Multiple rewrite rules


on 21.10.2008 14:33:54 by Tony Stocker

Hello All,

I have a quick question regarding multiple mod_rewrite rules. Our
security nazis have told us that we need to disable the HTTP TRACE
method on our servers. The version we are using (2.0.52-41.ent, i.e.
RedHat's rpm) doesn't have the TraceEnable option so we need to use
the RewriteRule method.

We have one server though that already has a RewriteRule in place,
this rule forces all connections from http (port 80) to https (port
443). If I put the trace rule ahead of this rule, then this
redirection ceases to function. If I put the trace rule after it, I
get back a 302 Found (Document moved) message - which according to the
security folks is still a 'vulnerable' system. I don't want to argue
about the stupidity of that, I agree it's a stupid point of view. I
just need to get this to pass the annoying security review.

Here are the two rules that I'm trying to make work together (both are
in /etc/httpd/conf/httpd.conf):

RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*)$ https://pps-mail.nascom.nasa.gov/$1 [L,R]

RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]


Any help would be greatly appreciated.

-Tony

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
To unsubscribe from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: Multiple rewrite rules

on 21.10.2008 14:41:30 by Sascha Kersken

Hi,
>
> I have a quick question regarding multiple mod_rewrite rules. Our
> security nazis have told us that we need to disable the HTTP TRACE
> method on our servers. The version we are using (2.0.52-41.ent, i.e.
> RedHat's rpm) doesn't have the TraceEnable option so we need to use
> the RewriteRule method.
>
> We have one server though that already has a RewriteRule in place,
> this rule forces all connections from http (port 80) to https (port
> 443). If I put the trace rule ahead of this rule, then this
> redirection ceases to function. If I put the trace rule after it, I
> get back a 302 Found (Document moved) message - which according to the
> security folks is still a 'vulnerable' system. I don't want to argue
> about the stupidity of that, I agree it's a stupid point of view. I
> just need to get this to pass the annoying security review.
>
> Here are the two rules that I'm trying to make work together (both are
> in /etc/httpd/conf/httpd.conf):
>
> RewriteCond %{SERVER_PORT} !^443$
> RewriteRule ^/(.*)$ https://pps-mail.nascom.nasa.gov/$1 [L,R]

There is an [L] option in this rewrite rule which means that it will be
the last one to be executed. Any following rewrite rules will be
disregarded, so just try and remove the [L]. The order has to be kept,
though, because if you put the TRACE rule ahead of the other one, the
client will get a 403 Forbidden, so there won't be any further request
and thus no redirection.


Sascha


Re: multiple rewrite rules

on 07.12.2009 07:32:05 by Jeff Shearer

Thanks for your excellent explanation.

I have used the book "The Definitive Guide to mod_rewrite" by Rich Bowen. Do you recommend a different reference?


========================================
Jeff Shearer, CISA, CISSP, IAM, IEM

-----Original Message-----
From: "Krist van Besien" [krist.vanbesien@gmail.com]
Date: 12/06/2009 10:27 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] multiple rewrite rules

On Sun, Dec 6, 2009 at 9:08 PM, Jeff Shearer wrote:
> I have been trying without success to rewrite multiple css files with one RewriteCond. Here is my latest attempt to give y'all an idea of what I am trying to do.

I have the impression that you are unaware how RewriteConds and
RewriteRules interact. You can't have one RewriteCond apply to many
RewriteRules.

Apache always first tests if the LHS of the RewriteRule matches. Then
it will look at any RewriteConds above. If they match, then the RHS is
applied.

In order to explain better what happens with your rules I've numbered them:

1> RewriteCond %{HTTP_USER_AGENT} .Windows.*Firefox\/3.*
2> RewriteRule ^/styles/progclean.css http://progressive.trustedtechpro.com/styles/winff3/progclean.css
3> RewriteRule ^/styles/terms.css http://progressive.trustedtechpro.com/styles/winff3/terms.css [L]
4> RewriteCond %{HTTP_USER_AGENT} .MSIE\ 7.*
5> RewriteRule ^/styles/progclean.css http://progressive.trustedtechpro.com/styles/winie7/progclean.css
6> RewriteRule ^/styles/terms.css http://progressive.trustedtechpro.com/styles/winie7/terms.css [L]
7> RewriteRule ^/styles/progclean.css http://progressive.trustedtechpro.com/styles/unsupported/progclean.css
8> RewriteRule ^/styles/terms.css http://progressive.trustedtechpro.com/styles/unsupported/terms.css [L]

RewriteCond at line 1 only applies to RewriteRule on line 2.
RewriteRule at line 3 does not have a RewriteCond, so all browsers get
http://progressive.trustedtechpro.com/styles/winff3/terms.css. Rules 6
and 8 will never even get triggered...

Have a look at the docs.


Krist

-- 

krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?





Re: multiple rewrite rules

on 07.12.2009 07:55:05 by Krist van Besien

On Mon, Dec 7, 2009 at 7:32 AM, Jeff Shearer wrote:
> Thanks for your excellent explanation.
>
> I have used the book "The Definitive Guide to mod_rewrite" by Rich Bowen. Do you recommend a different reference?

I don't know about this book. All I know about mod_rewrite I have from
the official docs, and from experimentation.

The documentation is quite clear that you can have multiple
RewriteCond's per RewriteRule, but that a RewriteCond only applies to
one RewriteRule.

I had to cut my answer short, as my train was arriving and I had to
get out :-)

So here is the rest:

I assume that you have references to two CSS files in your HTML pages,
and that you want to give different versions of these files to
different browsers.
Now, since a RewriteCond applies only to one rule, you need to repeat it.
You don't really need the L flag, and if the files are on the same
host, you don't need to add that either. So I assume the following
would work:

RewriteEngine on
RewriteLog /var/log/httpd-rewrite.log
RewriteLogLevel 2

RewriteCond %{HTTP_USER_AGENT} .Windows.*Firefox\/3.*
RewriteRule ^/styles/progclean.css /styles/winff3/progclean.css
RewriteCond %{HTTP_USER_AGENT} .Windows.*Firefox\/3.*
RewriteRule ^/styles/terms.css /styles/winff3/terms.css

RewriteCond %{HTTP_USER_AGENT} .MSIE\ 7.*
RewriteRule ^/styles/progclean.css /styles/winie7/progclean.css
RewriteCond %{HTTP_USER_AGENT} .MSIE\ 7.*
RewriteRule ^/styles/terms.css /styles/winie7/terms.css

RewriteRule ^/styles/progclean.css /styles/unsupported/progclean.css
RewriteRule ^/styles/terms.css /styles/unsupported/terms.css

I hope this helps,

Krist


-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
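As an added illustration of the two points raised in this thread (the [L] on Tony's redirect rule stopping the TRACE rule from ever running, and a RewriteCond guarding only the RewriteRule that follows it), here is a small Python model of mod_rewrite's rule evaluation. It is not Apache code and not from any of the posters; it models only the L, R and F flags, "!" negation, a single $1 back-reference, and treats any absolute substitution as an external redirect, all of which are simplifying assumptions.

```python
import re

def parse_rules(config):
    """RewriteCond/RewriteRule lines -> (pattern, subst, flags, conds).
    Pending RewriteConds attach to the next RewriteRule only, then reset."""
    rules, conds = [], []
    for parts in (line.split() for line in config.splitlines()):
        if parts and parts[0] == "RewriteCond":
            conds.append((parts[1][2:-1], parts[2]))           # %{VAR} -> VAR
        elif parts and parts[0] == "RewriteRule":
            flags = parts[3][1:-1].split(",") if len(parts) > 3 else []
            rules.append((parts[1], parts[2], flags, conds))
            conds = []                                           # consumed here
    return rules

def cond_ok(var, regex, request):
    """A leading '!' negates the CondPattern, as in Apache."""
    hit = re.search(regex.lstrip("!"), request.get(var, "")) is not None
    return hit != regex.startswith("!")

def rewrite(config, request):
    """Return (status, url): [F] -> 403 at once, [L] stops, [R] or an absolute URL -> 302 at the end."""
    url, redirect = request["uri"], None
    for pattern, subst, flags, conds in parse_rules(config):
        m = re.search(pattern, url)
        if not m or not all(cond_ok(v, rx, request) for v, rx in conds):
            continue
        if "F" in flags:
            return 403, url
        if subst != "-":
            url = m.expand(subst.replace("$1", r"\1"))          # only $1 modelled
        if "R" in flags or url.startswith("http"):
            redirect = url
        if "L" in flags:
            break
    return (302, redirect) if redirect else (200, url)

# Tony's rules as posted, and the same config with the [L] dropped as Sascha suggests
TONY = r"""RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*)$ https://pps-mail.nascom.nasa.gov/$1 [L,R]
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule .* - [F]"""
TONY_FIXED = TONY.replace("[L,R]", "[R]")
# Jeff's mistake in miniature: one RewriteCond followed by two RewriteRules
CSS_BROKEN = r"""RewriteCond %{HTTP_USER_AGENT} .Windows.*Firefox\/3.*
RewriteRule ^/styles/progclean.css /styles/winff3/progclean.css
RewriteRule ^/styles/terms.css /styles/winff3/terms.css"""
# Constructed sample requests: a TRACE over plain HTTP, and an IE7 fetch of terms.css
TRACE_80 = {"uri": "/index.html", "SERVER_PORT": "80", "REQUEST_METHOD": "TRACE"}
IE7 = {"uri": "/styles/terms.css", "HTTP_USER_AGENT": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"}
```

With the original config a TRACE over port 80 ends in the 302 Tony observed; without the [L] the rewrite continues and the [F] rule answers 403, while a plain GET still redirects. The CSS config shows the unguarded second RewriteRule sending an IE7 request to the winff3 file.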
