How To Keep a Web Site Local?

Cornwallis writes "The universal accessibility of the Internet is one of its attractions. But what do you do when you don't want your board to be Slashdotted? Back in the day it was great to run a local BBS where friends and neighbors could dial in using their 9600-baud modems to pick up mail or share games or stories. Now, my Web-based board gets slammed by people from all over the world who have no reason to access it, can't possibly take advantage of the locally focused services it offers, and generally take up my time because I have to block their accounts or explain to them why they can't have access. This despite the fact that the board explains quite clearly that it is for local use only and couldn't possibly be of interest to them. Other than putting thousands of entries in my hosts file to block IP ranges, what options do I have to restrict access to locals only? Or isn't that feasible?"

.htaccess

[Norsefire]

order allow,deny
deny from all
allow from iprange
allow from iprange
allow from iprange
etc. etc.

There are websites all over the internet that allow you to do country-by-IP-range lookups.

You could also do;

ErrorDocument 403 "Sorry, this website is only available to people living in .

(Yes, no final quotation mark).

Or don't worry, what does it hurt if people who aren't benefiting from a website visit it?

Re:.htaccess

ErrorDocument 403 "Sorry, this website is only available to people living in .

Or "This is a local website for local people. There's nothing for you here."

Or don't worry, what does it hurt if people who aren't benefiting from a website visit it?

They covet the precious things.

Re:.htaccess

[fractoid]

Or "This is a local website for local people. There's nothing for you here."

Thankyou! I was hoping someone would say this. ;) Bad login attempts should lead to an error page saying "What's all this shouting? We'll have no trouble here!"

Re:.htaccess

For any Americans wondering what their mad cousins, from across the pond, are talking about: http://www.youtube.com/watch?v=zOGAAlHzF4o

Re:.htaccess

[Haeleth]

There are websites all over the internet [google.com] that allow you to do country-by-IP-range lookups.

You could also do;

ErrorDocument 403 "Sorry, this website is only available to people living in .

And then brace yourself, because you're going to get an earful from the next local person who tries to catch up with her friends back home while she's on holiday, only to be told that she's banned because she's "not local".

Re:.htaccess

[andy.ruddock]

Or allow access to all registered users, but only allow "local" access to the signup page.

Re:.htaccess

[cbiltcliffe]

Or "This is a local website for local people. There's nothing for you here."

You are in a maze of twisty little web pages, all alike.

Re:.htaccess

[tttonyyy]

iptables -A INPUT -s ! 192.168.0.0/16 -j DROP

That should keep those pesky non-locals out. ;)

Re:.htaccess

[JWSmythe]

I'm on the 10.0.0.0 network, you insensitive clod! :)

Re:.htaccess

[BotnetZombie]

With twelfty sub-pages in the store, and twelfty links on each, what more do you need?

Re:.htaccess

[jsiren]

iptables -A INPUT -s ! 127.0.0.0/8 -j DROP

That should keep those pesky non-locals out. ;)

There, fixed that for you.

Re:.htaccess

[Hordeking]

Or, more likely, he doesn't want to pay for bandwidth and cpu usage for people who have nothing to do with what his server offers.

The big problem, however, with restriction-by-location is that users who are away from home but still want to check the board are going to be restricted.

Here's a solution: Only let them reguster if their IP is local. Local accessors need not be logged in, however, in order to use the site from a non-local IP, they must log in with their pre-established credentials.

It won't stop visitors to your home page, but it will cut down on a lot of other usage of your server.

Re:.htaccess

[Kazoo+the+Clown]

What about when local people are just out of town but would like to access local services? For example, someone might want to use a local service to schedule a local meeting in LA while they are out of town on business in New York...

Good question, but...

...I doubt Slashdot can make a good assessment without taking a look at the site. Mind posting the URL?

Re:Good question, but...

[MichaelSmith]

I'll ask 4chan to help. Looks like a big job.

Why use a tech solution?

[Macthorpe]

Get some paper, pin it up around the neighbourhood with a private key. Ensure that people can't create an account or access the boards without the private key.

Am I missing something? Why use an overly technical solution when some paper and pens will fix the whole thing?

Re:Why use a tech solution?

[jschen]

I agree that this probably should not be solved purely on the technology end of things. One of the great things about the Internet is that one can access things from most anywhere. Your website may cater to locals, but you need to consider the possibility that someone who is generally local to the area but currently elsewhere might want to access the site. That's a pretty serious problem for filtering based on geography.

Re:Why use a tech solution?

[Jurily]

That's a pretty serious problem for filtering based on geography.

No kidding. Basically, anyone who thinks geography-based filtering is a good idea should be shot. Imagine moving 2000 miles, then being told by some braindead webdesigner you can't talk to your friends anymore.

Re:Why use a tech solution?

[1u3hr]

No kidding. Basically, anyone who thinks geography-based filtering is a good idea should be shot. Imagine moving 2000 miles, then being told by some braindead webdesigner you can't talk to your friends anymore.

Happens to me a lot. I'm in Hong Kong. I find some US ISPs (like AOL) bounce my mail solely based on my location. And much media (even some on Youtube) is blocked geographically. Even some porn sites block me.... And other sites insist on giving me Chinese versions of their web pages, with no option to choose English. Highly irritating to go to Google.com and find myself redirected to Google.com.hk. (Yes, I have workarounds now, still annoying.)

Link plz

Give us a link to the board, we need to have a look at it before we can properly assess the best way to 'keep it local'.

MaxMind + PHP?

[shri]

If you use PHP, consider getting Maxmind and filter on its city / country databases.

Why you gotta be like that?

[QuantumG]

You have no idea what is of use to other people. Maybe they're thinking of visiting your local area. Maybe they have friends that live there. Maybe they're thinking of setting up a similar board for their own area and want to know how yours is going. Put down your ego for a minute.

Re:Why you gotta be like that?

[Yvanhoe]

Maybe they are locals who happen to be visiting Japan...
If you put a website on internet, then want to restrict its geographical zone of use, you are doing something wrong. You can make a community group by selecting the individuals but that is about it.

Moot?

I'd put good money on this being 4chan

Local Capthca

[jannic]

Implement something similar to a captcha: Ask questions only people from your neighborhood can answer. Make sure the answers are not too easily found by using google.

local knowedge

[1u3hr]

We have a forum for our village.

A couple of years ago we started to get a lot of people signing up from China, India, Russia etc and then posting spam. So now, to register with the forum you have to answer a question that requires you have some local knowledge. That gets rid of most automatic signups. And secondly, the accounts are not activated automatically but have to be approved by an administrator. So we delete those with spammy URLs in their signatures ("Buy WOW gold" seems to be a common variety). In a small community, the number of real local people siging up is a few per week. Maybe a couple of spammers get past that in a month, and then their posts and accounts are quickly deleted.

Re:local knowedge

[Richard+Fairhurst]

I run our town website. 1,000 registered users but very, very little spam - over seven years I think I can count the amount of spam from China and Russia on the fingers of one hand.

Two reasons. One: a completely bespoke system, hand-crafted from finest dodgy Perl and inefficient SQL. Put simply, if you're not running phpBB or something well-known like that, they're simply less likely to find you. These guys search for phrases like "powered by punBB" to find targets.

Two: postings in the news, events and ad sections require approval before they go live. Postings in the forum don't - but you can only get access to the forum by clicking through a JavaScript "I agree not to be a dick" page, which sets a cookie (yeah, I know, accessibility yadda yadda). So, again, they're less likely to find it because it doesn't show up on Google. (Oh yeah, not having frickin' Googlebot hammer the server is a plus, too.)

I realise this isn't an option for everyone, but the OP sounds reasonably tech-savvy so should be able to do similar.

Re:Easier option

[Frosty+Piss]

Really only two choices: GeoID and Registered Only, with a valid matching pair of city/zipcode (city/zip databases are widely available).

Re:Easier option

[X0563511]

Best to only apply this restriction to account creation. Requiring them to be local when they make the account is entirely understandable, but blocking them from logging in while traveling is not.

You can automate it

[an.echte.trilingue]

While it does involve having thousands of addresses, this kind of thing is pretty easy to automate, given what your goals are. For example, I use this tool to determine which country my visitors are in and display the relevant contact information (show the French address to people in France, the Belgian one to people in Belgium, etc). I have a cron job set up to update the database once a week; it is fully automatic and very reliable.

If you need to be more specific, this guy has a php class that can supposedly give you information as specific as city, or you can write your own using the db you can download here, although I can't personally vouch for either. You could also parse the hostnames in your server and only allow service providers in your area.

Also, google code has a really good tutorial for a client side application if your server is limited in its capabilities.

Either way, it sounds from the summary like you have access to a database of ip address ranges you want to allow. Just set up a cron job to download it and parse it.

Re:You can automate it

[xaxa]

Implementing something like this brings problems if there's no way to get around it. For instance, many multinational companies have only one point of presence on the Internet, which can be shared by offices in different countries. At the last one I worked at, the PoP was in France, so even thought I was in England many websites would appear in French, and a few "UK only" services didn't work.
Same with people on holiday, or people who use a mobile phone to access the web.

If the website really isn't interesting for non-locals why do they want to look anyway?

I found a website for people in my local area to debate local issues, the only requirement is to provide a postcode when you sign up. I don't know if it's checked, and it's easy to make one up anyway, but I doubt it's a problem anyway, who cares about the library shutting an hour earlier on Thursdays and the graffiti on the bus shelter, except the people living there?

Re:Who are locals?

[Z00L00K]

Have a credibility check page - like checking if someone knows about a local detail that's known by the locals.

"What was the color of the church at Elm Street before 2004?"

And you may want to be careful with IP address filtering since that can result in unexpected disadvantages when a local is out traveling.

Callback/SMS

[hab136]

One previously common method of authentication was call-back. You give the site your phone number, then then site calls you (and you press a digit, or answer with your modem).

Nowadays the equivilent is SMS. When they sign up, have them put in their cell number to receive an SMS, then require them to enter that code to continue. You can send SMSes via email for most carriers, so no equipment on your end. Only allow SMSes to your area code and local carriers. For people without cell phones, have them enter their landline phone number and then have a human call them.

People travel.

[Futurepower(R)]

Yes, exactly: "... you may want to be careful with IP address filtering since that can result in unexpected disadvantages when a local is out traveling."

Don't expect that your users stay in one place.

Do expect that they sometimes travel to other countries.

Re:People travel.

[azaris]

Don't expect that your users stay in one place. Do expect that they sometimes travel to other countries.

I was going to suggest this, then realized his users are likely to be Americans.

Re:People travel.

[Haeleth]

Even Americans travel. Suppose his website's in Florida: he presumably wouldn't want Alaskans using it, because they're even further from being "local" than many foreigners. So any regional blocking would be at the state level, or possibly even the city level. And that means travellers wouldn't have to be abroad to be inconvenienced.

Re:People travel.

[WindBourne]

Do expect that they sometimes travel to other countries.
I was going to suggest this, then realized his users are likely to be Americans. The funny thing is, that this is true of all large countrys citizens that do not live near a border. For example, how many ppl in France, German, or even England go into Africa? Or America? Or Australia? All of the Michigan , Wisconson, Minnesota folks I know HAVE been into Canada. Likewise, all the West Texas, NM, Southern CO, AZ, Southern Nevada, Southern CA ppl that I know have also hit Mexico. The ppl that have never been out of the country tend to be those in the middle. Of course, they have all traveled more than 1000KM away. And the simple fact is, that for us Coloradoans, we see major cultural differences . The difference between a West Canadian vs East Candian has about the same difference; Love their country, but different mind sets.

What is funny, is that it get the average EU person to travel similar differences would mean that they travel from Western europe into just east of middle Africa, or that they go into the middle east, OR that they go into central africa. How many do that? Damn few. And South Americans do even less traveling.

Re:Hmmm....

[davmoo]

And it sounds like you've never had to pay for things like bandwidth and server space out of your own pocket. Maybe he wants to keep it small because that's what he can afford. Information may want to be free, but the infrastructure to host it never is.

A few issues

[Canazza]

Your local audience may leave the area (either on holiday or to live) but still want to talk to people back home. This means that blanket IP Range blocking is out of the question.
What I suggest is restrict viewing the website to people who are logged in. A default splash page for those not logged in could be shown that's minimal in graphics and text, containing just the log-in form and a 'register here'.

To stop unwanted people registering a new account, you could to a blanket IP ban on the registration page ONLY, meaning that a local person can register at home, and then roam to wherever and still access the site.

someone mentioned earlier this library for blocking a range of IP's by country and this PHP class that can do it too.
Just use them on the registration page and set up a redirect for those who are not logged in (regardless of location) and you should have a nice walled in forum.

Referrals Only

[Secret+Rabbit]

Set-up account registration such that you can only get an account if you were referred by an existing user. You know, since you already have a good sized user base (you do, yes?). It isn't unreasonable as long as you're keeping things local. Most people should know one another, or know someone who knows someone.

But, honestly, why are you even explaining yourself to these people. An email solely with RTFM in it with a link to the page the explains what the site is about is more than enough. Seriously, stop feeding the help vampires.

Information wants to be free

Copyright doesn't exist. You don't have the rights to keep your information for yourself. You MUST share it with all us and everybody as the rights to copy and use it.

or so I have been told here on slashdot.

PS. Apple users suck.

Re:Information wants to be free

[pipatron]

And you seem to be one of those that doesn't understand what "Information wants to be free" means, and how the question in the article actually shows one of the ideas behind that sentence.

The meaning with "Information wants to be free" is that it is very very difficult to contain information. You can't stop it from spreading, even if you would like to. It doesn't matter if you don't want it to be free or open, it will spread anyway.

Blocking some people from a website is also bound to fail, maybe not for the same reason, but for similar reasons, information will flow around blocks, as longs as someone wants to access it.

Re:Easier option

Best to only apply this restriction to account evolution.

Fixed that for y... wait, what?

Google Invitation

[Dan+East]

Use an invitation system like Google did for GMail. Each existing user would have a dozen or so invites. They enter the recipient's email address in a form on your site, and it sends a welcome email with an invite code. Those codes could only be used one time each. Locally you could spread invite codes far and wide on your hardcopy flyers, business cards, etc, with another set of codes that allowed multiple use - say 500-1000 uses per code. When that bulk code starts running low, create a new code and post new flyers. Eventually you'll get the local saturation you desire, and those public codes could be reduced so they can only be used 50-100 times before expiring. The idea is if they get into the hands of a spambot there will only be a limited number of accounts they can create.

When a public code runs out, your website can say something like "This code has expired. You will find the latest code posted at the community bulletin board at the local post office."

Basically your advertising will be word of mouth (where the invite codes come in), or via local hardcopy posters, flyers and business cards (bulk codes). I believe the invite system would serve as a form of viral advertising in and of itself (which is probably a major reason why Google went that route).

Anyway, that's how I'd do it.

Non-local trolling would be blocked?

[Mathinker]

> who cares about the library shutting an hour earlier on Thursdays and the
> graffiti on the bus shelter, except the people living there?

It might be fun to troll even if you don't live there. If only local access were allowed, then the population of possible trolls would be much smaller.

Like everything else it's a tradeoff between the benefits, and the disadvantages (in this case, probably the main disadvantage is blocking access to some people who should have it).

Re:Non-local trolling would be blocked?

[PIBM]

The easy solution would be to only apply the limitation on account creation. Just have to prove once that you live in the area!

Be carefull with GeoIP stuff

Remember, locals come from all over the world. Can you think of a time when you need local news more then when you are away from home? Just keeping out visitors because some geolocation outfit made some guess about their IP range is gonna hurt a lot of innocent people. And does IP based geolocation even work with mobile phones? If you considder your forum delicate and in need of easy access for locals then frustrating even some of them some of the time will hurt.

If its a forum you can decide to give *more* access to the kind of locals you want, instead of trying to give less to the visitors you dont like. I would try having online trivia quizzes about local events. Then you can give those who score well and have historically contributed interesting post moderating powers.

You can also demand referrals from current members at signup. Kinda like google did when it started gmail. I like the idea of plastering private keys around the neighborhood. Maybe you could use business cards, each with a different unique number and good for one account. If people know someone in the area a unique number will make their way, but if they dont then they are out of luck. Even back in the BBS days some boards were hard to get in. I remember typing up and "application" for access to a board, and then being voted into the community by a couple of regulars. Voting out people who figured "I hav l0adz of pr0n to tr4de" would get them in was kinda fun.

If its just bandwidth thats the problem then I would really considder just paying for the bandwidth someway. Maybe small local businesses would like to advertise cheaply but think adwords ads are for people with a website rather than brick and mortar store? Maybe you can serve more intrusive ads to those without a local IP? Or... just find a way to pay for the extra bandwidth! Bandwidth can be so insanely cheap these days

www

[hobbit]

Now, my Web-based board gets slammed by people from all over the world

Have you never wondered what "www" stands for?