.htaccess tutorial

htaccess Elite


RewriteRule does not allow environment variables in cookie f


Post by rewritecond » 08 Oct 2007 17:07

I ended up replacing it with the following configuration options, which achieve what I want:

Code:
    # These SetEnvIf statements get evaluated per request, before the
    # Rewrite* statements. The Header statement sets a cookie to
    # remember the visitor's original referrer until the visitor submits the
    # contact form.
    SetEnvIf Request_Method ".*" set_referrer_url_from_http_referer
    SetEnvIf Referer "^$" !set_referrer_url_from_http_referer
    SetEnvIf Referer "^http://(www\.)?mydomain\.com" !set_referrer_url_from_http_referer
    SetEnvIf Request_URI "^/vanity_url/" !set_referrer_url_from_http_referer
    Header add Set-Cookie "original_referrer_url=%{HTTP_REFERER}e; domain=.mydomain.com" env=set_referrer_url_from_http_referer

    # The Rewrite* statements are needed to handle the case when
    # vanity URLs are used. Vanity URLs are of the form
    # www.mydomain.com/abc. A vanity URL of the form /(abc) gets remapped
    # to /vanity_url/abc.html, etc.... The original referrer information is
    # also retained, which is important because if we simply did it in the
    # SetEnvIf and Header section above, the referrer would be lost because
    # the rewrite causes an internal redirect, which causes the referrer
    # HTTP header to be lost.
    RewriteEngine on
    RewriteBase /
    RewriteCond "/home/mydomain/www/public_html/vanity_url/$1.html" -s
    RewriteCond "%{HTTP_REFERER}" "^http://(.+)$"
    RewriteRule "^([a-zA-Z0-9]+)$" "vanity_url/$1.html" [CO=original_referrer_url:%1:.mydomain.com,L]

    RewriteCond "/home/mydomain/www/public_html/vanity_url/$1.html" -s
    RewriteRule "^([a-zA-Z0-9]+)$" "vanity_url/$1.html" [L]


When I said the original configuration setting did not work, I meant that it did
not set the cookie as I wanted. Regardless, now I have my problem resolved in a
good way. However, I think the cookie flag of the RewriteRule directive does not
allow environment variables. If it were consistent, you would think that the
cookie flag should allow environment variables.
rewritecond
 
Posts: 33
Joined: 30 Jan 2007 11:20

Post by rewritecond » 08 Oct 2007 17:12

Code:
Apache reverse proxy and iNotes - Here's how you can do it.
Posted by Josh Tibbs on 18.Sep.03 at 03:38 PM using a Web browser
Category: iNotes -- iNotes Web Access
Release: 5.0.10
Platform: Windows 2000


Hi Mike and everybody else,

I'm using Redhat 9, Apache 2, Domino 5.0.10 on Win 2k, IIS.

Here's how I did it. My servers are all Domino for IIS with Basic auth only turned on in IIS. The cinapp1 server is the main app server with the portalish page. The portal page also serves a second purpose of setting a cookie with the user's server name (derived from Domino Directory and set with Computed Text JavaScript) that is used by mod_rewrite in Apache to rewrite requests to the user's correct server. The proxy itself uses basic auth over SSL (actually it's all over SSL) and authenticates users against Win2K AD (mod_auth_kerb). The browser then offers the credentials on each request because all requests are going to the same realm/server from the browser perspective.

There are a few problems still, though. 302 redirects are dog slow. I work around a few of them with mod_rewrite. Sometimes pages seem to stall. Haven't figured that out yet. There may be more efficient ways to do these rules and there may be junk rules left in this config. I'm a mod_rewrite n00b. Suggestions welcome.

# Config file for domain webmail

#Use a virtual host on port 80. Redirects to 443 for SSL.
<VirtualHost *:80>
ServerName webmail.domain.com
Redirect / https://webmail.domain.com
</VirtualHost>


<VirtualHost *:443>
ServerName webmail.domain.com
#SSL Stuff
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateKeyFile /etc/httpd/conf/webmail.domain.com.key
SSLCertificateFile /etc/httpd/conf/webmail.domain.com.crt

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0

#Fix the redirects. Forwards are handled by mod_rewrite and [P]
ProxyPassReverse / http://cinmail1.domain.com/
ProxyPassReverse / http://crnmail1.domain.com/
ProxyPassReverse / http://cromail1.domain.com/
ProxyPassReverse / http://einmail1.domain.com/
ProxyPassReverse / http://elymail1.domain.com/
ProxyPassReverse / http://munmail1.domain.com/
ProxyPassReverse / http://nrbmail1.domain.com/
ProxyPassReverse / http://olymail1.domain.com/
ProxyPassReverse / http://pinmail1.domain.com/
ProxyPassReverse / http://elymail1.domain.com/
ProxyPassReverse / http://thomail1.domain.com/
ProxyPassReverse / http://cinapp1.domain.com/
ProxyPassReverse / http://cinip140wtdom.domain.com/
ProxyPassReverse / http://cinip142wtdom.domain.com/
ProxyPassReverse / http://webmail.domain.com/
ProxyPassReverse / http://webmailex.domain.com/

#Turn on rewrite and crank up the log
RewriteEngine on
RewriteLog /etc/httpd/logs/rewrite.log
RewriteLogLevel 1

#Force SSL
RewriteCond %{SERVER_PORT} ^80
RewriteRule (.*) $0 [R]

#Logout
#RewriteCond %{QUERY_STRING} ^Logout
#RewriteRule (.*) /webserv.nsf [R,L]


# hack to return 302 to redirect to real webmail page instead of
# letting domino do it. 302 redirects are slow via proxy for unknown reason.
RewriteRule ^/mail/(.*)\.nsf$ $0/iNotes/Welcome/?OpenDocument [R,L]


#The rules. One set per server.
RewriteCond %{HTTP_COOKIE} domainWebmailSite=cinmail1 [NC]
RewriteRule ^/((mail|iNotes|icons|domjava)/.*)$ http://cinmail1.domain.com/$1 [P]

RewriteCond %{HTTP_COOKIE} domainWebmailSite=cromail1 [NC]
RewriteRule ^/((mail|iNotes|icons|domjava)/.*)$ http://cromail1.domain.com/$1 [P]

RewriteCond %{HTTP_COOKIE} domainWebmailSite=crnmail1 [NC]
RewriteRule ^/((mail|iNotes|icons|domjava)/.*)$ http://crnmail1.domain.com/$1 [P]

RewriteCond %{HTTP_COOKIE} domainWebmailSite=einmail1 [NC]
RewriteRule ^/((mail|iNotes|icons|domjava)/.*)$ http://einmail1.domain.com/$1 [P]

RewriteCond %{HTTP_COOKIE} domainWebmailSite=elymail1 [NC]
RewriteRule ^/((mail|iNotes|icons|domjava)/.*)$ http://elymail1.domain.com/$1 [P]

RewriteCond %{HTTP_COOKIE} domainWebmailSite=munmail1 [NC]
RewriteRule ^/((mail|iNotes|icons|domjava)/.*)$ http://munmail1.domain.com/$1 [P]

RewriteCond %{HTTP_COOKIE} domainWebmailSite=pinmail1 [NC]
RewriteRule ^/((mail|iNotes|icons|domjava)/.*)$ http://pinmail1.domain.com/$1 [P]

RewriteCond %{HTTP_COOKIE} domainWebmailSite=thomail1 [NC]
RewriteRule ^/((mail|iNotes|icons|domjava)/.*)$ http://thomail1.domain.com/$1 [P]

RewriteCond %{HTTP_COOKIE} domainWebmailSite=nrbmail1 [NC]
RewriteRule ^/((mail|iNotes|icons|domjava)/.*)$ http://nrbmail1.domain.com/$1 [P]

RewriteCond %{HTTP_COOKIE} domainWebmailSite=olymail1 [NC]
RewriteRule ^/((mail|iNotes|icons|domjava)/.*)$ http://olymail1.domain.com/$1 [P]

#Didn't match yet? Better tell the user she has a bad cookie.
RewriteRule ^/((mail|iNotes|icons|domjava)/.*)$ http://webmailex.domain.com/badcookie.htm [P]

# fix another 302 delay
RewriteCond %{HTTP_HOST} ^webmail\.domain\.com
RewriteRule (^/$) /webserv.nsf [R,L]

# make the homepage requests go to the homepage server
RewriteCond %{HTTP_HOST} ^webmail\.domain\.com
RewriteRule (.*) http://webmailex.domain.com$0 [P]


# require KRB5 auth against AD from the top down
<Location />
SSLRequireSSL
AllowOverride None
AuthType KerberosV5SaveCredentials
AuthName "domain Webmail"
# determines if mod_auth_kerb will allow other modules
# to try to authenticate the user after it fails to do so
KrbAuthAuthoritative off
KrbAuthRealm DOMAIN.COM
KrbLifetime 300
#KrbExpireReauth on
order allow,deny
allow from all
require valid-user
</Location>
</VirtualHost>
rewritecond
 
Posts: 33
Joined: 30 Jan 2007 11:20

Post by rewritecond » 08 Oct 2007 17:15

Code:
Thanks, I currently got this working:


RewriteEngine On

RewriteCond %{QUERY_STRING} adwords$ [NC]
RewriteCond %{ENV:adwords} !^1$
RewriteCond %{HTTP_COOKIE} !^.*adwords=1.*$ [NC]
RewriteRule ^.*$ - [E=adwords:1,CO=adwords:1:www.mysite.com]

RewriteCond %{ENV:adwords} !^1$
RewriteCond %{HTTP_COOKIE} ^.*adwords=1.*$ [NC]
RewriteRule ^.*$ - [E=adwords:1]

However, I believe it is not optimal yet. Not sure if writing out the Cookie through the RewriteEngine is the best thing. Also, the regex for recognizing the adwords=1 in the Cookie is not really efficient.

Anyone got any improvements?
rewritecond
 
Posts: 33
Joined: 30 Jan 2007 11:20
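
Added example, not part of the original posts: the cookie tests in the two posts above (`domainWebmailSite=cinmail1` and `^.*adwords=1.*$`) are unanchored, so they also match other cookie names and longer values. The Python below emulates mod_rewrite's regex search over constructed Cookie headers and compares the posted patterns with one anchored to a whole `name=value` pair; the helper names are hypothetical, and the regex that `anchored()` builds can be used unchanged in a RewriteCond.

```python
import re

# Patterns as posted. mod_rewrite performs an unanchored regex search, which
# re.search emulates; the [NC] flag corresponds to re.IGNORECASE.
PAGE_ADWORDS = re.compile(r"^.*adwords=1.*$", re.IGNORECASE)
PAGE_CINMAIL1 = re.compile(r"domainWebmailSite=cinmail1", re.IGNORECASE)

# Backend names taken from the proxy configuration in the post above.
SERVERS = ("cinmail1", "cromail1", "crnmail1", "einmail1", "elymail1",
           "munmail1", "pinmail1", "thomail1", "nrbmail1", "olymail1")


def anchored(name, value_regex):
    """Regex matching name=value only as one complete pair of a Cookie header."""
    return re.compile(r"(?:^|;\s*)" + re.escape(name) + "=(" + value_regex + r")(?:;|$)")


ADWORDS = anchored("adwords", "1")
SITE = anchored("domainWebmailSite", "|".join(SERVERS))


def adwords_flags(cookie_header):
    """(posted pattern matches, anchored pattern matches) for one header."""
    return (bool(PAGE_ADWORDS.search(cookie_header)),
            bool(ADWORDS.search(cookie_header)))


def backend_for(cookie_header):
    """Proxy target chosen from the allowlist, or None for the bad-cookie page."""
    m = SITE.search(cookie_header)
    return "http://%s.domain.com/" % m.group(1) if m else None


# Constructed Cookie headers, not taken from any log.
SAMPLES = ["adwords=1", "sid=abc; adwords=1; theme=dark",
           "adwords=10", "noadwords=1", "sid=abc"]

if __name__ == "__main__":
    for header in SAMPLES:
        print("%-34r posted=%s anchored=%s" % ((header,) + adwords_flags(header)))
    for header in ("domainWebmailSite=munmail1", "domainWebmailSite=cinmail10",
                   "xdomainWebmailSite=cinmail1"):
        print("%-34r posted_cinmail1=%s backend=%s" % (
            header, bool(PAGE_CINMAIL1.search(header)), backend_for(header)))
```

The anchored patterns here are case-sensitive, since cookie names are; add `[NC]` in the RewriteCond only if the application really sets the cookie with varying case.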

Post by rewritecond » 08 Oct 2007 17:15

Code:
RewriteEngine on

RewriteCond %{HTTP_COOKIE} !^.*CookieName.*$
RewriteRule ^.*$ /_splash/setcookie.cgi
rewritecond
 
Posts: 33
Joined: 30 Jan 2007 11:20

Post by rewritecond » 08 Oct 2007 17:47

First thing to check on a 500-Server Error is your error log. It will tell you what the problem is. If you don't have access to your error log, it's time to look for a new host; you can't do much serious server-side stuff without an error log.

I'm not sure if this is a cut-n-paste error or the effects of posting on this board, but you must have space in the RewriteConds between the characters "}" and "!", and the last line is missing the closing "]".

I tested the code I posted in msg#18, and it works correctly on my servers. The URL is rewritten, the query string is populated, and the environment variable is populated and passed to the script correctly.

Code:
DirectoryIndex cgi-bin/y/d.cgi/?index-IPP10000 index.htm
Options +FollowSymlinks -Indexes -MultiViews
RewriteEngine on
RewriteBase /
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com [NC]
RewriteRule \.(gif|jpe?g|png|bmp)$ - [F,NC]
RewriteRule ^\.htaccess$ - [F]
#
# New Test of URL passing variables
#
RewriteRule ^([0-9]+)/([a-z]+)/?$ /cgi-bin/y/d.cgi?$2-IPP$1 [NC,E=MY_VAR:$1,C]
RewriteRule .* - [L]
#
RewriteRule ^([0-9]+)/?$ /cgi-bin/y/d.cgi?index-IPP$1 [E=MY_VAR:$1,C]
RewriteRule .* - [L]


Some of the changes (bolded) above are just clean-ups for efficiency, such as removing the redundant [L] from a rule with [F]. Others will prevent problems, such as the second RewriteCond failing for your hostname if a port number is appended.

Jim
rewritecond
 
Posts: 33
Joined: 30 Jan 2007 11:20

Post by rewritecond » 08 Oct 2007 17:48

The md5 hash of the filename would have to be a fixed value; mod_rewrite can match (test) pre-defined URL strings and pass requests to scripts, but cannot directly call functions, such as MD5 hash routines.

This solution sounds over-complicated, and -- begging your pardon -- ineffective. Regardless of any modification or encoding of the filename, it will be "visible" to the user's browser and therefore, directly accessible -- at least for the next hour.

I'd suggest you look into issuing a short-lived cookie to each user who visits an authorized page on your site, and then check for that cookie using mod_rewrite (or a server-side script) before serving the .swf file. Users with a correct and current cookie can be redirected to the .swf file, and those with an expired cookie or no cookie can be redirected to a "please login" file -- both would have to be .swf files. Only the browser would have the cookie, so any attempt to request the .swf file with a download tool would fail. Hotlinking would not work, because the linking site would not be able to issue the required cookie with the correct realm.

Another alternative would be to redirect all requests for the .swf file to a server-side script to handle the authorization, if you are more comfortable with perl or php, for example.
rewritecond
 
Posts: 33
Joined: 30 Jan 2007 11:20
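
Added example, not part of the original post: one way the server-side-script variant of the short-lived cookie check described above could work, using an HMAC over the expiry time so the script can tell a current, unmodified cookie from an expired or altered one. The cookie name, secret, lifetime and file names are assumptions made for the illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never sent to clients
LIFETIME = 600                    # assumption: cookie lifetime in seconds
COOKIE = "swf_pass"               # hypothetical cookie name


def _sign(expires_text):
    return hmac.new(SECRET, expires_text.encode(), hashlib.sha256).hexdigest()


def issue(now=None):
    """Cookie value handed out by an authorized page: '<expiry>.<hmac>'."""
    expires = str(int(time.time() if now is None else now) + LIFETIME)
    return expires + "." + _sign(expires)


def is_current(value, now=None):
    """True only for an unmodified value whose expiry lies in the future."""
    now = time.time() if now is None else now
    expires_text, _, sig = (value or "").partition(".")
    if not (expires_text.isascii() and expires_text.isdigit() and sig.isascii()):
        return False
    # Constant-time comparison of the presented and the recomputed signature.
    if not hmac.compare_digest(sig.encode(), _sign(expires_text).encode()):
        return False
    return int(expires_text) > now


def swf_for(cookie_header, now=None):
    """File to serve for a request: the movie, or the 'please login' movie."""
    for pair in (cookie_header or "").split(";"):
        name, _, value = pair.strip().partition("=")
        if name == COOKIE and is_current(value, now):
            return "movie.swf"          # hypothetical protected file
    return "please_login.swf"           # hypothetical fallback file


if __name__ == "__main__":
    token = issue()
    print(swf_for("sid=1; %s=%s" % (COOKIE, token)))
    print(swf_for("sid=1"))
```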

Post by rewritecond » 08 Oct 2007 17:49

You can test to see if the "valid page" exists, and if not, rewrite to the "special page":

Code:
# Get cookie value if it exists
RewriteCond %{HTTP_COOKIE} curso=([^;]+)
# if valid page exists as a file
RewriteCond %{DOCUMENT_ROOT}/mir/lecciones/%1/$2 -f
# internally rewrite to valid page
RewriteRule ^/conflict_directory/([^/]+)/(.+\.html?)$ /mir8/lecciones/%1/$2 [L]
# else rewrite to special page
RewriteRule ^/conflict_directory/([^/]+)/(.+\.html?)$ /special_page.html [L]
rewritecond
 
Posts: 33
Joined: 30 Jan 2007 11:20
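
Added example, not part of the original post: the rule above places the client-supplied `curso` cookie value into a filesystem path, so this Python sketch of the same "serve the lesson page if it exists, otherwise the special page" decision restricts the value to a single path segment and confirms the resolved file stays under the lessons directory. The directory layout follows the RewriteCond (`mir/lecciones`); the allowed character set, function names and sample files are assumptions.

```python
import os
import re
import tempfile

# Assumption: lesson names are one alphanumeric path segment. The posted
# pattern curso=([^;]+) passes any characters into the file path.
CURSO = re.compile(r"(?:^|;\s*)curso=([A-Za-z0-9_-]+)(?:;|$)")
PAGE = re.compile(r"[A-Za-z0-9_-]+\.html?")


def resolve(doc_root, cookie_header, page):
    """Path to serve: the lesson page if it exists under lecciones, else the special page."""
    special = os.path.join(doc_root, "special_page.html")
    m = CURSO.search(cookie_header or "")
    if not m or not PAGE.fullmatch(page):
        return special
    base = os.path.realpath(os.path.join(doc_root, "mir", "lecciones"))
    candidate = os.path.realpath(os.path.join(base, m.group(1), page))
    inside = os.path.commonpath([base, candidate]) == base
    return candidate if inside and os.path.isfile(candidate) else special


def demo():
    """Resolve constructed requests against a temporary document root."""
    requests = {
        "valid": ("sid=1; curso=algebra", "intro.html"),
        "missing_page": ("curso=algebra", "nope.html"),
        "no_cookie": ("sid=1", "intro.html"),
        "bad_cookie": ("curso=../..", "secret.html"),
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        lesson_dir = os.path.join(root, "mir", "lecciones", "algebra")
        os.makedirs(lesson_dir)
        for path in (os.path.join(lesson_dir, "intro.html"),
                     os.path.join(root, "secret.html")):
            with open(path, "w") as fh:
                fh.write("constructed\n")
        return {label: os.path.relpath(resolve(root, cookie, page), root).replace(os.sep, "/")
                for label, (cookie, page) in requests.items()}


if __name__ == "__main__":
    for label, served in demo().items():
        print(label, "->", served)
```

In the Apache rule itself, the equivalent tightening is to replace `([^;]+)` in the first RewriteCond with a character class that cannot contain `/` or `.`.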

