Using Apache's mod_rewrite to hide scripts extension

**Jerry Stuckle** · Jun 2 '08, 10:35 AM

Re: Using Apache's mod_rewrite to hide scripts extension

Álvaro G. Vicario wrote:

With Apache's mod_rewrite module I can keep *.php files and load them as
*.html files:
>
# Make http//example.com/foo/bar.html load /home/site/foo/bar.php
RewriteEngine On
RewriteRule ^(.*)\.html$ $1.php [L]
>
But, is there any elegant way to prevent direct access to
"http//example.com/foo/bar.php"? No matter the "L" flag, all *.html
requests get parsed again with any *.php rule I write, even though the
rewriting does not force a browser redirect and even if I use the NS
flag :-?
>
I still can restrict it in PHP itself (I can think of checking the value
of $_SERVER['REQUEST_URI']), but I'd like to understand why L and NS do
not work as I expected.
>
>
Sorry if this is kinda offtopic but my news server does not provide any
Apache group.
>
>

You can always get the Apache newsgroups through Google Groups. And
I've found most news servers will add groups if you ask them nicely -
they just need to know the newsgroup is wanted.

As for your question - it is NOT a good idea to parse all .html files as
..php, anyway. It puts an unnecessary load on the server. Just keep php
code in .php files. You'll find it works much better.

--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attgl obal.net
=============== ===

**=?ISO-8859-1?Q?=22=C1lvaro_G=2E_Vicario=22?=** · Jun 2 '08, 10:35 AM

Re: Using Apache's mod_rewrite to hide scripts extension

Jerry Stuckle escribió:

As for your question - it is NOT a good idea to parse all .html files as
.php, anyway. It puts an unnecessary load on the server. Just keep php
code in .php files. You'll find it works much better.

There aren't any plain HTML files in the site: they all use PHP to
compose the page including headers, footers and the like (plus headers
for client-side caching: site contents are not actually dynamic).
Currently, I code in *.html files and get them all parsed as PHP but
it's annoying because I have to tell my text editor to use PHP syntax
highlighting for *.html files... but only for that project! Furthermore,
if I ever add a plain HTML file I can't distinguish it easily.

I thought mod_rewrite could be an elegant solution but I'm disappointed
with my lack of understanding of its internals.

If I completely omit extensions (http://example.com/foo/bar) the issue
is the same: I can't prevent http://example.com/foo/bar.php from loading.

--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- Mi sitio sobre programación web: http://bits.demogracia.com
-- Mi web de humor al baño María: http://www.demogracia.com
--

**C. (http://symcbean.blogspot.com/)** · Jun 2 '08, 10:35 AM

Re: Using Apache's mod_rewrite to hide scripts extension

On 28 Apr, 11:54, "Álvaro G. Vicario"
<alvaroNOSPAMTH A...@demogracia .comwrote:

Jerry Stuckle escribió:
>

As for your question - it is NOT a good idea to parse all .html files as
.php, anyway. It puts an unnecessary load on the server. Just keep php
code in .php files. You'll find it works much better.

>
There aren't any plain HTML files in the site: they all use PHP to
compose the page including headers, footers and the like (plus headers
for client-side caching: site contents are not actually dynamic).
Currently, I code in *.html files and get them all parsed as PHP but
it's annoying because I have to tell my text editor to use PHP syntax
highlighting for *.html files... but only for that project! Furthermore,
if I ever add a plain HTML file I can't distinguish it easily.
>
I thought mod_rewrite could be an elegant solution but I'm disappointed
with my lack of understanding of its internals.
>
If I completely omit extensions (http://example.com/foo/bar) the issue
is the same: I can't preventhttp://example.com/foo/bar.phpfrom loading.
>
--
--http://alvaro.es- Álvaro G. Vicario - Burgos, Spain
-- Mi sitio sobre programación web:http://bits.demogracia.com
-- Mi web de humor al baño María:http://www.demogracia.com
--

Wouldn't it be simpler to just rename all your files as .html and
setup the PHP handler to process them?

C.

**Jerry Stuckle** · Jun 2 '08, 10:35 AM

Re: Using Apache's mod_rewrite to hide scripts extension

Álvaro G. Vicario wrote:

Jerry Stuckle escribió:

>As for your question - it is NOT a good idea to parse all .html files
>as .php, anyway. It puts an unnecessary load on the server. Just
>keep php code in .php files. You'll find it works much better.

>
There aren't any plain HTML files in the site: they all use PHP to
compose the page including headers, footers and the like (plus headers
for client-side caching: site contents are not actually dynamic).
Currently, I code in *.html files and get them all parsed as PHP but
it's annoying because I have to tell my text editor to use PHP syntax
highlighting for *.html files... but only for that project! Furthermore,
if I ever add a plain HTML file I can't distinguish it easily.
>
I thought mod_rewrite could be an elegant solution but I'm disappointed
with my lack of understanding of its internals.
>
If I completely omit extensions (http://example.com/foo/bar) the issue
is the same: I can't prevent http://example.com/foo/bar.php from loading.
>
>
>

And you will NEVER have any static pages on the site?

Why are you going to all of the trouble, anyway. PHP works fine as .php
files. You cause yourself and the server to run through all kinds of
hoops to parse them as .html files.

But if you insist, try alt.apache.conf iguration - available on Google
Groups.

--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attgl obal.net
=============== ===

**Jerry Stuckle** · Jun 2 '08, 10:35 AM

Re: Using Apache's mod_rewrite to hide scripts extension

Álvaro G. Vicario wrote:

Jerry Stuckle escribió:

>As for your question - it is NOT a good idea to parse all .html files
>as .php, anyway. It puts an unnecessary load on the server. Just
>keep php code in .php files. You'll find it works much better.

>
There aren't any plain HTML files in the site: they all use PHP to
compose the page including headers, footers and the like (plus headers
for client-side caching: site contents are not actually dynamic).
Currently, I code in *.html files and get them all parsed as PHP but
it's annoying because I have to tell my text editor to use PHP syntax
highlighting for *.html files... but only for that project! Furthermore,
if I ever add a plain HTML file I can't distinguish it easily.
>
I thought mod_rewrite could be an elegant solution but I'm disappointed
with my lack of understanding of its internals.
>
If I completely omit extensions (http://example.com/foo/bar) the issue
is the same: I can't prevent http://example.com/foo/bar.php from loading.
>
>
>

Oops - I think I misread what you are doing (twice!).

If I understand this correctly now, you have your PHP code in .php
files, and have Apache set up to load those PHP files if the equivalent
..html is called. This would be OK.

But you don't want the .php files to be able to be loaded directly. I'm
not sure what difference it makes - does it cause a problem to load the
..php file?

From the PHP end, yes, you can restrict access. But if you want to do
it with mod_rewrite, you really need to be following up on an Apache
newsgroup. You'll get expert answers there.

--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attgl obal.net
=============== ===

**Tim Roberts** · Jun 2 '08, 10:35 AM

Re: Using Apache's mod_rewrite to hide scripts extension

Jerry Stuckle <jstucklex@attg lobal.netwrote:

>
>Oops - I think I misread what you are doing (twice!).
>
>If I understand this correctly now, you have your PHP code in .php
>files, and have Apache set up to load those PHP files if the equivalent
>.html is called. This would be OK.
>...
>But you don't want the .php files to be able to be loaded directly. I'm
>not sure what difference it makes - does it cause a problem to load the
>.php file?
>
From the PHP end, yes, you can restrict access. But if you want to do
>it with mod_rewrite, you really need to be following up on an Apache
>newsgroup. You'll get expert answers there.

mod_rewrite is one of those magical products that can be configured to do
practically anything (like Sendmail). And like most such products, it is
difficult to get right.

However, I think this will do what the original poster wanted:

RewriteEngine On
RewriteRule ^(.*)\.php$ $1.php [R=404,L]
RewriteRule ^(.*)\.html$ $1.php [L]

That says PHP references should redirect to a 404, and HTML references
should be rewritten to PHP.
--
Tim Roberts, timr@probo.com
Providenza & Boekelheide, Inc.

**=?ISO-8859-1?Q?=22=C1lvaro_G=2E_Vicario=22?=** · Jun 2 '08, 10:35 AM

Re: Using Apache's mod_rewrite to hide scripts extension

Tim Roberts escribió:

RewriteEngine On
RewriteRule ^(.*)\.php$ $1.php [R=404,L]
RewriteRule ^(.*)\.html$ $1.php [L]
>
That says PHP references should redirect to a 404, and HTML references
should be rewritten to PHP.

It doesn't work either because when I request foo.html I'm silently
redirected to foo.php, rewriting starts again and first rule generates a
Not Found status code.

Thank you for your suggestion but it's really tricky!

I've asked my newsmaster if I can get "alt.apache.con figuration" added
to the groups lists (Google Groups is okay but it does not allow e-mail
obfuscation) but I guess I'll implement this as is and I just won't care
about direct access to *.php files (or I'll check
$_SERVER['REQUEST_URI'] and generate the 404 status in PHP). Your
comparison of mod_write with Sendmail has scared me to the bone ;-)

--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- Mi sitio sobre programación web: http://bits.demogracia.com
-- Mi web de humor al baño María: http://www.demogracia.com
--

**Guillaume** · Jun 2 '08, 10:35 AM

Re: Using Apache's mod_rewrite to hide scripts extension

Álvaro G. Vicario a écrit :

Tim Roberts escribió:

> [L]

rewriting starts again

Or not, L flag stands for Last, it shouldn't start again and directly
serve the request, i.e. foo.php.

Regards,
--
Guillaume

**Michael Fesser** · Jun 2 '08, 10:35 AM

Re: Using Apache's mod_rewrite to hide scripts extension

..oO(Guillaume)

>Álvaro G. Vicario a écrit :

>Tim Roberts escribió:

>> [L]

>rewriting starts again

>
>Or not, L flag stands for Last, it shouldn't start again and directly
>serve the request, i.e. foo.php.

The L flag means that no further rules are evaluated for the _current_
request, but if some rewriting action triggers an internal redirect,
then the entire process starts again from the first RewriteRule.

Micha

**M. Strobel** · Jun 2 '08, 10:35 AM

Re: Using Apache's mod_rewrite to hide scripts extension

Ãlvaro G. Vicario schrieb:

Tim Roberts escribiÃ³:

> RewriteEngine On
> RewriteRule ^(.*)\.php$ $1.php [R=404,L]
> RewriteRule ^(.*)\.html$ $1.php [L]
>>
>That says PHP references should redirect to a 404, and HTML references
>should be rewritten to PHP.

>
It doesn't work either because when I request foo.html I'm silently
redirected to foo.php, rewriting starts again and first rule generates a
Not Found status code.
>
Thank you for your suggestion but it's really tricky!
>
I've asked my newsmaster if I can get "alt.apache.con figuration" added
to the groups lists (Google Groups is okay but it does not allow e-mail
obfuscation) but I guess I'll implement this as is and I just won't care
about direct access to *.php files (or I'll check
$_SERVER['REQUEST_URI'] and generate the 404 status in PHP). Your
comparison of mod_write with Sendmail has scared me to the bone ;-)
>
>

If you want to deny execution of php scripts, you can put them outside
of the web space.

If your php script you want to protect is inside the web space, you can
deny access in the .htaccess file. This is handy for include-only
directories.

Max

**Jerry Stuckle** · Jun 2 '08, 10:35 AM

Re: Using Apache's mod_rewrite to hide scripts extension

M. Strobel wrote:

Ãlvaro G. Vicario schrieb:

>Tim Roberts escribiÃ³:

>> RewriteEngine On
>> RewriteRule ^(.*)\.php$ $1.php [R=404,L]
>> RewriteRule ^(.*)\.html$ $1.php [L]
>>>
>>That says PHP references should redirect to a 404, and HTML references
>>should be rewritten to PHP.

>>
>It doesn't work either because when I request foo.html I'm silently
>redirected to foo.php, rewriting starts again and first rule generates
>a Not Found status code.
>>
>Thank you for your suggestion but it's really tricky!
>>
>I've asked my newsmaster if I can get "alt.apache.con figuration" added
>to the groups lists (Google Groups is okay but it does not allow
>e-mail obfuscation) but I guess I'll implement this as is and I just
>won't care about direct access to *.php files (or I'll check
>$_SERVER['REQUEST_URI'] and generate the 404 status in PHP). Your
>comparison of mod_write with Sendmail has scared me to the bone ;-)
>>
>>

>
If you want to deny execution of php scripts, you can put them outside
of the web space.
>
If your php script you want to protect is inside the web space, you can
deny access in the .htaccess file. This is handy for include-only
directories.
>
Max
>

Which is not his question...

--
=============== ===
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attgl obal.net
=============== ===

Using Apache's mod_rewrite to hide scripts extension

Using Apache's mod_rewrite to hide scripts extension

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment