From ec8dfd67591a7603ac9ddd9edd9e3900052a24ee Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Mon, 16 Feb 2026 22:48:37 +0000
Subject: [PATCH] Block bogus referers

---
 cookbooks/web/templates/default/apache.frontend.erb | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/cookbooks/web/templates/default/apache.frontend.erb b/cookbooks/web/templates/default/apache.frontend.erb
index c89e60511..c48f454fe 100644
--- a/cookbooks/web/templates/default/apache.frontend.erb
+++ b/cookbooks/web/templates/default/apache.frontend.erb
@@ -116,10 +116,18 @@ ErrorLog /var/log/apache2/error.log
 RewriteCond %{HTTP_USER_AGENT} "GoogleAssociationService"
 RewriteRule "^/\.well-known/assetlinks\.json$" - [R=429,L]

+ #
 # Drop faulty Cloudflare POST /cdn-cgi/rum submissions reaching us
+ #
 RewriteCond %{REQUEST_METHOD} =POST
 RewriteRule ^/cdn-cgi/rum$ - [F,L]

+ #
+ # Block bogus referers
+ #
+ RewriteCond %{HTTP_REFERER} "^https://<%= Regexp.escape(node[:fqdn]) %>/"
+ RewriteRule . - [F,L]
+
 #
 # Force special MIME type for crossdomain.xml files
 #
--
2.39.5
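Review bot: The added `RewriteCond %{HTTP_REFERER}` matches only the exact lowercase `https://` form of the node's FQDN followed by a slash, so the same referer with different host casing, an `http://` scheme or no trailing path would not be blocked. If the intent is to reject every request that names this machine's own hostname as the referring site, `RewriteCond %{HTTP_REFERER} "^https?://<%= Regexp.escape(node[:fqdn]) %>(/|$)" [NC]` covers those variants. The comment `# Block bogus referers` also does not say why such a referer is bogus; one more line, for example `# Nothing is served to browsers under the node's own FQDN, so a Referer naming it is not genuine` (to be confirmed by the author), would record the reasoning. Because Referer is client-supplied and `RewriteRule . - [F,L]` applies to every path, this works as a traffic filter rather than an access control. It is worth confirming that nothing legitimate is browsed via the node FQDN on this vhost; the enclosing block starts and ends outside the hunk.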