Apache .htaccess 将index.html 重定向到根目录,为什么需要FollowSymlinks 和RewriteBase?
为了将所有 somefolder/index.html (以及 somefolder/index.htm)重定向到 somefolder/ 我在Apache .htaccess 文件:
RewriteEngine on
RewriteCond %{THE_REQUEST} ^.*\/index\.html?\ HTTP/
RewriteRule ^(.*)index\.html?$ "/$1" [R=301,L]
这很好用!
但在 Google 群组 他们建议还添加:
Options +FollowSymlinks
RewriteBase /
有谁能好心解释一下为什么我必须添加最后几行,并向我解释一下知道它们的含义和作用吗?
不添加这些线路是否存在潜在的安全风险?
非常感谢,
In order to redirect all somefolder/index.html (and also somefolder/index.htm) to somefolder/ I use this simple rewrite rule in Apache .htaccess file:
RewriteEngine on
RewriteCond %{THE_REQUEST} ^.*\/index\.html?\ HTTP/
RewriteRule ^(.*)index\.html?$ "/$1" [R=301,L]
This works well!
But at Google groups they suggest to add also:
Options +FollowSymlinks
RewriteBase /
Could anyone be so kind to explain me why would i have to add these last lines, and explain me a bit what they mean and what they do?
Is there a potential secuirty risk in not adding these lines?
Many thanks,
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
为什么建议:
建议您添加
Options +FollowSymlinks因为有必要为 mod_rewrite 工作,并且有可能,虽然您可能被允许打开它,但主服务器配置并未启用它。我怀疑需要遵循符号链接的原因是因为模块对 apr_stat() 进行了多次调用,这看起来需要遵循符号链接才能在所有情况下获取文件信息。至于
RewriteBase,通常没有必要。文档继续讨论它,但正如大多数人的文件一样确实位于DocumentRoot< /a> 某处,通常仅在您进行外部重定向并且使用目录相对 URL 时才起作用。为了说明我的意思,请考虑以下情况:对 example.com/redirect 的请求将导致外部重定向到 example.com/full/path/to/web/root/index .html。原因是在处理重定向之前,mod_rewrite 会重新附加当前目录路径(这是
RewriteBase的默认值)。如果您将RewriteBase修改为/,则路径信息将替换为该字符串,因此对 index.html 的请求现在将是对 /index.html 的请求。请注意,您也可以在替换时显式执行此操作,无论 RewriteBase 的值如何:
...例如按预期工作。但是,如果您有许多需要公共基础的规则,并且需要在目录之间移动,或者您的内容不在根目录下,则在这种情况下适当设置
RewriteBase会很有用。不使用它们的风险:
不指定Options +FollowSymlinks绝对没有安全风险,因为如果您不指定并且主服务器配置没有设置它,mod_rewrite将始终返回403 Forbidden。这对于试图查看您的内容的人来说是一个问题,但这绝对不会给他们任何利用您的代码的更多机会。
如果您的 .htaccess 文件之一中的规则集配置不正确,则不设置
RewriteBase可能会暴露 Web 内容的路径,但我不确定是否有任何理由认为存在安全风险。Why they're suggested:
It's suggested that you add
Options +FollowSymlinksbecause it's necessary that symlink following is enabled for mod_rewrite to work, and there's a chance that, while you may be allowed to turn it on, it's not enabled by the main server configuration. I suspect the reason that symlink following is necessary is beause the module makes a number of calls toapr_stat(), which looks like it needs to follow symlinks in order to get file information in all cases.As for
RewriteBase, it's typically not necessary. The documentation goes on about it, but as most people's files do live under theDocumentRootsomewhere, it usually only serves a purpose if you're redirecting externally and you use directory-relative URLs. To illustrate what I mean, consider the following:A request for example.com/redirect will result in an external redirect to example.com/full/path/to/web/root/index.html. The reason for this is that before it handles the redirection, mod_rewrite re-appends the current directory path (which is the default value of
RewriteBase). If you modifiedRewriteBaseto be/, then the path information would be replaced with that string, so a request for index.html would now be a request for /index.html.Note that you could just have done this explicitly on the replace too, regardless of the value of
RewriteBase:...works as intended, for example. However, if you had many rules that needed a common base and were being shifted around between directories, or your content wasn't under the root, it would be useful to appropriately set
RewriteBasein that case.The risk of not using them:
There's absolutely no security risk in not specifying
Options +FollowSymlinks, because if you don't and it's not set by the main server configuration, mod_rewrite will always return 403 Forbidden. That's kind of problematic for people trying to view your content, but it definitely doesn't give them any extended opportunity to exploit your code.Not setting
RewriteBasecould expose the path to your web content if you had an improperly configured rule set in one of your .htaccess files, but I'm not sure that there's any reason to consider that a security risk.