Discussion:
the order of Rewrite commands in an .htaccess file
super70s
2016-07-02 03:08:57 UTC
To make a long story short I have added some Rewrite commands to my
.htaccess file to help prevent another hack of my site, which happened a
few weeks ago.

I'm just wondering if it matters if I group all the RewriteRule's
together and Rewrite Cond's together, or does it particularly matter?

Currently the file looks something like this. The first four are from
the original file, and the others are the ones I just added:

RewriteEngine on
RewriteRule ^category(.*).html$ index.php?page=category&category_id=$1 [L]
RewriteRule ^article(.*).html$ index.php?page=article&article_id=$1 [L]
RewriteRule ^page_(.*).html$ index.php?pagedb=$1 [L]
RewriteRule ^index.html$ index.php
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

Would it be best to move that Rewrite Rule at the very end (which was
one of the hack prevention commands I found online, along with all those
Rewrite Cond's) up with the other four original Rewrite Rules at the top?

Or group all the RewriteCond's at the top, before all the RewriteRule's?
It seems this is the way it's done in all the examples I looked at.
Doc O'Leary
2016-07-02 15:48:33 UTC
For your reference, records indicate that
Post by super70s
I'm just wondering if it matters if I group all the RewriteRule's
together and Rewrite Cond's together, or does it particularly matter?
I’m not sure the question makes sense. Rule order matters, and rule
conditions only apply to the first rule that follows them. I’m not
sure what you think you will accomplish if you “group” things as you
propose.
Post by super70s
Would it be best to move that Rewrite Rule at the very end (which was
one of the hack prevention commands I found online, along with all those
Rewrite Cond's) up with the other four original Rewrite Rules at the top?
Well, I’d say it’d be best to stop using PHP. Otherwise, it is
generally a good practice to put the most restrictive rules first,
especially if they stop the rewriting process with an [L].
Post by super70s
Or group all the RewriteCond's at the top, before all the RewriteRule's?
It seems this is the way it's done in all the examples I looked at.
You need to understand *why* the examples you see work the way they do.
Just copy-pasting directives and then shuffling them all around is a
recipe for disaster.
--
"Also . . . I can kill you with my brain."
River Tam, Trash, Firefly
super70s
2016-07-03 19:35:07 UTC
Post by Doc O'Leary
For your reference, records indicate that
Post by super70s
I'm just wondering if it matters if I group all the RewriteRule's
together and Rewrite Cond's together, or does it particularly matter?
I’m not sure the question makes sense. Rule order matters, and rule
conditions only apply to the first rule that follows them. I’m not
sure what you think you will accomplish if you “group” things as you
propose.
Post by super70s
Would it be best to move that Rewrite Rule at the very end (which was
one of the hack prevention commands I found online, along with all those
Rewrite Cond's) up with the other four original Rewrite Rules at the top?
Well, I’d say it’d be best to stop using PHP.
PHP is at least a lot better than WordPress, the platform I was using
when the nasty malware hack happened.
Post by Doc O'Leary
Otherwise, it is generally a good practice to put the most restrictive rules
first, especially if they stop the rewriting process with an [L].
I think I'll move that last RewriteRule up with the other RewriteRules
then (and before RewriteRule ^index.html$ index.php).
Post by Doc O'Leary
Post by super70s
Or group all the RewriteCond's at the top, before all the RewriteRule's?
It seems this is the way it's done in all the examples I looked at.
You need to understand *why* the examples you see work the way they do.
Just copy-pasting directives and then shuffling them all around is a
recipe for disaster.
The author had descriptions of what all of those last 7 do commented
out, but I just removed them...

# proc/self/environ? no way!
RewriteCond %{QUERY_STRING} proc/self/environ [OR]

# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]

# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]

# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]

# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})

# Send all blocked requests to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]
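
An added example, not part of any post in this thread and not Apache's own code: a simplified single-pass model of the ordering points discussed above, using a subset of the posted rules. The `run_pass` function, the rule tuples, the sample requests and the single-pass simplification are assumptions of this example, and brackets and parentheses in the conditions are written as escaped literals.

```python
import re

# Simplified single-pass model of per-directory rule processing (an assumption of
# this example, not Apache's code). Each rule: (conditions, pattern, substitution, flags).
# Conditions are OR'ed, as in the posted block; an empty list means no RewriteCond.
BLOCK = ([r"proc/self/environ", r"base64_encode.*\(.*\)",
          r"GLOBALS(=|\[|%[0-9A-Z]{0,2})", r"_REQUEST(=|\[|%[0-9A-Z]{0,2})"],
         r"^(.*)$", None, {"F", "L"})
ARTICLE = ([], r"^article(.*).html$", r"index.php?page=article&article_id=\1", {"L"})
INDEX = ([], r"^index.html$", "index.php", set())

ORIGINAL = [ARTICLE, INDEX, BLOCK]    # order as posted: block rule last
REORDERED = [BLOCK, ARTICLE, INDEX]   # conditions moved together with their rule
RULE_ONLY = [([], BLOCK[1], None, BLOCK[3]), ARTICLE, INDEX]  # rule moved, conditions left behind

def run_pass(rules, path, query):
    """Run one pass over the rules; return (status, path, query)."""
    for conds, pattern, subst, flags in rules:
        m = re.search(pattern, path)
        if not m:
            continue
        # RewriteCond lines guard only the single RewriteRule that follows them.
        if conds and not any(re.search(c, query) for c in conds):
            continue
        if "F" in flags:
            return 403, path, query
        target = m.expand(subst)
        if "?" in target:
            path, query = target.split("?", 1)  # no QSA flag: request query is replaced
        else:
            path = target                        # substitution has no query: it is kept
        if "L" in flags:
            break
    return 200, path, query

if __name__ == "__main__":
    probe = ("article5.html", "GLOBALS[x]=1")   # constructed sample request
    for name, rules in (("as posted", ORIGINAL), ("block first", REORDERED),
                        ("rule moved alone", RULE_ONLY)):
        print(name, run_pass(rules, *probe), run_pass(rules, "article5.html", ""))
```

In a real .htaccess the rewritten URL is passed through the rules again after [L]; by then the article rule has already replaced the query string, so the conditions at the end have nothing left to match.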
