homepage Welcome to WebmasterWorld Guest from 54.205.144.54
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member
Home / Forums Index / Code, Content, and Presentation / Apache Web Server
Forum Library, Charter, Moderators: Ocean10000 & incrediBILL & phranque

Apache Web Server Forum

    
Concatenate Several RewriteCond Directives
Pros and Cons of concatenating several RewriteCond Directives
MickeyRoush




msg:4519707
 1:49 pm on Nov 16, 2012 (gmt 0)

Maybe someone can help clear this up for me. At AskApache he has several RewriteCond directives concatenated, if that's the correct term here.

RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION}%{HTTP:HTTP_PC_REMOTE_ADDR}%{HTTP:HTTP_CLIENT_IP} !^$
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .* - [F,NS,L]


[askapache.com...]

The only part I really want to understand is this part. I'm already familiar with what each condition does/is, my curiosity is the way that they are concatenated.

RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION}%{HTTP:HTTP_PC_REMOTE_ADDR}%{HTTP:HTTP_CLIENT_IP} !^$


What's the pros and cons of doing it this way instead of just separating them on one per line? Or would it achieve the same thing if each one was on it's own line? Like so:

RewriteCond %{HTTP:VIA} !^$ [OR]
RewriteCond %{HTTP:FORWARDED} !^$ [OR]
RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$


I've been told different things, so I was hopefully someone here could help. Please, I'm not concerned with what the rules actually do, I'm more interested in if there's a benefit by concatenating the conditions or not.

 

phranque




msg:4519710
 1:59 pm on Nov 16, 2012 (gmt 0)

it's faster to concatenate and do a single condition check.
even faster if he put those all on one line but probably used two for readability.

he just wants to forbid certain requests if any of those headers are provided.

g1smd




msg:4519755
 6:06 pm on Nov 16, 2012 (gmt 0)

The stuff on ONE line is "this AND this AND this" not "OR" so you'll have problems with "OR" for the multiple lines version.

In the original ruleset, all five on the first line have to be not blank OR the three on the next line all have to be not blank.

If you put them on individual lines, then you'll need to remove the NOT ! from each.

"NOT(this AND this AND this)" on one line is the same as "this OR this OR this" on multiple lines or the same as "NOT this AND NOT this AND NOT this" on multiple lines.

lucy24




msg:4519802
 10:19 pm on Nov 16, 2012 (gmt 0)

Is the underlying structure "either all 5 members of group A are empty OR all 3 members of group B are empty"?

The [OR] operator only applies to pairs of adjoining lines. Or sets of adjoining lines if you string them together.

It's a pretty horrendous-looking rule no matter how you slice it ;) I hope you don't have to invoke it too often. Otherwise you might want to take some entirely different approach like detouring to a php script where you have benefit of grouping parentheses.

MickeyRoush




msg:4519809
 11:23 pm on Nov 16, 2012 (gmt 0)

Thanks everyone for their replies. Maybe you can clarify this a bit more.

Do all of the conditions in this line have to be met together to make the RewriteRule work or can each condition be met separately and still make the RewriteRule work?

RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$

In other words, will the RewriteRule return as coded (which is a 403), if only

RewriteCond %{HTTP:VIA} !^$

is met and none of the other conditions are met?

g1smd




msg:4519820
 1:10 am on Nov 17, 2012 (gmt 0)

All five of the listed server variables have to be "not blank".

If any one (or more) of the listed server variables "is blank" the match fails.

phranque




msg:4519832
 2:46 am on Nov 17, 2012 (gmt 0)


RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$


that's a concatenated string.
all of those environment variables must be NULL for the condition to fail.

MickeyRoush




msg:4519872
 9:59 am on Nov 17, 2012 (gmt 0)

Thanks for the replies. That's what I thought as well, but then I wondered why he reference another site that he got the idea from and they separated each one on it's separate line using [OR].

Thanks again.

lucy24




msg:4519877
 10:50 am on Nov 17, 2012 (gmt 0)

The source rule (referenced from the askapache version) goes:

RewriteCond %{HTTP:VIA} !^$ [OR]
RewriteCond %{HTTP:FORWARDED} !^$ [OR]
RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$
RewriteRule ^(.*)$ - [F]


So it's no longer "If any of group A [OR] any of group B is non-empty"; it's "If any one of these eight items are non-empty". The result is exactly the same because what you're saying is a+b+c+d+e != "". Since you can't have a negative string, it's the same thing as
a != ""
OR
b != ""
OR
c != ""
et cetera.

Yes, I realize that in my previous post I misread the punctuation, making it "all A OR all B are empty" rather than "any of A or any of B are non-empty". Slight, ahem, difference.

Concatenation works in this specific case because everything on the list has to be empty. 0 + 0 + 0 + ... + 0 + 0 = 0, vs. 0 + 0 + 0 + ... + 0 + 0 + non-zero = non-zero.

Incidentally: everyone got so wrapped up in the conditions that we never made it to the Rule itself. I think it's funny that the original
^(.*)$ - [F]
was changed to
.* - [F,NS,L]
getting rid of one minor error --an unneeded capture with anchors- and replacing it with a different one --a slightly iffy set of flags. L with F is definitely redundant; NS is sometimes appropriate but shouldn't be thrown around like confetti. Could a subrequest ever come in through a proxy? Not necessarily a law-abiding subrequest: Is it physically possible?

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Code, Content, and Presentation / Apache Web Server
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved