Some notes on rewrites in Apache .htaccess files

Since I keep rediscovering this every so often, here's what I know about rewrite rules in .htaccess files so that I can just read it here the next time around.

Some basics:

  • you need a 'RewriteEngine on' statement, even if the rewrite engine is already on in the main configuration.

  • the 'URLs' that you match against in RewriteRule are relative to the directory the .htaccess is in. However, Apache variables like %{REQUEST_FILENAME} that you use in RewriteCond are the full real URLs, not URLs relative to the directory. This makes sense, but does mean one has to keep track of it all.

Suppose that you want to have a 'directory' that is actually a CGI-BIN. There are two ways to do this:

  • make an actual directory, and put a .htaccess in it that has:
    RewriteRule ^(.*)$ /cgis/my-cgi/$1 [PT]

    Apache itself will then handle generating a redirect for people who ask for the directory without the trailing slash; your CGI-BIN does not have to worry about it.

  • put a .htacces in the directory that is one level up. This should have something like:
    RewriteRule ^foo$ /cgis/my-cgi [PT]
    RewriteRule ^foo/(.*)$ /cgis/my-cgi/$1 [PT]

    Your CGI will have to generate the redirect when people ask for the directory without the trailing slash (or, well, do whatever you want with their requests); Apache won't do anything special for you.

It is common to implement the latter approach with a single rewrite rule:

RewriteRule ^foo(.*)$ /cgis/my-cgi/$1 [PT]

However, this is incorrect because it matches too much; it will send any URL in that directory that starts with foo off to your CGI-BIN, including things like a request for 'foobar'.

(You may not care about this. I do, partly because I don't like handing my CGIs URLs that they're not actually supposed to be handling.)

PS: the very similar looking destination '/cgis/my-cgi$1' is very much not what you want; in fact, I believe that it's a security risk, as I think it means that Apache can be tricked into running things like '/cgis/my-cgi.old' with a suitable request.

(4 comments.)

These are my WanderingThoughts
(About the blog)

GettingAround
Full index of entries
Recent comments

This is part of CSpace, and is written by ChrisSiebenmann.

* * *

Atom feeds are available; see the bottom of most pages.

This is a DWiki.
(Help)

Categories: links, linux, programming, python, snark, solaris, spam, sysadmin, tech, unix, web

Search:
Written on 19 May 2009.
(Previous | Next)
Page tools: View Source, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.
Last modified: Tue May 19 00:37:56 2009
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.