Member from US 

lucy24

joined:Apr 9, 2011
votes: 389

This package
RewriteCond %{ENV:BLOCK} 1
RewriteCond %{ENV:OKFILE} !1
RewriteCond %{ENV:MYIP} !1

Seems awfully redundant. In particular, "BLOCK" and "MYIP" would seem to be mutually exclusive so why check for both?

I would say they are both wrong-- and so is the <Files *> envelope which simply means "The enclosed rule applies to all files", in other words exactly the same as if you didn't have the envelope at all.

Block by whatever means is appropriate. It doesn't have to be one or the other. IP ranges are most efficiently blocked directly in mod_authz where you can say

Deny from {some CIDR range}

Simple user-agents can be listed in mod_setenvif leading to a single

Deny from env=keepaway

This is assuming mod_setenvif executes before mod_authz. Unlike some order-of-modules assumptions, this one appears to be safe even in shared hosting. Conversely I wouldn't make rules based on the assumption that mod_setenvif executes before mod_rewrite, since this is very likely not going to be true.

More complicated combinations such as "anyone from this IP whose user agent is/isn't on the Short List" (such as the plainclothes bingbot) or conversely "anyone professing to be such-and-such but not arriving from appropriate IP" (such as googlebot spoofers) belong in mod_rewrite.

Some categories almost have to be in mod_rewrite-- though it's not 24 hours since I saw an anti-hotlink routine done entirely in mod_setenvif. Followed by mod_authz of course, since mod_setenvif by itself can't issue lockouts.
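The three-way split lucy24 describes (plain IP ranges in mod_authz, simple user-agent strings via one mod_setenvif flag, address-plus-UA combinations in mod_rewrite), written out as an added example .htaccess; this is not code from either poster. All IP ranges (RFC 5737 documentation addresses), user-agent strings and the env name are constructed placeholders, and the syntax is the Apache 2.2 style used in the thread.

```apache
# Added example, not the original poster's or lucy24's .htaccess.
# IP ranges, UA strings and the env name are constructed placeholders;
# 192.0.2.0/24 and friends are documentation ranges, not real offenders.
# Apache 2.4 needs mod_access_compat for these Order/Allow/Deny lines.

# --- Simple user-agent strings: mod_setenvif only sets a flag ---
SetEnvIfNoCase User-Agent "ExampleScraper"     keepaway
SetEnvIfNoCase User-Agent "BadBotPlaceholder"  keepaway

# --- Plain IP ranges, plus the flag above: mod_authz issues the 403 ---
# Order Allow,Deny evaluates Allow lines first, then Deny lines, and a
# matching Deny wins, so "Allow from all" + Deny lines is a blocklist.
Order Allow,Deny
Allow from all
Deny from 192.0.2.0/24
Deny from 198.51.100.64/26
Deny from env=keepaway

# Always serve robots.txt: this <Files> section replaces the access
# rules above for that one file (the OKFILE idea without an env var).
<Files "robots.txt">
    Order Allow,Deny
    Allow from all
</Files>

# --- Combinations (UA AND address in one test) belong in mod_rewrite ---
# Tested against the raw request fields rather than %{ENV:...}, since
# mod_setenvif is not guaranteed to have run before mod_rewrite here.
RewriteEngine On

# Claims to be a named crawler but does not arrive from that crawler's
# range (203.0.113.0/24 stands in for the real, verified range).
RewriteCond %{HTTP_USER_AGENT} examplebot [NC]
RewriteCond %{REMOTE_ADDR}     !^203\.0\.113\.
RewriteRule ^ - [F]

# Arrives from the crawler's range but without the crawler's UA
# ("plainclothes" bot): the same two conditions, negated the other way.
RewriteCond %{REMOTE_ADDR}     ^203\.0\.113\.
RewriteCond %{HTTP_USER_AGENT} !examplebot [NC]
RewriteRule ^ - [F]
```

Test each layer separately with curl (a spoofed User-Agent header, a request for robots.txt) and check that the mod_authz layer returns 403 before any RewriteRule is consulted.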
12:43 am on Feb 20, 2013 (gmt 0)

New User

joined:Jan 29, 2013
posts: 29
votes: 0

Lucy24, Thank you for your response. I was using 1,000 Deny from {some CIDR range}, but I wanted to try to get more flexibility. The redundant "BLOCK" and "MYIP" OUGHT to be mutually exclusive, but I figured it would be safe to double-check. There is a performance penalty. I'll take the MYIP out after testing.
* I wasn't sure if rewrite might execute before or after setenvif and you just taught me to assume the worst (I have moved hosts and they do upgrade).
* You also educated me to divide up Deny ip from UA and other behavior-based testing. Thanks a second million for that one!
