1. Home
  2. Forums Index
  3. Server Side / Apache Web Server 8:32 pm May 1, 2026

Forum Moderators: phranque

Message Too Old, No Replies

.htaccess causing CPU overload or blocking access to add-on/subdomain?

.htaccess redirect rules causing loop and restricting access to subdomain

         

irini

5:57 am on Feb 4, 2012 (gmt 0)

10+ Year Member



Hello webmasterworld!
Please bear with me if in the process of exposing my ignorance here i happen to connect issues that should be raised in multiple threads (or if i otherwise out-newb other newbs in my newbie-ness) - and accept my sincere thanks & appreciation in advance for any tolerance of mind you'll give me.

Would anyone kind enough to help (and capable of doing so) please review the .htaccess contents below and advise on whether something therein would either:

A. cause PHP processes to drive MySQL queries without end or produce some sort of loop that could explain repeated CPU overloads and other performance issues
and/or
B. restrict access to an add-on domain which appears in cpanel as a subdomain under the root -- (restrict access = trigger cpanel error when trying to upload files and "server not found" msg. when URL is entered in a browser)...

I've tried to research the matter online for over a month (& related opensource matters for over a year) - sifting through seemingly endless forum threads, technical apache/PHP manuals/documentation, online tutorials, etc. but with limited success.

Alas, now having thoroughly re-confirmed that i am not qualified to be a webmaster (yet) - i am crash-landing in webmasterworld to seek guidance from those who apparently are...so ANY help with this topic (and those likely to follow) would be appreciated loads!

If it makes any difference, it's a Joomla site (still 1.5.25) on a VPS running apache 2.2.21, PHP 5.3.8 & MySQL 5.1.56-log...

Apparently, the site was hacked a while ago and then "restored," but it seems that either the hacker left a back door or the added security measures were insufficient because i found an "allow from ip ..." included on the line before the last </limit> tag at the top of the code below, which matched that of a dictionary attacker active around when the site was hacked...so at this point, ANY input you have regarding the below would be super helpful - thank you!


Begin .htaccess excerpts:

IndexIgnore .htaccess */.?* *~ *# */HEADER* */README* */_vti*
#<Limit GET POST>
#order deny,allow
#deny from all
#allow from all
#</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
Allow from 123.18.235.243
</Limit>

AuthName example.org

RewriteEngine On

RewriteCond %{HTTP_HOST} ^.*$
RewriteRule ^cityname1$ "http\:\/\/example\.org\/all\-locations\/ab\-cde\-fgh\-ijk\-lmnopqrs\-tu" [R=301,L]

RewriteCond %{HTTP_HOST} ^.*$
RewriteRule ^cityname2$ "http\:\/\/example\.org\/all\-locations\/zy\-nameofplace\-cityname2\-state" [R=301,L]

RewriteCond %{HTTP_HOST} ^.*$
RewriteRule ^cityname3$ "http\:\/\/example\.org\/all\-locations\/nameofplace\-cityname3" [R=301,L]

RewriteCond %{HTTP_HOST} ^.*$
RewriteRule ^cityname4$ "http\:\/\/example\.org\/all\-locations\/ab\-cdefg\-h\-ijk\-lmnop" [R=301,L]

RewriteCond %{HTTP_HOST} ^.*$
RewriteCond %{HTTP_HOST} ^example.org$ [OR]
RewriteRule ^Seminar2011$ "http\:\/\/oldeventname\.com " [R=301,L]
RewriteRule ^seminar2011$ "http\:\/\/oldeventname\.com " [R=301,L]

Options +FollowSymLinks

RewriteEngine On

# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.php [F,L]

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} !^/index.php
RewriteCond %{REQUEST_URI} (/|\.php|\.html|\.htm|\.feed|\.pdf|\.raw|/[^.]*)$ [NC]
RewriteRule (.*) index.php
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

RewriteCond %{HTTP_HOST} ^.*$
RewriteRule ^seminar2011$ "http\:\/\/example\.org\/component\/content\/article\/33\/123\-event\-2011" [R=301,L]

RewriteCond %{HTTP_HOST} ^example\.org$ [OR]
RewriteCond %{HTTP_HOST} ^www\.example\.org$
RewriteRule ^(.*)$ "http\:\/\/example\.org\/$1" [R=301,L]

----------
End of .htaccess
----------

Note that i've used alphabet letters in the cityname rewrite rules instead of the SEF url that contained a proper name...sorry if that's confusing!

If you've made it this far down my post - thank you SOOO much for your time and attention!

Note: I can't say i'll help answer other people's posts here - but i can assure you i'll copy & paste old-thread solutions into the threads of new people who didn't read them as often as i can:) Either way, please help! :)

g1smd

7:51 am on Feb 4, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



You have a very old .htaccess file that has a lot of problems built in. Get the new one that comes with recent Joomla installs (1.5.23 onwards, 1.6.3 onwards - version numbers from memory). It's in the installer ZIP as htaccess.txt.

Options +FollowSymLinks
RewriteEngine On

The above two lines should be at the top and each should appear only once in the file.

For your bunch of redirects at the start of the file you should remove the escaping from colons, slashes and hyphens in the rule target. The target should be "literal".

Once you have the new .htaccess file, put the redirects in the place in the middle of the file that says "redirects go here". This is after the rules that block malicious access.


RewriteCond %{HTTP_HOST} ^.*$

The above line is redundant. Remove it from each rule.

Do not place redirects after the part of the code that does internal rewrites. It is too late to redirect to a new URL once the request has been internally rewritten and the server is looking on the hard drive for the correct folder.

It's sort-of lucky that you did make the above mistake so that the code never runs, because the www to non-www redirect in your example is broken and would likely cause an infinite redirect loop.

You only need one condition and the pattern should be !^(example\.com)?$

The www to non-www rule will be the last of the redirects. All of the redirects should be listed before internal rewrites. This is so critical that it is noted in newer versions of the official .htaccess file.

Remove the escaping from rule targets. They should all be literal.

lucy24

9:17 am on Feb 4, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



For your bunch of redirects at the start of the file you should remove the escaping from colons, slashes and hyphens in the rule target.

This is the point where I usually ask if your cat stepped on the keyboard, but if I remember rightly you haven't got one. You meant "remove the escaping from colons, slashes and hyphens in the rule", right? Full stop. Actually "rule and condition"-- i.e. everywhere.

Irini-- As far as I know, colons : never need to be escaped anywhere. Slashes / do not need to be escaped in mod_rewrite. Hyphens do not need to be escaped. (Except maybe in grouping brackets, but that's not an issue here.)

In this piece

(/|\.php|\.html|\.htm|\.feed|\.pdf|\.raw|/[^.]*)$

the last option includes the first option, so it's redundant. "Slash followed by zero or more non-period characters". The list is almost certainly more than you need for your site. For example it's not likely you would have both htm and html.

In fact this whole package would do much better in the Rule itself. That is, instead of

RewriteCond %{REQUEST_URI} (/|\.php|\.html|\.htm|\.feed|\.pdf|\.raw|/[^.]*)$ [NC]
RewriteRule (.*) index.php

you can say in a single line

RewriteRule (\.php|\.html|\.htm|\.feed|\.pdf|\.raw|/[^.]*)$ index.php [L]

Then if the request doesn't have any of those extensions, and isn't for a directory (the /[^.]* part), then there is no need for mod_rewrite to take the time to evaluate any of the Conditions.

irini

4:28 pm on Feb 4, 2012 (gmt 0)

10+ Year Member



Hmmmm...well, THANK YOU for real! I appreciate your taking the time to help with this!

I've read through both your comments and will get Joomla's newer .htaccess and then try to decipher the rest of your input - and then i'll post the updated version here to see if i got you right.

Thanks again!:)

g1smd

8:58 am on Feb 5, 2012 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



In this piece
(/|\.php|\.html|\.htm|\.feed|\.pdf|\.raw|/[^.]*)$

The newer official Joomla file addresses this issue and several other code problems.

Changes: [joomlacode.org...]

History: [joomlacode.org...]
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

  1. Home
  2. Forums Index
  3. Server Side / Apache Web Server 8:32 pm May 1, 2026