access.html.en revision 488228a03efe42d9f0b03334a4753ce79a6dc5cc
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 This file is generated from xml source: DO NOT EDIT
 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 -->
<title>Using mod_rewrite to control access - Apache HTTP Server</title>
<link href="/style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="/style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
<link href="/style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="/style/css/prettify.css" />
<script src="/style/scripts/prettify.js" type="text/javascript">
</script>
<link href="/images/favicon.ico" rel="shortcut icon" /></head>
<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/directives.html">Directives</a> | <a href="/faq/">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p>
<div id="page-content"><div id="preamble"><h1>Using mod_rewrite to control access</h1>
<p><span>Available Languages: </span><a href="/en/rewrite/access.html" title="English"> en </a></p>
<p>This document supplements the <code class="module"><a href="/mod/mod_rewrite.html">mod_rewrite</a></code>
<a href="/mod/mod_rewrite.html">reference documentation</a>. It describes
how you can use <code class="module"><a href="/mod/mod_rewrite.html">mod_rewrite</a></code> to control access to
various resources, and other related techniques.
This includes many examples of common uses of mod_rewrite,
including detailed descriptions of how each works.</p>
<div class="warning">Note that many of these examples won't work unchanged in your
particular server configuration, so it's important that you understand
them, rather than merely cutting and pasting the examples into your
configuration.</div>
<div id="quickview"><ul id="toc"><li><img alt="" src="/images/down.gif" /> <a href="#blocked-inline-images">Forbidding Image "Hotlinking"</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#blocking-of-robots">Blocking of Robots</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#host-deny">Denying Hosts in a Blacklist</a></li>
<li><img alt="" src="/images/down.gif" /> <a href="#referer-deflector">Referer-based Deflector</a></li>
</ul><h3>See also</h3><ul class="seealso"><li><a href="/mod/mod_rewrite.html">Module documentation</a></li><li><a href="intro.html">mod_rewrite introduction</a></li><li><a href="remapping.html">Redirection and remapping</a></li><li><a href="vhosts.html">Virtual hosts</a></li><li><a href="proxy.html">Proxying</a></li><li><a href="rewritemap.html">Using RewriteMap</a></li><li><a href="advanced.html">Advanced techniques</a></li><li><a href="avoid.html">When not to use mod_rewrite</a></li></ul></div>
<h2><a name="blocked-inline-images" id="blocked-inline-images">Forbidding Image "Hotlinking"</a></h2>
 <p>The following technique forbids the practice of other sites
 including your images inline in their pages. This practice is
 often referred to as "hotlinking", and results in
 your bandwidth being used to serve content for someone else's</p>
 <p>This technique relies on the value of the
 <code>HTTP_REFERER</code> variable, which is optional. As
 such, it's possible for some people to circumvent this
 limitation. However, most users will experience the failed
 request, which should, over time, result in the image being
 removed from that other site.</p>
 <p>There are several ways that you can handle this
 situation.</p>
 <p>In this first example, we simply deny the request if it didn't
 originate from a page on our site. For the purpose of this example,
 we assume that our site is <code>www.example.com</code>.</p>
<pre class="prettyprint lang-config">RewriteCond %{HTTP_REFERER} !www.example.com [NC]
RewriteRule <strong>\.(gif|jpg|png)$</strong> - [F,NC]</pre>
 <p>In this second example, instead of failing the request, we display
 an alternate image.</p>
<pre class="prettyprint lang-config"># Skip the replacement image itself so the redirect does not loop.
RewriteCond %{REQUEST_URI} !/images/go-away\.png$ [NC]
RewriteCond %{HTTP_REFERER} !www.example.com [NC]
RewriteRule <strong>\.(gif|jpg|png)$</strong> /images/go-away.png [R,NC]</pre>
 <p>In the third example, we redirect the request to an image on some
 other site.</p>
<pre class="prettyprint lang-config">RewriteCond %{HTTP_REFERER} !www.example.com [NC]
RewriteRule <strong>\.(gif|jpg|png)$</strong> http://other.example.com/image.gif [R,NC]</pre>
 <p>Of these techniques, the last two tend to be the most effective
 in getting people to stop hotlinking your images, because they will
 simply not see the image that they expected to see.</p>
 <p>If all you wish to do is deny access to the resource, rather
 than redirecting that request elsewhere, this can be
 accomplished without the use of mod_rewrite:</p>
<pre class="prettyprint lang-config">SetEnvIf Referer example\.com localreferer
&lt;FilesMatch \.(jpg|png|gif)$&gt;
 Order deny,allow
 Deny from all
 Allow from env=localreferer
&lt;/FilesMatch&gt;</pre>
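<p>The rules above in a tightened form, as an added example that is not part of the original Apache documentation: the Referer is matched against an anchored scheme-and-host pattern rather than the bare string <code>www.example.com</code>, requests without a Referer are let through, and the replacement image is excluded from the rule. Admitting empty Referers and the optional port group are assumptions; the host name and image path are the ones used on this page.</p>

```apache
# Added example (not from the original page). Assumes the site is
# www.example.com and the replacement image is /images/go-away.png.
RewriteEngine On

# Assumption: requests that carry no Referer at all are allowed. Remove
# this condition to refuse them, as the unanchored examples above do.
RewriteCond %{HTTP_REFERER} !^$
# Anchor on scheme and host. An unanchored pattern matches that text
# anywhere in the header value, not only in the host part.
RewriteCond %{HTTP_REFERER} !^https?://www\.example\.com(:[0-9]+)?(/|$) [NC]
# Leave the replacement image alone, otherwise its own request is redirected.
RewriteCond %{REQUEST_URI} !^/images/go-away\.png$
RewriteRule \.(gif|jpg|png)$ /images/go-away.png [R,NC,L]

# The same policy as a plain denial, without mod_rewrite (httpd 2.4 and later).
SetEnvIfNoCase Referer "^https?://www\.example\.com(:[0-9]+)?(/|$)" localreferer
# Treat a missing Referer as local too, matching the assumption above.
SetEnvIf Referer "^$" localreferer
<FilesMatch "\.(jpg|png|gif)$">
    Require env localreferer
</FilesMatch>
```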
</div>
<h2><a name="blocking-of-robots" id="blocking-of-robots">Blocking of Robots</a></h2>
 <p>In this recipe, we discuss how to block persistent requests from
 a particular robot, or user agent.</p>
 <p>The standard for robot exclusion defines a file,
 <code>/robots.txt</code>, that specifies those portions of your
 website where you wish to exclude robots. However, some robots
 do not honor these files.</p>
 <p>Note that there are methods of accomplishing this which do
 not use mod_rewrite. Note also that any technique that relies on
 the client's <code>USER_AGENT</code> string can be circumvented
 very easily, since that string can be changed.</p>
 <p>We use a ruleset that specifies the directory to be
 identifies the malicious or persistent robot.</p>
 <p>In this example, we are blocking a robot called
 <code>/secret/files</code>. You may also specify an IP address
 range, if you are trying to block that user agent only from the
 particular source.</p>
<pre class="prettyprint lang-config"># REMOTE_ADDR is matched as a regular expression; a leading "=" would
# compare the pattern as a literal string and never match an address.
RewriteCond %{HTTP_USER_AGENT} ^<strong>NameOfBadRobot</strong>
RewriteCond %{REMOTE_ADDR} ^<strong>123\.45\.67\.[8-9]</strong>$
RewriteRule ^<strong>/secret/files/</strong> - [<strong>F</strong>]</pre>
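<p>One of the methods that does not use mod_rewrite, as an added example that is not part of the original Apache documentation: the same block expressed with mod_setenvif and the httpd 2.4 authorization containers. The environment variable name <code>bad_robot</code> is hypothetical, and <code>123.45.67.8/31</code> is the CIDR form of the two addresses matched by the ruleset above.</p>

```apache
# Added example (not from the original page); bad_robot is a hypothetical name.
# Flag requests whose User-Agent starts with the robot's name
# (case-sensitive, like the RewriteCond above).
SetEnvIf User-Agent "^NameOfBadRobot" bad_robot

<Location "/secret/files/">
    <RequireAll>
        # Everyone is allowed ...
        Require all granted
        # ... unless the request is from the flagged robot AND comes from
        # 123.45.67.8 or 123.45.67.9 (the /31 covers exactly those two).
        # Drop the "Require ip" line to refuse the robot from any address.
        <RequireNone>
            <RequireAll>
                Require env bad_robot
                Require ip 123.45.67.8/31
            </RequireAll>
        </RequireNone>
    </RequireAll>
</Location>
```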
<p class="apache">Copyright 2012 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
</div><script type="text/javascript">