1. Forum
  2. Usenet
  3. COMP.INFOSYSTEMS.WWW.SERV

  • the order of Rewrite commands in an .htaccess file

    From super70s@21:1/5 to All on Fri Jul 1 22:08:57 2016
    To make a long story short I have added some Rewrite commands to my
    .htaccess file to help prevent another hack of my site, which happened a
    few weeks ago.

    I'm just wondering if it matters if I group all the RewriteRule's
    together and Rewrite Cond's together, or does it particularly matter?

    Currently the file looks something like this. The first four are from
    the original file, and the others are the ones I just added:

    RewriteEngine on
    RewriteRule ^category(.*).html$ index.php?page=category&category_id=$1
    [L]
    RewriteRule ^article(.*).html$ index.php?page=article&article_id=$1 [L] RewriteRule ^page_(.*).html$ index.php?pagedb=$1 [L]
    RewriteRule ^index.html$ index.php
    RewriteCond %{QUERY_STRING} proc/self/environ [OR]
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
    RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]
    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|[|\%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ index.php [F,L]

    Would it be best to move that Rewrite Rule at the very end (which was
    one of the hack prevention commands I found online, along with all those Rewrite Cond's) up with the other four original Rewrite Rules at the top?

    Or group all the RewriteCond's at the top, before all the RewriteRule's?
    It seems this is the way it's done in all the examples I looked at.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Doc O'Leary@21:1/5 to [email protected] on Sat Jul 2 15:48:33 2016
    For your reference, records indicate that
    super70s <[email protected]d> wrote:

    I'm just wondering if it matters if I group all the RewriteRule's
    together and Rewrite Cond's together, or does it particularly matter?

    I’m not sure the question makes sense. Rule order matters, and rule conditions only apply to the first rule that follows them. I’m not
    sure what you think you will accomplish if you “group” things as you propose.

    Would it be best to move that Rewrite Rule at the very end (which was
    one of the hack prevention commands I found online, along with all those Rewrite Cond's) up with the other four original Rewrite Rules at the top?

    Well, I’d say it’d be best to stop using PHP. Otherwise, it is
    generally a good practice to put the most restrictive rules first,
    especially if they stop the rewriting process with an [L].

    Or group all the RewriteCond's at the top, before all the RewriteRule's?
    It seems this is the way it's done in all the examples I looked at.

    You need to understand *why* the examples you see work the way they do.
    Just copy-pasting directives and then shuffling them all around is a
    recipe for disaster.

    --
    "Also . . . I can kill you with my brain."
    River Tam, Trash, Firefly

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From super70s@21:1/5 to [email protected] on Sun Jul 3 14:35:07 2016
    In article <nl8noh$oso$[email protected]>,
    Doc O'Leary <[email protected]> wrote:

    For your reference, records indicate that
    super70s <[email protected]d> wrote:

    I'm just wondering if it matters if I group all the RewriteRule's
    together and Rewrite Cond's together, or does it particularly matter?

    I’m not sure the question makes sense. Rule order matters, and rule conditions only apply to the first rule that follows them. I’m not
    sure what you think you will accomplish if you “group” things as you propose.

    Would it be best to move that Rewrite Rule at the very end (which was
    one of the hack prevention commands I found online, along with all those Rewrite Cond's) up with the other four original Rewrite Rules at the top?

    Well, I’d say it’d be best to stop using PHP.

    PHP is at least a lot better than WordPress, the platform I was using
    when the nasty malware hack happened.

    Otherwise, it is generally a good practice to put the most restrictive rules first, especially if they stop the rewriting process with an [L].

    I think I'll move that last RewriteRule up with the other RewriteRules
    then (and before RewriteRule ^index.html$ index.php).

    Or group all the RewriteCond's at the top, before all the RewriteRule's?
    It seems this is the way it's done in all the examples I looked at.

    You need to understand *why* the examples you see work the way they do.
    Just copy-pasting directives and then shuffling them all around is a
    recipe for disaster.

    The author had descriptions of what all of those last 7 do commented
    out, but I just removed them...

    # proc/self/environ? no way!
    RewriteCond %{QUERY_STRING} proc/self/environ [OR]

    # Block out any script trying to set a mosConfig value through the URL RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]

    # Block out any script trying to base64_encode crap to send via URL
    RewriteCond %{QUERY_STRING} base64_encode.*(.*) [OR]

    # Block out any script that includes a <script> tag in URL
    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]

    # Block out any script trying to set a PHP GLOBALS variable via URL
    RewriteCond %{QUERY_STRING} GLOBALS(=|[|\%[0-9A-Z]{0,2}) [OR]

    # Block out any script trying to modify a _REQUEST variable via URL
    RewriteCond %{QUERY_STRING} _REQUEST(=|[|\%[0-9A-Z]{0,2})

    # Send all blocked request to homepage with 403 Forbidden error!
    RewriteRule ^(.*)$ index.php [F,L]

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)