.htaccess processing - Apache Web Server forum at WebmasterWorld - WebmasterWorld

Forum Moderators: phranque

Message Too Old, No Replies

.htaccess processing

Question about best method

jlnaman

9:19 pm on Feb 19, 2013 (gmt 0)

10+ Year Member

If someone else asked this, just shoot me because I couldn't find it. Given the following skeletal .htaccess, which is the better/best/sane way to code my .htaccess? 1) Deny with rewrite or 2) Deny with authz_host? Thanks!

SetEnvIfNoCase Request_URI robots\.txt$ OKFILE
SetEnvIfNoCase Request_URI (401|403|404).php$ OKFILE
#=============
SetEnvIf Remote_Addr ^23\.(19|2[0-3])\. BLOCK
SetEnvIf Remote_Addr ^199\.212\. BLOCK
# ... more ip/UA/etc. tests
#=============
# Always Allow from ME ! (in case I block myself, above)
SetEnvIf Remote_Addr ^xx\.xx\.xx\xx MYIP
#=====================
# #1 Deny with rewrite_module
#.....................
# Kill bad requests, unless OKFILE or ME
RewriteCond %{ENV:BLOCK} 1
RewriteCond %{ENV:OKFILE} !1
RewriteCond %{ENV:MYIP} !1
RewriteRule ^(.*)$ - [F,L]
#=====================
# #2 Deny with authz_host_module
#.....................
<Files *>
Order deny,allow
Deny from env=BLOCK
Allow from env=OKFILE
Allow from env=MYIP
# No match: Default to second directive: Allowed
# Match both Allow & Deny: Final match controls: Allowed
</Files> 
#=====================
# ? Which is Better/Best?
#.....................

lucy24

11:14 pm on Feb 19, 2013 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

This package

RewriteCond %{ENV:BLOCK} 1
RewriteCond %{ENV:OKFILE} !1
RewriteCond %{ENV:MYIP} !1

Seems awfully redundant. In particular, "BLOCK" and "MYIP" would seem to be mutually exclusive so why check for both?

I would say they are both wrong-- and so is the <Files *> envelope which simply means "The enclosed rule applies to all files", in other words exactly the same as if you didn't have the envelope at all.

Block by whatever means is appropriate. It doesn't have to be one or the other. IP ranges are most efficiently blocked directly in mod_authz where you can say

Deny from {some CIDR range}

Simple user-agents can be listed in mod_setenvif leading to a single

Deny from env=keepaway

This is assuming mod_setenvif executes before mod_authz. Unlike some order-of-modules assumptions, this one appears to be safe even in shared hosting. Conversely I wouldn't make rules based on the assumption that mod_setenvif executes before mod_rewrite, since this is very likely not going to be true.

More complicated combinations such as "anyone from this IP whose user agent is/isn't on the Short List" (such as the plainclothes bingbot) or conversely "anyone professing to be such-and-such but not arriving from appropriate IP" (such as googlebot spoofers) belong in mod_rewrite.

Some categories almost have to be in mod_rewrite-- though it's not 24 hours since I saw an anti-hotlink routine done entirely in mod_setenvif. Followed by mod_authz of course, since mod_setenvif by itself can't issue lockouts.

jlnaman

12:43 am on Feb 20, 2013 (gmt 0)

10+ Year Member

Lucy24, Thank you for your response. I was using 1,000 Deny from {some CIDR range}, but I wanted to try to get more flexibility. The redundant "BLOCK" and "MYIP" OUGHT to be mutually exclusive, but I figured it would be safe to double-check. There is a performance penalty. I'll take the MYIP out after testing.
* I wasn't sure if rewrite might execute before or after setenvif and you just taught me to assume the worst (I have moved hosts and they do upgrade).
* You also educated me to divide up Deny ip from UA and other behavior-based testing. Thanks a second million for that one!
Thanks!