Lee H. Marzke on 15 Dec 2017 13:37:57 -0800



Re: [PLUG] My domain's .htaccess file is giving me fits


Perhaps it's time to switch providers?

For a trial, I migrated one of my Linux boxes from my local vSphere rack to an AWS t2.small instance.

The new AWS instances have EBS storage instead of ephemeral, and it seems to work pretty
well. I believe AWS blocks many attacks for you by default. Note I'm running 2 Plone
instances behind an Apache2 load balancer (mostly because Plone throughput is so slow) and have
no web blocking in effect at all, with no issues on domain. Previously I ran everything through
a pfSense firewall with no specific web blocking and have not had any issues in 10 years.

The performance is fantastic, but AWS provides no console access. So problems that keep you from booting are difficult to fix. I guess
you would have to mount that image into another running VM and fix its config.

Note I'm not recommending AWS over others, I'm just using this for my own training because so
many clients hear the hype and want to migrate to AWS.

Lee

----- Original Message -----
> From: george@georgesbasement.com
> To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
> Cc: "George Langford" <george@georgesbasement.com>
> Sent: Friday, December 15, 2017 2:49:13 PM
> Subject: Re: [PLUG] My domain's .htaccess file is giving me fits

> Hello PLUG -
> 
> The saga continues ... my ISP has thrown up its hands in frustration and
> replies to my questions with the IT equivalent of the cockroach letter
> ...
> Risking some repetition, here is my current situation; stopping HEAD
> requests is straightened out OK. The following is what caused my ISP to
> freeze further service assistance:
> 
>> In September my shared server's Apache software was upgraded to Apache
>> 2.4, but I was never informed until long afterwards, and no attempt was
>> made to provide information about the changes that the upgrade would
>> bring.
> 
>> Much of the syntax needed for effective use of the .htaccess file has been
>> changed. Hotlink protection is a good example. The code I was using prior
>> to the changeover looked like this:
> 
>>> RewriteEngine on
>>> RewriteCond %{HTTP_REFERER} ^http://(www\.)resizing\.info/ [NC,OR]
>>> RewriteCond %{HTTP_REFERER} ^http://resizing\.info/ [NC,OR]
>> ... snippage of a couple hundred lines ...
>>> RewriteCond %{HTTP_REFERER} ^http://(www\.)1sm\.info/ [NC]
>>> RewriteCond %{HTTP_REFERER} !^$
>>> RewriteRule \.(jpeg|jpg|JPG|JPEG|bmp|BMP)$ - [F]
> 
>> This code worked, although there were a few domains that evaded it somehow.
>> It blocked specific hotlinkers; benign folks who included proper attribution
>> were implicitly allowed to continue. Whenever I added a hotlinker to my
>> .htaccess file and uploaded that .htaccess file to my server, a reload of
>> the offending page got a "403 forbidden" response, right on my PC's screen.
> 
>> Now comes Apache 2.4 and the recommended procedure to block hotlinkers has
>> been inverted. See:
>> https://www.inmotionhosting.com/support/website/protecting-files/hotlink-protect-htaccess
> 
>> This code blocks _all_ hotlinking, whether benign or not:
> 
>>> RewriteEngine on
>>> RewriteCond %{HTTP_REFERER} !^$
>>> RewriteCond %{HTTP_REFERER} !^http://(www\.)?my-website.com/.*$ [NC]
>>> RewriteRule \.(jpg|jpeg|gif|png|bmp)$ http://www.my-website.com/restricted.html [R,L]
> 
>> Here is the page on which I based my attempt to block specific
>> hotlinkers:
>> https://httpd.apache.org/docs/2.4/rewrite/access.html#blocked-inline-images
> 
>> The following lines from the above link use Apache 2.4 syntax to block
>> _all_ hotlinkers:
> 
>>> RewriteEngine on
>>> RewriteCond "%{HTTP_REFERER}" "!^$"
>>> RewriteCond "%{HTTP_REFERER}" "!www.example.com" [NC]
>>> RewriteRule "\.(gif|jpg|png)$"    "/images/go-away.png"   [R,NC]
> 
>> Below I am implicitly allowing benign hotlinking, but attempting to block
>> the folks who don't provide proper attribution. I started by removing
>> the "!" negation symbol:
> 
>>> RewriteEngine on
>>> RewriteCond "%{HTTP_REFERER}" "^$"
>>> RewriteCond "%{HTTP_REFERER}"  "www.hotlinker01.info" [NC,OR]
>> ... snippage of hundreds of domains ...
>>> RewriteCond "%{HTTP_REFERER}"  "hotlinker02.com" [NC]
>>> RewriteRule "\.(jpeg|jpg|png|JPG|JPEG|bmp|BMP|gif)$" "/images/Provide_Attribution.gif"
> 
>> While my version doesn't cause "500" errors, it doesn't block the
>> hotlinkers, either.
> 
> Best regards,
> George Langford
> ___________________________________________________________________________
> Philadelphia Linux Users Group         --        http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

-- 
"Between subtle shading and the absence of light lies the nuance of iqlusion..." - Kryptos 

Lee Marzke
IT Consultant, VMware, VCenter, SAN storage, infrastructure, SW CM 
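
An added example, not part of either poster's message: an Apache 2.4 .htaccess blocklist for the selective hotlink case in the quoted text. It assumes mod_rewrite is enabled, that rewrite directives are permitted in .htaccess (AllowOverride FileInfo), and that the file sits in the document root; the two domains are the placeholders from the quoted message.

```apache
RewriteEngine on

# Consecutive RewriteCond lines are ANDed unless a line carries [OR].
# A leading "^$" (empty Referer) test therefore can never be true together
# with a domain match, and the rule below it never fires. No empty-Referer
# test is needed here: an empty Referer matches none of the listed patterns.

# Blocklist: anchor each pattern to the host part of the Referer so a domain
# name appearing in someone else's path or query string does not match.
RewriteCond "%{HTTP_REFERER}" "^https?://([^/]+\.)?hotlinker01\.info([:/]|$)" [NC,OR]
RewriteCond "%{HTTP_REFERER}" "^https?://([^/]+\.)?hotlinker02\.com([:/]|$)" [NC]

# The [OR] chain ends at the first condition without [OR]; this one is ANDed
# with the whole chain and keeps the replacement image itself from matching.
RewriteCond "%{REQUEST_URI}" "!/images/Provide_Attribution\.gif$"

# Internal rewrite: listed referrers receive the attribution image instead.
RewriteRule "\.(jpe?g|png|bmp|gif)$" "/images/Provide_Attribution.gif" [NC,L]
```

The Referer header is supplied by the client and can be omitted or forged, so this limits casual embedding and bandwidth use rather than acting as access control.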