From: Ian Smith
To: Jeremy Chadwick
Cc: questions@FreeBSD.org
Date: Wed, 5 Nov 2008 20:24:16 +1100 (EST)
Subject: Re: Apache environment variables - logical AND

On Tue, 4 Nov 2008, Jeremy Chadwick wrote:
> On Wed, Nov 05, 2008 at 05:33:45PM +1100, Ian Smith wrote:
> > I know this isn't FreeBSD specific - but I am, so crave your indulgence.
> >
> > Running Apache 1.3.27, using a fairly extensive access.conf to beat off
> > the most rapacious robots and such, using mostly BrowserMatch[NoCase]
> > and SetEnvIf to moderate access to several virtual hosts. No problem.
> >
> > OR conditions are of course straightforward:
> >
> > SetEnvIf somevar
> > SetEnvIf somevar
> > SetEnvIf !somevar
> >
> > What I can't figure out is how to set a variable3 if and only if both
> > variable1 AND variable2 are set. Eg:
> >
> > SetEnvIf Referer "^$" no_referer
> > SetEnvIf User-Agent "^$" no_browser
> >
> > I want the equivalent for this (invalid and totally fanciful) match:
> >
> > SetEnvIf (no_browser AND no_referer) go_away
>
> Sounds like a job for mod_rewrite. The SetEnvIf stuff is such a hack.

It may be a hack, but I've found it an extremely useful one so far.

> This is what we use on our production servers (snipped to keep it
> short):
>
> RewriteEngine on
> RewriteCond %{HTTP_REFERER} ^XXXX: [OR]
> RewriteCond %{HTTP_REFERER} ^http://forums.somethingawful.com/ [OR]
> RewriteCond %{HTTP_REFERER} ^http://forums.fark.com/ [OR]
> RewriteCond %{HTTP_USER_AGENT} ^Alexibot [OR]
> RewriteCond %{HTTP_USER_AGENT} ^asterias [OR]
> RewriteCond %{HTTP_USER_AGENT} ^BackDoorBot [OR]
> RewriteCond %{HTTP_USER_AGENT} ^Black.Hole [NC,OR]
> RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
> RewriteCond %{HTTP_USER_AGENT} ^Xaldon.WebSpider
> RewriteRule ^.* - [F,L]
>
> You need to keep something in mind however: blocking by user agent is
> basically worthless these days. Most "leeching" tools now let you
> spoof the user agent to show up as Internet Explorer, essentially
> defeating the checks.

While that's true, I've found most of the more troublesome robots are
too proud of their 'brand' to spoof user agent, and those that do are
a) often consistent enough in their Remote_Addr to exclude by subnet
and/or b) often make obvious errors in spoofed User_Agent strings ..
especially those pretending to be some variant of MSIE :)

> If you're that concerned about bandwidth (which is why a lot of people
> do the above), consider rate-limiting. It's really, quite honestly, the
> only method that is fail-safe.

Thanks Jeremy.
Certainly time to take the time to have another look at mod_rewrite,
especially regarding redirection, alternative pages etc, but I still
tend to glaze over about halfway through all that section.

And unless I've completely missed it, your examples don't address my
question, being how to AND two or more conditions in a particular test?

If I really can't do this with mod_setenvif I'll have to take that time.

cheers, Ian
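
An added example, not part of the original thread and not either poster's configuration: two ways to express the AND asked about above. Option 1 assumes mod_setenvif can test variables set by earlier SetEnvIf directives (documented as available from Apache 1.3.7) and that an unset variable is matched as an empty string; Option 2 relies on mod_rewrite ANDing consecutive RewriteCond lines that carry no [OR] flag. The variable names come from the question; the Order/Allow/Deny policy is illustrative.

```apache
# --- Option 1: mod_setenvif only ---
# Each flag is set (value "1") when its header is absent or empty.
SetEnvIf Referer    "^$" no_referer
SetEnvIf User-Agent "^$" no_browser

# AND in two steps: raise go_away on the first flag, then withdraw it
# again when the second flag was never set (unset compares as "").
SetEnvIf no_referer "^1$" go_away
SetEnvIf no_browser "^$"  !go_away

# Place inside the relevant Directory block or .htaccess:
Order Allow,Deny
Allow from all
Deny from env=go_away

# --- Option 2: mod_rewrite ---
# RewriteCond lines without [OR] are ANDed, so the rule fires only
# when both the Referer and the User-Agent are empty.
RewriteEngine on
RewriteCond %{HTTP_REFERER}    ^$
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule ^.* - [F,L]
```

The order of the SetEnvIf lines matters in Option 1: the directive that unsets go_away has to come after the one that sets it.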