From: Rich Bowen Date: Thu, 30 Apr 2026 20:25:15 +0000 (+0000) Subject: rewrite guide: move access-control recipes to avoid.xml, reorder simple-to-complex... X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7e7a8030f747d50b11239e022da87fe37215f864;p=thirdparty%2Fapache%2Fhttpd.git rewrite guide: move access-control recipes to avoid.xml, reorder simple-to-complex, drop referer-deflector (BZ 58892, step 3) git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1933618 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/rewrite/avoid.xml b/docs/manual/rewrite/avoid.xml index c8ae7e5d74..3e42770c3b 100644 --- a/docs/manual/rewrite/avoid.xml +++ b/docs/manual/rewrite/avoid.xml @@ -154,28 +154,6 @@ you have Options FollowSymLinks enabled on your server.

-
Virtual Hosting -

Although it is possible to handle virtual hosts -with mod_rewrite, it is seldom the right way. Creating individual -VirtualHost blocks is -almost always the right way to go. In the -event that you have an enormous number of virtual hosts, consider using -mod_vhost_alias to create these hosts automatically.

- -

Modules such as mod_macro are -also useful for creating a large number of virtual hosts dynamically.

- -

Using mod_rewrite for vitualhost creation may be -appropriate if you are using a hosting service that does not provide -you access to the server configuration files, and you are therefore -restricted to configuration using .htaccess files.

- -

See the virtual hosts with mod_rewrite -document for more details on how you might accomplish this if it still -seems like the right approach.

- -
-
Simple Proxying

RewriteRule provides the

+
+ + Forbidding Image Hotlinking + +
+
Description:
+ +
+

"Hotlinking" is the practice of other sites including your + images inline in their pages, using your bandwidth to serve + content for someone else's site. You can prevent this without + mod_rewrite.

+
+ +
Solution:
+ +
+

Use SetEnvIf + with Require:

+ + +SetEnvIf Referer example\.com localreferer +<FilesMatch "\.(jpg|png|gif)$"> + Require env localreferer +</FilesMatch> + +
+ +
Discussion:
+ +
+

If you need more complex logic — such as serving an + alternate image to hotlinkers instead of denying the request — you + may need mod_rewrite. The following examples + rely on the HTTP_REFERER header, which is optional + and can be spoofed. The !^$ condition allows + requests with no Referer header at all, so that users who type + the URL directly, or whose browsers suppress the Referer, are + not blocked.

+ +

Deny the request outright:

+ + +RewriteCond "%{HTTP_REFERER}" "!^$" +RewriteCond "%{HTTP_REFERER}" "!www.example.com" [NC] +RewriteRule "\.(gif|jpg|png)$" "-" [F,NC] + + +

Serve an alternate image:

+ + +RewriteCond "%{HTTP_REFERER}" "!^$" +RewriteCond "%{HTTP_REFERER}" "!www.example.com" [NC] +RewriteRule "\.(gif|jpg|png)$" "/images/go-away.png" [R,NC] + + +
+
+ +
+ +
+ + Blocking of Robots + +
+
Description:
+ +
+

You wish to block persistent requests from a particular robot + or user agent that ignores your /robots.txt.

+
+ +
Solution:
+ +
+

Use SetEnvIfNoCase + with Require:

+ + +SetEnvIfNoCase User-Agent ^NameOfBadRobot goaway +<Location "/secret/files"> + <RequireAll> + Require all granted + Require not env goaway + </RequireAll> +</Location> + +
+ +
Discussion:
+ +
+

Any technique that relies on the USER_AGENT + string can be trivially circumvented, since that string can be + changed by the client. If you are experiencing a sustained attack, + you should consider blocking it at a higher level, such as at your + firewall.

+ +

If you need to combine user-agent and IP address matching, + mod_rewrite can be used as a fallback:

+ + +RewriteCond "%{HTTP_USER_AGENT}" "^NameOfBadRobot" +RewriteCond "%{REMOTE_ADDR}" "=123\.45\.67\.[8-9]" +RewriteRule "^/secret/files/" "-" [F] + + +
+
+ +
+ +
+ + Denying Hosts in a Reject List + +
+
Description:
+ +
+

We wish to maintain a list of hosts and have those hosts + blocked from accessing our server.

+
+ +
Solution:
+ +
+

For simple IP-based blocking, use + Require directly:

+ + +<Location "/"> + Require all granted + Require not ip 193.102.180.41 + Require not ip 192.76.162.40 +</Location> + +
+ +
Discussion:
+ +
+

If you need a dynamic, file-based deny list (rather than + enumerating addresses in the configuration), mod_rewrite + with a RewriteMap + can be used:

+ + +RewriteEngine on +RewriteMap hosts-deny "txt:/path/to/hosts.deny" +RewriteCond "${hosts-deny:%{REMOTE_ADDR}|NOT-FOUND}" "!=NOT-FOUND" [OR] +RewriteCond "${hosts-deny:%{REMOTE_HOST}|NOT-FOUND}" "!=NOT-FOUND" +RewriteRule "^" "-" [F] + + +

The map file contains one entry per line, with IP addresses or + hostnames as keys and a dummy value (since + RewriteMap requires + key/value pairs):

+ + +## hosts.deny
+193.102.180.41 -
+192.76.162.40 -
+
+ +

The second RewriteCond + assumes HostnameLookups is enabled. If not, drop it + and remove the [OR] flag from the first condition.

+
+
+ +
+ +
Virtual Hosting +

Although it is possible to handle virtual hosts +with mod_rewrite, it is seldom the right way. Creating individual +VirtualHost blocks is +almost always the right way to go. In the +event that you have an enormous number of virtual hosts, consider using +mod_vhost_alias to create these hosts automatically.

+ +

Modules such as mod_macro are +also useful for creating a large number of virtual hosts dynamically.

+ +

Using mod_rewrite for vitualhost creation may be +appropriate if you are using a hosting service that does not provide +you access to the server configuration files, and you are therefore +restricted to configuration using .htaccess files.

+ +

See the virtual hosts with mod_rewrite +document for more details on how you might accomplish this if it still +seems like the right approach.

+ +
+
Load Balancing @@ -297,6 +472,5 @@ featureful than anything you can cobble together using
-
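Review bot: In the Blocking of Robots fallback, `RewriteCond "%{REMOTE_ADDR}" "=123\.45\.67\.[8-9]"` can never match, because a CondPattern that starts with `=` is compared as a literal string, so the backslashes and `[8-9]` are not read as regex syntax; drop the `=` and anchor the pattern, for example `"^123\.45\.67\.[8-9]$"`. In the Forbidding Image Hotlinking solution, `SetEnvIf Referer example\.com localreferer` is unanchored and accepts any Referer that merely contains `example.com`, and `Require env localreferer` also rejects requests with no Referer at all, which the Discussion says the `!^$` variants let through; anchor the pattern to the scheme and host, and either document that difference or set the variable for an empty Referer as well. The alternate-image rule's pattern `\.(gif|jpg|png)$` also matches its own target `/images/go-away.png`, so a hotlinked request redirected there is matched again; add a condition that excludes the replacement image. The re-added Virtual Hosting text still reads "vitualhost", which this move is a good opportunity to fix.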