htaccess Customized 403 Forbidden page not always working
I have a custom 403 page that works when I want to block specific pages, but it doesn't work when I want to match a specific HTTP_REFERER.
With the specific HTTP_REFERER I get the regular 403, To test the HTTP_REFERER I added a link on another site "mysite.com" towards this project, when I click on the link I get the server 403 response:
But I open my test page "forbidden-test" I do get my customized forbidden.php page
This is what I have in the htaccess, form the following example only RewriteRule ^forbidden-test$ - [F] works by showing my customized 403 page:
Options All -Indexes
# prevent folder listing
IndexIgnore *
RewriteEngine on
RewriteCond %{HTTP_REFERER} \
... (there are many here)
mysite\.com|\
[L,NC]
RewriteRule .* - [F]
#spam blacklist end
RewriteCond %{HTTP_USER_AGENT} \
12soso|\
192\.comagent|\
1noonbot|\
1on1searchbot|\
3de\_search2|\
3d\_search|\
3g\ bot|\
... (there are many here)
zyte\
[NC]
RewriteRule .* - [F]
#bad bots end
#Forbidden Test
RewriteRule ^forbidden-test$ - [F]
#ERRORS
RewriteRule ^forbidden/?$ forbidden.php [L,QSA]
ErrorDocument 403 /forbidden
Any thoughts? Thanks
Pay attention to what that default error message is actually saying:
Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.
Access to your custom error document is blocked. The internal request for that, goes through all of the rewriting again; and because the referrer of the original request is (still) wrong, access to your 403 document is forbidden now.
You need to add an exception to this referrer check, so that it allows access to your error document.
Easiest way here is probably to just put a rule at the very top, to do nothing, when this particular document is requested:
RewriteRule ^forbidden\.php$ - [L]
The - is a “non-rewrite”, it simply does nothing. The [L] flag is important here, to say “don’t process any other rules in this round.”
Also, since your error document seems to be a PHP script, you should define it like this directly,
ErrorDocument 403 /forbidden.php
Otherwise, this needs an extra round of rewriting, from /forbidden to /forbidden.php, and there is really no good reason for that.
- Maven project version inheritance - do I have to specify the parent version?
- Azure API Managment User Assigned Identity Custom Domain KeyVault
- node.js - Is there any proper way to parse JSON with large numbers? (long, bigint, int64)
- How to detect events in an Azure Devops Board extension
- My code is not printing the correct values
- How can I make a calculator ask the user if they want to perform another calculation in Java?
- When did C allow casting constants and variables to struct for assignment?
- Annotate columns, with metadata in SQL
- Why in C can I initialize more values than the size of an array?
- why am i getting http error code 500 when i am sending a rest request
- SwiftUI align custom subviews
- Redirecting after chosing an option in select tag
- How to solve COM Exception Class not registered (Exception from HRESULT: 0x80040154 (REGDB_E_CLASSNOTREG))?
- JAVA LDAP ERROR javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C09075A
- Using c to create a file and write+read to it, what went wrong?
- Angular material datepicker arrow color
- Remove "Choose an option" from variable product dropdowns in Woocommerce 3
- How to configure HorizontalPodAutoscaler?
- CQRS and Event Sourcing Difference
- Can I throttle a function without dropping function calls in JS?
- FirebaseCommandException: An error occured on the Firebase CLI when attempting to run a command
- How can I avoid 'cannot read property of undefined' errors?
- Safari <input type="file" accept="video/*"> ignores mp4 files
- How to make type-annotation-only type assertions?
- Is there any simple way to benchmark Python script?
- Class not registered Error
- oAuth2.0: Why need "authorization-code" and only then the token?
- Eclipse doesn't copy Lombok's @Delegate from record to generated class
- Microsoft Azure: How to create sub directory in a blob container
- Does new int[] return the address of the first element in the array or the address of the entire array?