Greenguy's Board
Old 2005-03-28, 02:24 PM   #1
cd34
a.k.a. Sparky
Join Date: Sep 2004
Location: West Palm Beach, FL, USA
Posts: 2,396
You are correct, your method is faster.

With 20 concurrent threads, 100k requests, no keepalives: 0.46 seconds faster and 3.4 tps faster.
Oddly, at 20/10k/no keepalives, the margin tilts the opposite direction and is just as slim.

Although, I tested Apache2/mpm-prefork, not Apache1. When I benchmarked Apache 1.3 last spring, there was a considerable difference edging towards having separate lines. However, with the config in the virtual host rather than being read from .htaccess, and with Overrides turned off, it narrows down to 0.16 seconds faster and less than 1.1 tps faster. Granted, this was just a seat-of-the-pants quick benchmark using ab, with all 5 tests run 5 times and the lowest score taken. Each used a referrer that required every rule to be evaluated.

So, current wisdom would suggest this:

Slightly corrected to remove two typos:

RewriteCond %{HTTP_REFERER} !^http://([a-z0-9]+\.)?yourdomain.com(/.*)?$ [NC]

This disallows RFC-compliant hostnames that have a - in them. Fixing the regexp to allow that makes it a bit more complex, since the leading character cannot be a -, but let's skip that for now and allow - anywhere in the hostname, and also allow for the port designation which some edge proxy servers like to insert. We might also consider allowing _, which was not in the original specs, but Microsoft supported it and it was later adopted. This rule also doesn't allow for the new international characters, but if someone is using those, they can change the regexp.

RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)?yourdomain.com(:[0-9]+)?(/.*)?$ [NC]

This disallows subdomain.subdomain.yourdomain.com, which might be part of the + typo in the earlier post.

RewriteCond %{HTTP_REFERER} !^http://(([a-z0-9-]+\.)+)?yourdomain.com(:[0-9]+)?(/.*)?$ [NC]

So, Raymor, does the above rule seem sufficient for as many cases as possible?

Offhand, I can think of one really simple way to circumvent this -- Firefox pops a warning, but IE seems to have no problem with it.

I've run that rule against a regression test to make sure that it appears to behave exactly the way I would expect and intend it to work, and short of the one possible regexp match, which could be very easily implemented on the fusker's side, it seems fairly complete.

Now, of course, we're back to the age-old problem of Google/Yahoo's hotlinking image search. By doing the rules this way, we are only allowing the listed domains to hotlink. If the rule is sufficiently loose to allow Google/Yahoo, a slight URL change on the fusker's side will make all of this for naught.
__________________
SnapReplay.com a different way to share photos - iPhone & Android

Last edited by cd34; 2005-03-28 at 02:31 PM.. Reason: removed bbcode/url
Old 2005-03-28, 02:37 PM   #2
Torn Rose
"Faith is believing what you know ain't so." ~ Mark Twain
Join Date: Aug 2003
Location: Portland, Oregon
Posts: 4,806
slide rulers at twenty paces?
Old 2005-03-28, 03:21 PM   #3
raymor
The only guys who wear Hawaiian shirts are gay guys and big fat party animals
 
Join Date: Jan 2004
Posts: 178
Quote:
Originally Posted by cd34
So, Raymor, does the above rule seem sufficient for as many cases as possible?

Offhand, I can think of one really simple way to circumvent this -- Firefox pops a warning, but IE seems to have no problem with it.
One additional atom I included in my original 1999 regex, but removed along with the port number, was http(s)? in case some part of the site used SSL, either presently or in the future. That would cover an additional case; whether or not it's worth including is another matter.

Additionally, unless you're running a web server on some port other than port 80, you may want to just say 80 for the port number. Makes it just a tad faster. Of course, that's analogous to my subdomain part, where I chose to allow more than just www. Another judgment call, speed versus flexibility.

I was thinking that we had taken care of user:pass@host URLs, but I'm not seeing exactly how just at this moment. Perhaps the tested browsers wouldn't allow blah.com/ in the authentication part, but treated it as a host/path when they saw the forward slash (/). Unless I'm missing something, we actually want to gobble up anything up to and including @ before going any further:

RewriteCond %{HTTP_REFERER} !^http://(.*@)?([a-z0-9-]+\.)*yourdomain.com(:[0-9]+)?(/.*)?$ [NC]

(([a-z0-9-]+\.)+)? ? Maybe ([a-z0-9-]+\.)* ?

For those who don't catch the difference: I had a typo where I said "optionally with a subdomain" rather than "optionally with subdomains". His fix for my typo was to say:

(([a-z0-9-]+\.)+)?

ergo "one or more subdomains, repeated one or zero times". Simpler, we say "with or without subdomains":

([a-z0-9-]+\.)*
__________________
Ray Morris
support@bettercgi.com
Strongbox/Throttlebox & more
TXDPS #A14012
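To see exactly what each revision of the rule in this thread accepts and rejects, here is an added example (my code, not either poster's) that runs the four posted patterns against a set of constructed Referer values. It covers the cases raised in cd34's post #1 (hyphens, ports, nested subdomains, a referer that merely contains the domain) and in raymor's post #3 (the http(s)? atom he dropped, user:pass@host URLs). It uses Python's re module as a stand-in for Apache's PCRE engine, which is an assumption that holds for the syntax these patterns use; the sample referers, including the domain evil.example, are constructed for the test. The patterns are copied verbatim from the posts, unescaped dots in yourdomain.com included.

```python
import re

# The four patterns from the thread, without the "RewriteCond %{HTTP_REFERER} !"
# prefix and the "[NC]" flag. Negation and case-insensitivity are applied in code.
# Python's re is used as a stand-in for Apache's PCRE engine (an assumption; these
# patterns use only syntax the two engines share).
PATTERNS = {
    "v1": r"^http://([a-z0-9]+\.)?yourdomain.com(/.*)?$",                    # cd34, first form
    "v2": r"^http://([a-z0-9-]+\.)?yourdomain.com(:[0-9]+)?(/.*)?$",         # + hyphen, port
    "v3": r"^http://(([a-z0-9-]+\.)+)?yourdomain.com(:[0-9]+)?(/.*)?$",      # + nested subdomains
    "v4": r"^http://(.*@)?([a-z0-9-]+\.)*yourdomain.com(:[0-9]+)?(/.*)?$",   # raymor, + user:pass@
}

# Constructed Referer values (not from the thread). Each comment says which
# behaviour the value is meant to exercise.
REFERERS = [
    "http://www.yourdomain.com/gallery/1.html",   # the ordinary case
    "http://YourDomain.com/",                     # [NC] makes the match case-insensitive
    "http://my-site.yourdomain.com/",             # hyphen in a label (needs v2 or later)
    "http://a.b.yourdomain.com/",                 # nested subdomains (needs v3 or later)
    "http://www.yourdomain.com:8080/x",           # port inserted by an edge proxy (needs v2 or later)
    "https://www.yourdomain.com/",                # the http(s)? atom raymor mentions was dropped
    "http://user:pass@www.yourdomain.com/",       # userinfo before the host (needs v4)
    "http://www.yourdomain.com.evil.example/",    # wrong domain; the trailing $ blocks it everywhere
    "http://evil.example/page?x=@yourdomain.com", # third-party URL with '@' in its query string
    "http://yourdomainXcom/",                     # the unescaped '.' in the pattern matches any char
    "",                                           # no Referer header at all
]


def allowed(pattern: str, referer: str) -> bool:
    """True if a request with this Referer gets past
         RewriteCond %{HTTP_REFERER} !<pattern> [NC]
    The negated condition is true (and the blocking RewriteRule fires) when the
    referer does NOT match, so the request is allowed exactly when it matches."""
    return re.match(pattern, referer, re.IGNORECASE) is not None


def evaluate(referers=REFERERS, patterns=PATTERNS) -> dict:
    """Map each referer to {pattern name: allowed?} for every pattern."""
    return {ref: {name: allowed(pat, ref) for name, pat in patterns.items()}
            for ref in referers}


def report(referers=REFERERS, patterns=PATTERNS) -> str:
    """Render the evaluation as a plain-text table: 'pass' = hotlink allowed, 'BLOCK' = rule fires."""
    names = list(patterns)
    width = max(len(r) for r in referers) or 1
    lines = ["Referer".ljust(width) + "  " + "  ".join(n.rjust(5) for n in names)]
    for ref, results in evaluate(referers, patterns).items():
        cells = "  ".join(("pass" if results[n] else "BLOCK").rjust(5) for n in names)
        lines.append((ref or "(empty)").ljust(width) + "  " + cells)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Running it prints a pass/BLOCK table for each revision. Two rows are worth a look before adopting the last pattern: the (.*@)? atom is satisfied by any @ that appears anywhere before yourdomain.com, so a third-party URL with an @ in its query string passes it too, and the unescaped dots in yourdomain.com match any character. The empty-referer row shows that this condition on its own also blocks requests that carry no Referer header at all.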
Old 2005-03-28, 03:27 PM   #4
raymor
BTW, regarding the hyphen and the multiple subdomains, I guess I should have pasted from my own old page from years ago and I wouldn't have forgotten those:

http://216.239.63.104/search?q=cache...htaccess&hl=en
All times are GMT -4.