Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 5 Nov 2008 20:24:16 +1100 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Jeremy Chadwick <koitsu@FreeBSD.org>
Cc:        questions@FreeBSD.org
Subject:   Re: Apache environment variables - logical AND
Message-ID:  <20081105194002.N70117@sola.nimnet.asn.au>
In-Reply-To: <20081105072752.GA4079@icarus.home.lan>
References:  <20081105170631.O70117@sola.nimnet.asn.au> <20081105072752.GA4079@icarus.home.lan>

next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 4 Nov 2008, Jeremy Chadwick wrote:
 > On Wed, Nov 05, 2008 at 05:33:45PM +1100, Ian Smith wrote:
 > > I know this isn't FreeBSD specific - but I am, so crave your indulgence.
 > > 
 > > Running Apache 1.3.27, using a fairly extensive access.conf to beat off 
 > > the most rapacious robots and such, using mostly BrowserMatch[NoCase] 
 > > and SetEnvIf to moderate access to several virtual hosts.  No problem.
 > > 
 > > OR conditions are of course straighforward:
 > > 
 > >   SetEnvIf <condition1> somevar
 > >   SetEnvIf <condition2> somevar
 > >   SetEnvIf <exception1> !somevar
 > > 
 > > What I can't figure out is how to set a variable3 if and only if both 
 > > variable1 AND variable2 are set.  Eg:
 > > 
 > >   SetEnvIf Referer "^$" no_referer
 > >   SetEnvIf User-Agent "^$" no_browser
 > > 
 > > I want the equivalent for this (invalid and totally fanciful) match: 
 > > 
 > >   SetEnvIf (no_browser AND no_referer) go_away
 > 
 > Sounds like a job for mod_rewrite.  The SetEnvIf stuff is such a hack.

It may be a hack, but I've found it an extremely useful one so far.

 > This is what we use on our production servers (snipped to keep it
 > short):
 > 
 > RewriteEngine on
 > RewriteCond %{HTTP_REFERER} ^XXXX:                      [OR]
 > RewriteCond %{HTTP_REFERER} ^http://forums.somethingawful.com/  [OR]
 > RewriteCond %{HTTP_REFERER} ^http://forums.fark.com/    [OR]
 > RewriteCond %{HTTP_USER_AGENT} ^Alexibot                [OR]
 > RewriteCond %{HTTP_USER_AGENT} ^asterias                [OR]
 > RewriteCond %{HTTP_USER_AGENT} ^BackDoorBot             [OR]
 > RewriteCond %{HTTP_USER_AGENT} ^Black.Hole              [NC,OR]
 > RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE                [OR]
 > RewriteCond %{HTTP_USER_AGENT} ^Xaldon.WebSpider
 > RewriteRule ^.* - [F,L]
 > 
 > You need to keep something in mind however: blocking by user agent is
 > basically worthless these days.  Most "leeching" tools now let you
 > spoof the user agent to show up as Internet Explorer, essentially
 > defeating the checks.

While that's true, I've found most of the more troublesome robots are 
too proud of their 'brand' to spoof user agent, and those that do are a) 
often consistent enough in their Remote_Addr to exclude by subnet and/or 
b) often make obvious errors in spoofed User_Agent strings .. especially 
those pretending to be some variant of MSIE :)

 > If you're that concerned about bandwidth (which is why a lot of people
 > do the above), consider rate-limiting.  It's really, quite honestly, the
 > only method that is fail-safe.

Thanks Jeremy.  Certainly time to take the time to have another look at 
mod_rewrite, especially regarding redirection, alternative pages etc, 
but I still tend to glaze over about halfway through all that section.

And unless I've completely missed it, your examples don't address my 
question, being how to AND two or more conditions in a particular test?

If I really can't do this with mod_setenvif I'll have to take that time.

cheers, Ian



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20081105194002.N70117>