From: Jeremy Chadwick
To: Ian Smith
Cc: questions@freebsd.org
Date: Tue, 4 Nov 2008 23:27:52 -0800
Subject: Re: Apache environment variables - logical AND

On Wed, Nov 05, 2008 at 05:33:45PM +1100, Ian Smith wrote:
> I know this isn't FreeBSD specific - but I am, so crave your indulgence.
>
> Running Apache 1.3.27, using a fairly extensive access.conf to beat off
> the most rapacious robots and such, using mostly BrowserMatch[NoCase]
> and SetEnvIf to moderate access to several virtual hosts. No problem.
>
> OR conditions are of course straightforward:
>
>   SetEnvIf somevar
>   SetEnvIf somevar
>   SetEnvIf !somevar
>
> What I can't figure out is how to set a variable3 if and only if both
> variable1 AND variable2 are set. Eg:
>
>   SetEnvIf Referer "^$" no_referer
>   SetEnvIf User-Agent "^$" no_browser
>
> I want the equivalent for this (invalid and totally fanciful) match:
>
>   SetEnvIf (no_browser AND no_referer) go_away

Sounds like a job for mod_rewrite. The SetEnvIf stuff is such a hack.

This is what we use on our production servers (snipped to keep it
short):

  RewriteEngine on
  RewriteCond %{HTTP_REFERER} ^XXXX: [OR]
  RewriteCond %{HTTP_REFERER} ^http://forums.somethingawful.com/ [OR]
  RewriteCond %{HTTP_REFERER} ^http://forums.fark.com/ [OR]
  RewriteCond %{HTTP_USER_AGENT} ^Alexibot [OR]
  RewriteCond %{HTTP_USER_AGENT} ^asterias [OR]
  RewriteCond %{HTTP_USER_AGENT} ^BackDoorBot [OR]
  RewriteCond %{HTTP_USER_AGENT} ^Black.Hole [NC,OR]
  RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
  RewriteCond %{HTTP_USER_AGENT} ^Xaldon.WebSpider
  RewriteRule ^.* - [F,L]

You need to keep something in mind however: blocking by user agent is
basically worthless these days. Most "leeching" tools now let you spoof
the user agent to show up as Internet Explorer, essentially defeating
the checks.

If you're that concerned about bandwidth (which is why a lot of people
do the above), consider rate-limiting. It's really, quite honestly, the
only method that is fail-safe.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
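
Added example, not part of the original message or the poster's production configuration: the logical AND asked about in the quoted question, written with mod_rewrite as the reply suggests. The variable name go_away comes from the question; the directory path is a placeholder, and server or virtual-host context is assumed.

```apache
# Added illustration, not from the thread. Server or <VirtualHost> context.
RewriteEngine on

# Consecutive RewriteCond lines with no [OR] flag are ANDed together.
# A missing header expands to the empty string, so ^$ matches it.
RewriteCond %{HTTP_REFERER}    ^$
RewriteCond %{HTTP_USER_AGENT} ^$
# "-" leaves the URL untouched; E= only sets the environment variable.
RewriteRule ^.* - [E=go_away:1]

# /path/to/docroot is a placeholder for the real document root.
<Directory "/path/to/docroot">
    Order Allow,Deny
    Allow from all
    Deny from env=go_away
</Directory>
```

Replacing the E= flag with [F,L], as in the rule set quoted in the message, rejects the request directly without going through an environment variable.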