On Tue, 2020-01-14 at 00:19 -0500, Bill Cole wrote:
> On 10 Jan 2020, at 10:52, Jim Popovitch via Mailman-Users wrote:
>
> > (I think I asked this a few months back, but I couldn't locate any
> > emails on it)
> >
> > What is the Apache rule syntax for rejecting subscription linking that
> > doesn't come from the same domain/site?
>
> First step:
>
>     Header always set Referrer-Policy "same-origin"
>
> This assures (to the degree that browsers comply with directives
> provided in headers) that legitimate internal links and sub-resource
> loads have a Referer header (see
> https://en.wikipedia.org/wiki/HTTP_referer) which you can use.
>
> The next step is to read
> https://httpd.apache.org/docs/2.4/rewrite/access.html#blocked-inline-images
> and adapt the example to your site.
>
Mod_Rewrite is "too heavy" for something this simple. I couldn't recall
the specifics, but your mod_rewrite link actually mentioned the way to do
something similar without mod_rewrite. From that, I extrapolated this
(which I haven't been able to test yet):

  # Flag requests whose Referer contains a listinfo URL
  SetEnvIfNoCase Referer "https://.*/mailman/listinfo/" ListInfoReferer
  # Request_Method holds the verb; Request_Protocol would be e.g. "HTTP/1.1"
  SetEnvIfNoCase Request_Method "POST" HttpPostProto
  # Match on the URL path (FilesMatch only tests file names)
  <LocationMatch "^/mailman/subscribe/">
    # Both conditions must hold; bare Require lines are implicitly RequireAny
    <RequireAll>
      Require env ListInfoReferer
      Require env HttpPostProto
    </RequireAll>
  </LocationMatch>

Thoughts?

-Jim P.

------------------------------------------------------
Mailman-Users mailing list Mailman-Users@python.org
https://mail.python.org/mailman/listinfo/mailman-users
Mailman FAQ: http://wiki.list.org/x/AgA3
Security Policy: http://wiki.list.org/x/QIA9
Searchable Archives: http://www.mail-archive.com/mailman-users%40python.org/
Unsubscribe: https://mail.python.org/mailman/options/mailman-users/archive%40jab.org
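An offline model of the Referer-plus-POST gate discussed in this thread, added here as an example and not part of either message: it runs the thread's Referer pattern and a host-anchored variant over constructed requests to show which ones each would admit. The host `lists.example.org`, the sample requests and the helper names are assumptions, and Python's `re.search` only approximates Apache's SetEnvIfNoCase matching.

```python
import re

# Pattern from the thread: any host is accepted before /mailman/listinfo/.
THREAD_PATTERN = r"https://.*/mailman/listinfo/"
# Assumed tightening: anchor to the site's own host (placeholder name).
ANCHORED_PATTERN = r"^https://lists\.example\.org/mailman/listinfo/"


def allowed(method, path, referer, referer_pattern):
    """Model: under /mailman/subscribe/, require POST and a matching Referer."""
    if not path.startswith("/mailman/subscribe/"):
        return True  # the rule only guards the subscribe handler
    # SetEnvIfNoCase sets its variable on a case-insensitive, unanchored match.
    referer_ok = re.search(referer_pattern, referer or "", re.IGNORECASE) is not None
    method_ok = method.upper() == "POST"
    return referer_ok and method_ok  # both conditions required


# Constructed sample requests: (label, method, path, Referer header or None)
SAMPLES = [
    ("form on own listinfo page", "POST", "/mailman/subscribe/mylist",
     "https://lists.example.org/mailman/listinfo/mylist"),
    ("client sending no Referer", "POST", "/mailman/subscribe/mylist", None),
    ("GET link with good Referer", "GET", "/mailman/subscribe/mylist",
     "https://lists.example.org/mailman/listinfo/mylist"),
    ("other site with same path", "POST", "/mailman/subscribe/mylist",
     "https://other.example.net/mailman/listinfo/x"),
    ("own URL inside a query string", "POST", "/mailman/subscribe/mylist",
     "https://other.example.net/?u=https://lists.example.org/mailman/listinfo/"),
]


def evaluate(pattern):
    """Return {label: allowed?} for every constructed sample."""
    return {label: allowed(m, p, r, pattern) for label, m, p, r in SAMPLES}


if __name__ == "__main__":
    for name, pat in (("thread", THREAD_PATTERN), ("anchored", ANCHORED_PATTERN)):
        print(name)
        for label, ok in evaluate(pat).items():
            print(f"  {'allow' if ok else 'deny '}  {label}")
```

Both patterns admit the site's own form and turn away a missing Referer or a GET; only the anchored one turns away a Referer from a different host that merely contains the listinfo path.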