Prevent users from accessing files using non apache-rewritten urls - apache

May be a noob question but I'm just starting playing around with apache and have not found a precise answer yet.
I am setting up a web app using url-rewriting massively, to show nice urls like [mywebsite.com/product/x] instead of [mywebsite.com/app/controllers/product.php?id=x].
However, I can still access the required page by typing the url [mywebsite.com/app/controllers/product.php?id=x]. I'd like to make it not possible, i.e. redirect people to an error page if they do so, and allow them to access this page with the "rewritten" syntax only.
What would be the easiest way to do that? And do you think it is a necessary measure to secure an app?

In your PHP file, examine the $_SERVER['REQUEST_URI'] and ensure it is being accessed the way you want it to be.
There is no reason why this should be a security issue.

RewriteCond %{REDIRECT_URL} !^/app/controllers/product\.php$
RewriteRule ^app/controllers/product\.php$ /product/x [R,L]
RewriteRule ^product/(.*)$ /app/controllers/product.php?id=$1 [L]
The first rule will redirect any request to /app/controllers/product.php with no REDIRECT_URL variable set to the clean url. The Rewrite (last rule) will set this variable when calling the real page and won't be redirected.

Related

Manipulate user's address bar with mod_rewrite

I have a page at example.com/themizer.php, but I want it to appear that it's actually located at example.com/themizer/ (or example.com/themizer/index.php) for all practical purposes. I know how to basically make an alias for it with mod_rewrite, but how do I make it appear that users are being redirected to that alias? Example: a user requests example.com/themizer.php and the address in their browser turns into example.com/themizer/ without actually redirecting. Is this possible?
With server-side configuration, you can only accomplish this with a redirect. This does not necessarily need to be a problem. Just make sure that the urls on your site point to the fancy url and not to the internal url. Otherwise you generate a lot of requests that have to be redirected, instead of just redirecting the odd request that came in another way (e.g. through an external old url or old bookmark). You do it like this:
#External redirect
RewriteCond %{THE_REQUEST} ^GET\ /themizer\.php\ HTTP
RewriteRule ^themizer\.php$ /themizer/ [R,L]
#Internal rewrite
RewriteRule ^themizer/?$ themizer.php [L]
If you really must, you can use javascript to 'push' a new window state into the history, updating the address bar. This causes the "go to previous page" button in your browser to contain bogus though. In other words: Going to the previous page does not work as expected, which I would not recommend since there is a better option available. You can do it with the following javascript statement in browsers that support it:
window.history.pushState( null, document.title, "/themizer" );

How to setup wild card 301 redirect that will remove URL parameters from index.php

OK, I previously had some issues setting up a wildcard redirect to strip parameters from an old url format that were non-seo friendly to our root. With the help of stackoverflow we've got it corrected and working, but now I am experiencing issues with index.php?
I'm seeing tons of duplicate urls in the engines using this url format index.php?cPath=# and Google is stressing me because they think it's duplicate index pages.
I tried setting up this redirect in our htaccess but no go. It won't strip out the parameters or redirect; it just duplicates the page with a valid 200 response.
RewriteRule ^index.php/.*$ /? [R=301,NE,NC,L]
I want to redirect anything with index.php?cPath=# to our root domain. Any ideas on how I can tackle this 301 redirect using a mod_rewrite on apache?
I've also just noticed that our site has another issue with this url format:
domain.com/?cPath=#...
So now I also need to write a rewrite for domain.com/?cPath=#. I don't know where this one popped up from, but I can see it's going to cause issues, hence the valid 200 response code it gives. The engines are really going to love me for this one.

should redirect to www cause a one second delay?

I am using Magento 1.6.2.0 on a shared host running Litespeed web server, and I have begun investigating ways to speed up page loads. Currently I am using Pingdom to look at requests and it appears that I am losing an entire second from the get-go when I type my URL without the www. The browser redirects to the www page, it's just that it takes so long. Is this something I can fix? I presume that I can change Magento's base-url to not include the www, but then I presume I'll have the same delay when going to the www url instead.
I took a look at the link you gave, and I indeed see an about 1 second delay before I receive a 302 redirect to the URL with www. prepended. Not entirely coincidentally, the actual page HTML also takes quite long (about 1.7 seconds) to load.
This is a fairly common issue with large web applications: to return even a simple response like a redirect, the entire application must load and run its startup code. Couple this with a not so fast shared webserver that isn't optimized for that one application, and you can get quite slow page load times. It's nothing unique to Magento; I've seen the same effect with MediaWiki myself, and I expect that it happens with other applications too.
The obvious solution is just to avoid redirects: as long as you make sure all your URLs have the right hostname, the extra delay due to wrong hostnames will not appear. Magento itself will presumably take care of this for its own URLs, but if you have any other code (or static pages) that link to your Magento URLs, make sure they use the right hostname.
You can also sign up for Google Webmaster Tools (and similar tools for other search engines) and configure your preferred domain there (it's under Site configuration → Settings) so that Google will automatically prepend www. to any links to your site it indexes.
You can (and should) also try to reduce Magento's startup time in general. This will speed up not only redirects, but all other page loads as well. I'm not familiar enough with Magento to be able to give much detailed advice on this, but the obvious first step for any massive PHP application is to make sure you're using a PHP accelerator such as APC.
Finally, the fastest way to redirect visitors to the correct hostname is to make your webserver send the redirect directly without ever invoking Magento at all. The details on how to do this depend on the server software you're using, but apparently LiteSpeed supports the same RewriteRule syntax as Apache's mod_rewrite, so you should be able to do this just by adding the following lines to your main .htaccess file:
Options +FollowSymLinks
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} !^www\.mmmspeciosa\.com$ [NC]
RewriteRule ^(.*)$ http://www.mmmspeciosa.com/$1 [R=301,L]
(By the way, I'm using HTTP 301 permanent redirects here instead of the HTTP 302 temporary redirects Magento seems to be using. This is not only more appropriate according to the HTTP standard, but also works better with search engines, which treat a 301 redirect as an indication to index the target URL instead of the source of the redirect. If this redirect type is not configurable in Magento, I would consider it a bug. If it is configurable, you should set it to 301.)

Apache RewriteMap and hiding the URL

I'm trying to implement persistent URLs under Apache and I'm having trouble getting the URL passed back from the RewriteMap to remain hidden. That is, if I have the PURL:
http://www.mysite.com/psearch?purl=12345
and the mapped value for it is:
http://www.mysite.com/search?name=test&type=test2
I want the PURL to be the URL displayed in the browser address bar. Unfortunately, it keeps displaying the site that the PURL maps to instead. My rule is the following:
RewriteCond %{REQUEST_URI} /psearch(/)*$
RewriteMap mapper prg:/scripts/rewritetest.pl
RewriteRule ^/(.*)$ ${mapper:$1} [L]
All the mapper does right now is return a URL for a test page on the system, since I'm trying to get the address hiding working. And I know I'm not grabbing the parameters right now, I'm just trying to get the test running using the psearch keyword, and will add the rest later if it's possible to hide the address.
Any help is appreciated, Thanks!
Turns out the problem was that I was returning the full URL, which forced a full redirect. Passing back just the REQUEST_URI portion made things work.
Forcing the headers to expire also helped, since things were getting cached that were obscuring when something was working properly.

Is rewrite in .htaccess visible to users?

Using the following Rewrite rule:
RewriteRule ^page.html$ /secretpage.php [L]
Is there any way someone can know that the page being served now is /secretpage.php on the server?
I am not asking if someone can get to this page alone by typing it in the URL line, but rather if someone can know about the rewrite that was made on the server side.
Thanks,
Joel
No, unless you make that rewrite an external redirect, the rewrite is only done internally. An external redirect happens either explicitly by using the R flag or implicitly when an absolute URL is used as substitution (although there are some further restrictions).
But the substitution is still accessible when requesting it directly. So your rule will only add a way to access secretpage.php and it is then accessible by both /page.html and /secretpage.php.
I don't think it's possible, as it's the server which performs the rewriting. Anyway, the request's headers don't reveal anything.
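
Added example, not part of the original posts: the first question on this page (direct access to /app/controllers/product.php) and the last answer (secretpage.php stays reachable by its own URL) both come down to refusing the internal path when the client itself requests it. One way to do that in a DocumentRoot .htaccess, assuming per-directory context and the paths used in those posts; the ([0-9]+) id pattern and the 404 response are choices made for this example.

```apache
# Added example: .htaccess in the DocumentRoot (per-directory context assumed).
RewriteEngine On

# --- Weak form: rewrite only -------------------------------------------
# With just the two internal rewrites further down, the rules merely add
# aliases. /app/controllers/product.php?id=7 and /secretpage.php still
# answer when requested directly.

# --- Hardened form: guard first, then rewrite ---------------------------
# On the first pass over a client request REDIRECT_STATUS is unset.
# Apache sets it only after an internal redirect, which is what a
# per-directory rewrite triggers. An empty value therefore means the
# client asked for the internal path itself: answer 404 and stop.
# A status outside 300-399 in [R=...] drops the substitution and ends
# rewriting, so "-" is used as the target.
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^(app/controllers/|secretpage\.php$) - [R=404,L]

# Internal rewrites: the only supported way in. No R flag and no absolute
# URL, so the browser's address bar keeps the clean URL.
RewriteRule ^product/([0-9]+)/?$ /app/controllers/product.php?id=$1 [L]
RewriteRule ^page\.html$ /secretpage.php [L]

# Request flow with the guard in place:
#   GET /product/7
#     pass 1: guard pattern does not match, rewrite rule fires
#     pass 2: URI is app/controllers/product.php, REDIRECT_STATUS=200,
#             guard condition fails, controller runs
#   GET /app/controllers/product.php?id=7
#     pass 1: guard pattern matches, REDIRECT_STATUS empty -> 404
```

In server or virtual-host context the rules are not re-run after a rewrite, so there the guard can be listed first without the RewriteCond, with patterns that start with a slash.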