I have a custom 403 page that works when I want to block specific pages, but it doesn't work when I want to match a specific HTTP_REFERER.
With the specific HTTP_REFERER I get the regular 403. To test the HTTP_REFERER, I added a link on another site, "mysite.com", towards this project; when I click on the link I get the server's 403 response:
But when I open my test page "forbidden-test", I do get my customized forbidden.php page.
This is what I have in the htaccess; from the following example, only RewriteRule ^forbidden-test$ - [F] works by showing my customized 403 page:
Options All -Indexes
# prevent folder listing
IndexIgnore *
RewriteEngine on
RewriteCond %{HTTP_REFERER} \
... (there are many here)
mysite\.com|\
[L,NC]
RewriteRule .* - [F]
#spam blacklist end
RewriteCond %{HTTP_USER_AGENT} \
12soso|\
192\.comagent|\
1noonbot|\
1on1searchbot|\
3de\_search2|\
3d\_search|\
3g\ bot|\
... (there are many here)
zyte\
[NC]
RewriteRule .* - [F]
#bad bots end
#Forbidden Test
RewriteRule ^forbidden-test$ - [F]
#ERRORS
RewriteRule ^forbidden/?$ forbidden.php [L,QSA]
ErrorDocument 403 /forbidden
Any thoughts? Thanks
Pay attention to what that default error message is actually saying:
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
Access to your custom error document is blocked. The internal request for that goes through all of the rewriting again, and because the referrer of the original request is (still) wrong, access to your 403 document is forbidden now.
You need to add an exception to this referrer check, so that it allows access to your error document.
Easiest way here is probably to just put a rule at the very top, to do nothing, when this particular document is requested:
RewriteRule ^forbidden\.php$ - [L]
The - is a “non-rewrite”; it simply does nothing. The [L] flag is important here, to say “don’t process any other rules in this round.”
Also, since your error document seems to be a PHP script, you should define it like this directly:
ErrorDocument 403 /forbidden.php
Otherwise, this needs an extra round of rewriting, from /forbidden to /forbidden.php, and there is really no good reason for that.
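The two changes from the answer above, put together in one .htaccess (an added example, not code from the original posts). It assumes the .htaccess sits in the document root, shortens both blacklists to a few of the question's entries, and uses spam-referrer.example as a constructed placeholder.

```apache
# Added example: rule ordering so the custom 403 page survives the blacklists.
Options -Indexes
IndexIgnore *

# Point straight at the script, so no second rewrite round
# (/forbidden -> /forbidden.php) is needed to serve the error page.
ErrorDocument 403 /forbidden.php

RewriteEngine On

# 1. Exemption first. The internal request Apache issues for the
#    ErrorDocument runs through these rules again and still carries the
#    original request's Referer and User-Agent, so it must stop here
#    before any blacklist can match. "-" means no substitution; [L] ends
#    rule processing for this round.
#    Side effect: a blacklisted client can also request /forbidden.php
#    directly and get it with a 200, so the script should only ever
#    render the error page.
RewriteRule ^forbidden\.php$ - [L]

# 2. Referer blacklist (mysite.com is the test entry from the question;
#    spam-referrer.example is a constructed placeholder).
RewriteCond %{HTTP_REFERER} (mysite\.com|spam-referrer\.example) [NC]
RewriteRule ^ - [F]

# 3. User-agent blacklist (three entries taken from the question's list).
RewriteCond %{HTTP_USER_AGENT} (12soso|1noonbot|1on1searchbot) [NC]
RewriteRule ^ - [F]

# 4. Test URL that always answers 403.
RewriteRule ^forbidden-test$ - [F]
```

To check the result, request any page with a blacklisted Referer header (curl's -e option sets one) and confirm the body is the output of forbidden.php rather than the default page containing "Additionally, a 403 Forbidden error was encountered".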