3

When we want to block bots and spam referrers using an .htaccess file, some websites use the following code syntax:

Order allow,deny
Allow from all
Deny from env=spambot

But some websites say that we need to use different codes for different Apache versions:

#For Apache 2.2
<IfModule !mod_authz_core.c>
<IfModule mod_authz_host.c>
    Order allow,deny
    Allow from all
    Deny from env=spambot
</IfModule>
</IfModule>

# For Apache 2.4
<IfModule mod_authz_core.c>
<RequireAll>
    Require all granted
    Require not env spambot
</RequireAll>
</IfModule>

Now I want to know which one is correct, or are both correct?

2 Answers

1

we need to use different codes for different Apache versions

This.

The syntax changed from Apache 2.2 to 2.4. However, the old (Apache 2.2) syntax was kept (in fact, it was moved to a different module: mod_access_compat) for backwards compatibility only - so it still "works". But it is deprecated and is likely to be removed in future versions. So, code on Apache 2.4 should use the Require ... syntax.

MrWhite
  • 13,016
  • Thanks for your reply. If I use the second piece of code fully, is it ok? Is there any change needed? –  Aug 28 '17 at 12:13
  • I mean both codes for apache 2.2 and apache 2.4 as given in second code paragraph. –  Aug 28 '17 at 12:26
  • 1
    That code looks OK. But it's not complete on its own... spambot would need to be defined somewhere. However, you wouldn't normally use both... you would just use the appropriate directives for your server version. Unless this code is intended to work on both servers? Any new server should be using Apache 2.4 these days, if not it should be upgraded. – MrWhite Aug 28 '17 at 14:37
  • Thanks. "spambot" is already defined using SetEnvIfNoCase Referer spamdomain\.com spambot=yes line.

    I checked and my Apache version is Apache/2.4.23 (Unix), so should I use the code given after # For Apache 2.4 line? Is it fine to use?

    Again if I keep both codes #For Apache 2.2 and #For Apache 2.4, will it not work? Will it cause any issues?

    –  Aug 28 '17 at 15:20
  • 1
    If you code this just for one version of Apache then you don't need the <IfModule> wrappers. Maintaining additional code when you don't need it is just additional work (and more chance for error). – MrWhite Aug 28 '17 at 15:37
  • So should I use only the <RequireAll> Require all granted Require not env spambot </RequireAll> lines without the <IfModule mod_authz_core.c> line? Also, is the <RequireAll></RequireAll> tag necessary? –  Aug 28 '17 at 15:40
  • What will this .htaccess code do? Will it show 403 forbidden page to users which come from the blocked referrer or will it do something else? I'm asking this because when I used this SetEnvIfNoCase code, I was able to open my website from a blocked referrer without any problem. But when I tried with RewriteCond %{HTTP_REFERER} domain\.com [NC], my website was showing 403 forbidden page to blocked referrer successfully. –  Aug 28 '17 at 18:13
  • 1
    Yes, the <RequireAll> container is required in this example, otherwise <RequireAny> will be implied and access will be granted unconditionally. That code should do as you say, "show 403 forbidden page to users which come from the blocked referrer". In fact, this would be preferable to using mod_rewrite, which could conflict (and be overridden) with other directives/.htaccess files. – MrWhite Aug 28 '17 at 23:39
  • Thanks, but the SetEnvIfNoCase method is not working for me. I'm checking with a Chrome extension which allows us to use a custom referrer, and if I use the mod_rewrite method, Chrome shows a 403 forbidden error page, but if I use the SetEnvIfNoCase method, my webpage opens normally. What am I doing wrong? –  Aug 29 '17 at 06:22
  • Not sure, you'd need to start another question and include your complete .htaccess code. Is this all in .htaccess, or do you have access to the server config? – MrWhite Aug 29 '17 at 07:16
  • My .htaccess file contains lots of code. But after your comment, I removed all code and kept only default Wordpress code and this SetEnvIfNoCase code but still same issue. I have uploaded the code of my .htaccess file at following link:

    link

    –  Aug 29 '17 at 07:35
  • I have posted a new question:

    link

    –  Aug 29 '17 at 08:13
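The evaluation rules discussed in the answer and comments above, as an added example that is not part of the original posts: a simplified Python model of the Apache 2.2 `Order allow,deny` block and the Apache 2.4 `<RequireAll>` block from the question, showing that they decide the same way and why the `<RequireAll>` container matters. It follows the documented success/failure/neutral results of mod_authz_core and does not reproduce Apache's configuration parsing or merging; all function names are hypothetical, and the referrer pattern is the one quoted in the comments.

```python
import re

# Stand-in for the rule quoted in the comments:
#   SetEnvIfNoCase Referer spamdomain\.com spambot=yes
SPAM_REFERER = re.compile(r"spamdomain\.com", re.IGNORECASE)
GRANTED, DENIED, NEUTRAL = "granted", "denied", "neutral"

def request_env(referer):
    """Environment after SetEnvIfNoCase: spambot is set only on a regex match."""
    env = {}
    if referer and SPAM_REFERER.search(referer):
        env["spambot"] = "yes"
    return env

def require_all_granted(env):
    return GRANTED

def require_not_env(name):
    # A negated Require can only fail or stay neutral; it never grants on its own.
    return lambda env: DENIED if name in env else NEUTRAL

def require_all(*directives):
    """<RequireAll>: none may fail and at least one must succeed."""
    def check(env):
        results = [d(env) for d in directives]
        if DENIED in results:
            return DENIED
        return GRANTED if GRANTED in results else NEUTRAL
    return check

def require_any(*directives):
    """<RequireAny>: a single success is enough, whatever the others return."""
    def check(env):
        results = [d(env) for d in directives]
        if GRANTED in results:
            return GRANTED
        return DENIED if DENIED in results else NEUTRAL
    return check

def apache22_allow_deny(env):
    """Order allow,deny / Allow from all / Deny from env=spambot: a Deny match wins."""
    return DENIED if "spambot" in env else GRANTED

def status(result):
    # Anything other than an explicit grant ends as 403 Forbidden.
    return 200 if result == GRANTED else 403

apache24 = require_all(require_all_granted, require_not_env("spambot"))
without_container = require_any(require_all_granted, require_not_env("spambot"))
```

In this model `apache24` and `apache22_allow_deny` return 403 only when the Referer matches the pattern, while `without_container` returns 200 for every request because `Require all granted` alone satisfies the any-of group.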
0

To disable all access to a folder, add this code to an .htaccess file inside that folder:

# Apache 2.4
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2
<IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
</IfModule>

  • As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center. – djdomi Feb 27 '24 at 19:55