403 Forbidden error document::: How to do it?

[wige]

Same here. I get the generic Apache 403 error message, along with the note "Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request"

[kgun]

Yes, I know. Possible solutions:

1. Try your first proposal. I noted your remarks regarding possible conflicts with subfolders.
2. Google for additional information.
3. Wait some days here for a solution from someone that has already solved the problem already.

To repeat:

1. The forum has and will have restricted access as long as the negative input from spammers are greater than my benefits and effort to moderate the forum.
2. It is password protected.
3. I want a separate 404, 403 and may be 401 document. The intention with these documents are
   - To give more flexible choices for the surfer than standard server messages.
   - Give additional choices than a pure 404.htm document.

[wige]

I think you have two folders now, one called /errordocs/ which is set to Allow all but does not contain the error documents, and a folder called /errordocuments/ which you mentioned a post or two above. The permissions seem to be correct now - I would recheck the ErrorDocument directives in the root directory.

[kgun]

May be I have made an error above. I have only one subfolder for 40x documents, errordocs.

[kgun]

The best way to learn anything, is to question everything.

I can sign that quote.

Your posts made me think and I came up with a new, hopefully better solution based on what I call hierarchical security and white listing. So long there has not been a single spam post even if the whole world is allowed access. When I have much to do, there are band with problems or I am on holiday, the last line in the .htaccess file,

allow from all

will be commented out

#allow from all

and only the white list allowed access. Simple and efficient solution for a small company with very limited resources.

The solution is described in the second post in this

http://www.webproworld.com/web-progr...tml#post411888

drowning thread.

[kgun]

Here http://www.phpbb.com/community/docs/ is an example from the forum. I have not yet implemented the 403 error page.

But it will contain information like this.

We are a small company with limited resources, so we use what we call hierarchical security (different IP - deny / allow lists). That implies that in periods of:

1. Few spammers signing up.
2. We are not too busy
3. We are not on holiday.
4. The band with limit is not exceeded

the forum will be open to the world.

[kgun]

I looked up the source: Apache Core Features

That solved it. I made it simple.

ErrorDocument 403 "Sorry: We have no capacity to allow you access now. Please, try later.

That line did it.

Now I am looking deeper into this topic.

There is much functionality to learn here: Apache Core Features

I found this quote very interesting:

"If this type of browser check indicates no authority problems, then it is possible that your Web server (or surrounding systems) have been configured to disallow certain patterns of HTTP traffic. In other words, HTTP communication from a well-known Web browser is allowed, but automated communication from other systems is rejected with an 403 error code. This is unusual, but may indicate a very defensive security policy around your Web server".

Source: HTTP Error 403 Forbidden Explained (Recommended reading).

My bolding.

1. Can that be used to disallow bad bots from your site or direct traffic where you want it?
2. Deny access based on pattern recognition, instead of explicitly denying Ip access (difficult to keep that list updated, and your .htaccess file may grow unmanageable and it takes time to be executed if there is too many statements in it).

[wige]

Yes on both counts.

That is the exact system I use on my web site. I have a logging system installed that collects the user agents of all requests, and I compare the number of visits, the number of pages viewed, and several other factors to determine which ones are bad bots. I then serve the bots a 403 error document, which is a very simple plain text error message.

However, I should add that the method I use, and which many webmasters are starting to adopt, is implemented through the web server. Larger sites may implement a similar technology through an IDS (Intrusion Detection System) or an intelligent firewall that applies dynamic analysis to incoming HTTP traffic and stops traffic it deems suspect with a 403 response before that traffic reaches the server. In this method, the server does not have to do any additional processing or use any of it's resources to handle these bad requests. Most likely, this is the type of implementation that the author had in mind when writing the quoted statement.

[kgun]

Thank you for your reply. I should like to see your solution

Denying access based on pattern recognition may also be better since it can deny access from a proxy server.

Related:

1. How to bypass blocked web sites?
2. Proxy servers can dramatically improve performance for groups of users. America Online, MSN and Yahoo, for example, employ an array of proxy servers.
3. Google hacks: Using Google translator, to access it even if restricted.
4. Programming: The proxy pattern.
5. FireFox plugin: SwitchProxy Tool

I am sure that we only scan the surface.

Your related thread: http://www.webproworld.com/search-en...tml#post411890

IMO: Publicity is better than anonymity. A lot of these sites have Google AdSense on them. So GoogleBOT may find them better than my sites

[wige]

My solution is fairly simplistic, and is based on the blocklist .htaccess that you posted a while back. I have a manually created list of bad user agents and bad IPs, which I assign a server variable of no_access to. I then have an Allow Deny directive which denies everything tagged as no_access, as in the following:

BrowserMatch "spamBot" no_access
SetEnvIf Remote_Addr 1.2.3.4 no_access

Order Deny, Allow
Deny from no_access
Allow from all

ErrorDocument 403 "You are a spam bot. I don't like you. No page for you!"

If I wanted to get fancy, I could create a script that nightly analyzes my log for suspicious activity and automatically adds IP addresses or browsers to the .htaccess file on the fly. However, that approach is not one I am ready to take at this time because of the possiblilty of false positives outweighs the extra traffic. As it is there are extremely few bots that make it through between the IP and user agent checks.