mod_rewrite强制内部重定向 [英] mod_rewrite force internal redirect

问题描述

我的目标是减少应用程序签名的可见性.这不是默默无闻的安全措施，而只是深度的表面防御，因此，乍一看，攻击者无法分辨出它是否是静态站点. (还具有外观美感；即使应用程序在正常操作中永远看不见，也可以隐藏应用程序详细信息，这让用户感觉更干净").因此，我想拒绝访问某些目录而不显示它们的存在，因此如果用户请求一个不存在的页面，我必须给出与我的应用程序完全相同的404响应.

My goal is to reduce the visibility of my app's signature. This is not security by obscurity, just a superficial bit of defence in depth, so that at first glance an attacker cannot tell if it is a static site or not. (Also cosmetic; it just feels "cleaner" to hide app details even if they would never become visible in normal operation). Therefore I want to deny access to some directories without revealing that they exist, so I must give the exact same 404 response my app would give if the user requested a non-existent page.

在.htaccess文件中，我具有以下内容:

In an .htaccess file, I have the following:

RewriteEngine on
RewriteCond "%{REQUEST_FILENAME}" "!-f"
RewriteCond "%{REQUEST_FILENAME}" "!-d"
RewriteRule "^(.*)" "index.php?page=$1"
RewriteRule "^(secret_dir1|secret_dir2)(/.*)?$" "index.php?page=404"

其中，index.php根据"page" GET参数的值呈现漂亮的漂亮网页；如果页面"与应用程序级别的页面不对应，或者页面"设置为404，则脚本将渲染一个漂亮的404页面，其中包含适当的标题和所有内容.

where index.php renders a nice pretty webpage according to the value of the "page" GET parameter; if "page" does not correspond to a page at the app level, or "page" is set to 404, the script renders a pretty 404 page with proper headers and everything.

这是发生问题的地方. 应用程序级" 404按预期工作；呈现404页面.但是，如果用户请求mydomain.com/dir_i_am_trying_to_hide，则会为他们提供301重定向到mydomain.com/dir_i_am_trying_to_hide/?page=404:外部重定向而不是内部重写.

Here's where the problem happens. "App-level" 404s work as expected; a 404 page is rendered. However, if the user requests mydomain.com/dir_i_am_trying_to_hide, they are given a 301 redirect to mydomain.com/dir_i_am_trying_to_hide/?page=404: an external redirect instead of an internal rewrite.

为什么它发送外部重定向而不是仅重写URL?我应该如何正确避免这种情况?除非，有没有办法强制服务器进行内部重写? (Apache文档似乎表明您可以强制将RewriteRule设置为外部，但不能强制这样做)

Why is it sending out an external redirect instead of just rewriting the url? How am I supposed to avoid this properly? Barring that, is there a way to force the server to do an internal rewrite instead? (The Apache docs seem to indicate you can force a RewriteRule to be external, but not the other way around)

推荐答案

原来我的重写规则没有引起外部重定向； Apache的DirectorySlash是；我会查询hostname/secret_dir1，它将发送重定向到hostname/secret_dir1/.

Turns out my rewrite rule was not causing the external redirect; Apache's DirectorySlash was; I would query hostname/secret_dir1 and it would send a redirect to hostname/secret_dir1/.

我不确定为什么要更改查询字符串，但是添加了DirectorySlash off可以解决该问题.

I'm not sure why the query string was changed, but adding DirectorySlash off fixed it.

这篇关于mod_rewrite强制内部重定向的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！