You are viewing a plain text version of this content. The canonical link for it is here.
Posted to docs@httpd.apache.org by John Michael <jo...@acadiacom.net> on 2001/01/19 09:21:28 UTC
basic auth and mod-rewrite
I have a probem with bot script and brute force attacks. I wrote a script
that stops about 95% of attacks. However, there a still a couple of guys
out there that do ip spoofing.
I tried using .htaccess file like it is below hoping that the rewrite
directives from mod-rewrite would require the user to come from a certain
page first. That is why I put the rewrite stuff at the top. However, it
does not. It still ask for user credentials and then the rewrite stuff
kicks in.
Finally, my question. How can I get the .htaccess file to do the
mod-rewrite directives first and then do user authentication. This would
stop bot scripts that at least didn't have the HTTP_REFERER env. variable
set correctly. Is it possible.
######## my .htaccess file below starts here #######################
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://mydomain.com/login/ [NC]
RewriteRule /* http://mydomain.com/ [R,L]
AuthUserFile /path/to/my/password/file/.htpasswd
AuthGroupFile /dev/null
AuthName 'Protected Area'
AuthType Basic
<Limit GET PUT POST>
require valid-user
</Limit>
#added for unhurler
ErrorDocument 401 /cgi-bin/unhurler/unhurler.pl
################ ends here #######################################
Thanks in advance
--
John Michael