blocking a referrer

Forum Moderators: phranque

Message Too Old, No Replies

blocking a referrer

Nothing is working

crobb305

6:18 pm on Dec 21, 2014 (gmt 0)

I am trying my best to block an annoying referrer. I've tried blocking the IP, the CIDR, and the domain using htaccess.

The referrer looks like this:

http://make-money-online.example.com/money.php?u=http://example.net

I have tried:

deny from IP
deny from CIDR

and

RewriteEngine on
# Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} example\.com [NC]
RewriteRule .* - [F]

Any suggestions?

Thanks!

[edited by: phranque at 10:02 pm (utc) on Dec 21, 2014]
[edit reason] exemplified domains [/edit]

wilderness

6:21 pm on Dec 21, 2014 (gmt 0)

SetEnvIf Referer money keep_out

BTW, there was a recent thread (even more than one) discussing the 'buttons' and 'semalt' refers.

The same solutions are applicable to the 'money' refer.

wilderness

6:45 pm on Dec 21, 2014 (gmt 0)

in fact, the thread immediately below (Blocking visitors) this one offers your example and solution

lucy24

8:16 pm on Dec 21, 2014 (gmt 0)

SetEnvIf Referer money keep_out

LOL. If your site involves anything other than, perhaps, banking services, this generic rule is pretty close to a One Size Fits All.

crobb305

1:54 am on Dec 22, 2014 (gmt 0)

SetEnvIf Referer money keep_out

LOL. If your site involves anything other than, perhaps, banking services, this generic rule is pretty close to a One Size Fits All.

haha. yeah, I think it will work well. It's not a banking-services website (in fact, it's a science website), so this should work perfectly.

I appreciate the help with it.

lucy24

4:54 am on Dec 22, 2014 (gmt 0)

Oh, oops, for the benefit of people coming along later and reading the thread and saying "Huh what?"

The mod_setenvif line

SetEnvIf Referer money keep_out

has no effect by itself. It works in conjunction with the mod_authzthingamajig line

Deny from env=keep_out

crobb305

11:28 pm on Dec 22, 2014 (gmt 0)

The mod_setenvif line
SetEnvIf Referer money keep_out
has no effect by itself. It works in conjunction with the mod_authzthingamajig line
Deny from env=keep_out

Lucy, do you mean that the "deny" line should follow immediately below the setenvif line, as in:

SetEnvIf Referer money keep_out
Deny from env=keep_out

lucy24

1:25 am on Dec 23, 2014 (gmt 0)

The "Deny from..." line doesn't have to come immediately after, before, or in any other particular location relative to the SetEnvIf line. They're separate and unrelated modules. But you can be confident that mod_setenvif executes before mod_authzzzz and that's all that matters.

What you're doing is attaching an environmental variable to the request; in this discussion we're giving it the name "keep_out". (Apache docs sometimes use "bad_bot". Use any name you like.) And then later, when the request reaches the Allow/Deny phase, you say "Deny any request that includes such-and-such environmental variable".

In the course of this discussion I re-checked the docs. For your basic Allow or Deny directives you can't say anything about the particular value of the environmental variable. You can only check whether it exists or doesn't exist.