Apache subscription Referer rules
(I think I asked this a few months back, but I couldn't locate any emails on it)
What is the Apache rule syntax for rejecting subscription linking that doesn't come from the same domain/site?
tia,
-Jim P.
Jim Popovitch via Mailman-Users writes:
> (I think I asked this a few months back, but I couldn't locate any emails on it)
> What is the Apache rule syntax for rejecting subscription linking that doesn't come from the same domain/site?
Don't know what you need exactly, but mod_rewrite can be used for similar purposes:
https://httpd.apache.org/docs/2.4/rewrite/access.html
There's also a pointer in that page to "SetEnvIf refer" which may be usable.
HTH
Steve
On 10 Jan 2020, at 10:52, Jim Popovitch via Mailman-Users wrote:
> (I think I asked this a few months back, but I couldn't locate any emails on it)
> What is the Apache rule syntax for rejecting subscription linking that doesn't come from the same domain/site?
First step:
Header always set Referrer-Policy "same-origin"
This assures (to the degree that browsers comply with directives provided in headers) that legitimate internal links and sub-resource loads have a Referer header (see https://en.wikipedia.org/wiki/HTTP_referer) which you can use.
The next step is to read https://httpd.apache.org/docs/2.4/rewrite/access.html#blocked-inline-images and adapt the example to your site.
-- Bill Cole bill@scconsult.com or billcole@apache.org (AKA @grumpybozo and many *@billmail.scconsult.com addresses) Not For Hire (currently)
On Tue, 2020-01-14 at 00:19 -0500, Bill Cole wrote:
> On 10 Jan 2020, at 10:52, Jim Popovitch via Mailman-Users wrote:
>> (I think I asked this a few months back, but I couldn't locate any emails on it)
>> What is the Apache rule syntax for rejecting subscription linking that doesn't come from the same domain/site?
> First step:
> Header always set Referrer-Policy "same-origin"
> This assures (to the degree that browsers comply with directives provided in headers) that legitimate internal links and sub-resource loads have a Referer header (see https://en.wikipedia.org/wiki/HTTP_referer) which you can use.
> The next step is to read https://httpd.apache.org/docs/2.4/rewrite/access.html#blocked-inline-images and adapt the example to your site.
Mod_Rewrite is "too heavy" for something this simple. I couldn't recall the specifics, but your mod_rewrite link actually mentioned the way to do something similar without mod_rewrite. From that, I extrapolated this (which I haven't been able to test yet):
    # Flag requests whose Referer is a listinfo page
    SetEnvIfNoCase Referer "https://.*/mailman/listinfo/" ListInfoReferer
    # Request_Method carries GET/POST; Request_Protocol would be "HTTP/1.1"
    SetEnvIfNoCase Request_Method "POST" HttpPostProto
    # The subscribe CGI is addressed by URL path, so match the location, not a filename
    <LocationMatch "^/mailman/subscribe/">
        # Both variables must be set; bare Require lines are OR'd in 2.4
        <RequireAll>
            Require env ListInfoReferer
            Require env HttpPostProto
        </RequireAll>
    </LocationMatch>
thoughts?
-Jim P.
Jim Popovitch via Mailman-Users writes:
> Mod_Rewrite is "too heavy" for something this simple.
It's only too heavy if it actually has an unacceptable impact on system load. That said, I like the SetEnvIf* approach better.
> SetEnvIfNoCase Referer "https://.*/mailman/listinfo/" ListInfoReferer
I see three possible issues with the regexp. First, evidently you're handling multiple domains. You might want to include that the referral comes from the same domain (I don't know how to do it offhand, though -- that might justify the "heavier" mod_rewrite approach?) Second, I think I've seen referrals that are relative to the base URL in the logs. You might want to check that the referer (sp? I would write "referrer" but I don't know if that's correct) in this context is always a full URL. Third, if as I suspect the ".*" is intended to match just the authority component (domain) of the URL, you may wish to change that to "[^/]*" or perhaps "[^/]+". (I don't think I've ever seen a "https:///..." URL with no domain -- that can't be validated by SSL without a domain!)
> thoughts?
I haven't checked the command syntax. It seems to me SetEnvIf expresses the intent better than mod_rewrite does, and I did a little thinking about when you would want the extra flexibility that mod_rewrite allows, and didn't come up with anything, for what that's worth.
Steve
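Added example, not from the thread: a small Python model of the check the SetEnvIf/Require configuration is meant to enforce (POST only, absolute https Referer whose authority equals the request's Host header, path under /mailman/listinfo/), run against constructed requests that cover the missing, relative, cross-domain and wrong-path Referer cases Steve raises. The Host/Referer values and list name are assumed sample data.

```python
# Model of the same-site referer check for /mailman/subscribe/ (added example,
# not Apache's own logic). Authority is matched with "[^/]+" rather than ".*",
# so a path that merely contains "/mailman/listinfo/" does not satisfy it.
import re

LISTINFO_REFERER = re.compile(r"^https://([^/]+)/mailman/listinfo/", re.IGNORECASE)


def subscribe_allowed(method, host, referer):
    """Return (allowed, reason) for a request to /mailman/subscribe/<list>.

    All conditions must hold (the equivalent of <RequireAll>):
      1. the request method is POST (the listinfo form submits by POST),
      2. a Referer header is present and is an absolute https URL under
         /mailman/listinfo/ (relative referers fail this test),
      3. the Referer's authority equals this request's Host header.
    """
    if method.upper() != "POST":
        return False, "method is not POST"
    if not referer:
        return False, "no Referer header"
    m = LISTINFO_REFERER.match(referer)
    if m is None:
        return False, "Referer is relative or not an https listinfo URL"
    if m.group(1).lower() != host.lower():
        return False, "Referer authority differs from Host"
    return True, "ok"


# Constructed sample requests: (method, Host, Referer).
SAMPLE_REQUESTS = [
    ("POST", "lists.example.org", "https://lists.example.org/mailman/listinfo/announce"),
    ("POST", "lists.example.org", "https://other.example.net/mailman/listinfo/announce"),
    ("POST", "lists.example.org", "/mailman/listinfo/announce"),          # relative
    ("POST", "lists.example.org", ""),                                   # no Referer
    ("GET",  "lists.example.org", "https://lists.example.org/mailman/listinfo/announce"),
    ("POST", "lists.example.org", "https://other.example.net/x/mailman/listinfo/announce"),
]


def evaluate_samples():
    """Decision for each sample request, in order."""
    return [subscribe_allowed(*req)[0] for req in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        ok, why = subscribe_allowed(*req)
        print("ALLOW" if ok else "DENY ", req, "-", why)
```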
participants (3): Bill Cole, Jim Popovitch, Stephen J. Turnbull