SetEnvIf and SetEnvIfNoCase are directives supplied by the mod_setenvif module. They let you conditionally set environment variables, accessible to scripts and to Apache itself, based on the value of HTTP headers, other variables, and request information.
For debugging, you may want to use my server environment variable debugging script
- Unique mod_setenvif Variables
- Populates HTTP_MY_ Variables with mod_setenvif variable values
- Set REMOTE_HOST to HTTP_HOST
- Allows only if HOST Header is present in request
- Add values from HTTP Headers
- Set the REDIRECT_STATUS for Interpreter Security
Syntax:
SetEnvIf attribute regex [!]env-variable[=value] [[!]env-variable[=value]] ...
Unique mod_setenvif Variables
These can be used as the attribute argument.
- Remote_Host - the hostname (if available) of the client making the request - example: crawl-66-249-70-24.googlebot.com
- Remote_Addr - IP address of the client making the request - example: 66.249.70.24
- Server_Addr - IP address of the server on which the request was received - example: 208.113.183.103
- Request_Method - name of the method being used - example: GET
- Request_Protocol - name and version of the protocol with which the request was made - example: HTTP/1.1
- Request_URI - the resource requested on the HTTP request line, generally the portion of the URL following the scheme and host portion without the query string - example: /robots.txt
Populates HTTP_MY_ Variables with mod_setenvif variable values
SetEnvIfNoCase Remote_Host "(.*)" HTTP_MY_REMOTE_HOST=$1
SetEnvIfNoCase Remote_Addr "(.*)" HTTP_MY_REMOTE_ADDR=$1
SetEnvIfNoCase Server_Addr "(.*)" HTTP_MY_SERVER_ADDR=$1
SetEnvIfNoCase Request_Method "(.*)" HTTP_MY_REQUEST_METHOD=$1
SetEnvIfNoCase Request_Protocol "(.*)" HTTP_MY_REQUEST_PROTOCOL=$1
SetEnvIfNoCase Request_URI "(.*)" HTTP_MY_REQUEST_URI=$1
Set REMOTE_HOST to HTTP_HOST
Sets REMOTE_HOST to www.askapache.com if Remote_Addr is 208.113.183.103. This is useful when your server doesn't automatically do a reverse lookup on the remote address: you can then tell whether a request was internal, that is, came from your own server.
SetEnvIf Remote_Addr 208\.113\.183\.103 REMOTE_HOST=www.askapache.com
Allows only if HOST Header is present in request
SetEnvIfNoCase ^HOST$ .+ HTTP_MY_HAS_HOST
Order Deny,Allow
Deny from All
Allow from env=HTTP_MY_HAS_HOST
or
SetEnvIfNoCase Host .+ HTTP_MY_HAS_HOST
Order Deny,Allow
Deny from All
Allow from env=HTTP_MY_HAS_HOST
Add values from HTTP Headers
SetEnvIfNoCase ^If-Modified-Since$ "(.+)" HTTP_IF_MODIFIED_SINCE=$1
SetEnvIfNoCase ^If-None-Match$ "(.+)" HTTP_IF_NONE_MATCH=$1
SetEnvIfNoCase ^Cache-Control$ "(.+)" HTTP_CACHE_CONTROL=$1
SetEnvIfNoCase ^Connection$ "(.+)" HTTP_CONNECTION=$1
SetEnvIfNoCase ^Keep-Alive$ "(.+)" HTTP_KEEP_ALIVE=$1
SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
SetEnvIfNoCase ^Cookie$ "(.+)" HTTP_MY_COOKIE=$1
Set the REDIRECT_STATUS for Interpreter Security
This is useful for disallowing direct access to interpreted files such as shell scripts and CGI scripts. It only works this way if your server has a static IP. The only way to access these files is then to have the server itself request the file, either with an Action directive or by requesting it from a .php or other script using curl, wget, or something like fsockopen.
<FilesMatch "\.(cgi|sh|pl)$">
SetEnvIfNoCase Remote_Addr 208\.113\.183\.103 REDIRECT_STATUS
Order Deny,Allow
Deny from All
Allow from env=REDIRECT_STATUS
</FilesMatch>
Block Bad Bots
This can be useful if your site is getting hammered by spambots. Some nice examples from around the net are at Fight Blog Spam With Apache.
Keep in mind that HTTP_USER_AGENT comes directly from the client, so it's easy to spoof or change. Use mod_security instead for a much better solution.
SetEnvIfNoCase User-Agent "^Bandit" bad_bot
SetEnvIfNoCase User-Agent "^Baiduspider" bad_bot
SetEnvIfNoCase User-Agent "^BatchFTP" bad_bot
SetEnvIfNoCase User-Agent "^Bigfoot" bad_bot
SetEnvIfNoCase User-Agent "^Black.Hole" bad_bot
Order Allow,Deny
Allow from All
Deny from env=bad_bot
Allow Search robots
This does the opposite of the above, allowing ONLY these web robots access. Rogue robots aside, a correctly configured robots.txt file will keep most robots where you want them.
SetEnvIfNoCase User-Agent .*google.* search_robot
SetEnvIfNoCase User-Agent .*yahoo.* search_robot
SetEnvIfNoCase User-Agent .*bot.* search_robot
SetEnvIfNoCase User-Agent .*ask.* search_robot
Order Deny,Allow
Deny from All
Allow from env=search_robot
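A small model of how mod_setenvif evaluates the directives on this page, so rules can be checked against sample requests before they go into .htaccess. This is an added example, not code from the original page or from Apache; apply_setenvif, evaluate and the request dictionary layout are assumptions made for illustration, and it uses Python's regex engine rather than Apache's.

```python
import re

SPECIAL = ("remote_host", "remote_addr", "server_addr",
           "request_method", "request_protocol", "request_uri")

def apply_setenvif(line, request, env):
    """Apply one SetEnvIf / SetEnvIfNoCase line to env (simplified model)."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
    directive, attr, pattern, assignments = tokens[0], tokens[1], tokens[2], tokens[3:]
    flags = re.I if directive.lower() == "setenvifnocase" else 0
    headers = request.get("headers", {})
    if attr.lower() in SPECIAL:
        value = request.get(attr.lower())
    elif re.fullmatch(r"[A-Za-z0-9_-]+", attr):
        # Plain name: a request header first, then an earlier env variable.
        value = next((v for k, v in headers.items() if k.lower() == attr.lower()),
                     env.get(attr))
    else:  # anything else is a regex tested against the header names
        value = next((v for k, v in headers.items() if re.search(attr, k, flags)), None)
    match = re.search(pattern, value or "", flags)  # a missing attribute is tested as ""
    if match:
        for item in assignments:
            name, eq, val = item.partition("=")
            if name.startswith("!"):
                env.pop(name[1:], None)   # !var removes the variable
            elif not eq:
                env[name] = "1"           # bare var is set to "1"
            else:                         # $1..$9 expand to capture groups
                env[name] = re.sub(r"\$([1-9])",
                                   lambda m: match.group(int(m.group(1))) or "", val)
    return env

def evaluate(rules, request):
    """Run the rules in order against one request and return the environment."""
    env = {}
    for line in rules:
        apply_setenvif(line, request, env)
    return env

# Rules copied from this page; every request below is constructed sample data.
BAD_BOT = ['SetEnvIfNoCase User-Agent "^Bandit" bad_bot',
           'SetEnvIfNoCase User-Agent "^Baiduspider" bad_bot']
SEARCH_ROBOT = ['SetEnvIfNoCase User-Agent .*google.* search_robot',
                'SetEnvIfNoCase User-Agent .*ask.* search_robot']
HAS_HOST = ['SetEnvIfNoCase ^HOST$ .+ HTTP_MY_HAS_HOST']
CAPTURE = ['SetEnvIfNoCase Remote_Addr "(.*)" HTTP_MY_REMOTE_ADDR=$1']

if __name__ == "__main__":
    print(evaluate(SEARCH_ROBOT, {"headers": {"User-Agent": "TaskRunner/2.1"}}))
    print(evaluate(HAS_HOST, {"headers": {}}))
```

Run against the page's own rules, the model sets search_robot for a constructed agent named TaskRunner/2.1 because .*ask.* matches any string containing "ask", and sets nothing for a request with no Host header, which is what makes the Host check deny it.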
