RewriteEngine On

# Exclude ACME challenge
RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge
RewriteRule ^ - [L]

# Whitelist your IP
RewriteCond %{REMOTE_ADDR} ^XX\.XXX\.XX\.XXX$
RewriteRule .* - [L]

# Allow known bots
RewriteCond %{HTTP_USER_AGENT} (Baiduspider|Polyring) [NC]
RewriteRule .* - [L]

# Allow access to errors folder
RewriteCond %{REQUEST_URI} ^/errors/
RewriteRule .* - [L]

# Allow access to specific RSS feeds
RewriteCond %{REQUEST_URI} ^/feeds/blog\.php$ [OR]
RewriteCond %{REQUEST_URI} ^/feeds/combined\.php$ [OR]
RewriteCond %{REQUEST_URI} ^/social/rss/index\.php$ [OR]
RewriteCond %{REQUEST_URI} ^/rss\.php$ [OR]
RewriteCond %{REQUEST_URI} ^/robots\.txt$ [OR]
RewriteCond %{REQUEST_URI} ^/public/feeds/feed\.opml$
RewriteRule .* - [L]

# Block common scraping libraries
RewriteCond %{HTTP_USER_AGENT} (python|okhttp|libwww|Go-http-client|Apache-HttpClient|curl) [NC]
RewriteRule .* - [F,L]

# Block unidentified bots: empty UA or Accept
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_ACCEPT} ^$
RewriteRule .* - [F,L]

# Inline 403 message for humans
ErrorDocument 403 /errors/403.txt