Playing with Apache URL Rewrites

URL rewriting is one of the interesting concepts that can be employed to improve the usability and cleanliness of URLs, and also to filter out unwanted URLs at the server level. It can be tricky to start with, but gets very comfortable as we progress.

Apache, which has good documentation on mod_rewrite, says:

The Apache module mod_rewrite is a killer one, i.e. it is a really sophisticated module which provides a powerful way to do URL manipulations. With it you can do nearly all types of URL manipulations you ever dreamed about. The price you have to pay is to accept complexity, because mod_rewrite’s major drawback is that it is not easy to understand and use for the beginner. And even Apache experts sometimes discover new aspects where mod_rewrite can help.

How did Apache URL Rewrite help me?

I used URL rewrites mainly for security purposes, by filtering out URLs at the entry level to the server and denying access to resources to unwanted entities.

1. Redirect all HTTP incoming requests to HTTPS

I used RedirectMatch for this.

RedirectMatch permanent ^(.*)$ https://example.com$1

The Redirect directive maps an old URL into a new one by asking the client to refetch the resource at the new location. The permanent keyword returns a permanent redirect status (301), indicating that the resource has moved permanently.

2. Restricting individual files to be accessed only from a specific domain/IP address

We wanted our files to be accessed by our domain only; others should get a forbidden response.

RewriteCond %{HTTP_HOST} "^$" [NC]
RewriteCond %{REQUEST_URI} "!^/$" [NC]
# Tag requests whose Referer is our domain or our IP address
SetEnvIf Referer "^http(s)?://example\.com\/" local_referral
SetEnvIf Referer "^http(s)?://10\.1\.1\.1/" ip_referral
# Static files are denied unless one of the variables above is set
<FilesMatch "\.(css|js|png|woff|gif|txt|ttf|woff2)$">
    Order deny,allow
    Deny from all
    Allow from env=local_referral
    Allow from env=ip_referral
</FilesMatch>
RewriteCond %{HTTP_REFERER} "!^"
RewriteCond %{REQUEST_URI} "!\.(css|js|png|woff|gif|txt|ttf|woff2)" [NC]

Here we check HTTP_HOST and REQUEST_URI from the HTTP request and validate that the Referer is our domain. If the request comes from our domain, we allow access; otherwise we forbid access to the files. For example, our index.js or any image file is served only when the request comes from our domain; otherwise a 403 Forbidden HTTP status is sent.
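
The Referer check above can be exercised offline before it is deployed. This added example (not from the original post) re-implements the two SetEnvIf patterns and the FilesMatch allow/deny decision in Python; the function names and the sample requests are constructed for illustration.

```python
import re

# Patterns copied from the SetEnvIf lines above. SetEnvIf is case-sensitive
# and does an unanchored regex search unless the pattern anchors itself.
REFERER_RULES = [
    ("local_referral", re.compile(r"^http(s)?://example\.com\/")),
    ("ip_referral", re.compile(r"^http(s)?://10\.1\.1\.1/")),
]
# Extension list from the <FilesMatch> block, applied to the file name.
PROTECTED = re.compile(r"\.(css|js|png|woff|gif|txt|ttf|woff2)$")


def matched_env(referer):
    """Names of the env variables SetEnvIf would set for this Referer."""
    value = referer or ""  # a missing header is compared as an empty string
    return [name for name, rx in REFERER_RULES if rx.search(value)]


def decide(filename, referer):
    """Status under 'Order deny,allow' + 'Deny from all' + 'Allow from env='."""
    if not PROTECTED.search(filename):
        return 200  # the FilesMatch block does not apply to this file
    return 200 if matched_env(referer) else 403


# Constructed sample requests: (file name, Referer header or None, expected).
CASES = [
    ("index.js", "https://example.com/index.html", 200),
    ("logo.png", "http://10.1.1.1/admin", 200),
    ("index.js", None, 403),                               # no Referer sent
    ("index.js", "https://example.com.other.test/", 403),  # "/" after the host blocks look-alike prefixes
    ("index.js", "https://www.example.com/", 403),         # subdomains are not covered
    ("index.js", "HTTPS://EXAMPLE.COM/", 403),             # SetEnvIf is case-sensitive
    ("index.html", None, 200),                             # extension not in the list
]


def failures(cases=CASES):
    """Cases where the simulated decision differs from the expected status."""
    return [(f, r, want, decide(f, r)) for f, r, want in cases
            if decide(f, r) != want]


if __name__ == "__main__":
    for f, r, want in CASES:
        print(f"{decide(f, r)}  {f:<11} Referer={r!r}")
    assert not failures()
```

The Referer value is whatever the client sends, so a passing result here means hotlink protection, not authentication.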


Use of the [NC] flag causes the RewriteRule to be matched in a case-insensitive manner. That is, it doesn’t care whether letters appear as upper-case or lower-case in the matched URI.

3. Redirecting all URLs to their default www URL

Basically, we had an existing site running and we were launching a new single page web app without the dub dub dub. So, we wanted to redirect to, and since we had a single page web app, our routes were managed by the browser itself, like /#/posts and /#/feeds, and we redirected all the other URLs to our existing

RewriteRule "^/?(.*)" "$1" [L,R,NE]

The [L] flag causes mod_rewrite to stop processing the rule set. In most contexts, this means that if the rule matches, no further rules will be processed. This corresponds to the last command in Perl, or the break command in C.

Use of the [R] flag causes a HTTP redirect to be issued to the browser. If a fully-qualified URL is specified (that is, including http://servername ), then a redirect will be issued to that location. Otherwise, the current protocol, servername, and port number will be used to generate the URL sent with the redirect.

By default, special characters, such as & and ?, for example, will be converted to their hexcode equivalent. Using the [NE] flag prevents that from happening.

You can read more about flags at







