adric.net

Rewrite

I've set up a little lab to try and practice or just debug RewriteRules since I have so much trouble with even the simplest ones not working. So far, I'm losing sanity and haven't learned anything, but we shall see...

Lab start

On nat17 I added the virtual host rewrite.nat17.nationalnet.com. I added to its virt block:
##
RewriteLog /web/sites/ben/rewrite.log
RewriteLogLevel 9

which enables Rewrite logging and cranks it to 11, basically. Very noisy as you'll see.

In that virt we have a tiny index.shtml, an image file from NASA, and the .htaccess. The index.shtml file links the image file twice, once through its name and once through a symlink that doesn't have a file extension. That way it won't be blocked by the rewrite rules. The http://rewrite.nat17.nationalnet.com/index.shtml page is accessible from a browser, but the real fun is in hitting it with wget using spoofed referrers:
wget --referer="yomama" http://rewrite.nat17.nationalnet.com/index.shtml -q -O junk

The htaccess file is where the action is. After we enable SSI and the RewriteEngine we've got some RewriteRule blocks, one that I tried on nat1735 (based on the docs in Apache) and one that I snagged from Tomas (near here). Mine had been the cause of 501 Internal Server Errors, as the Apache error log confirms:
... .htaccess: RewriteCond: bad flag delimiters
And in fact it seems to hate all of the RewriteCond lines in that block except maybe the blank one, but the Tomas ones run cleanly.

meanwhile on hustlercash

These rules work. And by work I mean block image loading and do not make Apache crash:
#default allow, but deny these hotlinkers
RewriteCond %{HTTP_REFERER} http://hao.88cccc.com [OR]
RewriteCond %{HTTP_REFERER} http://dog.newlcyl.com [OR]
RewriteCond %{HTTP_REFERER} http://tube.freexxxpasses.com [OR]
RewriteCond %{HTTP_REFERER} http://members.members-here.com
RewriteRule .*[Jj][Pp][Gg]$|.*[Gg][Ii][Ff]$ - [f]

Interestingly, putting [OR] on that last RewriteCond made the images on hustlercash.com not load, until I reverted it. Later on I've added more than 100 of these, and they haven't stopped coming up with new ones *sigh*

bad flag delimiters

The sum of Google results seems to be that this Rewrite error is bad whitespace, bad (non-Unix) linefeeds or mismatched [ ] in the rule. At least one thread reports that retyping or reformatting the lines fixes it (http://wiki.answers.com/Q/What_causes_the_error_.htaccess_RewriteCond_bad_flag_delimiters_when_blocking_user_agents_using_.htaccess , http://www.usenet-forums.com/apache-web-server/42882-bad-flag-delimiters-rewrite-cond.html), and so far, redoing the EOL characters seems to make some of the RewriteCond lines pass muster...

finally, some logs

Although the loss of sanity has still overwhelmed any discoveries, it was quite nice to actually see the log entries that explain what it is doing... Running
nat17:# wget --referer="yomama" http://rewrite.nat17.nationalnet.com/image_euv_press.jpg -q -O junk
nat17:# wget --referer="ojisan" http://rewrite.nat17.nationalnet.com/image_euv_press.jpg -q -O junk
against
RewriteCond %{HTTP_REFERER} !^ojisan$ [NC]
RewriteCond %{HTTP_REFERER} !^.*SOMEDOMAIN.TLD.*$ [NC]
RewriteRule .*[Jj][Pp][Gg]$|.*[Gg][Ii][Ff]$ - [f]
logs
66.115.130.17 - - [27/Apr/2008:04:24:59 -0400] [rewrite.nat17.nationalnet.com/sid#80df4b4][rid#82c7e3c/initial] (3) [per-dir /web/sites/ben/rewrite.nat17.nationalnet.com/] strip per-dir prefix: /web/sites/ben/rewrite.nat17.nationalnet.com/image_euv_press.jpg -> image_euv_press.jpg
66.115.130.17 - - [27/Apr/2008:04:24:59 -0400] [rewrite.nat17.nationalnet.com/sid#80df4b4][rid#82c7e3c/initial] (3) [per-dir /web/sites/ben/rewrite.nat17.nationalnet.com/] applying pattern '.*[Jj][Pp][Gg]$|.*[Gg][Ii][Ff]$' to uri 'image_euv_press.jpg'
66.115.130.17 - - [27/Apr/2008:04:24:59 -0400] [rewrite.nat17.nationalnet.com/sid#80df4b4][rid#82c7e3c/initial] (4) RewriteCond: input='ojisan' pattern='!^ojisan$' => not-matched
66.115.130.17 - - [27/Apr/2008:04:24:59 -0400] [rewrite.nat17.nationalnet.com/sid#80df4b4][rid#82c7e3c/initial] (1) [per-dir /web/sites/ben/rewrite.nat17.nationalnet.com/] pass through /web/sites/ben/rewrite.nat17.nationalnet.com/image_euv_press.jpg
66.115.130.17 - - [27/Apr/2008:04:25:20 -0400] [rewrite.nat17.nationalnet.com/sid#80df4b4][rid#82c7e3c/initial] (3) [per-dir /web/sites/ben/rewrite.nat17.nationalnet.com/] strip per-dir prefix: /web/sites/ben/rewrite.nat17.nationalnet.com/image_euv_press.jpg -> image_euv_press.jpg
66.115.130.17 - - [27/Apr/2008:04:25:20 -0400] [rewrite.nat17.nationalnet.com/sid#80df4b4][rid#82c7e3c/initial] (3) [per-dir /web/sites/ben/rewrite.nat17.nationalnet.com/] applying pattern '.*[Jj][Pp][Gg]$|.*[Gg][Ii][Ff]$' to uri 'image_euv_press.jpg'
66.115.130.17 - - [27/Apr/2008:04:25:20 -0400] [rewrite.nat17.nationalnet.com/sid#80df4b4][rid#82c7e3c/initial] (4) RewriteCond: input='yomama' pattern='!^ojisan$' => matched
66.115.130.17 - - [27/Apr/2008:04:25:20 -0400] [rewrite.nat17.nationalnet.com/sid#80df4b4][rid#82c7e3c/initial] (4) RewriteCond: input='yomama' pattern='!^.*SOMEDOMAIN.TLD.*$' => matched
66.115.130.17 - - [27/Apr/2008:04:25:20 -0400] [rewrite.nat17.nationalnet.com/sid#80df4b4][rid#82c7e3c/initial] (2) forcing '/web/sites/ben/rewrite.nat17.nationalnet.com/image_euv_press.jpg' to be forbidden
The default AND of rules is apparently desirable when default-deny (whitelisting) your matches, as making these OR allowed Apache to shortcut to the F when anything failed the first match. It seems to have to pass all of them to run the end rule, but failing only one will shortcut and not apply the rule ... and because our rules are negative, that actually works right: Run
nat17:# wget --referer="http://ojisama.org.jp" http://rewrite.nat17.nationalnet.com/image_euv_press.jpg -q -O junk
nat17:# wget --referer="http://ojisan.org.jp" http://rewrite.nat17.nationalnet.com/image_euv_press.jpg -q -O junk
on something like
RewriteCond %{HTTP_REFERER} !^http://ojisan.org.jp$ [NC]
RewriteCond %{HTTP_REFERER} !^http://.*SOMEDOMAIN.TLD.*$ [NC]
RewriteRule .*[Jj][Pp][Gg]$|.*[Gg][Ii][Ff]$ - [f]
and get (now with enhanced readability)
nat17:# tail -f ../rewrite.log | grep -v favicon | cut -d' ' -f8- | sed -e 's,\[.*\],,g'
 strip per-dir prefix: /web/sites/ben/rewrite.nat17.nationalnet.com/image_euv_press.jpg -> image_euv_press.jpg
$' to uri 'image_euv_press.jpg'
RewriteCond: input='http://ojisama.org.jp' pattern='!^http://ojisan.org.jp$' => matched
RewriteCond: input='http://ojisama.org.jp' pattern='!^http://.*SOMEDOMAIN.TLD.*$' => matched
forcing '/web/sites/ben/rewrite.nat17.nationalnet.com/image_euv_press.jpg' to be forbidden
strip per-dir prefix: /web/sites/ben/rewrite.nat17.nationalnet.com/image_euv_press.jpg -> image_euv_press.jpg
applying pattern '\.(gif|jpg|swf|flv|png)$' to uri 'image_euv_press.jpg'
RewriteCond: input='http://ojisama.org.jp' pattern='!^http://ojisan.org.jp$' => matched
RewriteCond: input='http://ojisama.org.jp' pattern='!^http://.*SOMEDOMAIN.TLD.*$' => matched
forcing '/web/sites/ben/rewrite.nat17.nationalnet.com/image_euv_press.jpg' to be forbidden
strip per-dir prefix: /web/sites/ben/rewrite.nat17.nationalnet.com/image_euv_press.jpg -> image_euv_press.jpg
applying pattern '\.(gif|jpg|swf|flv|png)$' to uri 'image_euv_press.jpg'
RewriteCond: input='http://ojisan.org.jp' pattern='!^http://ojisan.org.jp$' => not-matched
pass through /web/sites/ben/rewrite.nat17.nationalnet.com/image_euv_press.jpg
strip per-dir prefix: /web/sites/ben/rewrite.nat17.nationalnet.com/image_euv_press.jpg -> image_euv_press.jpg
applying pattern '\.(gif|jpg|swf|flv|png)$' to uri 'image_euv_press.jpg'
RewriteCond: input='http://ojisan.org.jp' pattern='!^http://ojisan.org.jp$' => not-matched
pass through /web/sites/ben/rewrite.nat17.nationalnet.com/image_euv_press.jpg
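
The AND/[OR] behaviour seen in these logs, and the trailing [OR] that stopped images loading on hustlercash, as an added example (not part of the original notes and not Apache's code): a small Python model of how a chain of RewriteCond lines decides whether the RewriteRule fires. The blocklist hostnames are constructed, and the handling of a failed [OR]-flagged condition (it decides nothing and evaluation moves to the next line) is this model's assumption about mod_rewrite.

```python
import re

def cond_true(value, pattern, flags=""):
    """One RewriteCond: unanchored regex test, leading '!' negates, NC ignores case."""
    negate = pattern.startswith("!")
    regex = pattern[1:] if negate else pattern
    hit = re.search(regex, value, re.I if "NC" in flags else 0) is not None
    return hit != negate

def rule_fires(referer, conds):
    """conds: list of (pattern, flags). True means the RewriteRule ([f]) is applied.
    Model: conditions are ANDed; a condition flagged OR is ORed with the next one."""
    i = 0
    while i < len(conds):
        pattern, flags = conds[i]
        ok = cond_true(referer, pattern, flags)
        if "OR" in flags:
            if ok:
                # One member of the OR group matched: skip the rest of the group.
                while i < len(conds) and "OR" in conds[i][1]:
                    i += 1
            # A failed OR-flagged condition decides nothing; evaluation moves on.
        elif not ok:
            return False
        i += 1
    return True

# Rule sets shaped like the ones in these notes (blocklist hosts are constructed).
WHITELIST = [("!^http://ojisan.org.jp$", "NC"), ("!^http://.*SOMEDOMAIN.TLD.*$", "NC")]
WHITELIST_OR = [("!^http://ojisan.org.jp$", "NC,OR"), ("!^http://.*SOMEDOMAIN.TLD.*$", "NC")]
BLOCKLIST = [("http://leech-a.example", "OR"), ("http://leech-b.example", "")]
BLOCKLIST_TRAILING_OR = [("http://leech-a.example", "OR"), ("http://leech-b.example", "OR")]

def report():
    """Return (ruleset, referer, outcome) rows for a few constructed requests."""
    cases = [("whitelist", WHITELIST, "http://ojisan.org.jp"),
             ("whitelist", WHITELIST, "http://ojisama.org.jp"),
             ("whitelist+OR", WHITELIST_OR, "http://ojisan.org.jp"),
             ("blocklist", BLOCKLIST, "http://leech-b.example/gallery"),
             ("blocklist", BLOCKLIST, "http://hustlercash.com/"),
             ("blocklist, OR on last", BLOCKLIST_TRAILING_OR, "http://hustlercash.com/")]
    return [(n, r, "forbidden" if rule_fires(r, c) else "pass through") for n, c, r in cases]

if __name__ == "__main__":
    for row in report():
        print("%-22s %-32s %s" % row)
```

In this model a negated whitelist only works with the default AND, and an [OR] left on the final condition of a blocklist makes the rule fire for every referer.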

Smash case

In ticket 161667 (Subdirectory of any Case) cust requested that whatever case the folder is typed in, it goes to the same place. Ended up with this:
in /web/sites/hustler/hustlermagazine.com on nat1731, .htaccess:
RewriteEngine on
#RewriteCond %{REQUEST_URI} ^/winadate/.*$ [NC]
RewriteCond %{REQUEST_URI} !^/winadate.*$
RewriteRule ^[Ww][Ii][Nn][Aa][Dd][Aa][Tt][Ee](.*) /winadate$1 [L,NC]

#VideoChallenge for 161667
RewriteCond %{REQUEST_URI} !^/videochallenge.*$
RewriteRule ^[Vv][Ii][Dd][Ee][Oo][Cc][Hh][Aa][Ll][Ll][Ee][Nn][Gg][Ee](.*) /videochallenge$1 [L,NC]

and I want to know why that first line doesn't work, or if it can be made to.

Trying this:

##DiffCasE
RewriteCond %{REQUEST_URI} ^/DiffCasE/.*$ [NC]
RewriteRule ^[Dd][Ii][Ff][Ff][Cc][Aa][Ss][Ee](.*) /DiffCasE$1 [L,NC]

Seems to reliably generate this server error. It's looping?

[Fri Aug 15 22:40:06 2008] [error] [client 66.115.128.132] mod_rewrite: maximum number of internal redirects reached. Assuming configuration error. Use 'RewriteOptions MaxRedirects' to increase the limit if neccessary.
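
Why the positive [NC] condition loops while the negated one stops, as an added example (not from the original notes): a Python model that assumes every rewrite applied in .htaccess re-runs the same rule on the rewritten URI, with an assumed cap of 10 passes standing in for the redirect limit in the error above. The request paths are constructed.

```python
import re

MAX_PASSES = 10  # assumed stand-in for mod_rewrite's internal redirect limit

def simulate(uri, cond, cond_nocase, rule, target):
    """Apply one RewriteCond + RewriteRule pair repeatedly, as a model of
    per-directory processing. Returns (final_uri, rewrites, looped)."""
    negate = cond.startswith("!")
    cond_re = re.compile(cond[1:] if negate else cond, re.I if cond_nocase else 0)
    rule_re = re.compile(rule, re.I)             # the RewriteRule carries NC
    for rewrites in range(MAX_PASSES):
        m = rule_re.search(uri.lstrip("/"))      # .htaccess rules see no leading slash
        cond_ok = (cond_re.search(uri) is not None) != negate
        if not (m and cond_ok):
            return uri, rewrites, False          # rule skipped: processing ends
        uri = target + m.group(1)                # rewrite, then start over
    return uri, MAX_PASSES, True                 # still rewriting at the cap

WINADATE_RULE = r"^[Ww][Ii][Nn][Aa][Dd][Aa][Tt][Ee](.*)"
# (RewriteCond pattern, cond has NC?, RewriteRule pattern, substitution prefix)
NEGATED = ("!^/winadate.*$", False, WINADATE_RULE, "/winadate")      # the working rule
POSITIVE_NC = ("^/winadate/.*$", True, WINADATE_RULE, "/winadate")   # the commented-out line
DIFFCASE = ("^/DiffCasE/.*$", True,
            r"^[Dd][Ii][Ff][Ff][Cc][Aa][Ss][Ee](.*)", "/DiffCasE")   # the looping block

if __name__ == "__main__":
    for name, rule_set, path in [("negated", NEGATED, "/WinADate/enter.html"),
                                 ("positive NC", POSITIVE_NC, "/WinADate/enter.html"),
                                 ("DiffCasE", DIFFCASE, "/diffcase/a.html")]:
        print(name, simulate(path, *rule_set))
```

The negated, case-sensitive condition becomes false as soon as the URI already has the target spelling, so the second pass leaves it alone; the positive [NC] condition also matches the rule's own output, so nothing ever stops the rewrite.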

Tickets and Alerts

#tickets
RewriteCond %{REQUEST_URI} ^https://www.mynatnet.com/tickets/$
RewriteRule ^https://www.mynatnet.com/tickets/\d{6}$ https://www.mynatnet.com/accounting/accounts.php?action=viewTicket&&ticket[id]=$1 [L]
#alerts
RewriteCond %{REQUEST_URI} ^http://www.mynatnet.com/alerts/$
RewriteRule ^https://www.mynatnet.com/alerts/\d{6,7}$ https://www.mynatnet.com/accounting/accounts.php?action=viewAlert&&alert[id]=$1 [L]

That tightens down those regexes quite a bit, like having a count of digits.