Crazy Advanced Mod_Rewrite Tutorial
« mod_rewrite Fix for Caching Updated FilesProtecting Files with Advanced Mod_Rewrite Anti-Hotlinking »
Are you an advanced mod_rewrite expert or guru? This article is for YOU too! Just make sure to read all the way to the bottom..
The following undocumented techniques and methods will allow you to utilize mod_rewrite at an “expert level” by showing you how to unlock its secrets.
Most if not all web developers and server administrators struggle with Apache mod_rewrite. It’s very tough and only gets a little easier with practice. Until Now! Get ready to explode your learning curve, I figured something out.
Why mod_rewrite is so tough
I have come to the conclusion, after many hours of zenful thought, that the reason mod_rewrite is so tough is pretty obvious, people are trying to apply regular-expressions to URLs and Variables that they don’t really understand. They understand what they want, but they don’t understand what the URLS and Variables are that they are trying to rewrite.
Hit-Or-Miss with mod_rewrite
A lot of the mod_rewrite “experts” and “gurus” floating around the net absolutely know their mod_rewrite, but what separates them from a beginner or novice is for the most part an understanding of what the URLS and Variables look like that are targeted by the regular expressions. Take this simple rewriterule that rewrites requests made without the www to www.
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} !^www\.askapache\.com$ [NC]
RewriteRule .+ http://www.askapache.com%{REQUEST_URI}
Pretty simple right? WRONG. Most people could not figure that out..
Why?
The reason intelligent people can’t figure that out is because they have no idea what HTTP_HOST or REQUEST_URI actually looks like. How can you write a rule for something if you don’t know what it looks like? You can’t.
When Not To Use Mod_Rewrite
Ok so heres an important concept that alot of people haven’t heard. You should only use mod_rewrite’s rewriterule when you use a rewritecond or if you are rewriting internally like my feedcount hack.
If you are simply redirecting one url to another, you should definately be using the much easier mod_alias’s redirect and redirectmatch, which is enabled on most Apache servers.
When To Use Mod_Rewrite
So then, you should only use mod_rewrite’s rewriterule when you are checking against one of the Apache Environment Variables to determine whether to rewrite or not. This is where the Apache Documentation is grossly lacking. They don’t tell you what those variables look like, leaving us completely incapable of creating rewrites based on them. Not anymore.
Mod_Rewrite Environment Variables (The Secret)
Here’s the variables I have found accessible by mod_rewrite (both documented and undocumented). A thing to note is that you can set these variables early in an .htaccess file using SetEnv, RewriteRule, Header, etc.. and they will be accessible at the end of the .htaccess file.
API_VERSIONAUTH_TYPECONTENT_LENGTHCONTENT_TYPEDOCUMENT_ROOTGATEWAY_INTERFACEHTTPSHTTP_ACCEPTHTTP_ACCEPT_CHARSETHTTP_ACCEPT_ENCODINGHTTP_ACCEPT_LANGUAGEHTTP_CACHE_CONTROL
HTTP_CONNECTIONHTTP_COOKIEHTTP_FORWARDEDHTTP_HOSTHTTP_KEEP_ALIVEHTTP_PROXY_CONNECTIONHTTP_REFERERHTTP_USER_AGENTIS_SUBREQORIG_PATH_INFOORIG_PATH_TRANSLATEDORIG_SCRIPT_FILENAME
ORIG_SCRIPT_NAMEPATHPATH_INFOPHP_SELFQUERY_STRINGREDIRECT_QUERY_STRINGREDIRECT_REMOTE_USERREDIRECT_STATUSREDIRECT_URLREMOTE_ADDRREMOTE_HOSTREMOTE_IDENT
REMOTE_PORTREMOTE_USERREQUEST_FILENAMEREQUEST_METHODREQUEST_TIMEREQUEST_URISCRIPT_FILENAMESCRIPT_GROUPSCRIPT_NAMESCRIPT_URISCRIPT_URLSCRIPT_USER
SERVER_ADDRSERVER_ADMINSERVER_NAMESERVER_PORTSERVER_PROTOCOLSERVER_SIGNATURESERVER_SOFTWARETHE_REQUESTTIMETIME_DAYTIME_HOURTIME_MIN
TIME_MONTIME_SECTIME_WDAYTIME_YEARTZUNIQUE_ID
Decoding Mod_Rewrite Variables
So when I realized my problem was that I didn’t know the value of the variable being tested by the RewriteCond, I set out to try and discover how to view those variables.. Keep in mind you can also use RewriteLogging, but its only allowed for root users who can edit the httpd.conf, this is .htaccess.
Setting Environment Variables with RewriteRule
I discovered a multitude of methods to set and view apache environment variables, using various modules and some core tricks, but the method that allows me to view the most environment variables is RewriteRule.. I wanted to use SetEnvIf more, but its just not as powerful as mod_rewrite, due to programming.
This code sets the variable INFO_REQUEST_URI to have the value of REQUEST_URI.
RewriteEngine On
RewriteBase /
RewriteRule .* - [E=INFO_REQUEST_URI:%{REQUEST_URI},NE]
Saving the Apache Variable Values
Now the trick is how to view that environment variable… The method I came up with is nice… We will send the environment variable value in an HTTP Header, as there isn’t much data manipulation/validation so you get an accurate look at the actual value.. At first I tried adding the variable value to a redirection using the query_string.. but a HTTP_USER_AGENT value doesn’t play well as a query_string.
Using RequestHeader in .htaccess
This code takes advantage of the incredible mod_headers apache module to actually ADD a whole new header to YOUR request. Seriously one of the coolest tricks I’ve found yet.. Its almost the same as being able to spoof POST requests! Since Headers can be protected data… especially the HTTP_COOKIE header..
RequestHeader set INFO_REQUEST_URI "%{INFO_REQUEST_URI}e"
Viewing the Variable Values
Now you can use any kind of server-run interpreter like perl, php, ruby, etc., to view all the variable values. All cgi-script handlers like those are able to view request headers..
PHP Code to access Apache Variables
Works even in safe-mode… any interpreter can view HTTP Headers! Note that each of these variables are added as HTTP headers to the request for the script.. kinda confusing.. So each variable sent as a header is prefixed with HTTP_ to denote it was a header.
<?php
header("Content-Type: text/plain");
$INFO=$MISS=array();
foreach($_SERVER as $v=>$r)
{
if(substr($v,0,9)=='HTTP_INFO')
{
if(!empty($r))$INFO[substr($v,10)]=$r;
else $MISS[substr($v,10)]=$r;
}
}
/* thanks Mike! */
ksort($INFO);
ksort($MISS);
ksort($_SERVER);
echo "Received These Variables:\n";
print_r($INFO);
echo "Missed These Variables:\n";
print_r($MISS);
echo "ALL Variables:\n";
print_r($_SERVER);
?>
Time to Get Crazy
Just create the above php file on your site as /test/index.php or whatever, then create /test/.htaccess which should contain the below .htaccess file snippet. Now just request /test/index.php and be amazed! If you’re looking for more general help check out this excellent mod_rewrite cheat sheet.
Ok, so I’ve prepared the .htaccess code you can use to view the values of all these variables. Just add it to a .htaccess file and make a request. For this test I created an index.php file that printed out all the $_SERVER variables, and made requests to it.
RewriteEngine On
RewriteBase /
RewriteRule .* - [E=INFO_API_VERSION:%{API_VERSION},NE]
RewriteRule .* - [E=INFO_AUTH_TYPE:%{AUTH_TYPE},NE]
RewriteRule .* - [E=INFO_CONTENT_LENGTH:%{CONTENT_LENGTH},NE]
RewriteRule .* - [E=INFO_CONTENT_TYPE:%{CONTENT_TYPE},NE]
RewriteRule .* - [E=INFO_DOCUMENT_ROOT:%{DOCUMENT_ROOT},NE]
RewriteRule .* - [E=INFO_GATEWAY_INTERFACE:%{GATEWAY_INTERFACE},NE]
RewriteRule .* - [E=INFO_HTTPS:%{HTTPS},NE]
RewriteRule .* - [E=INFO_HTTP_ACCEPT:%{HTTP_ACCEPT},NE]
RewriteRule .* - [E=INFO_HTTP_ACCEPT_CHARSET:%{HTTP_ACCEPT_CHARSET},NE]
RewriteRule .* - [E=INFO_HTTP_ACCEPT_ENCODING:%{HTTP_ACCEPT_ENCODING},NE]
RewriteRule .* - [E=INFO_HTTP_ACCEPT_LANGUAGE:%{HTTP_ACCEPT_LANGUAGE},NE]
RewriteRule .* - [E=INFO_HTTP_CACHE_CONTROL:%{HTTP_CACHE_CONTROL},NE]
RewriteRule .* - [E=INFO_HTTP_CONNECTION:%{HTTP_CONNECTION},NE]
RewriteRule .* - [E=INFO_HTTP_COOKIE:%{HTTP_COOKIE},NE]
RewriteRule .* - [E=INFO_HTTP_FORWARDED:%{HTTP_FORWARDED},NE]
RewriteRule .* - [E=INFO_HTTP_HOST:%{HTTP_HOST},NE]
RewriteRule .* - [E=INFO_HTTP_KEEP_ALIVE:%{HTTP_KEEP_ALIVE},NE]
RewriteRule .* - [E=INFO_HTTP_MOD_SECURITY_MESSAGE:%{HTTP_MOD_SECURITY_MESSAGE},NE]
RewriteRule .* - [E=INFO_HTTP_PROXY_CONNECTION:%{HTTP_PROXY_CONNECTION},NE]
RewriteRule .* - [E=INFO_HTTP_REFERER:%{HTTP_REFERER},NE]
RewriteRule .* - [E=INFO_HTTP_USER_AGENT:%{HTTP_USER_AGENT},NE]
RewriteRule .* - [E=INFO_IS_SUBREQ:%{IS_SUBREQ},NE]
RewriteRule .* - [E=INFO_ORIG_PATH_INFO:%{ORIG_PATH_INFO},NE]
RewriteRule .* - [E=INFO_ORIG_PATH_TRANSLATED:%{ORIG_PATH_TRANSLATED},NE]
RewriteRule .* - [E=INFO_ORIG_SCRIPT_FILENAME:%{ORIG_SCRIPT_FILENAME},NE]
RewriteRule .* - [E=INFO_ORIG_SCRIPT_NAME:%{ORIG_SCRIPT_NAME},NE]
RewriteRule .* - [E=INFO_PATH:%{PATH},NE]
RewriteRule .* - [E=INFO_PATH_INFO:%{PATH_INFO},NE]
RewriteRule .* - [E=INFO_PHP_SELF:%{PHP_SELF},NE]
RewriteRule .* - [E=INFO_QUERY_STRING:%{QUERY_STRING},NE]
RewriteRule .* - [E=INFO_REDIRECT_QUERY_STRING:%{REDIRECT_QUERY_STRING},NE]
RewriteRule .* - [E=INFO_REDIRECT_REMOTE_USER:%{REDIRECT_REMOTE_USER},NE]
RewriteRule .* - [E=INFO_REDIRECT_STATUS:%{REDIRECT_STATUS},NE]
RewriteRule .* - [E=INFO_REDIRECT_URL:%{REDIRECT_URL},NE]
RewriteRule .* - [E=INFO_REMOTE_ADDR:%{REMOTE_ADDR},NE]
RewriteRule .* - [E=INFO_REMOTE_HOST:%{REMOTE_HOST},NE]
RewriteRule .* - [E=INFO_REMOTE_IDENT:%{REMOTE_IDENT},NE]
RewriteRule .* - [E=INFO_REMOTE_PORT:%{REMOTE_PORT},NE]
RewriteRule .* - [E=INFO_REMOTE_USER:%{REMOTE_USER},NE]
RewriteRule .* - [E=INFO_REQUEST_FILENAME:%{REQUEST_FILENAME},NE]
RewriteRule .* - [E=INFO_REQUEST_METHOD:%{REQUEST_METHOD},NE]
RewriteRule .* - [E=INFO_REQUEST_TIME:%{REQUEST_TIME},NE]
RewriteRule .* - [E=INFO_REQUEST_URI:%{REQUEST_URI},NE]
RewriteRule .* - [E=INFO_SCRIPT_FILENAME:%{SCRIPT_FILENAME},NE]
RewriteRule .* - [E=INFO_SCRIPT_GROUP:%{SCRIPT_GROUP},NE]
RewriteRule .* - [E=INFO_SCRIPT_NAME:%{SCRIPT_NAME},NE]
RewriteRule .* - [E=INFO_SCRIPT_URI:%{SCRIPT_URI},NE]
RewriteRule .* - [E=INFO_SCRIPT_URL:%{SCRIPT_URL},NE]
RewriteRule .* - [E=INFO_SCRIPT_USER:%{SCRIPT_USER},NE]
RewriteRule .* - [E=INFO_SERVER_ADDR:%{SERVER_ADDR},NE]
RewriteRule .* - [E=INFO_SERVER_ADMIN:%{SERVER_ADMIN},NE]
RewriteRule .* - [E=INFO_SERVER_NAME:%{SERVER_NAME},NE]
RewriteRule .* - [E=INFO_SERVER_PORT:%{SERVER_PORT},NE]
RewriteRule .* - [E=INFO_SERVER_PROTOCOL:%{SERVER_PROTOCOL},NE]
RewriteRule .* - [E=INFO_SERVER_SIGNATURE:%{SERVER_SIGNATURE},NE]
RewriteRule .* - [E=INFO_SERVER_SOFTWARE:%{SERVER_SOFTWARE},NE]
RewriteRule .* - [E=INFO_THE_REQUEST:%{THE_REQUEST},NE]
RewriteRule .* - [E=INFO_TIME:%{TIME},NE]
RewriteRule .* - [E=INFO_TIME_DAY:%{TIME_DAY},NE]
RewriteRule .* - [E=INFO_TIME_HOUR:%{TIME_HOUR},NE]
RewriteRule .* - [E=INFO_TIME_MIN:%{TIME_MIN},NE]
RewriteRule .* - [E=INFO_TIME_MON:%{TIME_MON},NE]
RewriteRule .* - [E=INFO_TIME_SEC:%{TIME_SEC},NE]
RewriteRule .* - [E=INFO_TIME_WDAY:%{TIME_WDAY},NE]
RewriteRule .* - [E=INFO_TIME_YEAR:%{TIME_YEAR},NE]
RewriteRule .* - [E=INFO_TZ:%{TZ},NE]
RewriteRule .* - [E=INFO_UNIQUE_ID:%{UNIQUE_ID},NE]
RequestHeader set INFO_API_VERSION "%{INFO_API_VERSION}e"
RequestHeader set INFO_AUTH_TYPE "%{INFO_AUTH_TYPE}e"
RequestHeader set INFO_CONTENT_LENGTH "%{INFO_CONTENT_LENGTH}e"
RequestHeader set INFO_CONTENT_TYPE "%{INFO_CONTENT_TYPE}e"
RequestHeader set INFO_DOCUMENT_ROOT "%{INFO_DOCUMENT_ROOT}e"
RequestHeader set INFO_GATEWAY_INTERFACE "%{INFO_GATEWAY_INTERFACE}e"
RequestHeader set INFO_HTTPS "%{INFO_HTTPS}e"
RequestHeader set INFO_HTTP_ACCEPT "%{INFO_HTTP_ACCEPT}e"
RequestHeader set INFO_HTTP_ACCEPT_CHARSET "%{INFO_HTTP_ACCEPT_CHARSET}e"
RequestHeader set INFO_HTTP_ACCEPT_ENCODING "%{INFO_HTTP_ACCEPT_ENCODING}e"
RequestHeader set INFO_HTTP_ACCEPT_LANGUAGE "%{INFO_HTTP_ACCEPT_LANGUAGE}e"
RequestHeader set INFO_HTTP_CACHE_CONTROL "%{INFO_HTTP_CACHE_CONTROL}e"
RequestHeader set INFO_HTTP_CONNECTION "%{INFO_HTTP_CONNECTION}e"
RequestHeader set INFO_HTTP_COOKIE "%{INFO_HTTP_COOKIE}e"
RequestHeader set INFO_HTTP_FORWARDED "%{INFO_HTTP_FORWARDED}e"
RequestHeader set INFO_HTTP_HOST "%{INFO_HTTP_HOST}e"
RequestHeader set INFO_HTTP_KEEP_ALIVE "%{INFO_HTTP_KEEP_ALIVE}e"
RequestHeader set INFO_HTTP_MOD_SECURITY_MESSAGE "%{INFO_HTTP_MOD_SECURITY_MESSAGE}e"
RequestHeader set INFO_HTTP_PROXY_CONNECTION "%{INFO_HTTP_PROXY_CONNECTION}e"
RequestHeader set INFO_HTTP_REFERER "%{INFO_HTTP_REFERER}e"
RequestHeader set INFO_HTTP_USER_AGENT "%{INFO_HTTP_USER_AGENT}e"
RequestHeader set INFO_IS_SUBREQ "%{INFO_IS_SUBREQ}e"
RequestHeader set INFO_ORIG_PATH_INFO "%{INFO_ORIG_PATH_INFO}e"
RequestHeader set INFO_ORIG_PATH_TRANSLATED "%{INFO_ORIG_PATH_TRANSLATED}e"
RequestHeader set INFO_ORIG_SCRIPT_FILENAME "%{INFO_ORIG_SCRIPT_FILENAME}e"
RequestHeader set INFO_ORIG_SCRIPT_NAME "%{INFO_ORIG_SCRIPT_NAME}e"
RequestHeader set INFO_PATH "%{INFO_PATH}e"
RequestHeader set INFO_PATH_INFO "%{INFO_PATH_INFO}e"
RequestHeader set INFO_PHP_SELF "%{INFO_PHP_SELF}e"
RequestHeader set INFO_QUERY_STRING "%{INFO_QUERY_STRING}e"
RequestHeader set INFO_REDIRECT_QUERY_STRING "%{INFO_REDIRECT_QUERY_STRING}e"
RequestHeader set INFO_REDIRECT_REMOTE_USER "%{INFO_REDIRECT_REMOTE_USER}e"
RequestHeader set INFO_REDIRECT_STATUS "%{INFO_REDIRECT_STATUS}e"
RequestHeader set INFO_REDIRECT_URL "%{INFO_REDIRECT_URL}e"
RequestHeader set INFO_REMOTE_ADDR "%{INFO_REMOTE_ADDR}e"
RequestHeader set INFO_REMOTE_HOST "%{INFO_REMOTE_HOST}e"
RequestHeader set INFO_REMOTE_IDENT "%{INFO_REMOTE_IDENT}e"
RequestHeader set INFO_REMOTE_PORT "%{INFO_REMOTE_PORT}e"
RequestHeader set INFO_REMOTE_USER "%{INFO_REMOTE_USER}e"
RequestHeader set INFO_REQUEST_FILENAME "%{INFO_REQUEST_FILENAME}e"
RequestHeader set INFO_REQUEST_METHOD "%{INFO_REQUEST_METHOD}e"
RequestHeader set INFO_REQUEST_TIME "%{INFO_REQUEST_TIME}e"
RequestHeader set INFO_REQUEST_URI "%{INFO_REQUEST_URI}e"
RequestHeader set INFO_SCRIPT_FILENAME "%{INFO_SCRIPT_FILENAME}e"
RequestHeader set INFO_SCRIPT_GROUP "%{INFO_SCRIPT_GROUP}e"
RequestHeader set INFO_SCRIPT_NAME "%{INFO_SCRIPT_NAME}e"
RequestHeader set INFO_SCRIPT_URI "%{INFO_SCRIPT_URI}e"
RequestHeader set INFO_SCRIPT_URL "%{INFO_SCRIPT_URL}e"
RequestHeader set INFO_SCRIPT_USER "%{INFO_SCRIPT_USER}e"
RequestHeader set INFO_SERVER_ADDR "%{INFO_SERVER_ADDR}e"
RequestHeader set INFO_SERVER_ADMIN "%{INFO_SERVER_ADMIN}e"
RequestHeader set INFO_SERVER_NAME "%{INFO_SERVER_NAME}e"
RequestHeader set INFO_SERVER_PORT "%{INFO_SERVER_PORT}e"
RequestHeader set INFO_SERVER_PROTOCOL "%{INFO_SERVER_PROTOCOL}e"
RequestHeader set INFO_SERVER_SIGNATURE "%{INFO_SERVER_SIGNATURE}e"
RequestHeader set INFO_SERVER_SOFTWARE "%{INFO_SERVER_SOFTWARE}e"
RequestHeader set INFO_THE_REQUEST "%{INFO_THE_REQUEST}e"
RequestHeader set INFO_TIME "%{INFO_TIME}e"
RequestHeader set INFO_TIME_DAY "%{INFO_TIME_DAY}e"
RequestHeader set INFO_TIME_HOUR "%{INFO_TIME_HOUR}e"
RequestHeader set INFO_TIME_MIN "%{INFO_TIME_MIN}e"
RequestHeader set INFO_TIME_MON "%{INFO_TIME_MON}e"
RequestHeader set INFO_TIME_SEC "%{INFO_TIME_SEC}e"
RequestHeader set INFO_TIME_WDAY "%{INFO_TIME_WDAY}e"
RequestHeader set INFO_TIME_YEAR "%{INFO_TIME_YEAR}e"
RequestHeader set INFO_TZ "%{INFO_TZ}e"
RequestHeader set INFO_UNIQUE_ID "%{INFO_UNIQUE_ID}e"
Mod_Rewrite Variables Decoded!
[API_VERSION] => 20020903:12 [AUTH_TYPE] => Digest [DOCUMENT_ROOT] => /home/user/www_root/askapache.com [HTTPS] => off [HTTP_ACCEPT] => text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 [HTTP_COOKIE] => PHPSESSID=752ee6d56e15f305233e30045987e5ce568c034; __qca=1176541225-59967328-5223185; [HTTP_HOST] => www.askapache.com [HTTP_REFERER] => http://www.askapache.com/protest/index.php?askapache=awesomeness&you=rock [HTTP_USER_AGENT] => Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16 [IS_SUBREQ] => false [QUERY_STRING] => e=404 [REMOTE_ADDR] => 22.162.144.211 [REMOTE_HOST] => 22.162.144.211 [REMOTE_PORT] => 4511 [REMOTE_USER] => administrator [REQUEST_FILENAME] => /home/user/www_root/askapache.com/protest/index.php [REQUEST_METHOD] => GET [REQUEST_URI] => /protest/index.php [SCRIPT_FILENAME] => /home/user/www_root/askapache.com/protest/index.php [SCRIPT_GROUP] => daemonu [SCRIPT_USER] => askapache [SERVER_ADDR] => 208.113.134.190 [SERVER_ADMIN] => webmaster@askapache.com [SERVER_NAME] => www.askapache.com [SERVER_PORT] => 80 [SERVER_PROTOCOL] => HTTP/1.1 [SERVER_SOFTWARE] => Apache/2.0.61 (Unix) PHP/4.4.7 mod_ssl/2.0.61 OpenSSL/0.9.7e mod_fastcgi/2.4.2 DAV/2 [THE_REQUEST] => GET /protest/adf HTTP/1.1 [TIME] => 20080820014309 [TIME_DAY] => 20 [TIME_HOUR] => 01 [TIME_MIN] => 43 [TIME_MON] => 08 [TIME_SEC] => 09 [TIME_WDAY] => 3 [TIME_YEAR] => 2008
Request using HTTPS
[API_VERSION] => 20020903:12 [AUTH_TYPE] => Digest [DOCUMENT_ROOT] => /home/user/www_root/askapache.com [HTTPS] => on [HTTP_ACCEPT] => text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5 [HTTP_COOKIE] => PHPSESSID=752ee6d56e15f305233e30045987e5ce568c034; __qca=1176541225-59967328-5223185; [HTTP_HOST] => www.askapache.com [HTTP_REFERER] => http://www.askapache.com/protest/index.php?askapache=awesomeness&you=rock [HTTP_USER_AGENT] => Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.16) Gecko/20080702 Firefox/2.0.0.16 [IS_SUBREQ] => false [QUERY_STRING] => hi=you&whats=&you [REMOTE_ADDR] => 22.162.144.211 [REMOTE_HOST] => 22.162.144.211 [REMOTE_PORT] => 4605 [REMOTE_USER] => administrator [REQUEST_FILENAME] => /home/user/www_root/askapache.com/protest/index.php [REQUEST_METHOD] => GET [REQUEST_URI] => /protest/index.php [SCRIPT_FILENAME] => /home/user/www_root/askapache.com/protest/index.php [SCRIPT_GROUP] => daemonu [SCRIPT_USER] => askapache [SERVER_ADDR] => 208.113.134.190 [SERVER_ADMIN] => webmaster@askapache.com [SERVER_NAME] => www.askapache.com [SERVER_PORT] => 443 [SERVER_PROTOCOL] => HTTP/1.1 [SERVER_SOFTWARE] => Apache/2.0.61 (Unix) PHP/4.4.7 mod_ssl/2.0.61 OpenSSL/0.9.7e mod_fastcgi/2.4.2 DAV/2 [THE_REQUEST] => GET /protest/index.php?hi=you&whats=&you HTTP/1.1 [TIME] => 20080820015016 [TIME_DAY] => 20 [TIME_HOUR] => 01 [TIME_MIN] => 50 [TIME_MON] => 08 [TIME_SEC] => 16 [TIME_WDAY] => 3 [TIME_YEAR] => 2008
Emulating ErrorDocuments with Mod_Rewrite
The ErrorDocument directive is helpful because an errordocument is called differently then a normal file, and it contains special variables to help an admin debug.
I’ve wanted to use a RewriteCond + a RewriteRule to cause an Apache ErrorDocument to be displayed for a long time… I finally figured it out. Simply use the HTTP STATUS CODE trick in combination with a simple RewriteRule to trigger an Apache ErrorDocument.
This code emulates the internal 404 process Apache goes through.. If the file is not found it requests the /test/trigger-error/404 internally which triggers the 404 ErrorDocument.
ErrorDocument 404 /test/errordocument/404.html
Redirect 404 /test/trigger-error/404
RewriteEngine On
RewriteBase /
RewriteCond %{ENV:REDIRECT_STATUS} !=404
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule .* /test/trigger-error/404 [L]
Big Deal.. you might say… well consider that this works with any status code, and using this method you now have the power to trigger any errordocument page based on any kind of rewritecond. I’ll be writing about some practical uses for this powerful method in the coming weeks, but heres a good example now so you can see how it can be used.
This bit of code Triggers the 505 HTTP Version Not Supported When a request is made to the server with a protocol other than 1.1.
ErrorDocument 505 /test/errordocument/505.html
Redirect 505 /test/trigger-error/505
RewriteEngine On
RewriteBase /
RewriteCond %{ENV:REDIRECT_STATUS} !=505
RewriteCond %{THE_REQUEST} !^[A-Z]{3,9}\ /.*\ HTTP/(0\.9|1\.0|1\.1) [NC]
RewriteRule .* /test/trigger-error/505 [L]
YES! I realize I didn’t explain that very well, I didn’t realize it was that complicated.. I wanted to go into how to use these advanced tricks and methods to achieve some really cool stuff, but explaining just this little bit took me awhile and I’m out of page space!
So play around with this and I’ll post back some of the untapped sicknesses you can give a website with such powerful methods at your disposal.
Ralf S. Engelschall
/* * URL Rewriting Module * * This module uses a rule-based rewriting engine (based on a * regular-expression parser) to rewrite requested URLs on the fly. * * It supports an unlimited number of additional rule conditions (which can * operate on a lot of variables, even on HTTP headers) for granular * matching and even external database lookups (either via plain text * tables, DBM hash files or even external processes) for advanced URL * substitution. * * It operates on the full URLs (including the PATH_INFO part) both in * per-server context (httpd.conf) and per-dir context (.htaccess) and even * can generate QUERY_STRING parts on result. The rewriting result finally * can lead to internal subprocessing, external request redirection or even * to internal proxy throughput. * * This module was originally written in April 1996 and * gifted exclusively to the The Apache Software Foundation in July 1997 by * * Ralf S. Engelschall * rse engelschall.com * www.engelschall.com */
« mod_rewrite Fix for Caching Updated Files
Protecting Files with Advanced Mod_Rewrite Anti-Hotlinking »
Similar Reads
- 301 Redirect with mod_rewrite or RedirectMatch
- Crazy Cache WordPress Plugin Released
- Speed up your site with Caching and cache-control
- Apache HTTPD and Module API Versions
- .Htaccess rewrites, Mod_Rewrite Tricks and Tips
- Redirect index.php to root
- .htaccess mod_rewrite rewrite examples
- htaccess HTTPS / SSL Tips, Tricks, and Hacks
- Smart HTTP and HTTPS .htaccess Rewrite
- htaccess Tricks for Webmasters
- .htaccess – Wikipedia
- Rewrite underscores to hyphens for SEO URL
- Apache HTTPD Google CSE
- PHP htaccess tips and tricks
- .htaccess trick to show Alternate CSS file based on IP
- 301 Redirect Cheatsheet
- mod_rewrite Fix for Caching Updated Files
- Manipulating HTTP Headers with htaccess
- Website SEO Score Tool
Tags: advanced, askapache, cheatsheet, howto, htaccess, htaccess rewrite, mod_rewrite, tutorial
My Picks
- THE Mod_Rewrite Cheatsheet
- AskApache .bash_profile
- Elite Log Viewing
- THE Ultimate Htaccess
- Intense Windows Speed
- DNS: Round Robin Speed
- Fsockopen: Nuts
Related Articles
- 301 Redirect with mod_rewrite or Redi
- Crazy Cache WordPress Plugin Released
- Speed up your site with Caching and c
- Apache HTTPD and Module API Versions
- .Htaccess rewrites, Mod_Rewrite Trick
- Redirect index.php to root
- .htaccess mod_rewrite rewrite example
- htaccess HTTPS / SSL Tips, Tricks, an
- Smart HTTP and HTTPS .htaccess Rewrit
- htaccess Tricks for Webmasters
- Rewrite underscores to hyphens for SE
Newest Posts
- Update: Best Free Online Banking
- Firefox Add-ons for Web Developers
- Optimizing Servers and Processes for Speed with ionice, nice, ulimit
Random
Donate
Please consider donating to support active development of the free software and articles here.
Good Causes
The power of the Web is in its universality. Access by everyone regardless of disability is an essential aspect. Tim Berners-Lee
Reader Comments
-
AskApache ~
soma
-
Fahed ~
In case this throws a 500 for anyone, make sure that mod_headers is loaded:
LoadModule headers_module modules/mod_headers.so
-
Okay, this looks very good. I got it to work and display all the variables.
But what I *really* wanted was a way to print out the variables while accessing my problematic reference. That is, this prints out the variables using a specific URL request. Namely, test/index.php … or whatever the name given to it was. But I want to see what’s going on for the specific URL I am trying to debug. Is there a way from within the .htaccess file ALONE that I can print out the various variables?
-
Kudos. I love your style of writing– very cheesy infomercial style. Entertaining, informative, and it’s not even 3am!
-
I am new to apache mod_rewrite. I have a question here.
I would like to put an user defined variable in the RewriteRule, and the variable is retrieved from database. Is this possible? -
AskApache ~
@Michal
Actually HTTP_ACCEPT_LANGUAGE, HTTP_ACCEPT, HTTP_HOST, HTTP_COOKIE, and a couple more variables are created by apache just for later referencer. In fact, HTTP_ACCEPT_LANGUAGE is an alias of
%{HTTP:Accept-Language}, but note that the %HTTP array holds the actual header strings, and some processing is done on it to create the HTTP_ variables. you can actualy access ANY header with the %HTTP variable, which is very neat because you can use that and the RequestHeader directive as a data-channel/proxy… its crazy!RewriteRule .* - [E=INFO_UNIQUE_ID:%{UNIQUE_ID},NE] RequestHeader set INFO_API_VERSION "%{INFO_API_VERSION}e"I didn’t explain in my post but basically this lets you examine the incoming request headers from the user (like Accept-Language) and then MODIFY their request headers before apache sees it. So if I were you I would perform regex on their incoming accept-language header, then modify their actual request to the real asset.
-
Thanks for great post, I didn’t know it is possible to “decode mod rewrite variables’ in this way!
I also found that
%{HTTP_ACCEPT_LANGUAGE}in .htaccess files for making multilingual websites doesn’t work. However there is other way to read browser setting of prefferred language in order to make a localization of the site using Apache mod rewrite.Fortunately we can access every header sent by the browser using
%{HTTP:header}, so the solution is not%{HTTP_ACCEPT_LANGUAGE}but:%{HTTP:Accept-Language}. I write more about this on my blog post: mod rewrite and HTTP_ACCEPT_LANGUAGE -
For some reason, I’m getting a 500 error. When I take out the “RequestHeader” portions of the .htaccess file, it actually brings me to the test/index.php file.
Is there some configuration in my config file I need to do to allow RequestHeader code in .htaccess?
-
Your php code isn’t showing completely. For some reason, WordPress (or whatever) is interpreting your piece of quoted php code (index.php), and cuts off part of it. I can see in the source that you have:
$r) { if(substr($v,0,9)=='HTTP_INFO') { if(!empty($r))$INFO[substr($v,10)]=$r; else $MISS[substr($v,10)]=$r; } } /* thanks Mike! */ ksort($INFO); ksort($MISS); ksort($_SERVER); echo "Received These Variables:\n"; print_r($INFO); echo "Missed These Variables:\n"; print_r($MISS); echo "ALL Variables:\n"; print_r($_SERVER);However, the <?php is still being interpreted. The web page only lists from $r) onward. Maybe it’s my firefox browser?
-
Dan Nedelko ~
Nice tutorial. Love this blog and your plugins are actual real plugins that are useful for everything.
Cheers,
Dan -
An excellent article just what I was looking for.
However I found one minor problem!Time to Get Crazy: I copied this into an .htaccess file.
PHP Code to access Variables: Ran this code from a test page.
The key values displayed were numeric and not the expected parameters.
It looks as if the following lines do not preserve keys:
sort($INFO); sort($MISS); sort($_SERVER);
After changing the above to:
ksort($INFO); ksort($MISS); ksort($_SERVER);
Worked like a charm, for the first time I can explore the variables I am working with.
-
Ian Beck ~
Wow! This is a fantastic resource! The lack of knowledge about exactly what the format of the RewriteCond variables was has been holding me back with mod_rewrite since I started trying to use it. Thank you so much for publishing this the day before I (once again) went on a search for this information!
-
At first I thought this was just another mod_rewrite tutorial but it’s way better. Thanks for the great tip!
-
Nice. Will check that out. Look forward to your posts in a month or two then :)
-
AskApache ~
@ Anup
Yes the
[F]flag is extremely helpful.. You should also check out the various mod_rewrite anti-cracking/exploits code snippets that are used in the WP Plugin I develop, a lot of good ones there.Check back in a month or two as I will have a lot more mod_rewrite/.htaccess code snippets to fight SQL injection among other annoyances.
-
How timely, especially the bit on “Emulating ErrorDocuments with Mod_Rewrite”. I have been trying to do that last night with little luck. On a friend’s site, they are getting a ton of SQL injection attempts (though their site doesn’t use a database!) so I was hoping for a .htaccess only solution to force the 403 error document when we detect these. I came across the [F] flag, which I will try this evening, but your section looks like it will work, too.
It's very simple - you read the protocol and write the code. -Bill Joy
HTML | DCMI | GRDDL | XOXO | XDMP | XFN | DOM | XML | XHTML 1.1 Strict | CSS 2.1 | W3C | TLDP | WAI | DISA | ICSI | GIAC | SANS RR | GHOST | DEFCON | NIST | DHS CYBER | NIST
↑ TOPExcept where otherwise noted, content on this site is licensed under a Creative Commons Attribution 3.0 License, just credit with a link.
This site is not supported or endorsed by The Apache Software Foundation (ASF). All software and documentation produced by The ASF is licensed. "Apache" is a trademark of The ASF. HTTPD based on NCSA HTTPd
Yeh… this is crazy advanced! Pretty awesome though.