PHP, subdomain redirect, iFrame/Include help?

[unlimitedphoenix23]

I recently made someone a bit too angry during a rant and on a blogging website (Tumblr) and now they've been spamming my site. So my idea is to simply filter their IP address.
Since I have no access to the .htaccess there, I set up an A record so it'll link back to mine as blog. for the subdomain, but still, I don't know what to do from there.

Under /blog2/index.php (for testing purposes), I can use this for the IP filter.

PHP Code:

<?php
// The blacklisted ips.
$denied_ips = array(
            'xxx.xxx.xxx.xxx'
        );
function getUserIP()
{
     if (!empty($_SERVER['HTTP_CLIENT_IP']))
    {
      $ip=$_SERVER['HTTP_CLIENT_IP'];
    }
     elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR']))
    {
      $ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
    }
    else
    {
      $ip=$_SERVER['REMOTE_ADDR'];
    }
    return $ip;
}
$visitorIp = getUserIP();
 
$status = array_search($visitorIp, $denied_ips);
 
if($status !== false)
    {
    header("Location: http://tumblr.com");
    exit;
    }
?>

That works fine, however the blog is located on blog. and using any redirect script I've tried so far (meta tags, javascript, or this [whatever this is] <!--#if*expr="${REMOTE_ADDR}*=*/^xxx.xxx.xxx.xxx/"*-->) hasn't worked for me at all. Unless there's some other way to have this redirect, I don't see much that I can do.

I may be doing .htaccess incorrectly but as far as I'm aware, it should look like this:

redirect 301 /old/old.htm http://www.you.com/new.htm

however, I'm not sure if I can replace /old/old.htm with the blog's address, and the new page with the one that I want to redirect to.

And as far as I know, blocking users with .htaccess should look like

Code:

order allow,deny
deny from xxx.xxx.xxx.xxx
allow from all

I'm stumped, and I've looked everywhere I could go for this.

---------- Post added at 02:55 PM ---------- Previous post was at 01:20 PM ----------

Never mind everyone.
I found an easy way to do this.
Create a second Tumblr blog, and rename it to the main blog. Add a meta redirect to link to the php ip filter, which checks the blacklisted ips and then if it's not on the list, redirects to the main blog (which is renamed to the 2nd).
Works now :]

[stardom]

In the security section of your cPanel, you should see IP Deny Manager. Simple put the spammers IP in and then click submit. It should block them from accessing any of your websites hosted from within that cPanel. Hope this helps.

[vv.bbcc19]

If you want to block An IP Address with .htaccess :
There may be times where you want to refuse access to certain robots or human visitors to your web site.

1. Basic .htaccess file

order allow,deny
deny from 127.0.0.1
allow from all

This will refuse all GET and POST requests made by IP address 127.0.0.1, an error message is shown instead.

2. More options

To block multiple IP addresses, list them one per line.

order allow,deny
deny from 127.0.0.1
deny from 127.0.0.2
deny from 127.0.0.3
allow from all

You can also block an entire IP block/range. Here we will not specify the last octet in the .htaccess file.

deny from 127.0.0

This will refuse access for any user with an address in the 127.0.0.0 to 127.0.0.255 range.

Instead of using numeric addresses, domain names (and subdomain names) can be used to ban users.

deny from isp_name.com

It bans users with a remote hostname ending in isp_name.com. This would stop all users connected to the internet via isp_name.com from viewing your site.

Using .htaccess to block an entire range or name is likely to lock out innocent users. Use with caution.

[unlimitedphoenix23]

@stardom: Unfortunately, I don't see an IP Deny Manager. I only see 'Password Protect Directories', 'HotLink Protection', and 'Leech Protection'.

@vv.bbcc19: I already listed this and tried this, but it doesn't work. I also don't appreciate automatic pasted answers which don't help you or myself either.

And unfortunately, the thought hit me after I went to sleep that users could easily skip the process and go to the final site at the end and skip the filter, so I need something that can possibly create a cookie then see if it exists, or at least check the last referring url.

[misson]

Your code shows you've got the reason why Apache's host authentication isn't working: because of the load balancing setup X10 uses, the remote address accessible to Apache (in REMOTE_ADDR &c.) is for the reverse proxy rather than for the visitor. Somewhere the REMOTE_ADDR gets updated by the time PHP comes into it, so it has the client's IP in $_SERVER['REMOTE_ADDR'] (but not in $_ENV['REMOTE_ADDR']).

You can get the IP of the computer that sent the request using the X_FORWARDED_FOR or X_REAL_IP environment variables (which come from the X-Forwarded-For and X-Real-Ip HTTP headers). In your .htaccess, try:

Code:

RewriteEngine on
RewriteBase /

RewriteCond %{ENV:X_FORWARDED_FOR} (^|\D)xxx\.xxx\.xxx\.xxx(\D|$)
# or:
#RewriteCond %{ENV:X_REAL_IP} ^xxx\.xxx\.xxx\.xxx$
RewriteRule ^ - [F]

In addition to the environment variables, you can access the HTTP headers in the RewriteCond with (e.g.) %{HTTP:X-Forwarded-For}. The difference between X-Forwarded-For and X-Real-Ip seems to be that the proxy adds the address from any X-Forwarded-For that comes from the client, but replaces X-Real-Ip.

Note that this will only work until the perp gets assigned a new IP address by their ISP. They can also easily use a proxy to get around your block, unless the proxy sets (and you match against) X-Forwarded-For.

A comment moderation plugin wouldn't be as easy to get around, though it would mean more work for you.

And unfortunately, the thought hit me after I went to sleep that users could easily skip the process and go to the final site at the end and skip the filter, so I need something that can possibly create a cookie then see if it exists, or at least check the last referring url.

Any scheme that depends on input from the client can be defeated.

[maxzateam53]

Thank