Access control: skip the rules if referer is.

flapane

3:33 pm on Nov 2, 2014 (gmt 0)

I have valid reasons for blocking all the traffic coming from certain IP ranges.
So, we have this in .htaccess:
order allow,deny
allow from all
deny from xx.xx.xx.xx
deny from yy.yy.yy.yy


Also, I use the <FilesMatch> directive for delivering error pages and robots.txt:
<FilesMatch "(^403\.shtml$|^410\.shtml$|^robots\.txt$)">
Order Allow,Deny
Allow from all
</FilesMatch>


Sometimes there's relevant traffic coming from the blocked IPs, only if the referer is a known one.
I wonder if it's possible to allow such traffic and skip the Access Control rules. Unfortunately, it seems that no <ReferersMatch> directive exists, and I can't figure out how to achieve it via setenvIf.

Thanks in advance.

wilderness

4:50 pm on Nov 2, 2014 (gmt 0)

use mod_rewrite and the except (!) condition.

flapane

5:38 pm on Nov 2, 2014 (gmt 0)

At first I was thinking about using mod_rewrite with the except condition.
However, I wonder if it requires that I use
RewriteCond %{REMOTE_ADDR}
instead of
order allow,deny
allow from all
deny from xx.xx.xx.xx
deny from yy.yy.yy.yy

for blocking IPs, or if I'm missing something?

Thanks

wilderness

6:30 pm on Nov 2, 2014 (gmt 0)

I'm missing something?


Definitely.

See if you're able to accomplish this in mod_access? In just three lines and two IP references.

RewriteCond %{REMOTE_ADDR} ^123\.
RewriteCond %{REMOTE_ADDR} !^123\.456\.789\.
RewriteRule .* - [F]

Sometimes there's relevant traffic coming from the blocked IPs, only if the referer is a known one.


You may even add another line (exception) using the referer condition.

flapane

6:38 pm on Nov 2, 2014 (gmt 0)

So as I thought, I have to switch from allow/deny directives to RewriteCond %{REMOTE_ADDR}.
It'll be a few clicks in a good text editor, but it looks like it's the only way to do what I need (even if there are some 4k lines of IP addresses).
edit: Ouch, I'd better find a CIDR->regex batch converter.
edit2: here's a good one: [gist.github.com...]

penders

7:47 pm on Nov 2, 2014 (gmt 0)

See if you're able to accomplish this in mod_access?


Shouldn't that be mod_rewrite?

flapane

7:56 pm on Nov 2, 2014 (gmt 0)

I guess that he meant that by using mod_rewrite, you obtain a more compact notation.
I guess it depends on the situation.

lucy24

9:02 pm on Nov 2, 2014 (gmt 0)

Shouldn't that be mod_rewrite?

I think wilderness started out on Apache 1.3, which used mod_access for what is now done by mod_authzwhatsit. So a combination of typo and, er, braino.

flapane, find out what Apache version you are on. There's a prevailing rumor that 2.4 supports CIDR ranges in mod_rewrite. If you can spare your server from having to parse regular expressions (in htaccess, this has to be done every time, not just once at server startup), do so.

If you have a strong reason for avoiding mod_rewrite, for example if your htaccess is shared by multiple sites on the same server, it is probably possible to achieve the same result using mod_setenvif.

You don't need to change all your Allow/Deny directives. Only the ones with the referer exemption, and there probably aren't that many. Just remember that each module issues its own 403. If a request is denied by one mod, no other mod can override the denial.
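The mod_setenvif route mentioned above, written out as an added example that is not from any poster in this thread. It assumes Apache 2.2 with mod_setenvif and mod_authz_host in .htaccess; the 203.0.113.x and 198.51.100.x ranges and example.com are placeholders for the blocked ranges and the trusted referring site.

```apache
# Added example (not from the thread): referer exemption for a blocked range
# using mod_setenvif + mod_authz_host, no mod_rewrite involved.
# Placeholders: 203.0.113.x / 198.51.100.x = blocked ranges, example.com = trusted referer.

# 1. Tag requests whose client address falls in a blocked range.
#    Remote_Addr is matched as a regex, so anchor it and escape the dots.
SetEnvIf Remote_Addr "^203\.0\.113\."  blocked_range
SetEnvIf Remote_Addr "^198\.51\.100\." blocked_range

# 2. Tag requests that arrive with the trusted referer.
#    The Referer header is supplied by the client and is trivially forged,
#    so this exemption is a convenience for known-good visitors, not a security boundary.
SetEnvIf Referer "^https?://(www\.)?example\.com/" trusted_referer

# 3. Order Deny,Allow: every Deny is evaluated first; a request that matched a Deny
#    is still let through if it also matches an Allow. Requests matching neither
#    get the default for Deny,Allow, which is allow.
Order Deny,Allow
Deny  from env=blocked_range
Allow from env=trusted_referer

# 4. Error pages and robots.txt stay reachable from every address, as in the
#    original configuration, so blocked clients still receive the real 403 page.
<FilesMatch "^(403\.shtml|410\.shtml|robots\.txt)$">
Order Allow,Deny
Allow from all
</FilesMatch>
```

A denial from another module (for example a RewriteRule with [F]) cannot be undone by the Allow above, so keep the blocked ranges in only one of the two mechanisms.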

wilderness

9:08 pm on Nov 2, 2014 (gmt 0)

FWIW, my host is a reseller for a major hosting org.

Apache 2.2.29, and I'd wager that I'll never see 2.4 ;)

flapane

9:21 pm on Nov 2, 2014 (gmt 0)

Apache/2 here.
No luck... what a pity. :(

I'll check the server load with and without regular expressions, and will eventually decide whether it's better to change my strategy or not.
I may decide to add just a message on my error403 page, so that "good users" can choose to contact me and do whatever they have to do.

Thanks for your help.