.htaccess check header and domain conditions as chain

Time:04-08

Sorry, this might be an easy one. I'd like to check whether both match: the value of my header and the HTTP_REFERER.

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?alloweddomain.com [NC]
RewriteCond %{HTTP:X-SomeHeader} !somekey
RewriteRule ^ - [F]

Otherwise I'd like to block the user.

The header check works nicely, and the documents are only served when it is correct. However, the HTTP_REFERER seems to be ignored. The resources are even served when it is not present, for example with curl. How do I need to change the conditions so that both must match?

CodePudding user response:

RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?alloweddomain.com [NC]
RewriteCond %{HTTP:X-SomeHeader} !somekey
RewriteRule ^ - [F]

This is currently checking that both do not match. If the Referer header is not present, but somekey is passed then the request is not blocked.

You need an OR flag on the first condition, i.e. if either does not match then block the request. For example:

RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?alloweddomain.com [NC,OR]
RewriteCond %{HTTP:X-SomeHeader} !=somekey
RewriteRule ^ - [F]

You also need the = operator on the second CondPattern for an exact match, otherwise you are checking whether somekey exists anywhere in the passed header.

OR, reverse the logic:

RewriteCond %{HTTP_REFERER} ^http(s)?://(www\.)?alloweddomain.com [NC]
RewriteCond %{HTTP:X-SomeHeader} =somekey
RewriteRule ^ - [S=1]
RewriteRule ^ - [F]

If both match then the following rule that blocks the request is skipped.
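
The three rule sets above, modelled in Python as an added example (not part of the original answer): each function returns whether a request would receive the 403, evaluated over constructed sample requests. The `cond` helper and the function names are hypothetical, and the model assumes Python's `re` treats this simple pattern the same way Apache's regex engine does.

```python
import re

def cond(value, pattern, negate=False, exact=False, nocase=False):
    """Model one RewriteCond: '=' compares strings, otherwise an unanchored
    regex search; a leading '!' negates the result."""
    if exact:
        hit = value == pattern
    else:
        hit = re.search(pattern, value, re.I if nocase else 0) is not None
    return hit != negate

REF = r"^http(s)?://(www\.)?alloweddomain.com"   # pattern from the page

def blocked_original(referer, key):
    # Question's rules: conditions are ANDed, so [F] needs BOTH checks to fail.
    return (cond(referer, REF, negate=True, nocase=True)
            and cond(key, "somekey", negate=True))

def blocked_or(referer, key):
    # Answer, first form: [OR] flag plus exact '=' comparison.
    return (cond(referer, REF, negate=True, nocase=True)
            or cond(key, "somekey", negate=True, exact=True))

def blocked_skip(referer, key):
    # Answer, second form: [S=1] skips the [F] rule only when both match.
    both_match = (cond(referer, REF, nocase=True)
                  and cond(key, "somekey", exact=True))
    return not both_match

# Constructed requests; an absent header expands to an empty string.
SAMPLES = [
    ("https://www.alloweddomain.com/page", "somekey"),
    ("", "somekey"),                      # e.g. curl with no Referer
    ("https://alloweddomain.com/", ""),
    ("https://alloweddomain.com/", "xsomekeyx"),
    ("", ""),
]

def truth_table():
    return [(r, k, blocked_original(r, k), blocked_or(r, k), blocked_skip(r, k))
            for r, k in SAMPLES]

if __name__ == "__main__":
    for row in truth_table():
        print(row)
```

Only the first sample passes under both corrected forms; the original rules block nothing except the request with neither header.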
