Date: Tue, 4 Nov 2008 23:27:52 -0800
From: Jeremy Chadwick <koitsu@FreeBSD.org>
To: Ian Smith <smithi@nimnet.asn.au>
Cc: questions@freebsd.org
Subject: Re: Apache environment variables - logical AND
Message-ID: <20081105072752.GA4079@icarus.home.lan>
In-Reply-To: <20081105170631.O70117@sola.nimnet.asn.au>
References: <20081105170631.O70117@sola.nimnet.asn.au>

On Wed, Nov 05, 2008 at 05:33:45PM +1100, Ian Smith wrote:
> I know this isn't FreeBSD specific - but I am, so crave your indulgence.
>
> Running Apache 1.3.27, using a fairly extensive access.conf to beat off
> the most rapacious robots and such, using mostly BrowserMatch[NoCase]
> and SetEnvIf to moderate access to several virtual hosts. No problem.
>
> OR conditions are of course straightforward:
>
> SetEnvIf <condition1> somevar
> SetEnvIf <condition2> somevar
> SetEnvIf <exception1> !somevar
>
> What I can't figure out is how to set a variable3 if and only if both
> variable1 AND variable2 are set. Eg:
>
> SetEnvIf Referer "^$" no_referer
> SetEnvIf User-Agent "^$" no_browser
>
> I want the equivalent for this (invalid and totally fanciful) match:
>
> SetEnvIf (no_browser AND no_referer) go_away

Sounds like a job for mod_rewrite. The SetEnvIf stuff is such a hack.

This is what we use on our production servers (snipped to keep it
short):

RewriteEngine on
RewriteCond %{HTTP_REFERER} ^XXXX: [OR]
RewriteCond %{HTTP_REFERER} ^http://forums.somethingawful.com/ [OR]
RewriteCond %{HTTP_REFERER} ^http://forums.fark.com/ [OR]
RewriteCond %{HTTP_USER_AGENT} ^Alexibot [OR]
RewriteCond %{HTTP_USER_AGENT} ^asterias [OR]
RewriteCond %{HTTP_USER_AGENT} ^BackDoorBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^Black.Hole [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon.WebSpider
RewriteRule ^.* - [F,L]

You need to keep something in mind however: blocking by user agent is
basically worthless these days. Most "leeching" tools now let you
spoof the user agent to show up as Internet Explorer, essentially
defeating the checks.

If you're that concerned about bandwidth (which is why a lot of people
do the above), consider rate-limiting. It's really, quite honestly,
the only method that is fail-safe.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
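
Added example, not part of the original message: a small Python model of how mod_rewrite combines RewriteCond lines (implicit AND, with `[OR]` joining a condition to the next one), run over three of the rules posted above and over the both-headers-empty test Ian asked for. The `BOTH_EMPTY` rule set, the function names and the sample requests are constructed for illustration, and Python's `re` stands in for Apache's regex engine.

```python
import re

# Three of the rules posted above (an OR chain), and the asker's AND case
# written as two plain RewriteCond lines (constructed for this example).
BLOCKLIST = """
RewriteCond %{HTTP_REFERER} ^http://forums.fark.com/ [OR]
RewriteCond %{HTTP_USER_AGENT} ^Black.Hole [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon.WebSpider
"""
BOTH_EMPTY = """
RewriteCond %{HTTP_REFERER} ^$
RewriteCond %{HTTP_USER_AGENT} ^$
"""

def parse_conds(conf):
    """Turn 'RewriteCond %{VAR} pattern [flags]' lines into (var, regex, ornext)."""
    conds = []
    for line in conf.strip().splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "RewriteCond":
            continue
        flags = parts[3].strip("[]").upper().split(",") if len(parts) > 3 else []
        rx = re.compile(parts[2], re.I if "NC" in flags else 0)
        conds.append((parts[1][2:-1], rx, "OR" in flags))  # strip %{ }
    return conds

def conds_match(conds, env):
    """Implicit AND between conditions; [OR] joins a condition to the next,
    so each OR chain is one group and the groups are ANDed together."""
    i = 0
    while i < len(conds):
        var, rx, ornext = conds[i]
        hit = rx.search(env.get(var, "")) is not None  # absent header -> ""
        if ornext and hit:
            while i < len(conds) and conds[i][2]:      # skip rest of this OR chain
                i += 1
        elif not ornext and not hit:
            return False                               # an ANDed condition failed
        i += 1
    return True

if __name__ == "__main__":
    # Constructed sample requests, not taken from any real log.
    samples = [{"HTTP_USER_AGENT": "black hole/1.0"},
               {"HTTP_USER_AGENT": "Mozilla/4.0 (compatible; MSIE 7.0)"},
               {}]
    for env in samples:
        print(env, conds_match(parse_conds(BLOCKLIST), env),
              conds_match(parse_conds(BOTH_EMPTY), env))
```

The second sample shows the caveat from the message: a client presenting an Internet Explorer user agent matches none of the blocklist conditions.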