[Mailman-Users] Apache subscription Referer rules

Jim Popovitch jimpop at domainmail.org
Tue Jan 14 10:14:51 EST 2020


On Tue, 2020-01-14 at 00:19 -0500, Bill Cole wrote:
> On 10 Jan 2020, at 10:52, Jim Popovitch via Mailman-Users wrote:
> 
> > (I think I asked this a few months back, but I couldn't locate any
> > emails on it)
> > 
> > What is the Apache rule syntax for rejecting subscription linking that
> > doesn't come from the same domain/site?
> 
> First step:
> 
>     Header always set Referrer-Policy "same-origin"
> 
> This assures (to the degree that browsers comply with directives 
> provided in headers) that legitimate internal links and sub-resource 
> loads have a Referer header (see 
> https://en.wikipedia.org/wiki/HTTP_referer) which you can use.
> 
> The next step is to read 
> https://httpd.apache.org/docs/2.4/rewrite/access.html#blocked-inline-images 
> and adapt the example to your site.
> 

Mod_Rewrite is "too heavy" for something this simple.  I couldn't recall
the specifics, but your mod_rewrite link actually mentioned the way to
do something similar without mod_rewrite.  From that, I extrapolated
this (which I haven't been able to test yet):

# .* matches any host; anchor it to this site's hostname to make it same-origin
SetEnvIfNoCase Referer "^https://.*/mailman/listinfo/" ListInfoReferer
# Request_Method is the HTTP verb; Request_Protocol would be e.g. "HTTP/1.1"
SetEnvIfNoCase Request_Method "^POST$" HttpPostProto
# FilesMatch sees only the filename; LocationMatch tests the URL path
<LocationMatch "^/mailman/subscribe/">
    # sibling Require lines default to "any" (OR); RequireAll needs both
    <RequireAll>
        Require env ListInfoReferer
        Require env HttpPostProto
    </RequireAll>
</LocationMatch>


thoughts?

-Jim P.
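As an added illustration (not part of the thread or of Mailman), the same gate written as plain Python: a strict same-origin check that pins the Referer to the requested Host, beside the loose "https://.*/mailman/listinfo/" pattern from the config above for contrast. Hostnames and requests are constructed sample data.

```python
"""Added example: the subscribe-gate logic from this thread, as plain Python.

strict_subscribe_allowed() mirrors what the Apache SetEnvIf/Require pair is
meant to enforce, but pins the Referer to the requested Host so that only a
same-origin listinfo page qualifies.  loose_referer_ok() is the unanchored
"https://.*/mailman/listinfo/" pattern, shown for contrast.  All hostnames
and requests below are constructed sample data.
"""
import re
from typing import Optional
from urllib.parse import urlsplit

LISTINFO_PATH = "/mailman/listinfo/"
# The pattern from the posted config: matches the path on *any* https host.
LOOSE_REFERER = re.compile(r"https://.*/mailman/listinfo/", re.IGNORECASE)


def loose_referer_ok(referer: Optional[str]) -> bool:
    """Unanchored check: any https site with a listinfo-looking path passes."""
    return bool(referer and LOOSE_REFERER.search(referer))


def strict_subscribe_allowed(method: str, host: str, referer: Optional[str]) -> bool:
    """Allow only a POST whose Referer is a listinfo page on this very host.

    With "Referrer-Policy: same-origin" a legitimate same-site form post
    carries a Referer, so a missing header is treated as cross-origin.
    """
    if method.upper() != "POST":
        return False
    if not referer:
        return False
    parts = urlsplit(referer)
    if parts.scheme.lower() != "https":
        return False
    # netloc includes any explicit port; compare it to the Host header as sent.
    if parts.netloc.lower() != host.lower():
        return False
    return parts.path.startswith(LISTINFO_PATH)


if __name__ == "__main__":
    host = "lists.example.org"  # constructed
    samples = [  # (method, referer) pairs, constructed
        ("POST", "https://lists.example.org/mailman/listinfo/announce"),
        ("GET", "https://lists.example.org/mailman/listinfo/announce"),
        ("POST", None),
        ("POST", "https://evil.example/mailman/listinfo/announce"),
    ]
    for method, ref in samples:
        print(f"{method:4} {ref!s:55} loose={loose_referer_ok(ref)!s:5} "
              f"strict={strict_subscribe_allowed(method, host, ref)}")
```

The last sample row is the one that matters: the loose pattern accepts a listinfo-shaped path on a foreign host, the strict check does not.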
