Welcome to WebmasterWorld Guest from 35.172.111.215

Forum Moderators: Ocean10000 & phranque

URL masking

     
10:48 am on Sep 13, 2019 (gmt 0)

New User

joined:Sept 12, 2019
posts:9
votes: 1


Thank you everyone who helped me with my last question. I have another, a similar one.

This time I need to hide one specific URL. The URL looks like mysite.org/somedirectory/somefile.php
For security reasons I do not want the directory name and the php file name to show up in the URL. So, while this php file is called, I want the displayed URL to be either the site root or something like mysite.org/some_page.html (I can create this page but its content should not be displayed, the output produced by somefile.php should be displayed instead).

I've found that this is called URL masking and I've found a lot of suggestions on various forums and blogs. But again none of those suggestions worked for me. Is this possible at all and, if it is, can somebody tell me how to do it?
12:42 pm on Sept 13, 2019 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:11870
votes: 244


i believe you are looking for an "internal rewrite", which you can accomplish using mod_rewrite directives.
12:44 pm on Sept 13, 2019 (gmt 0)

New User

joined:Sept 12, 2019
posts:9
votes: 1


Yes, this is done using mod_rewrite but I have no knowledge in this subject. I could only try what I found in various forums and blogs but nothing worked.
Is there anybody who can post the exact code?
1:03 pm on Sept 13, 2019 (gmt 0)

Senior Member

WebmasterWorld Senior Member topr8 is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 19, 2002
posts:3512
votes: 86


another question springs to mind.

are you sure that by 'hiding' the filename and directory you are actually making the site more secure? - the page can still be reached and if a hacker gets access to the server they will be able to see all your files anyway.
2:13 pm on Sept 13, 2019 (gmt 0)

New User

joined:Sept 12, 2019
posts:9
votes: 1


Well, as far as I know, it is a good practice to hide all custom php files. That's recommended, for example, in the Joomla security guide. So I would prefer this file to be hidden. Because there are ways hackers can use php files without getting full access to the server but they should know the names of those files to do that.
4:33 pm on Sept 13, 2019 (gmt 0)

Preferred Member from CA 

Top Contributors Of The Month

joined:Feb 7, 2017
posts:579
votes: 60


block viewing files from the directory?

If this is a common WP/Drupal/Joomla .php file all these file names will be written into the bot script and executed to see if it exists. They only need to know the directory location to point the bot script. Masking the php file name will not stop the bot script and the returned info.
5:35 pm on Sept 13, 2019 (gmt 0)

New User

joined:Sept 12, 2019
posts:9
votes: 1


Not from the directory, from the URL in the browser's address bar. And this is not a common Joomla file but my custom script
1:11 am on Sept 14, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15934
votes: 887


It sounds as if you’re describing a perfectly normal rewrite, which people do all the time for all sorts of reasons. The formula is simply

RewriteRule ^visible-URL-here /hidden-URL-here [L]

Note two things: The target starts with / meaning your site root, and the only flag is [L] meaning “OK, we’re done”. If you’re dealing with mod_rewrite in htaccess, you can only rewrite to a file that physically lives on the same server. The rule should be placed after any and all RewriteRules that involve external redirects, access control and whatever else you've got. In particular, make sure it comes after your canonicalization redirect (if necessary, do a Forums search for several hundred explanations of what this is) so you don't accidentally expose your hidden URL to the world.

Most often, once people start rewriting, they make a visible URL that is either extensionless or ends in a / slash. Personally I’m fond of letting the visible URL end in some standard extension like html--matching the rest of the site--because then it is less obvious that you're rewriting.
7:49 am on Sept 14, 2019 (gmt 0)

Administrator

WebmasterWorld Administrator phranque is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Aug 10, 2004
posts:11870
votes: 244


also, if your hidden url is web-accessible, you should implement a 301 redirect from the internal url to the equivalent external url.
1:26 pm on Sept 14, 2019 (gmt 0)

New User

joined:Sept 12, 2019
posts:9
votes: 1


Thank you lucy24. This seems to be exactly what I need but it did not work. I think, I know why - having read some stuff on the Web, I've understood that what this redirect does is, each time a visitor accesses mysite.com/visible-URL-here this URL will be displayed in the address bar but the actual content displayed on the page will be from mysite.com/hidden-URL-here
But my situation is different. The page to be accessed is mysite.com/hidden-URL-here (and actually, visitors do not access it directly, it is called by another php script) but the visible URL should be mysite.com/hidden-URL-here.
In other words, if I've understood everything correctly, in your example the page content is replaced while the URL remains the same but what I need is that the URL is replaced while the page content remains the same.
1:44 pm on Sept 14, 2019 (gmt 0)

Administrator from US 

WebmasterWorld Administrator not2easy is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2006
posts:4558
votes: 363


The problem you are having with the URL masking appears to be because it is called by a script and is not requested by the visitor so .htaccess never 'sees' the request. PHP is processed server side before a page is loaded.
1:53 pm on Sept 14, 2019 (gmt 0)

New User

joined:Sept 12, 2019
posts:9
votes: 1


I've found how to do this with Java Script:
window.history.pushState("object or string", "Page Title", "/new_url.html");
This did just what I need
3:23 pm on Sept 14, 2019 (gmt 0)

Junior Member from US 

10+ Year Member

joined:Dec 23, 2008
posts:167
votes: 10


I would be surprised if Bad Actors have javascript active,
or even available (cite: curl, lynx, etc.)
5:52 pm on Sept 14, 2019 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month

joined:Apr 9, 2011
posts:15934
votes: 887


what I need is that the URL is replaced while the page content remains the same
Then you need two separate rules. The first rule is an external redirect from
/hidden-url
to
https://example.com/visible-url
with the usual redirect flags and also a RewriteCond looking at THE_REQUEST so you don't go around in circles. The second--and, as far as your server is concerned, entirely unrelated--rule is the rewrite described above.

But why is your “hidden” url visible in the first place? Did someone goof at an earlier stage in the site's history? If nobody has ever seen it, and there are no links to it, the external redirect should not be necessary.