SetEnvIf and SetEnvIfNoCase ExamplesJanuary 7th, 2008
« Apache Environment Variables CGI ScriptRedirecting RSS to Feedburner »
SetEnvIf and SetEnvIfNoCase are really useful directives supplied by the mod_setenvif module that allow you to conditionally set environment variables accessible by scripts and apache based on the value of HTTP Headers, Other Variables, and Request information.
For debugging, you may want to use my server environment variable debugging script
Syntax:
SetEnvIf attribute regex [!]env-variable[=value] [[!]env-variable[=value]] ...
These can be used for attribute.
crawl-66-249-70-24.googlebot.com66.249.70.24208.113.183.103GETHTTP/1.1/robots.txtSetEnvIfNoCase Remote_Host "(.*)" HTTP_MY_REMOTE_HOST=$1 SetEnvIfNoCase Remote_Addr "(.*)" HTTP_MY_REMOTE_ADDR=$1 SetEnvIfNoCase Server_Addr "(.*)" HTTP_MY_SERVER_ADDR=$1 SetEnvIfNoCase Request_Method "(.*)" HTTP_MY_REQUEST_METHOD=$1 SetEnvIfNoCase Request_Protocol "(.*)" HTTP_MY_REQUEST_PROTOCOL=$1 SetEnvIfNoCase Request_URI "(.*)" HTTP_MY_REQUEST_URI=$1
Sets REMOTE_HOST to www.askapache.com if Remote_Addr=208.113.183.103. This can be useful if your server doesn’t automatically do a reverse lookup on a remote address, so this way you can tell if the request was internal/from your server.
SetEnvIf Remote_Addr 208\.113\.183\.103 REMOTE_HOST=www.askapache.com
SetEnvIfNoCase ^HOST$ .+ HTTP_MY_HAS_HOST Order Deny,Allow Deny from All Allow from env=HTTP_MY_HAS_HOST
or
SetEnvIfNoCase Host .+ HTTP_MY_HAS_HOST Order Deny,Allow Deny from All Allow from env=HTTP_MY_HAS_HOST
SetEnvIfNoCase ^If-Modified-Since$ "(.+)" HTTP_IF_MODIFIED_SINCE=$1 SetEnvIfNoCase ^If-None-Match$ "(.+)" HTTP_IF_NONE_MATCH=$1 SetEnvIfNoCase ^Cache-Control$ "(.+)" HTTP_CACHE_CONTROL=$1 SetEnvIfNoCase ^Connection$ "(.+)" HTTP_CONNECTION=$1 SetEnvIfNoCase ^Keep-Alive$ "(.+)" HTTP_KEEP_ALIVE=$1 SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1 SetEnvIfNoCase ^Cookie$ "(.+)" HTTP_MY_COOKIE=$1
This is useful in disallowing direct access to interpreters like shell scripts, cgi scripts, and other interpreters. Only works this way if you have a static IP for your server. So the only way to access these files is by instructing the server itself to request the file, using an Action directive or by requesting the file through a .php or other script using curl or wget, or something like fsockopen.
<FilesMatch "\.(cgi|sh|pl)$"> SetEnvIfNoCase Remote_Addr 208\.113\.183\.103 REDIRECT_STATUS Order Deny,Allow Deny from All Allow from env=REDIRECT_STATUS </FilesMatch>
Can be useful if your site is getting hammered by spambots. Some nice examples from around the net are at Fight Blog Spam With Apache… Keep in mind the HTTP_USER_AGENT is directly from the client, so its easy to spoof / change. Instead use mod_security for a much better solution.
SetEnvIfNoCase User-Agent "^Bandit" bad_bot SetEnvIfNoCase User-Agent "^Baiduspider" bad_bot SetEnvIfNoCase User-Agent "^BatchFTP" bad_bot SetEnvIfNoCase User-Agent "^Bigfoot" bad_bot SetEnvIfNoCase User-Agent "^Black.Hole" bad_bot Order Allow,Deny Allow from All Deny from env=bad_bot
This does the opposite of above, allowing ONLY these web robots access. Other than rogue robots, configuring your robots.txt file correctly will keep most robots where you want them.
SetEnvIfNoCase User-Agent .*google.* search_robot SetEnvIfNoCase User-Agent .*yahoo.* search_robot SetEnvIfNoCase User-Agent .*bot.* search_robot SetEnvIfNoCase User-Agent .*ask.* search_robot Order Deny,Allow Deny from All Allow from env=search_robot
« .htaccess Security with MOD_SECURITY | .htaccess Tutorial Index
« Apache Environment Variables CGI ScriptRedirecting RSS to Feedburner »
Tags: Examples, htaccess, SetEnvIf
The power of the Web is in its universality. Access by everyone regardless of disability is an essential aspect. Tim Berners-Lee
It's very simple -
you read the protocol
and write the code.
-Bill Joy
HTML | DCMI | GRDDL | XOXO | XDMP | XFN | DOM | XML | XHTML 1.1 Strict | CSS 2.1 | W3C | WAI | DISA | ICSI | GIAC | SANS RR | GHOST
Authority: 110 ↑ TOPExcept where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 License, just credit with a link.
This site is not supported or endorsed by The Apache Software Foundation (ASF). All software and documentation produced by The ASF is licensed according to these terms. "Apache" is a trademark of The ASF.
Your article and site is helpful, but the music is rude, annoying, poor design and dis-tasteful. Everyone likes their own music, and usually respect one another’s tastes. Please respect your visitors and let us listen to our own music, not yours. DJ’ing should be left for radio hosts and party’s. Thanks.
[...] the SetEnvIf directive for more details on conditionally setting environment [...]
I would like to be able to make .htaccess directives on a number of sites I have version control systems. I have a copy of the site on my computer hosted on my local apache set to hostname.dev while that site is live on the net as hostname.com or .org.
Right now, I can’t keep the .htaccess file in version control because it differs greatly from my host’s setup (the excellent Dreamhost) with my own setup (Apache2+PHP5 on OSX Leopard on a MBP). I had thought of trying to duplicate Dreamhosts’ environment (just for fun) but, that’s more trouble than it is worth in both fun and profit.
So, I was looking for a way to have environment variables trigger various rules in .htaccess. I found this site (great btw) and I was looking for solution. I was thinking that there would be some way to trigger blocks of commands with directives from server variables. Something along these lines:
DEVELOPMENT (MACBOOK APACHE SETUP) RULES......
PRODUCTION (DREAMHOST) RULES...
[...] SetEnvIf and SetEnvIfNoCase Examples [...]
I think Baidu spider is now legit. I saw a thread at webmasterworld where the baidu techs came and went through why they were ok.