tags:

views:

530

answers:

2
Q: 

Rewrite rules - going outside the docroot.

Assuming the following directory structure,

htdocs/
  images/
  css/
  .htaccess
system/
  index.php
  ...

I would like to route all incoming requests through that php script. I have been trying some rewrite rules within the htaccess, but I can't seem to be able to route to files that are outside the document root. I couldn't find a reason for this in the apache manuals, so eventually resorted to "Include" an apache config file, where the rules are different.

Is there a way of rewriting outside of the docroot?

+2  A: 

No, you cannot route outside the docroot without potentially enormous risk.

You should place the index.php within the htdocs folder and rewrite it there, not outside. If you were to rewrite to handle the index, accessing outside the docroot, and you made one little mistake it's potentially exploited by any hacker rewriting the request string. Not pretty!

The Wicked Flea  2008-11-30 18:39:22
+5  A: 

What a lot of frameworks do is use rewrite to route all requests to one file where you can do more complex routing of your own. An example .htaccess file might be:

# ignore anything that's an actual file (eg CSS, js, images) 
RewriteCond %{DOCUMENT_ROOT}%{REQUEST_URI} !-f
# redirect all other traffic to the index page
RewriteRule ^.*$ index.php [L]

Where index.php is inside your doc root (htdocs/index.php) and from which you can safely include System/index.php where appropriate.

rojoca  2008-11-30 18:43:00
remember to make sure you can't include any old file based on querystring - otherwise people might try things like /etc/passwd or /etc/httpd/httpd.conf etc - bad!
benlumley  2008-11-30 18:51:28

related questions

How do I add a MIME type to .htaccess?
Difference between the Apache HTTP Server and Apache Tomcat?
How do I support SSL Client Certificate authentication?
Why can't I connect to my CAS server with Perl's AuthCAS?
Cleanest & Fastest server setup for Django
Installing Apache Web Server on 64 Bit Mac
Running Apache alongside another web server?
Algorithm behind MD5Crypt
Can you compile Apache HTTP Server and redeploy its binaries to a different location ?
mod_rewrite rule to redirect all requests except for one specific path
How do I create a self signed SSL certificate to use while testing a web app.
Software for Webserver Log Analysis?
What is the difference between an endpoint, a service, and a port when working with webservices?
What are the proper permissions for an upload folder with PHP/Apache?
mod_rewrite to alias one file suffix type to another
How do you redirect HTTPS to HTTP?
Using mod_rewrite to Mimic SSL Virtual Hosts?
User authentication on Resin webserver
How do you set up Python scripts to work in Apache 2.0?
Block user access to internals of a site using HTTP_REFERER
.htaccess directives to *not* redirect certain URLs
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP