#31572 Restrict by domain name or IP

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by webiedesign on Tuesday, 23 July 2019 20:03 CDT

webiedesign
I manage a site and other domains are being forwarded to it (example: baddomain, owned by somebody else, forwards to the client's good domain). Is there a way in the .htaccess tools I can restrict the site to only load if it is from our good domain, or restrict it to our IP only? I tried to block the bad domain, but this month there are just different domains forwarding to it.

nicholas
Akeeba Staff
Manager
Please note that you are asking for generic assistance with Apache configuration. This is outside the scope of our support. Moreover, you are not clear about what your problem is. What you describe can be read as three completely different issues. I am going to give you some pointers below but that's the extent of the help I can provide.

If malicious domain X forwards to your domain Y (the client's address bar displays domain Y after visiting site X) you cannot prevent the redirection. In theory you can check the HTTP Referer header (one "r", I know it's wrong English, that's how the HTTP standard has it...) with a .htaccess rule but I'd argue that a malicious actor could just as well spoof that header. Also note that the IP you would see in this case is the IP address of the client, not the IP address of the malicious server doing the redirection. This would be a nonsensical mode of attack because the malicious domain does not see the traffic between the client and your site.

If malicious domain X proxies its requests to your domain Y (the client's address bar displays domain X and domain X has a different IP address than domain Y in their DNS A record) you will of course get the IP address of the remote server. Even though you could write a .htaccess rule that would be the wrong way to go about it for performance reasons: .htaccess rules are parsed on every single request to every single resource on the page, even static content! What would make more sense is using your operating system firewall to deny connections from the malicious server's IP address. This attack mode makes perfect sense; the malicious domain acts as a proxy and can observe all the traffic between the client and your site.

If malicious domain X points to the same IP address as your domain Y (the client's address bar displays domain X and both domain X and domain Y have the same IP address in their DNS A record) then this is something you have to configure at the Apache level. The typical way to handle it is to have a default site in Apache that throws a 403 Forbidden error and a virtual host with hostname matching to serve the real sites your server is supposed to handle. This attack mode makes little sense except for spamming / blackhat SEO reasons.

I hope this information helps.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
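Added example (not from the ticket and not Akeeba's code) of the Apache-level setup described in the third case above: a catch-all default virtual host that answers 403 Forbidden to any Host header you have not configured, followed by the named virtual host for the real site. The hostnames, document roots and log path are assumptions.

```apache
# Added example; hostnames, paths and the log location are assumptions.
# Apache treats the FIRST <VirtualHost> for a given address:port as the
# default and uses it whenever no ServerName/ServerAlias matches the
# request's Host header, so this block must come before the real site.
<VirtualHost *:80>
    ServerName default.invalid          # reserved TLD, never resolves
    DocumentRoot /var/www/empty         # create it; it can stay empty
    <Directory /var/www/empty>
        Require all denied              # every path -> 403 Forbidden
    </Directory>
    # Separate log so you can see which foreign domains are pointed at
    # this IP, without adding per-request .htaccess rules.
    CustomLog /var/log/apache2/unmatched-host.log combined
</VirtualHost>

# The real site: only requests whose Host header matches these names
# reach the Joomla document root.
<VirtualHost *:80>
    ServerName gooddomain.example
    ServerAlias www.gooddomain.example
    DocumentRoot /var/www/gooddomain
    <Directory /var/www/gooddomain>
        Require all granted
        AllowOverride All               # lets Admin Tools' .htaccess apply
    </Directory>
</VirtualHost>
```

To check the result, `apachectl -S` prints the name-to-vhost mapping Apache actually built, and a request such as `curl -sI -H 'Host: foreign.example' http://SERVER-IP/` (SERVER-IP being the server's own address) should come back `403 Forbidden` while the same request with the real hostname returns `200`. Because the decision is made at the vhost level, it costs nothing per request and is not affected by anything in .htaccess; if the site also listens on port 443, the same pair of blocks is needed for `*:443`.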

webiedesign
Thanks, my host supplied me code to add to my .htaccess that works after the redirect. For anybody finding this thread, here is the solution:

SetEnvIfNoCase Referer "baddomain1.com" bad_referer
SetEnvIfNoCase Referer "baddomain2.com" bad_referer
SetEnvIfNoCase Referer "baddomain3.com" bad_referer
Order Allow,Deny
Allow from ALL
Deny from env=bad_referer

To clarify, domains my client does not own are being forwarded to my client's site, causing confusion and unwanted traffic.
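Added example (not the host's snippet above and not Akeeba's code) of the same Referer-based block written for Apache 2.4. `Order`, `Allow` and `Deny` are Apache 2.2 directives; on 2.4 they only work when mod_access_compat is loaded and otherwise produce a 500 error with "Invalid command 'Order'" in the error log. The domain names are placeholders.

```apache
# Added example for Apache 2.4 (mod_authz_core); domain names are placeholders.
# SetEnvIf takes a regular expression, so the dot is escaped to match a
# literal "." instead of any character. NoCase makes the match case-insensitive.
SetEnvIfNoCase Referer "baddomain1\.com" bad_referer
SetEnvIfNoCase Referer "baddomain2\.com" bad_referer
SetEnvIfNoCase Referer "baddomain3\.com" bad_referer

# Equivalent of "Order Allow,Deny / Allow from all / Deny from env=bad_referer":
# everyone is allowed unless the bad_referer variable was set for the request.
<RequireAll>
    Require all granted
    Require not env bad_referer
</RequireAll>
```

Two limits worth knowing before relying on it. The rule only fires when the browser actually sends the forwarding domain in the Referer header; a plain 301/302 redirect keeps the referrer of the original request, so this catches frame-based or script-based forwarding rather than every kind of redirect. And, as noted earlier in the thread, Referer is client-supplied and can be omitted or spoofed, so treat the rule as a nuisance filter and keep the real domain separation at the virtual-host level. To verify it, `curl -sI -H 'Referer: http://baddomain1.com/' http://gooddomain.example/` should return 403 while a request without that header returns 200.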
