Open Source

SolutionBase: Implement mod_rewrite procedures to improve server-client interaction

Using Apache's mod_rewrite module, you can evaluate site usage and enhance security through client identification, among other things. Here's how it works.

Apache's powerful mod_rewrite module enables you to rewrite URLs on the fly, providing dynamic site content modification, enhanced security through client identification, and site usage evaluation, among other capabilities.

In a nutshell, URL rewriting is a method for implementing session tracking. The concept is simple, though its implementation has broad and flexible benefits. Storing each inbound client HTTP request in a server log file creates a data repository that allows the server administrator to reconstruct in detail every individual client-server session. The collective data can be used to analyze site usage and performance. On top of these benefits, storing session IDs by client can serve as an ad hoc user security check system.

In an earlier article, Use mod_rewrite to handle URLs on Apache servers," we examined how Apache's mod_rewrite module can assist you in setting up a URL-rewrite facility on your server. Configuring this module, and using directives to define URL rewrite rules and conditions, sets up and fine-tunes the URL rewrite mechanism. You can go further by implementing very specific procedures to enhance your security and analysis capabilities through URL manipulation. Here's how.

Rewriting pages and extensions

The following procedures assume RewriteEngine is set to on. Apache provides detailed documentation on the various options and parameters for the directives used in the examples below.

Rewriting file extensions

Here's a simple process for modifying the extensions of files in URLs:

RewriteRuleï¿?ï¿? ^(.*)\.html$ï¿?ï¿? $1.htmï¿?ï¿? [R]

In this example, all file extensions of *.html are replaced with the file extension *.htm.

Rewrite one page to another

You can work the other side of the filename in the same manner, replacing one page name with another:

RewriteRuleï¿?ï¿? ^name1\.html$ï¿?ï¿? name2.html

In this example, the filename name1.html was replaced with name2.html. What's great about this trick is that the user never sees it. The URL can contain a false Web page name, and the rule above will substitute the correct one. This overcomes one of the security objections to URL rewritingï¿?that visible URLs on the client browser offer information that can be used for malicious intrusion.

If you add [R] to the same directive, the user will see the modified URL rather than the original:

RewriteRuleï¿?ï¿? ^name1\.html$ï¿?ï¿? name2.htmlï¿? ï¿?[R]

Restrict access to secure HTTP connections

You can use URL modification to restrict server directories to secure HTTP connections. This is common on sites using SSL/TLS, the preferred security protocol for encrypted transactions. Put the following rules into the document root parent directory, in .htaccess:

RewriteCondï¿? %{SERVER_PROTOCOL}ï¿? !^https
RewriteRuleï¿?ï¿? test/ï¿?ï¿? -ï¿?ï¿? [F]ï¿?ï¿?

Direct a client into a virtual directory

All client requests accessing Web scripts default to the script's document root. You may want otherwise. You can send the client into a virtual root directory with the following command:

RewriteRuleï¿?ï¿? ^/$ï¿?ï¿? /virtual/root/ï¿?ï¿? [R]ï¿?

This keeps the document root directory secure without hampering the user.

Direct a client to a remote server

If users need to access server directories for any reason, such as storage of their own proprietary files, you might want to have those directories on a server other than the one hosting the Web site through which the client gains access. This security precaution is wise and easily achieved.

You can make the transfer to a remote server visible or invisible to the user. The rule for implementing this transfer is:

RewriteRuleï¿?ï¿? ^/~(.+)ï¿?ï¿? http://www.mydirectory.com/~$1

Handling IP addresses

You can tighten server security by restricting access to IP addresses. You can deny specific remote hosts' entry into your server's Web sites with mod_rewrite rules. Use these commands in virtual host context rather than with .htaccess if you want them to be applied server-wide. Similarly, it's possible to restrict clients with certain IP addresses from accessing specific files and directories.

Denying site access to an IP address

The rule for access denial is a simple test (as in the SERVER_PROTOCOL example above) based on a rewrite condition, where 123.456.7.890 is the address to be blocked:

RewriteCondï¿?ï¿? %{REMOTE_ADDR}ï¿?ï¿? ^123\.456\.7\.890$RewriteRuleï¿?ï¿? .*ï¿?ï¿? -ï¿?ï¿? [F]

Denying file access to an IP address

When restricting access to specific files, you may want to have the directive be site-wide for a particular remote IP address or limited to specific directories. If you want the directive to be site-wide, keep the rules in the virtual host context. If you want to make the restriction directory-specific, put the rules in the .htaccess file, where 123.456.7.890 is the address to be restricted, and filename.html is the file to which access will be denied:

RewriteCond%{REMOTE_ADDR}ï¿?ï¿?ï¿? ^123\.456\.7\.890$RewriteRule.^filename\.html$ï¿?ï¿? -ï¿?ï¿? [F]

Denying directory access to an IP address

Finally, you can deny a remote IP address access to a specific directory. By definition, this is not a site-wide restriction, so the condition and rule must go into .htaccess rather than virtual host context:

RewriteBaseï¿?ï¿? /RewriteCondï¿?ï¿? %{REMOTE_ADDR}ï¿?ï¿? ^123\.456\.7\.890$RewriteRuleï¿?ï¿? .* -ï¿?ï¿? [F]ï¿?ï¿?

Note: In applying any of the IP address restrictions above, you may want to block access to particular remote hosts rather than IP addresses. If so, substitute {REMOTE_HOST} for {REMOTE_ADDR} in the examples above, and substitute the host name for the IP address in the condition parameter.

About Scott Robinson

Scott Robinson is a 20-year IT veteran with extensive experience in business intelligence and systems integration. An enterprise architect with a background in social psychology, he frequently consults and lectures on analytics, business intelligence...

Editor's Picks

Free Newsletters, In your Inbox