Forum

Hiawatha version: v8.5

It's possible to deny request and ban client if request contains specified string?

You can if it is in the URL (via the UrlToolkit) or in the request body (via DenyBody option).

Thanks, I will try it

Can you help me with DenyBody?

How must look DenyBody string to deny users from http://example.com?

What do you mean with "users from http://example.com"?

Fast

If request have "example.com" in referrer header, ban user (BanOnDeniedBody).

I cannot get any expression work. Even "^.*$".

The DenyBody can only be used for the request body. The referer header is located in the HTTP header.

Please note that any (security) check for the referer header can easily be surpassed.

Okay... So how to control referrer? I need reduce load at fileserver, because here appears requests from some unwanted clients. Can it be done without PHP?

"referer header can easily be surpassed." - I know, but clients does not fake their referrers.

Thanks

There are multiple ways. Which one is best for you I don't know. You can use HTTP authentication, limit access based on IP, limit download speed, simultaneous connections from one IP.

Clients is limited, so I cannot use anything of this. I can do action based only by referrer. Maybe you will add some features like as URL Toolkit, but for referrers? Redirect, Deny, Rewrite, Ban and other, but referrer used to match requests instread of URL. It can be used, for example, to redirect user to German site version if user visited our page by link from any site in .de domain zone. Also here already a ImageReferer feature, why not make same for any files?

Redirecting users that came from a .de website to a specific part of the website is a kind of functionality that should be inside the webapplication, not in the webserver.

It is not in the role of the webserver to do this actions. referrer can be captured with php or html or java and from there routed within the website you made. same for geo-location.
server works on IP and zone level not on contentlevel. i.e. the webserver can tell you what ip you use and what technics come with that but it cannot tell you where you came from. this is hold in variables passed to the site (script that runs on client machine). from here you can tell your script to handle this variable. what u want comes down to something like a html page u made that is able to directly alter the configfile of the server.. u see it make no sense. allthough with a lot of trickery it can be done.

I don't understand the point you are trying to make... if you are trying to make any...

"Redirecting users that came from a .de website to a specific part of the website is a kind of functionality that should be inside the webapplication, not in the webserver." - okay
But I still wanna "Referrer Toolkit" functionality...

Thanks anyway

Other possible use is protection from IFrame DDoS. Apache can do it with mod_rewrite, based on referrer :/
I hope that this feature will appear in Hiawatha

yup apache does it but it is not the correct way to do this. who uses iframes nowadays lol... that is so last century. :/

Da JoJo - recently VK.COM (popular russian social network) successfully DDoSed one website related to captcha solving. So IFrame DDoS is alive.

I need reduce server load caused by unwanted clients (they act completely same as normal, so IP connection limit and request limit will not work). I do not want use PHP or other CGI things, it will increase CPU usage. Hiawatha is great w/s, it already have nice load reducing and security features, but it should have ability to manage requests by referrer.

Ok, I will see what I can do with the referrer check.

captcha solving with iframe ? wow. i wonder how that comes lol
but wouldnt putting this in hiawatha increase the cpu load for hiawatha too ?
i mean perhaps it seems hiawatha could handle this faster, but still this is no solution to this problem you experiencing.
captcha is made from pictures right ? perhaps you can rewrite it to make use of cache and ImageReferer = hostname[, hostname, ...]:<alternative image>
and use the cross-site protection.

Hugo Leisink - thanks!

Da JoJo - "captcha solving with iframe ?" - no! It was website which supports spammers (with providing captcha solving)! And it was DDoSed by social network using iFrames.

Also, what is better?
1. PHP enabled, using script to control referrer. We need php enabled ONLY for it :/
2. Hiawatha can eat little amount of CPU when this possible feature is enabled. No PHP daemon running.

I've been thinking about the referrer thing, but I'm not really fond of having such an application specific thing in Hiawatha. I understand you don't want to run PHP for only this single thing. How about you creating a FastCGI application in C? It's as fast as having it inside Hiawatha and Hiawatha remains clean of this application specific feature. You can use this example as a starter.

Okay

"application specific thing" - ImageReferer is application specific thing too
Why not?

Maybe do not make it referer-specific? Make it able to manage requests by matching both header name and content. It can be useful to deal with some bots, using specific header. Also it can replace DenyBot functionality (controlling UserAgent) with more options.

If no, why?

Download 9.0-beta3 and look for the UrlToolkit Header option in the manual page. Is this what you want?

Great! Compiling it now

Thanks!