1

I notice that my .htaccess file contains

<Files 403.shtml>
order allow,deny
allow from all
</Files>

Which allows the 403 error page, 403.shtml, to be viewed by addresses that are specified on a "deny from" line.

Rather than showing an error page, I would just like to show the home page of the (SEF-enabled Joomla) site (not any other pages). My feeble attempt was:

<directory />
order allow,deny
allow from all
<directory>

But that just made the server unhappy.

What is the correct way to do this?

Jimmy
  • So, to clarify: you'd like for someone to get redirected to the home page when they would normally get a 403 error page? – Shane Madden May 09 '12 at 20:14
  • Exactly. I use 'deny from' to block IPs that submit spam forms, but they can access the home page all they want. I also just redirect to the home page for other HTTP errors. It's simple enough, just using ErrorDocument. However, using ErrorDocument to redirect to the home page for a 403 due to a 'deny from' results in a redirect loop. – Jimmy May 09 '12 at 22:52
  • Where are you putting the `Deny from` directives to block the spammers? Need to know where it is to tell you how to override it. Also - do you only want to grant them access to the home page, or are there other resources loaded by the home page (images, CSS, javascript) that should be allowed, too? It might be more appropriate to just block them from the forms (or from sending `POST` requests, for instance). – Shane Madden May 10 '12 at 03:08
  • The 'deny from' lines are the last thing in the .htaccess file. They are actually added with HostGator's IPDeny Manager web UI. Yes, you are right, the home page would need (images, CSS, javascript). Maybe you are right, that deny from may not be the right way to stop the spammers. – Jimmy May 10 '12 at 14:30
  • Well, if you can put the deny in a location that only applies to form submissions, then that would work. If you want the homepage to work, though, it's doable. Is there any method to where the resources that the home page loads are located, like maybe `/static`? Or can we just allow all of the files with certain extensions, like `.jpg` and `.css`? What works best for your site? – Shane Madden May 10 '12 at 15:23
  • This being a Joomla web site, I don't know how to specify allow/deny for specific pages... all pages try to load /index.php, so obviously I can't base the allow/deny on that, as in the example for 403.shtml. How can I use the SEF URL? – Jimmy May 11 '12 at 13:27
  • What does a full URL look like for the form submission? Or maybe we should just go with blocking all POST requests. – Shane Madden May 11 '12 at 15:46
  • Yes, I would be happy with blocking all post submissions – Jimmy May 11 '12 at 20:04

2 Answers

2

Wrap your Deny directives in a Limit block, so that the 403 only kicks in when the spammer sends a POST request.

<Limit POST>
    Deny from 192.0.2.0/24
    Deny from 10.0.2.1
    # etc
</Limit>

This can be done either in the current location of the Deny directives (the htaccess file) or in your <Directory /> block.

Shane Madden
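An added example (not part of the answer above, and not HostGator's tooling): because the `Deny from` lines are appended to the end of the .htaccess file by a web UI, this Python script moves every top-level `Deny from` entry into a single `<Limit POST>` block and leaves existing sections such as `<Files 403.shtml>` alone. The function name and the sample file are assumptions constructed for illustration.

```python
import re

OPEN = re.compile(r"^\s*<(?!/)\s*\w+")    # section start, e.g. <Files 403.shtml>
CLOSE = re.compile(r"^\s*</\s*\w+\s*>")   # section end, e.g. </Files>
DENY = re.compile(r"^\s*deny\s+from\s+(\S.*?)\s*$", re.IGNORECASE)

# Constructed sample: the question's <Files> block followed by bare deny
# lines of the kind a control-panel UI appends to the end of the file.
SAMPLE = """\
<Files 403.shtml>
order allow,deny
allow from all
</Files>

deny from 192.0.2.0/24
deny from 10.0.2.1
"""


def limit_denies_to_post(htaccess: str) -> str:
    """Move top-level 'Deny from' lines into one <Limit POST> block.

    Lines inside existing sections (<Files>, <Limit>, ...) are not touched,
    so running the function on its own output changes nothing.
    """
    kept, denied, depth = [], [], 0
    for line in htaccess.splitlines():
        if CLOSE.match(line):
            depth = max(depth - 1, 0)
        elif OPEN.match(line):
            depth += 1
        else:
            m = DENY.match(line)
            if m and depth == 0:
                if m.group(1) not in denied:   # drop duplicate entries
                    denied.append(m.group(1))
                continue                       # remove the bare deny line
        kept.append(line)
    if not denied:
        return htaccess
    block = ["<Limit POST>"] + [f"    Deny from {d}" for d in denied] + ["</Limit>"]
    return "\n".join(kept + block) + "\n"


if __name__ == "__main__":
    print(limit_denies_to_post(SAMPLE), end="")
```

Entries added by the UI after the rewrite land outside the block again and apply to every request method, so the script has to be re-run after each change.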
1

I think you need to change it to:

<Directory>
order allow,deny
allow from all
</Directory>
George