#
# SetEnvIf rules for blocking external referrers
#
# This will block *anyone* who didn't click in from the
# domain name or IP address that is specified. IF used correctly,
# this will block password attacks and other script kiddie tricks.
#
# If they are blocked,
# they get a 403 error (see the mod_perl 403 handler on my site
# for a nifty way to make money from these losers).
#
# Usage:
# Change the first two lines to reflect the IP and DNS name
# of the site you are protecting.
# Change "<Directory /www/protected/directory/>" to the path
# to the directory you are protecting (the UNIX path). This would
# typically be your members area or whatever. The idea here is that "real"
# users would click a link from a page in your site on this domain to get
# into the protected area. When they click that link, they have a referer
# that would equal "mysite.com" or whatever. If they don't, they're not
# a real person driving a web browser- some kind of bot or script kiddie
# app.
#
# Add this to your httpd.conf, access.conf, or put it in a .htaccess file
# within the directory you want to protect. Putting it in httpd.conf has some
# performance advantages on heavily loaded sites.
#
# Requires a modern apache (1.3.x) that was compiled with
# mod_setenvif
#

SetEnvIfNoCase Referer http://127\.0\.0\.1 right_url
SetEnvIfNoCase Referer http://www\.mysite\.com right_url
<Directory /www/protected/directory/>
order deny,allow
deny from all
allow from env=right_url
</Directory>