htaccess problem / block by referrer

I tried to change the concrete5 htaccess, to block traffic coming from a certain referrer.
This code doesn't work.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
#Options +FollowSymlinks
RewriteCond %{HTTP_REFERER} example\.com [NC]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME}/index.html !-f
RewriteCond %{REQUEST_FILENAME}/index.php !-f
RewriteRule . index.php [L]
</IfModule>


What am I doing wrong?
kind regards
Bobby

jero replied:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} example\.com [NC]
RewriteRule .* - [F,NC]
</IfModule>
# -- concrete5 urls start --
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME}/index.html !-f
RewriteCond %{REQUEST_FILENAME}/index.php !-f
RewriteRule . index.php [L]
</IfModule>


This should chuck a 403 forbidden response
FAFutureLabs replied:
Hey Jero,

thanks for your reply and your help.
Your code works, but only for subpages, e.g. example.com/test

I want to briefly explain my problem.
The webmaster of example.com has wrongly pointed his A-Record to my IP Address.
I think your code is fine, but it doesn't work for the "home" site, because Apache doesn't recognize the first visit of "example.com" as a referrer. Images, CSS, JS etc. are blocked (403), but pure HTML is delivered.

Any further idea to block a wrong A-Record pointer?
kind regards
Bobby
jero replied (Best Answer):
That's likely because someone typing in example.com to their browser won't send you a referrer - because there isn't one.

Perhaps a better solution here is to add this to the top of your index.php file:

if ($_SERVER['HTTP_HOST'] == 'example.com') {
        die("These aren't the droids you're looking for");
}


HTTP_HOST is the hostname used by the browser to access your webserver.
FAFutureLabs replied:
Thanks a lot, works great.
I extended your snippet to fix the issue for subdomains, too.
if (strpos($_SERVER['HTTP_HOST'], 'example.com') !== false) {
        die("not allowed");
}

kind regards
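
A stricter form of the Host check above, as an added example that is not part of the thread: strpos() also matches hosts that merely contain the string (notexample.com, example.com.mysite.test), so this version normalises the Host value and compares it against the domain and its dot-delimited subdomains only. The function names, the constant and the sample hosts are assumptions made for illustration.

```php
<?php
// Added example. BLOCKED_DOMAIN uses the thread's placeholder domain.
const BLOCKED_DOMAIN = 'example.com';

/**
 * Normalise a Host header value: lowercase, drop an optional :port
 * and a trailing dot. Returns null if the rest is not a plain hostname.
 */
function normalise_host(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $host = strtolower(trim($raw));
    $host = preg_replace('/:\d+$/', '', $host);  // strip ":port"
    $host = rtrim($host, '.');                    // "example.com." is the same host
    if ($host === '' || !preg_match('/^[a-z0-9.-]+$/', $host)) {
        return null;
    }
    return $host;
}

/** True when the host is the blocked domain itself or one of its subdomains. */
function is_blocked_host(?string $raw, string $blocked = BLOCKED_DOMAIN): bool
{
    $host = normalise_host($raw);
    if ($host === null) {
        return false;  // missing or malformed Host: decide on that case separately
    }
    $suffix = '.' . $blocked;  // leading dot forces a label boundary
    return $host === $blocked || substr($host, -strlen($suffix)) === $suffix;
}

// Constructed sample values, printed so the difference to strpos() is visible.
$samples = [
    'example.com', 'EXAMPLE.com:80', 'www.example.com', 'example.com.',
    'notexample.com', 'example.com.mysite.test', 'mysite.test',
];
foreach ($samples as $h) {
    printf("%-26s %s\n", $h, is_blocked_host($h) ? 'blocked' : 'allowed');
}

// Use at the top of index.php (commented out so the demo above runs on the CLI):
// if (is_blocked_host($_SERVER['HTTP_HOST'] ?? null)) {
//     http_response_code(403);
//     exit('not allowed');
// }
```
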
jero replied:
Awesome. Glad you got it working.