Deny request with specified referrer.

Anonym0us
17 March 2013, 08:29
Hiawatha version: v8.5

Is it possible to deny a request and ban the client if the request contains a specified string?
Hugo Leisink
17 March 2013, 16:05
You can if it is in the URL (via the UrlToolkit) or in the request body (via DenyBody option).
Anonym0us
17 March 2013, 20:43
Thanks, I will try it
Anonym0us
19 March 2013, 11:59
Can you help me with DenyBody?

What must the DenyBody string look like to deny users from http://example.com?
Hugo Leisink
19 March 2013, 12:04
What do you mean with "users from http://example.com"?
Anonym0us
19 March 2013, 12:05
Fast

If the request has "example.com" in the referrer header, ban the user (BanOnDeniedBody).
Anonym0us
19 March 2013, 12:19
I cannot get any expression to work. Even "^.*$".
Hugo Leisink
19 March 2013, 14:16
The DenyBody can only be used for the request body. The referer header is located in the HTTP header.

Please note that any (security) check for the referer header can easily be surpassed.
Anonym0us
19 March 2013, 19:07
Okay... So how do I control the referrer? I need to reduce load on the fileserver, because requests appear here from some unwanted clients. Can it be done without PHP?

"referer header can easily be surpassed." - I know, but the clients do not fake their referrers.

Thanks
Hugo Leisink
20 March 2013, 10:08
There are multiple ways. Which one is best for you I don't know. You can use HTTP authentication, limit access based on IP, limit download speed, simultaneous connections from one IP.
Anonym0us
20 March 2013, 13:05
Clients are limited, so I cannot use any of this. I can act based only on the referrer. Maybe you will add some features like the URL Toolkit, but for referrers? Redirect, Deny, Rewrite, Ban and others, but with the referrer used to match requests instead of the URL. It can be used, for example, to redirect a user to the German version of the site if the user visited our page via a link from any site in the .de domain zone. Also, there is already an ImageReferer feature, so why not make the same for any files?
Hugo Leisink
20 March 2013, 19:27
Redirecting users that came from a .de website to a specific part of the website is a kind of functionality that should be inside the webapplication, not in the webserver.
Da JoJo
20 March 2013, 22:46
It is not the role of the webserver to do these actions. The referrer can be captured with PHP or HTML or Java and from there routed within the website you made. Same for geo-location.
The server works on the IP and zone level, not on the content level, i.e. the webserver can tell you what IP you use and what technics come with that, but it cannot tell you where you came from. This is held in variables passed to the site (script that runs on the client machine). From here you can tell your script to handle this variable. What you want comes down to something like an HTML page you made that is able to directly alter the config file of the server... you see, it makes no sense. Although with a lot of trickery it can be done.
Hugo Leisink
21 March 2013, 10:29
I don't understand the point you are trying to make... if you are trying to make any...
Anonym0us
21 March 2013, 11:26
"Redirecting users that came from a .de website to a specific part of the website is a kind of functionality that should be inside the webapplication, not in the webserver." - okay
But I still wanna "Referrer Toolkit" functionality...

Thanks anyway
Anonym0us
21 March 2013, 11:32
Another possible use is protection from IFrame DDoS. Apache can do it with mod_rewrite, based on referrer :/
I hope that this feature will appear in Hiawatha.
Da JoJo
21 March 2013, 11:39
Yup, Apache does it, but it is not the correct way to do this. Who uses iframes nowadays lol... that is so last century. :/
Anonym0us
21 March 2013, 11:42
Da JoJo - recently VK.COM (a popular Russian social network) successfully DDoSed one website related to captcha solving. So IFrame DDoS is alive.
Anonym0us
21 March 2013, 11:47
I need to reduce server load caused by unwanted clients (they act completely the same as normal ones, so an IP connection limit and a request limit will not work). I do not want to use PHP or other CGI things, as it will increase CPU usage. Hiawatha is a great w/s, it already has nice load reducing and security features, but it should have the ability to manage requests by referrer.
Hugo Leisink
21 March 2013, 12:12
Ok, I will see what I can do with the referrer check.
Da JoJo
21 March 2013, 12:19
Captcha solving with iframe? Wow. I wonder how that comes lol
But wouldn't putting this in Hiawatha increase the CPU load for Hiawatha too?
I mean, perhaps it seems Hiawatha could handle this faster, but still this is no solution to this problem you are experiencing.
Captcha is made from pictures, right? Perhaps you can rewrite it to make use of cache and ImageReferer = hostname[, hostname, ...]:<alternative image>
and use the cross-site protection.
Anonym0us
22 March 2013, 17:13
Hugo Leisink - thanks!

Da JoJo - "captcha solving with iframe ?" - no! It was a website which supports spammers (by providing captcha solving)! And it was DDoSed by a social network using iFrames.

Also, what is better?
1. PHP enabled, using a script to control the referrer. We need PHP enabled ONLY for it :/
2. Hiawatha can eat a little amount of CPU when this possible feature is enabled. No PHP daemon running.
Hugo Leisink
23 March 2013, 12:42
I've been thinking about the referrer thing, but I'm not really fond of having such an application specific thing in Hiawatha. I understand you don't want to run PHP for only this single thing. How about you creating a FastCGI application in C? It's as fast as having it inside Hiawatha and Hiawatha remains clean of this application specific feature. You can use this example as a starter.
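Added example, not part of the original thread and not the starter example linked in the post above: a referrer check in C of the kind such a CGI/FastCGI handler could apply. The function names, the plain CGI `main` and the hard-coded blocked domain `example.com` (taken from the question earlier in the thread) are assumptions; the blocked domain is expected in lower case.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Extract the lower-cased host from "scheme://[user@]host[:port]/...".
 * Returns 0 on success, -1 when there is no usable host.
 * IPv6 literals are not handled. */
static int referer_host(const char *referer, char *host, size_t len)
{
    const char *p, *q, *end;
    size_t n, i;

    if (referer == NULL || (p = strstr(referer, "://")) == NULL)
        return -1;
    p += 3;
    end = p + strcspn(p, "/?#");          /* end of the authority part */
    for (q = p; q < end; q++)             /* skip any userinfo before '@' */
        if (*q == '@')
            p = q + 1;
    n = strcspn(p, ":/?#");               /* host stops at port or path */
    if (n > 0 && p[n - 1] == '.')         /* ignore a trailing root dot */
        n--;
    if (n == 0 || n >= len)
        return -1;
    for (i = 0; i < n; i++)
        host[i] = (char)tolower((unsigned char)p[i]);
    host[n] = '\0';
    return 0;
}

/* 1 = deny, 0 = allow. Matches blocked_domain and its subdomains only, so
 * "notexample.com" and "example.com.evil.org" do not match "example.com". */
int deny_by_referer(const char *referer, const char *blocked_domain)
{
    char host[256];
    size_t hl, dl = strlen(blocked_domain);

    if (referer_host(referer, host, sizeof(host)) != 0)
        return 0;                         /* absent or unparsable: allow */
    hl = strlen(host);
    if (hl < dl || strcmp(host + hl - dl, blocked_domain) != 0)
        return 0;
    return hl == dl || host[hl - dl - 1] == '.';
}

/* CGI entry point: the server passes the Referer header as HTTP_REFERER. */
int main(void)
{
    int deny = deny_by_referer(getenv("HTTP_REFERER"), "example.com");
    printf("Status: %s\r\nContent-Type: text/plain\r\n\r\n%s\n",
           deny ? "403 Forbidden" : "200 OK", deny ? "Denied" : "OK");
    return 0;
}
```

Matching on the parsed host rather than on a substring of the whole header keeps a URL such as `http://other.org/?ref=example.com` from being denied by accident.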
Anonym0us
25 March 2013, 07:48
Okay

"application specific thing" - ImageReferer is an application specific thing too
Why not?
Anonym0us
25 March 2013, 07:57
Maybe do not make it referer-specific? Make it able to manage requests by matching both header name and content. It can be useful to deal with some bots that use a specific header. Also, it can replace the DenyBot functionality (controlling UserAgent) with more options.

If not, why?
Hugo Leisink
25 March 2013, 15:03
Download 9.0-beta3 and look for the UrlToolkit Header option in the manual page. Is this what you want?
Anonym0us
26 March 2013, 17:40
Great! Compiling it now

Thanks!
This topic has been closed.