阿帕奇的.htaccess重定向index.html来根,为什么有FollowSymLinks和的RewriteBase? [英] Apache .htaccess to redirect index.html to root, why FollowSymlinks and RewriteBase?
问题描述
为了重定向所有 somefolder / index.html的(也是 somefolder / index.htm的)以 somefolder / 我在Apache中的.htaccess文件中使用这个简单的重写规则:
RewriteEngine叙述上
的RewriteCond%{THE_REQUEST} ^ * \ /指数\ html的?\ HTTP /
重写规则^(。*)指标\ html的?$/ $ 1[R = 301,L]
这工作得很好!
但<一href="http://groups.google.com/group/only-validation/web/fix-canonical-issues-www-vs-non-www-and-more-on-apache-server?pli=1">Google组他们建议还补充:
选项+了FollowSymLinks
的RewriteBase /
-
可能有人会这么好心来解释我为什么我一定要添加这些最后几行,并解释我一点,他们的意思是什么,他们做了什么?
-
有没有在不增加这些线路的潜在secuirty风险?
非常感谢,
为什么他们建议:
它建议你添加选项+了FollowSymLinks ,因为它是必要启用符号链接下面的的 mod_rewrite的工作,并有一个机会,虽然你可能会被允许打开它,它不是由主服务器配置中启用。我怀疑符号链接下面是必要的beause模块提出了一些要求,以 apr_stat(),它看起来像它需要遵循符号链接,以获取文件信息的原因在所有情况下
至于的RewriteBase ,它通常没有必要。文档的推移它,但由于大多数人的文件中的执行的在的DocumentRoot 生活的地方,它通常只服务的目的,如果你重定向外部和使用目录的相对URL。为了说明我的意思,考虑以下几点:
RewriteEngine叙述上
重写规则^重定向的index.html [R,L]
有关的 example.com/redirect 的请求会导致外部重定向到的 example.com/full/path/to/web/root/index.html 的。这样做的原因是,它处理重定向之前,mod_rewrite的重新追加当前目录路径(这是的RewriteBase 的默认值)。如果修改的RewriteBase 是 / ,那么路径信息,将与该字符串替代,所以请求 index.html的的现在是一个请求的 /index.html 的。
请注意,你可能只是有明确的替代的价值做了这件事,无论的RewriteBase :
RewriteEngine叙述上
重写规则^重定向/index.html [R,L]
...按预期工作,例如。但是,如果你有一个需要一个共同的基础,并正在被到处转移目录之间,或者你的内容是没有根据的根源很多规则,这将是适当地设置有用的RewriteBase 在这种情况下。
不使用它们的危险性:
有没有在不指定选项+了FollowSymLinks 绝对没有安全风险,因为如果不这样做,它不是由主服务器的配置设置,mod_rewrite的将始终返回403禁止。这就是人们试图查看内容有点问题,但它肯定不会给他们任何扩展的机会,利用你的code。
不设置的RewriteBase 可能使路径到网页内容,如果你有在你的.htaccess文件中的一个配置不当的规则集,但我不知道有什么理由认为这是一个安全隐患。
In order to redirect all somefolder/index.html (and also somefolder/index.htm) to somefolder/ I use this simple rewrite rule in Apache .htaccess file:
RewriteEngine on
RewriteCond %{THE_REQUEST} ^.*\/index\.html?\ HTTP/
RewriteRule ^(.*)index\.html?$ "/$1" [R=301,L]
This works well!
But at Google groups they suggest to add also:
Options +FollowSymlinks
RewriteBase /
Could anyone be so kind to explain me why would i have to add these last lines, and explain me a bit what they mean and what they do?
Is there a potential secuirty risk in not adding these lines?
Many thanks,
Why they're suggested:
It's suggested that you add Options +FollowSymlinks because it's necessary that symlink following is enabled for mod_rewrite to work, and there's a chance that, while you may be allowed to turn it on, it's not enabled by the main server configuration. I suspect the reason that symlink following is necessary is beause the module makes a number of calls to apr_stat(), which looks like it needs to follow symlinks in order to get file information in all cases.
As for RewriteBase, it's typically not necessary. The documentation goes on about it, but as most people's files do live under the DocumentRoot somewhere, it usually only serves a purpose if you're redirecting externally and you use directory-relative URLs. To illustrate what I mean, consider the following:
RewriteEngine On
RewriteRule ^redirect index.html [R,L]
A request for example.com/redirect will result in an external redirect to example.com/full/path/to/web/root/index.html. The reason for this is that before it handles the redirection, mod_rewrite re-appends the current directory path (which is the default value of RewriteBase). If you modified RewriteBase to be /, then the path information would be replaced with that string, so a request for index.html would now be a request for /index.html.
Note that you could just have done this explicitly on the replace too, regardless of the value of RewriteBase:
RewriteEngine On
RewriteRule ^redirect /index.html [R,L]
...works as intended, for example. However, if you had many rules that needed a common base and were being shifted around between directories, or your content wasn't under the root, it would be useful to appropriately set RewriteBase in that case.
The risk of not using them:
There's absolutely no security risk in not specifying Options +FollowSymlinks, because if you don't and it's not set by the main server configuration, mod_rewrite will always return 403 Forbidden. That's kind of problematic for people trying to view your content, but it definitely doesn't give them any extended opportunity to exploit your code.
Not setting RewriteBase could expose the path to your web content if you had an improperly configured rule set in one of your .htaccess files, but I'm not sure that there's any reason to consider that a security risk.
这篇关于阿帕奇的.htaccess重定向index.html来根,为什么有FollowSymLinks和的RewriteBase?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
