Quote:
Originally Posted by swedguy
Raymor, the one sparky posted will go through.
Who is sparky? The one bad one I see is what Cleo posted,
which includes a bunch of meaningless BS that does nothing.
For example, look at the last couple of atoms of this line:
RewriteCond %{HTTP_REFERER} !^http://yourdomain.com/.*$ [NC]
The last bit says "anything, then the end of the string".
Well, that's pointless: if anything and everything is allowed
all the way to the end, all that crap should be left off.
Also, that ruleset is quite repetitive, making it terribly inefficient.
Instead the rules should be combined. For example, these two:
RewriteCond %{HTTP_REFERER} !^http://www.yourdomain.com/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://yourdomain.com/.*$ [NC]
One allows it with a "www" "subdomain", the other allows it without.
They should be combined into one rule that allows it with or without:
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/.*$ [NC]
As mentioned before, other subdomains besides www are also possible,
so rather than just "www." we allow letters, numbers, and dots:
RewriteCond %{HTTP_REFERER} !^http://([a-z0-9]+\.)*yourdomain\.com/.*$ [NC]
As mentioned above, the "allow anything at all after the domain name"
part is pointless, as it matches anywhere in the target string,
so we get rid of that:
RewriteCond %{HTTP_REFERER} !^http://([a-z0-9]+\.)*yourdomain\.com/ [NC]
The only thing left is that there may or may not be a slash,
and only if there is a slash can you have anything else.
This is to avoid allowing
http://yourdomain.com.hacker.com
or:
http://yourdomain.comedyhack.com
"Allow only if" requires a bit that looks a little complex:
RewriteCond %{HTTP_REFERER} !^http://([a-z0-9]+\.)*yourdomain\.com(/.*)?$ [NC]
BTW, when deciding who to listen to on this stuff, whether to
follow the advice of someone who "found something" which "seems to work"
or of someone else who seems to actually know what this stuff means,
take a look at the Contributors file for mod_rewrite and see which
of the people posting in this thread helped write the part of Apache that we're dealing with.
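The allow-patterns argued over in the post above, checked against a set of sample referers so you can see which ones each version lets through. This is an added Python example, not part of Raymor's post and not Apache's own code: the sample referers are constructed for the test (only the two attack hosts come from the thread), the names PATTERNS, referer_allowed, rewritecond_fires and evaluate are mine, the dot in yourdomain.com is escaped here, and the unanchored variant at the end is my addition to show why the leading ^ matters.

```python
import re

# Apache mod_rewrite allow-patterns as discussed in the thread, with the dot in
# "yourdomain.com" escaped (the thread's lines leave it unescaped, where it would
# match any single character). Each RewriteCond negates the pattern with "!", so
# the referer that does NOT match is the one that gets blocked; [NC] corresponds
# to re.IGNORECASE.
PATTERNS = {
    # Cleo's original: bare domain only, trailing slash required, "www." rejected.
    "bare_domain_only": r"^http://yourdomain\.com/.*$",
    # Combined www / no-www form.
    "www_optional": r"^http://(www\.)?yourdomain\.com/.*$",
    # Any subdomain allowed, but a slash after the host is still required, so a
    # referer of exactly "http://yourdomain.com" is rejected.
    "subdomains_slash_required": r"^http://([a-z0-9]+\.)*yourdomain\.com/",
    # Final form: the slash is optional, but anything after the host must start
    # with "/", which keeps "yourdomain.com.hacker.com" and
    # "yourdomain.comedyhack.com" out.
    "final": r"^http://([a-z0-9]+\.)*yourdomain\.com(/.*)?$",
    # Added for contrast (not from the thread): the final form without its "^".
    "unanchored": r"http://([a-z0-9]+\.)*yourdomain\.com(/.*)?$",
}

# Constructed sample referers (the two attack hosts are the ones named in the post).
SAMPLE_REFERERS = [
    "http://yourdomain.com/page.html",
    "http://www.yourdomain.com/page.html",
    "http://img.yourdomain.com/logo.png",
    "http://yourdomain.com",                           # no trailing slash
    "http://YourDomain.COM/Page.html",                 # case differs; [NC] covers it
    "http://yourdomain.com.hacker.com/steal.html",
    "http://yourdomain.comedyhack.com/",
    "http://evil.example/?u=http://yourdomain.com/",   # our host embedded later on
    "https://yourdomain.com/page.html",                # https: not matched by http://
]


def referer_allowed(pattern: str, referer: str) -> bool:
    """True when the referer matches the allow-pattern.

    mod_rewrite applies the RewriteCond regex unanchored, i.e. like re.search,
    which is why the leading "^" in the pattern matters; re.match would hide a
    missing "^".
    """
    return re.search(pattern, referer, re.IGNORECASE) is not None


def rewritecond_fires(pattern: str, referer: str) -> bool:
    """Emulate `RewriteCond %{HTTP_REFERER} !<pattern> [NC]`: True means the
    condition holds, i.e. the blocking RewriteRule behind it would run."""
    return not referer_allowed(pattern, referer)


def evaluate(pattern: str, referers=SAMPLE_REFERERS) -> dict:
    """Map each referer to whether the pattern lets it through."""
    return {r: referer_allowed(pattern, r) for r in referers}


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        print(f"{name}: {pattern}")
        for referer, allowed in evaluate(pattern).items():
            print(f"  {'allow' if allowed else 'BLOCK'}  {referer}")
```

Two things the output makes visible that the post does not spell out: every pattern in the thread starts with http://, so an HTTPS referer from your own site is blocked by all of them; and dropping the ^ lets a referer such as http://evil.example/?u=http://yourdomain.com/ through, because mod_rewrite searches for the regex anywhere in the string.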