htaccess Elite

.htaccess tutorial


All times are UTC [ DST ]





 Post subject: RewriteRule does not allow environment variables in cookie f
PostPosted: 08 Oct 2007 17:07 
Joined: 30 Jan 2007 11:20
Posts: 33
I ended up replacing it with the following configuration options, which achieve what I want:

Code:
    # These SetEnvIf statements get evaluated per request, before the
    # Rewrite* statements. The Header statement sets a cookie to
    # remember the visitor's original referrer until the visitor submits the
    # contact form.
    SetEnvIf Request_Method ".*" set_referrer_url_from_http_referer
    SetEnvIf Referer "^$" !set_referrer_url_from_http_referer
    SetEnvIf Referer "^http://(www\.)?mydomain\.com" !set_referrer_url_from_http_referer
    SetEnvIf Request_URI "^/vanity_url/" !set_referrer_url_from_http_referer
    Header add Set-Cookie "original_referrer_url=%{HTTP_REFERER}e; domain=.mydomain.com" env=set_referrer_url_from_http_referer

    # The Rewrite* statements are needed to handle the case when
    # vanity URLs are used. Vanity URLs are of the form
    # www.mydomain.com/abc. A vanity URL of the form /(abc) gets remapped
    # to /vanity_url/abc.html, etc.... The original referrer information is
    # also retained, which is important because if we simply did it in the
    # SetEnvIf and Header section above, the referrer would be lost because
    # the rewrite causes an internal redirect, which causes the referrer
    # HTTP header to be lost.
    RewriteEngine on
    RewriteBase /
    RewriteCond "/home/mydomain/www/public_html/vanity_url/$1.html" -s
    RewriteCond "%{HTTP_REFERER}" "^http://(.+)$"
    RewriteRule "^([a-zA-Z0-9]+)$" "vanity_url/$1.html" [CO=original_referrer_url:%1:.mydomain.com,L]

    RewriteCond "/home/mydomain/www/public_html/vanity_url/$1.html" -s
    RewriteRule "^([a-zA-Z0-9]+)$" "vanity_url/$1.html" [L]


When I said the original configuration setting did not work, I meant that it did not set the cookie as I wanted. Regardless, now I have my problem resolved in a good way. However, I think the cookie flag of the RewriteRule directive does not allow environment variables. If it were consistent, you would think that the cookie flag should allow environment variables.


 Post subject:
PostPosted: 08 Oct 2007 17:12

Joined: 30 Jan 2007 11:20
Posts: 33
Code:
Apache reverse proxy and iNotes - Here's how you can do it.
Posted by Josh Tibbs on 18.Sep.03 at 03:38 PM using a Web browser
Category: iNotes -- iNotes Web Access
Release: 5.0.10
Platform: Windows 2000


Hi Mike and everybody else,

I'm using Redhat 9, Apache 2, Domino 5.0.10 on Win 2k, IIS.

Here's how I did it. My servers are all Domino for IIS with Basic auth only turned on in IIS. The cinapp1 server is the main app server with the portalish page. The portal page also serves a second purpose of setting a cookie with the user's server name (derived from Domino Directory and set with Computed Text JavaScript) that is used by mod_rewrite in Apache to rewrite requests to the user's correct server. The proxy itself uses basic auth over SSL (actually it's all over SSL) and authenticates users against Win2K AD (mod_auth_kerb). The browser then offers the credentials on each request because all requests are going to the same realm/server from the browser perspective.

There are a few problems still, though. 302 redirects are dog slow. I work around a few of them with mod_rewrite. Sometimes pages seem to stall. Haven't figured that out yet. There may be more efficient ways to do these rules and there may be junk rules left in this config. I'm a mod_rewrite n00b. Suggestions welcome.

# Config file for domain webmail

#Use a virtual host on port 80. Redirects to 443 for SSL.
<VirtualHost *:80>
ServerName webmail.domain.com
Redirect / https://webmail.domain.com
</VirtualHost>


<VirtualHost *:443>
ServerName webmail.domain.com
#SSL Stuff
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateKeyFile /etc/httpd/conf/webmail.domain.com.key
SSLCertificateFile /etc/httpd/conf/webmail.domain.com.crt

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

#Fix the redirects. Forwards are handled by mod_rewrite and [P]
ProxyPassReverse / http://cinmail1.domain.com/
ProxyPassReverse / http://crnmail1.domain.com/
ProxyPassReverse / http://cromail1.domain.com/
ProxyPassReverse / http://einmail1.domain.com/
ProxyPassReverse / http://elymail1.domain.com/
ProxyPassReverse / http://munmail1.domain.com/
ProxyPassReverse / http://nrbmail1.domain.com/
ProxyPassReverse / http://olymail1.domain.com/
ProxyPassReverse / http://pinmail1.domain.com/
ProxyPassReverse / http://elymail1.domain.com/
ProxyPassReverse / http://thomail1.domain.com/
ProxyPassReverse / http://cinapp1.domain.com/
ProxyPassReverse / http://cinip140wtdom.domain.com/
ProxyPassReverse / http://cinip142wtdom.domain.com/
ProxyPassReverse / http://webmail.domain.com/
ProxyPassReverse / http://webmailex.domain.com/

#Turn on rewrite and crank up the log
RewriteEngine on
RewriteLog /etc/httpd/logs/rewrite.log
RewriteLogLevel 1

#Force SSL
RewriteCond %{SERVER_PORT} ^80
RewriteRule (.*) $0 [R]

#Logout
#RewriteCond %{QUERY_STRING} ^Logout
#RewriteRule (.*) /webserv.nsf [R,L]


# hack to return 302 to redirect to real webmail page instead of
# letting domino do it. 302 redirects are slow via proxy for unknown reason.
RewriteRule ^/mail/(.*)\.nsf$ $0/iNotes/Welcome/?OpenDocument [R,L]


#The rules. One set per server.
RewriteCond %{HTTP_COOKIE} domainWebmailSite=cinmail1 [NC]
RewriteRule ^/((mail|iNotes|icons|domjava)/.*)$ http://cinmail1.domain.com/$1 [P]

RewriteCond %{HTTP_COOKIE} domainWebmailSite=cromail1 [NC]
RewriteRule ^/((mail|iNotes|icons|domjava)/.*)$ http://cromail1.domain.com/$1 [P]

RewriteCond %{HTTP_COOKIE} domainWebmailSite=crnmail1 [NC]
RewriteRule ^/((mail|iNotes|icons|domjava)/.*)$ http://crnmail1.domain.com/$1 [P]

RewriteCond %{HTTP_COOKIE} domainWebmailSite=einmail1 [NC]
RewriteRule ^/((mail|iNotes|icons|domjava)/.*)$ http://einmail1.domain.com/$1 [P]

RewriteCond %{HTTP_COOKIE} domainWebmailSite=elymail1 [NC]
RewriteRule ^/((mail|iNotes|icons|domjava)/.*)$ http://elymail1.domain.com/$1 [P]

RewriteCond %{HTTP_COOKIE} domainWebmailSite=munmail1 [NC]
RewriteRule ^/((mail|iNotes|icons|domjava)/.*)$ http://munmail1.domain.com/$1 [P]

RewriteCond %{HTTP_COOKIE} domainWebmailSite=pinmail1 [NC]
RewriteRule ^/((mail|iNotes|icons|domjava)/.*)$ http://pinmail1.domain.com/$1 [P]

RewriteCond %{HTTP_COOKIE} domainWebmailSite=thomail1 [NC]
RewriteRule ^/((mail|iNotes|icons|domjava)/.*)$ http://thomail1.domain.com/$1 [P]

RewriteCond %{HTTP_COOKIE} domainWebmailSite=nrbmail1 [NC]
RewriteRule ^/((mail|iNotes|icons|domjava)/.*)$ http://nrbmail1.domain.com/$1 [P]

RewriteCond %{HTTP_COOKIE} domainWebmailSite=olymail1 [NC]
RewriteRule ^/((mail|iNotes|icons|domjava)/.*)$ http://olymail1.domain.com/$1 [P]

#Didn't match yet? Better tell the user she has a bad cookie.
RewriteRule ^/((mail|iNotes|icons|domjava)/.*)$ http://webmailex.domain.com/badcookie.htm [P]

# fix another 302 delay
RewriteCond %{HTTP_HOST} ^webmail\.domain\.com
RewriteRule (^/$) /webserv.nsf [R,L]

# make the homepage requests go to the homepage server
RewriteCond %{HTTP_HOST} ^webmail\.domain\.com
RewriteRule (.*) http://webmailex.domain.com$0 [P]


# require KRB5 auth against AD from the top down
<Location />
SSLRequireSSL
AllowOverride None
AuthType KerberosV5SaveCredentials
AuthName "domain Webmail"
# determines if mod_auth_kerb will allow other modules
# to try to authenticate the user after it fails to do so
KrbAuthAuthoritative off
KrbAuthRealm DOMAIN.COM
KrbLifetime 300
#KrbExpireReauth on
order allow,deny
allow from all
require valid-user
</Location>
</VirtualHost>


 Post subject:
PostPosted: 08 Oct 2007 17:15

Joined: 30 Jan 2007 11:20
Posts: 33
Code:
Thanks, I currently got this working:


RewriteEngine On

RewriteCond %{QUERY_STRING} adwords$ [NC]
RewriteCond %{ENV:adwords} !^1$
RewriteCond %{HTTP_COOKIE} !^.*adwords=1.*$ [NC]
RewriteRule ^.*$ - [E=adwords:1,CO=adwords:1:www.mysite.com]

RewriteCond %{ENV:adwords} !^1$
RewriteCond %{HTTP_COOKIE} ^.*adwords=1.*$ [NC]
RewriteRule ^.*$ - [E=adwords:1]

However, I believe it is not optimal yet. Not sure if writing out the Cookie through the RewriteEngine is the best thing. Also, the regex for recognizing the adwords=1 in the Cookie is not really efficient.

Anyone got any improvements?


 Post subject:
PostPosted: 08 Oct 2007 17:15

Joined: 30 Jan 2007 11:20
Posts: 33
Code:
RewriteEngine on

RewriteCond %{HTTP_COOKIE} !^.*CookieName.*$
RewriteRule ^.*$ /_splash/setcookie.cgi


 Post subject:
PostPosted: 08 Oct 2007 17:47

Joined: 30 Jan 2007 11:20
Posts: 33
First thing to check on a 500-Server Error is your error log. It will tell you what the problem is. If you don't have access to your error log, it's time to look for a new host; you can't do much serious server-side stuff without an error log.

I'm not sure if this is a cut-n-paste error or the effects of posting on this board, but you must have space in the RewriteConds between the characters "}" and "!", and the last line is missing the closing "]".

I tested the code I posted in msg#18, and it works correctly on my servers. The URL is rewritten, the query string is populated, and the environment variable is populated and passed to the script correctly.

Code:
DirectoryIndex cgi-bin/y/d.cgi/?index-IPP10000 index.htm
Options +FollowSymlinks -Indexes -MultiViews
RewriteEngine on
RewriteBase /
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com [NC]
RewriteRule \.(gif|jpe?g|png|bmp)$ - [F,NC]
RewriteRule ^\.htaccess$ - [F]
#
# New Test of URL passing variables
#
RewriteRule ^([0-9]+)/([a-z]+)/?$ /cgi-bin/y/d.cgi?$2-IPP$1 [NC,E=MY_VAR:$1,C]
RewriteRule .* - [L]
#
RewriteRule ^([0-9]+)/?$ /cgi-bin/y/d.cgi?index-IPP$1 [E=MY_VAR:$1,C]
RewriteRule .* - [L]


Some of the changes (bolded) above are just clean-ups for efficiency, such as removing the redundant [L] from a rule with [F]. Others will prevent problems, such as the second RewriteCond failing for your hostname if a port number is appended.

Jim


 Post subject:
PostPosted: 08 Oct 2007 17:48

Joined: 30 Jan 2007 11:20
Posts: 33
The md5 hash of the filename would have to be a fixed value; mod_rewrite can match (test) pre-defined URL strings and pass requests to scripts, but cannot directly call functions, such as MD5 hash routines.

This solution sounds over-complicated, and -- begging your pardon -- ineffective. Regardless of any modification or encoding of the filename, it will be "visible" to the user's browser and therefore, directly accessible -- at least for the next hour.

I'd suggest you look into issuing a short-lived cookie to each user who visits an authorized page on your site, and then check for that cookie using mod_rewrite (or a server-side script) before serving the .swf file. Users with a correct and current cookie can be redirected to the .swf file, and those with an expired cookie or no cookie can be redirected to a "please login" file -- both would have to be .swf files. Only the browser would have the cookie, so any attempt to request the .swf file with a download tool would fail. Hotlinking would not work, because the linking site would not be able to issue the required cookie with the correct realm.

Another alternative would be to redirect all requests for the .swf file to a server-side script to handle the authorization, if you are more comfortable with perl or php, for example.
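
One way to build the server-side check suggested above, as an added example that is not part of the original post. It goes beyond the post's plain short-lived cookie by putting an expiry time and an HMAC in the value, so the cookie cannot be typed in by hand or reused past its lifetime. The cookie name, secret, file paths and one-hour lifetime are assumptions.

```python
import base64
import hashlib
import hmac
import time

# Assumptions for this sketch (none of these names come from the thread):
SECRET_KEY = b"constructed-demo-key"   # server-side secret, never sent to clients
COOKIE_NAME = "swf_access"             # hypothetical cookie name
TTL_SECONDS = 3600                     # how long a visit to an authorized page counts
PROTECTED_SWF = "/media/movie.swf"     # hypothetical paths
LOGIN_SWF = "/media/please_login.swf"


def _sign(expires: int) -> str:
    """HMAC over the expiry time, so a client cannot extend or invent a cookie."""
    mac = hmac.new(SECRET_KEY, str(expires).encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def issue_cookie(now=None) -> str:
    """Set-Cookie value to send with every authorized page."""
    expires = int(time.time() if now is None else now) + TTL_SECONDS
    return (f"{COOKIE_NAME}={expires}.{_sign(expires)}; Max-Age={TTL_SECONDS}; "
            "Path=/; HttpOnly; SameSite=Lax")


def choose_file(cookie_header: str, now=None) -> str:
    """Pick the file to serve for a .swf request from its Cookie header."""
    now = int(time.time() if now is None else now)
    value = None
    for part in (cookie_header or "").split(";"):
        name, _, candidate = part.strip().partition("=")
        if name == COOKIE_NAME:          # exact name match, not a substring test
            value = candidate
    if value is None:
        return LOGIN_SWF                 # no cookie presented
    expires_text, _, signature = value.partition(".")
    if not (expires_text.isascii() and expires_text.isdigit()):
        return LOGIN_SWF                 # malformed value
    expected = _sign(int(expires_text))
    if not hmac.compare_digest(signature.encode(), expected.encode()):
        return LOGIN_SWF                 # forged or tampered value
    if int(expires_text) < now:
        return LOGIN_SWF                 # expired: enforced server-side, not by the browser
    return PROTECTED_SWF
```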


 Post subject:
PostPosted: 08 Oct 2007 17:49

Joined: 30 Jan 2007 11:20
Posts: 33
You can test to see if the "valid page" exists, and if not, rewrite to the "special page":

Code:
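# Get cookie value if it exists. The value is supplied by the client and is
# used in a filesystem path below, so only letters, digits, "_" and "-" are
# accepted; any other value (for example one containing "../") falls through
# to the special page.
RewriteCond %{HTTP_COOKIE} curso=([A-Za-z0-9_-]+)(;|$)
# if valid page exists as a file
RewriteCond %{DOCUMENT_ROOT}/mir/lecciones/%1/$2 -f
# internally rewrite to valid page
RewriteRule ^/conflict_directory/([^/])+/(.+\.html?)$ /mir8/lecciones/%1/$2 [L]
# else rewrite to special page
RewriteRule ^/conflict_directory/([^/])+/(.+\.html?)$ /special_page.html [L]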

