Welcome to WebmasterWorld Guest from 54.163.52.98

Forum Moderators: Ocean10000 & incrediBILL & phranque

Message Too Old, No Replies

Concatenate Several RewriteCond Directives

Pros and Cons of concatenating several RewriteCond Directives

     

MickeyRoush

1:49 pm on Nov 16, 2012 (gmt 0)



Maybe someone can help clear this up for me. At AskApache he has several RewriteCond directives concatenated, if that's the correct term here.

RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION}%{HTTP:HTTP_PC_REMOTE_ADDR}%{HTTP:HTTP_CLIENT_IP} !^$
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteRule .* - [F,NS,L]


[askapache.com...]

The only part I really want to understand is this part. I'm already familiar with what each condition does/is, my curiosity is the way that they are concatenated.

RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION}%{HTTP:HTTP_PC_REMOTE_ADDR}%{HTTP:HTTP_CLIENT_IP} !^$


What's the pros and cons of doing it this way instead of just separating them on one per line? Or would it achieve the same thing if each one was on it's own line? Like so:

RewriteCond %{HTTP:VIA} !^$ [OR]
RewriteCond %{HTTP:FORWARDED} !^$ [OR]
RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$


I've been told different things, so I was hopefully someone here could help. Please, I'm not concerned with what the rules actually do, I'm more interested in if there's a benefit by concatenating the conditions or not.

phranque

1:59 pm on Nov 16, 2012 (gmt 0)

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



it's faster to concatenate and do a single condition check.
even faster if he put those all on one line but probably used two for readability.

he just wants to forbid certain requests if any of those headers are provided.

g1smd

6:06 pm on Nov 16, 2012 (gmt 0)

WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



The stuff on ONE line is "this AND this AND this" not "OR" so you'll have problems with "OR" for the multiple lines version.

In the original ruleset, all five on the first line have to be not blank OR the three on the next line all have to be not blank.

If you put them on individual lines, then you'll need to remove the NOT ! from each.

"NOT(this AND this AND this)" on one line is the same as "this OR this OR this" on multiple lines or the same as "NOT this AND NOT this AND NOT this" on multiple lines.

lucy24

10:19 pm on Nov 16, 2012 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



Is the underlying structure "either all 5 members of group A are empty OR all 3 members of group B are empty"?

The [OR] operator only applies to pairs of adjoining lines. Or sets of adjoining lines if you string them together.

It's a pretty horrendous-looking rule no matter how you slice it ;) I hope you don't have to invoke it too often. Otherwise you might want to take some entirely different approach like detouring to a php script where you have benefit of grouping parentheses.

MickeyRoush

11:23 pm on Nov 16, 2012 (gmt 0)



Thanks everyone for their replies. Maybe you can clarify this a bit more.

Do all of the conditions in this line have to be met together to make the RewriteRule work or can each condition be met separately and still make the RewriteRule work?

RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$


In other words, will the RewriteRule return as coded (which is a 403), if only

RewriteCond %{HTTP:VIA} !^$


is met and none of the other conditions are met?

g1smd

1:10 am on Nov 17, 2012 (gmt 0)

WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



All five of the listed server variables have to be "not blank".

If any one (or more) of the listed server variables "is blank" the match fails.

phranque

2:46 am on Nov 17, 2012 (gmt 0)

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month




RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$


that's a concatenated string.
all of those environment variables must be NULL for the condition to fail.

MickeyRoush

9:59 am on Nov 17, 2012 (gmt 0)



Thanks for the replies. That's what I thought as well, but then I wondered why he reference another site that he got the idea from and they separated each one on it's separate line using [OR].

Thanks again.

lucy24

10:50 am on Nov 17, 2012 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



The source rule (referenced from the askapache version) goes:

RewriteCond %{HTTP:VIA} !^$ [OR]
RewriteCond %{HTTP:FORWARDED} !^$ [OR]
RewriteCond %{HTTP:USERAGENT_VIA} !^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$
RewriteRule ^(.*)$ - [F]


So it's no longer "If any of group A [OR] any of group B is non-empty"; it's "If any one of these eight items are non-empty". The result is exactly the same because what you're saying is a+b+c+d+e != "". Since you can't have a negative string, it's the same thing as
a != ""
OR
b != ""
OR
c != ""
et cetera.

Yes, I realize that in my previous post I misread the punctuation, making it "all A OR all B are empty" rather than "any of A or any of B are non-empty". Slight, ahem, difference.

Concatenation works in this specific case because everything on the list has to be empty. 0 + 0 + 0 + ... + 0 + 0 = 0, vs. 0 + 0 + 0 + ... + 0 + 0 + non-zero = non-zero.

Incidentally: everyone got so wrapped up in the conditions that we never made it to the Rule itself. I think it's funny that the original
^(.*)$ - [F]
was changed to
.* - [F,NS,L]
getting rid of one minor error --an unneeded capture with anchors- and replacing it with a different one --a slightly iffy set of flags. L with F is definitely redundant; NS is sometimes appropriate but shouldn't be thrown around like confetti. Could a subrequest ever come in through a proxy? Not necessarily a law-abiding subrequest: Is it physically possible?
 

Featured Threads

Hot Threads This Week

Hot Threads This Month