jvdmr / mod_evasive

Apache mod_evasive module
GNU General Public License v2.0

Allow in `<If>` and `<LocationMatch>` context #28

Open nisbet-hubbard opened 1 month ago

nisbet-hubbard commented 1 month ago

Many thanks for forking and continuing developing this most useful module!

Currently, mod_evasive can’t be used inside `<If>` or `<LocationMatch>`. A situation where we often want the capability of mod_evasive, however, is on dynamic pages which can’t be cached.

It’d be really nice if this module can work with such path-based conditional logic.

Jamie-Landeg-Jones commented 3 weeks ago

I think my desire is the same:

I have one site which can load 100s of images per page. They are static, and I don't mind those. My wish is for mod_evasive to just affect the CGI generation.

So, I don't know if a DosWhitelistMIME image/* would be easy to add, but if not, LocationMatch would do the job!

nisbet-hubbard commented 2 weeks ago

Our workaround for now is to issue a JS challenge through Cloudflare for requests not coming from known bots and not having a referer header. Price: small non-interactive delay for human visitors.

Jamie-Landeg-Jones commented 2 weeks ago

I got around the problem by moving all the images to a different virtual host, and modifying the HTML appropriately - you can have separate mod_evasive settings for virtual hosts.

No offence, but I hate the JS challenge stuff, even more so as the particular site I'm referring to is intentionally a no-JS-required site!
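The virtual-host split described in the comment above, as an added configuration sketch that is not part of the thread or the project's documentation. Hostnames, paths and threshold values are constructed placeholders, and placing the `DOS*` directives inside `<VirtualHost>` relies on the comment's statement that per-virtual-host settings are supported.

```apache
# Constructed example: hostnames, paths and numbers are placeholders.

# Dynamic site: every CGI hit costs CPU, so the limits are tight.
<VirtualHost *:80>
    ServerName   www.example.org
    DocumentRoot /var/www/site
    ScriptAlias  /cgi-bin/ /var/www/site/cgi-bin/

    # Same URI requested more than 5 times in 1 second -> block.
    DOSPageCount      5
    DOSPageInterval   1
    # More than 30 requests of any kind in 1 second -> block.
    DOSSiteCount      30
    DOSSiteInterval   1
    # Seconds a blocked client keeps receiving the error response.
    DOSBlockingPeriod 60
</VirtualHost>

# Static image host: one page view legitimately pulls hundreds of
# distinct image URIs, so the per-site counter is what must be relaxed.
<VirtualHost *:80>
    ServerName   static.example.org
    DocumentRoot /var/www/static

    DOSPageCount      50
    DOSPageInterval   1
    DOSSiteCount      2000
    DOSSiteInterval   1
    DOSBlockingPeriod 10
</VirtualHost>
```

The HTML served from the dynamic host then references images by the static hostname, so image bursts never count against the strict thresholds.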

nisbet-hubbard commented 2 weeks ago

> moving all the images to a different virtual host, and modifying the html appropriately

That's clever!

Veering off the topic a bit, I'd also love to hear what you would use for email obfuscation, sans JS.

Jamie-Landeg-Jones commented 2 weeks ago

Thanks! As for email obfuscation, I don't do it. I just rely on my email servers (which I also run) to filter spam.

It's not ideal, but it works for me. One thing I'll never do is "blackhole" an email - if my system thinks it's spam, it will be rejected at source. If it can't do that, it will be delivered. Nothing worse than legitimate mail getting lost without either sender or receiver knowing.

I use Spamhaus blocklists, and block some dodgy domains manually. If things get bad, I deliver non-whitelisted email to a different email box; I can then periodically go through that and if there is legitimate mail, move it to the main mailbox, which then also whitelists the address.

Wouldn't things be easier if all people were nice? :-)

P.S. I'm not against JS itself, but I consider that, if possible, it is an enhancer, not a requirement.

Again, this isn't a criticism of people who do use it - I understand the frustration driving people to its use for both email protection, DoS protection, and other stuff, I just prefer to avoid it myself if possible.