XF 2.0 Block specific page only to guests?

V3NTUS

Hi,

I'm having some issues as we're getting DDoS attacks and we noticed they're pointing at a precise URL: /whats-new/

Now, I know I can remove public access to the link by having the "What's New" menu viewable only to registered users, but it doesn't solve the problem as it simply "hides" it (it can still be accessed via direct URL), while I'm looking for a way to require users to be logged in to ACCESS this page.

For the moment, being still under attack and not finding any alternatives, I disabled the access to that page via .htaccess, but of course regular users can't access the page, too, this way, which isn't the ideal solution.

If there was a way to make the .htaccess recognize guests and/or registered members, it might work, but I think there must be a way to completely disable the /whats-new/ for guests via the XenForo Admin Panel.

Any ideas?

Thanks.
 
I came up with this idea:

Code:
RewriteEngine on
RewriteCond %{HTTP_COOKIE} !xf_user
RewriteCond %{HTTP_REFERER} ^-?$
RewriteRule xxxxxxx.html - [F,L]

where xxxxxxxx.html will be a page which will display the Cloudflare I'm Under Attack page (as I'll set that page in the Cloudflare Page Rules to set security as "I'm Under Attack") and which will automatically redirect to the desired page (maybe using a simple JavaScript) after the Cloudflare check has been processed.

What do you think of this approach?
 
Would this block Google bots from crawling our pages too? Thank you again for your support!

UPDATE

I think it should be somehow updated, as many users reach our site by direct URL, including me and all the staff. It might be a good *temporary* solution, but the problem is we're under attack for nearly a week already, so we'd cause many inconveniences to our users (which is anyways the goal of the DDoS).

It will block anything without a referring page in the headers, including legit crawlers. But only that one page.
 

That RewriteRule will not accomplish what you want. That RewriteRule tells Apache to block a page named xxxxxxxxx.html. If you're trying to redirect them to another page, you need:

RewriteCond %{HTTP_COOKIE} !xf_user
RewriteCond %{HTTP_REFERER} ^-?$
RewriteRule whats-new https://sitename.com/pageyouwantthemtosee.html [R=303,L]
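
To see which requests the two RewriteCond lines and the `whats-new` pattern in the rule above actually match, here is a small Python model of that rule run over constructed requests. It is an added example, not code from the thread; the sample cookies, paths and the anchored `^whats-new/` variant are assumptions.

```python
import re

# Patterns copied from the redirect rule posted in the thread.
COOKIE_RE = re.compile(r"xf_user")        # used negated in the rule: !xf_user
REFERER_RE = re.compile(r"^-?$")          # empty or "-" Referer
RULE_RE = re.compile(r"whats-new")        # unanchored, as posted
# Assumption: a tighter, anchored variant for comparison (not from the thread).
ANCHORED_RE = re.compile(r"^whats-new/")

# Constructed sample requests: (label, path as .htaccess sees it, headers).
SAMPLES = [
    ("guest, typed URL", "whats-new/", {}),
    ("guest, session cookie only", "whats-new/", {"Cookie": "xf_session=abc"}),
    ("logged-in member", "whats-new/",
     {"Cookie": "xf_user=1%2Cabc; xf_session=def"}),
    ("guest following a link", "whats-new/",
     {"Referer": "https://sitename.com/"}),
    ("crawler, no referer", "whats-new/", {"User-Agent": "Googlebot/2.1"}),
    ("guest, other URL with the string", "threads/whats-new-in-xf.123/", {}),
]


def rule_fires(path, headers, pattern=RULE_RE):
    """Return True if the request would be redirected by the rule.

    A missing header expands to an empty string in mod_rewrite, and
    consecutive RewriteCond lines are ANDed together.
    """
    cookie = headers.get("Cookie", "")
    referer = headers.get("Referer", "")
    no_login_cookie = COOKIE_RE.search(cookie) is None
    no_referer = REFERER_RE.search(referer) is not None
    return bool(pattern.search(path)) and no_login_cookie and no_referer


def classify(pattern=RULE_RE):
    """Map each sample label to whether the rule fires for it."""
    return {label: rule_fires(path, headers, pattern)
            for label, path, headers in SAMPLES}


if __name__ == "__main__":
    for label, fired in classify().items():
        print(f"{'REDIRECT' if fired else 'pass':8}  {label}")
```

The last sample shows that the unanchored pattern also fires on any other path containing `whats-new`; `classify(ANCHORED_RE)` limits the rule to the one page.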
 
You're right, your first 2 solutions seem to be more appropriate :) Any ideas why blocked IPs still show in Apache Status even after 30 minutes? I tried restarting Apache but nothing changed. Could it be the Keep-Alive? It's set to just a few seconds, so I find it weird. Thanks again and so sorry for the OT.
 