Check out this question (although it very much only relates to IIS6), and take a look at the Security Compliance Manager for Server 2008 to create and apply a local security policy.
What we've actually ended up doing is as follows:
RewriteCond %{REMOTE_HOST} !A.B.C.(D|E)
RewriteCond %{HTTP_HOST}==%{HTTP_REFERER} !^(.*?)==https?://\1/ [NC]
RewriteCond %{HTTP_REFERER} !https?://referring.domain.com/ [NC]
RewriteRule ^ https://referring.domain.com/path/to/login/script [R,L]
The first RewriteCond (and several more lines like it) mean that developers and the client are not restricted by this referrer check (as it's really tiresome to have to go there first before going to our site).
The second RewriteCond is a work of genius to check if the referrer is the same as the Host: in the request. This is based on terrye's answer to SO#7398191: Generic mod_rewrite referrer check — because mod_rewrite only does variable interpolation in the test string, you can't have a line reading
RewriteCond %{HTTP_HOST} !^https?://%{HTTP_REFERER}/ [NC]
as it simply won't do that check.
Apparently we're "never" gonna need to allow any other referrers. If we did, I guess I'd just have to set that last RewriteCond line to end [NC,OR] and chain some more conditions along.
All working nicely. Thanks for your help, everyone!
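An added example, not part of the post above or of Apache itself: a Python model of the three RewriteCond lines, useful for checking which requests the rule would redirect before deploying it. The exempt-client addresses and all sample hosts are constructed placeholders (the post elides its real A.B.C.D values), and Python's re module stands in for mod_rewrite's PCRE matching.

```python
import re

# Patterns copied from the post; the leading "!" negation is applied in code.
SAME_HOST = re.compile(r"^(.*?)==https?://\1/", re.IGNORECASE)
ALLOWED_REFERRER = re.compile(r"https?://referring.domain.com/", re.IGNORECASE)
# Assumption: documentation-range addresses stand in for the elided A.B.C.(D|E).
EXEMPT_CLIENT = re.compile(r"192\.0\.2\.(10|11)")


def redirects_to_login(remote_host, http_host, referer):
    """Return True when all three negated conditions hold, i.e. the rule fires."""
    # Cond 1: client is not one of the exempt developer/client addresses.
    not_exempt = not EXEMPT_CLIENT.search(remote_host)
    # Cond 2: both variables are expanded into ONE test string, so the
    # back-reference \1 can compare the Host value with the Referer host.
    test_string = f"{http_host}=={referer}"
    not_same_host = not SAME_HOST.search(test_string)
    # Cond 3: Referer does not contain the allowed referring site.
    not_allowed = not ALLOWED_REFERRER.search(referer)
    return not_exempt and not_same_host and not_allowed


# Constructed sample requests: (REMOTE_HOST, Host header, Referer header).
SAMPLES = [
    ("203.0.113.5", "www.example.com", ""),                       # no Referer
    ("203.0.113.5", "www.example.com", "https://www.example.com/page"),
    ("203.0.113.5", "WWW.Example.com", "http://www.example.com/"),  # [NC]
    ("203.0.113.5", "www.example.com:8443", "https://www.example.com:8443/a"),
    ("203.0.113.5", "www.example.com",
     "https://referring.domain.com/path/to/login/script"),
    ("203.0.113.5", "www.example.com", "https://other.example/"),
    ("192.0.2.10", "www.example.com", ""),                        # exempt client
]

if __name__ == "__main__":
    for remote, host, referer in SAMPLES:
        verdict = "redirect" if redirects_to_login(remote, host, referer) else "serve"
        print(f"{verdict:8} client={remote} host={host} referer={referer!r}")
```

The Referer header is supplied by the client, so the model describes a navigation gate rather than an access control.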
I think the map will be case-sensitive, and you also need to extract the hostname from the Referer. I haven't tested this at all, but something like this might work:
RewriteMap deflector txt:/path/to/deflector.map
RewriteMap lc int:tolower
RewriteCond %{HTTP_REFERER} ^https?://([^:/?]+)
RewriteCond ${lc:%1} (.+)
RewriteCond ${deflector:%1|NOT-FOUND} =NOT-FOUND
RewriteRule ^ http://example.com/ [L]
Don't mess around with unusual response codes; the default is 302.