• Posted by admin

Introduction

I would have to say that mod_rewrite is probably one of the most powerful features of an Apache web server. It allows an incoming HTTP request for:

frozen_apples.html

to be rewritten as

index.php?p=frozen_apples

This is a powerful additional level of security for your web site, as visitors will not be able to see the inner workings of your web server through the query string or page headers.  It can even hide the scripting engine that your website is running on.

In this example, I will be using PHP as the scripting language.

Setup

httpd.conf

mod_rewrite is a module that is enabled by default in an Apache web server installation. You will want to check that the line:

LoadModule rewrite_module modules/mod_rewrite.so

is uncommented.

You’ll need the web server that hosts your site to allow overrides to Apache’s main settings. To do that, you will have to edit your httpd.conf file. For brevity, I only list the settings that are important to setting up mod_rewrite.

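<VirtualHost *>

<Directory "/path/to/your/site">

AllowOverride All

</Directory>

</VirtualHost>

This tells the Apache web server to allow overrides, for this particular virtual host, to the default Apache settings specified in httpd.conf. AllowOverride is only valid inside a <Directory> section, so it is wrapped in one here; /path/to/your/site is a placeholder for your site's document root. For mod_rewrite directives in .htaccess, AllowOverride FileInfo is sufficient if you do not want to permit every override.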

.htaccess

You will have to create a .htaccess file (if you haven’t already) in your website’s root (/) directory.  The .htaccess file is where all the magic happens with mod_rewrite.

Example code to get things working…

RewriteEngine on

RewriteRule ^old(regular_expression)\.html$ new.php?id=$1

Regular expressions

Regular expressions play an important part in mod_rewrite. They allow you to specify the exact format of the requested document name. This is incredibly powerful and important for web sites and applications that have a database backend. A common web server attack called SQL Injection attempts to insert database commands into the database via page headers or a query string. If proper security and form validation isn’t implemented on the site, the results of this attack can be disastrous. Using mod_rewrite to modify query strings, and to obfuscate what technology is on the server, greatly reduces a security risk like SQL Injection.

On a form submitted to the web server which interacts with a database, the intruder tacks SQL code onto one of the form fields using ‘;’.

By filtering the form submission using mod_rewrite, we can decide at the server level which characters are acceptable and which are not.

Another important point in our example here is mod_rewrite’s ability to filter and copy string data from the first URL we specify to the next.

The part of the first filename matched by the sub-expression in parentheses is copied into the variable $1 in the second string.

e.g.

RewriteRule ^([a-z]+)\.html$ index.php?article=$1

new.html would become index.php?article=new
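
The [a-z]+ rule above, modelled in Python as an added example (not code from the original post), to show which request URLs the pattern rewrites and which it leaves untouched, and what changes when the dot before html is escaped. The rewrite helper and the sample URLs are constructed for illustration and only approximate Apache's per-directory matching.

```python
import re

# The tutorial's [a-z]+ rule with the dot before "html" left unescaped
# (LOOSE) and escaped (STRICT).
LOOSE = re.compile(r"^([a-z]+).html$")
STRICT = re.compile(r"^([a-z]+)\.html$")


def rewrite(url, pattern=STRICT, substitution="index.php?article=$1"):
    """Model one per-directory RewriteRule applied to a request URL.

    Returns the rewritten target, or None when the rule does not match and
    the request continues through Apache unchanged.
    """
    # RewriteRule tests only the URL-path; the query string is not part
    # of the tested string.
    path, _, _query = url.partition("?")
    # In .htaccess context the leading slash (directory prefix) is stripped.
    path = path.lstrip("/")
    m = pattern.search(path)
    if m is None:
        return None
    # The substitution carries its own query string and no [QSA] flag, so
    # the client's original query string is replaced, not appended.
    return substitution.replace("$1", m.group(1))


# Constructed sample requests (not taken from real traffic).
SAMPLES = [
    "/new.html",
    "/new.html?article=a;b",    # client query string is discarded
    "/new;drop.html",           # ';' is outside [a-z]+, rule does not fire
    "/frozen_apples.html",      # '_' is outside [a-z]+ as well
    "/index.php?article=a;b",   # direct request, never tested by the rule
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url!r:28} -> {rewrite(url)!r}")
    # An unescaped '.' accepts any character before "html".
    print(rewrite("/newxhtml", LOOSE), rewrite("/newxhtml", STRICT))
```

Requests the rule does not match, including a direct request for index.php, still reach the script unchanged, so index.php has to validate the article parameter itself.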

Further Reading:

This tutorial only scratches the surface with mod_rewrite.  Here are some links to further your study with mod_rewrite.

mod_rewrite

Apache official module documentation

regular expressions

Regular Expression Library