.htaccess rewrite rule to external domain - client IP and HTTP referer - .htaccess

let's say i'm running a web site at www.domain1.com
in ".htaccess" i do a redirect to an external "domain2" as follows:
RewriteEngine On
RewriteBase /
RewriteRule ^mydirectory/(.*)$ http://www.domain2.com/mydirectory/$1 [NC,L]
note that in the RewriteRule i'm not passing the flags [R] or [R=301].
and now i'm opening http://www.domain1.com/mydirectory/ from a web browser.
in the logs of that external "domain2", what exactly will show up as:
client IP
HTTP referrer (referer)
will the client IP be from the actual client web browser, or from my web server running at "domain1"?
will there be any hints that it got "redirected" from my "domain1"? in the "referer" field, for example?
and will the web client be notified about any "redirection" status code?

will the client IP be from the actual client web browser, or from my web server running at "domain"?
The "actual client web browser". (Or, whatever IP would normally be reported when that client makes a request to domain2.com, as they could be connecting through a proxy server, VPN, etc.)
A redirect response from domain1.com is an instruction for the client to make an entirely new request to domain2.com.
will there be any hints that it got "redirected" from my "domain1"? in the "referer" field, for example?
Not if you make the redirect as soon as the user first arrives at domain1.com. Generally, the browser preserves the Referer header from the previous "non-redirected" request. The redirect itself does not generate a Referer.
So, if you make a direct request to domain1.com (ie. no Referer) then no Referer will be passed in the redirected request to domain2.com.
However, if a user followed a link from another-domain.com to domain1.com (ie. another-domain.com is the Referer) and you issue a "redirect" from domain1.com to domain2.com then the browser would pass another-domain.com as the Referer (by default).
And if you allowed the user to browse domain1.com for a while (navigating from page to page - which will naturally generate a Referer) before issuing a redirect to domain2.com then domain1.com will likely be seen as the Referer when the client makes the request to domain2.com. At least, by default, this can be overridden by setting a Referrer-Policy (in modern browsers) on the referring site.
Of course, the user may have configured their browser to suppress the Referer and the originating website (eg. another-domain.com, or domain1.com) can also suppress the Referer being sent by setting a Referrer-Policy in modern browsers. Old browsers (such as IE11) do not support this, so you are at the mercy of whatever defaults the browser uses.
and will the web client be notified about any "redirection" status code?
Yes, that's what a redirect is.
If domain1.com redirects to domain2.com then...
domain1.com sends a 3xx redirect response back to the client with a Location HTTP response header telling the client of the URL to make a request to.
The client's browser then makes a new request to the URL stated in the Location header.
RewriteEngine On
RewriteBase /
RewriteRule ^mydirectory/(.*)$ http://www.domain2.com/mydirectory/$1 [NC,L]
Note that this generates a 302 (temporary) redirect, even though the status code (R or R=301) is not explicitly stated. (The RewriteBase directive is entirely superfluous here.)

Related

How to preserve referrer (Referer HTTP header) across subdomains?

I have a website running on www.example.com that makes GET requests to api.example.com to process a form. When I examine web server logs for api.example.com I see that requests from Safari get the full referer (e.g., www.example.com/page-where-request-originated). But requests from Chrome only get a partial referer (www.example.com).
I need the ability to track the full referring page when the request hits api.example.com. Reviewing the documentation for Referrer-Policy it seems my only option is to set it to unsafe-url. But that seems overkill because I only want the referrer to be sent for subdomains of example.com. Is that possible?
The only option I can find is strict-origin : Send the origin as referrer, but only when the request is no downgrade from https to http.
see: https://wiki.crashtest-security.com/enable-security-headers
Everything else will either omit the referrer completely or send the origin URL without any URL parameters.
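An added example, not part of the original posts: a simplified model of how a browser derives the Referer value under each Referrer-Policy, applied to the www.example.com to api.example.com case from the question. The URLs are constructed samples, the function names are hypothetical, and a "downgrade" is approximated as HTTPS to non-HTTPS.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """(scheme, host, port) triple; two URLs are same-origin only if all three match."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme))

def serialize(url, origin_only=False):
    """Referrer form of a URL: no credentials, no fragment, optionally origin only."""
    u = urlsplit(url)
    host = u.hostname
    if u.port and u.port != DEFAULT_PORTS.get(u.scheme):
        host += f":{u.port}"
    if origin_only:
        return f"{u.scheme}://{host}/"
    return f"{u.scheme}://{host}{u.path or '/'}" + (f"?{u.query}" if u.query else "")

def referer_sent(policy, source, dest):
    """Referer header value for a request from page `source` to `dest`; None means omitted."""
    same = origin(source) == origin(dest)
    # Simplification (assumption): a downgrade is https -> anything that is not https.
    downgrade = urlsplit(source).scheme == "https" and urlsplit(dest).scheme != "https"
    full, org = serialize(source), serialize(source, origin_only=True)
    rules = {
        "no-referrer": None,
        "unsafe-url": full,
        "origin": org,
        "same-origin": full if same else None,
        "origin-when-cross-origin": full if same else org,
        "strict-origin": None if downgrade else org,
        "no-referrer-when-downgrade": None if downgrade else full,
        "strict-origin-when-cross-origin": full if same else (None if downgrade else org),
    }
    if policy not in rules:
        raise ValueError(f"unknown Referrer-Policy: {policy}")
    return rules[policy]

# Constructed sample URLs modelled on the question (www page calling the api subdomain).
PAGE = "https://www.example.com/page-where-request-originated?step=2#form"
API = "https://api.example.com/submit"

if __name__ == "__main__":
    for p in ("strict-origin-when-cross-origin", "strict-origin", "same-origin", "unsafe-url"):
        print(f"{p:32} -> {referer_sent(p, PAGE, API)}")
```

The comparison is by origin, not by registrable domain, so www.example.com and api.example.com count as cross-origin and none of the policies sends the full URL to sibling subdomains only.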

Blocking subdomain with htaccess. But only access from main domain

I have a domain (example.com) and I want to load a page from this subdomain (subdomain.example.com) within an iframe. But I want to block direct access to the subdomain with .htaccess. So I have edited the .htaccess in the subdomain with the code below.
There I have added access only to the localhost, but it doesn't work. It gives me page error. How can I solve this?
RewriteEngine On
#RewriteCond %{HTTP_HOST} ^(www\.)?subdomain.myurl.com$
#--allowed ip(s)--#
#RewriteCond %{REMOTE_ADDR} !^(127.0.0.1)$
#RewriteRule ^ - [F,L]
You can't reliably do this with .htaccess. The problem here is that when the browser requests the subdomain's URL in the IFRAME, this is also essentially a "direct request" - a direct request from the client. So, from the server's perspective, it's difficult to determine whether the request is from within the iframe or not.
The closest you can get is to check the HTTP Referer request header (as sent by the browser), which should be set to example.com when the document in the IFRAME is requested. However, this is unreliable, can be easily faked and will block indexing - if that is a concern. If a user types the URL directly in the browser's address bar then there is no HTTP Referer, but likewise, the Googlebot also does not send a Referer header.
For example, in the root of the subdomain:
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://(subdomain\.)?example\.com
RewriteRule ^ - [F]
If the HTTP Referer does not start with http://example.com or http://subdomain.example.com (HTTP or HTTPS) then block the request (403 Forbidden).
The L flag is not required when using the F flag - it is implied.
Alternatively, you could perhaps use JavaScript to detect whether the document is contained in a frame or not and if not, redirect to the framed document. However, this would only work if you have a single "master" document that contains the IFRAME.
There I have added access only to the localhost
The IP address from which the request originates has nothing to do with whether the subdomain is being requested from within an IFRAME on the main domain.
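An added example, not part of the original answer: the Referer condition above replayed over constructed header values, next to a variant that requires the hostname to end directly after example.com. The bounded pattern and all sample Referer values are assumptions made for illustration.

```python
import re

# Pattern from the answer above (subdomain group optional), matched as a prefix.
PREFIX = re.compile(r"^https?://(subdomain\.)?example\.com")
# Assumed tightening (not from the page): the host must end right after example.com.
BOUNDED = re.compile(r"^https?://(subdomain\.)?example\.com(:\d+)?(/|$)")

def decision(pattern, referer):
    """Mirror `RewriteCond %{HTTP_REFERER} !pattern` followed by `RewriteRule ^ - [F]`."""
    # A request without the header is tested against an empty string.
    return 200 if pattern.search(referer or "") else 403

# Constructed Referer values; None stands for a request that sends no Referer header.
SAMPLES = {
    "framed by main site": "https://example.com/page-with-iframe",
    "origin-only Referer from main site": "https://example.com/",
    "link inside the subdomain": "https://subdomain.example.com/widget",
    "address bar, crawler, or no-referrer policy": None,
    "unrelated site": "https://another-domain.com/",
    "other host sharing the prefix": "https://example.com.other.test/",
}

def evaluate():
    """Return {label: (status with PREFIX, status with BOUNDED)} for every sample."""
    return {
        label: (decision(PREFIX, ref), decision(BOUNDED, ref))
        for label, ref in SAMPLES.items()
    }

if __name__ == "__main__":
    for label, (loose, tight) in evaluate().items():
        print(f"{label:45} prefix={loose} bounded={tight}")
```

Both patterns still depend on a header the client controls and reject every request that arrives without one, which is the unreliability the answer describes.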

how to trash a cached http 302 response

I had an old website that permanently redirected (HTTP 302) all traffic from http://example.com/ to http://example.com/drupal
now I re-implemented the entire website on wordpress but the old redirection is still cached on my users' browsers and breaking my revisiting users' experience (for some assets only).
I was thinking of adding to my new website a route serving as /drupal that will force the browser to trash the cache, is there a way to do so? maybe some http headers/javascript to trash the cache?
what do you think?
(BTW, I'm on a hosted service so my options are limited to php / .htaccess / javascript but I can't change http server configurations)
You said :
permanently redirected (HTTP 302)
But it's either:
temporary redirect (HTTP 302)
permanent redirect (HTTP 301)
302 responses are usually not cached in browsers. If you were using 301 response code this could be stored until the user closes the browser. If you have problems with your users it certainly means you were using 301, but if it is not the case it means something between you and the final user is storing a cache of the redirection (like a reverse proxy cache in front of your server?).
If you were using a 301 you might try to add a temporary redirect on /drupal to /. But this may create an infinite redirection loop on the browsers. You can maybe prevent it by adding a fake argument on the redirection, like redirecting to /?redir=fix.

Difference between IIS Redirect and Rewrite (in relation to redirecting)

The question may sound odd, but given an article, it is definitely possible to use the rewrite module to perform redirects just as with the redirect module. Both are able to issue a permanent redirect (301).
There is a question asking for the difference, but it talks about the rewrite module being used to purely rewrite not redirect. Another post makes this clear, but doesn't seem to get an adequate answer.
Hence, my question: What's the difference between these modules? Which is preferred over the other when it comes to redirects?
NOTE: THIS ANSWER DOES NOT answer difference between IIS Redirect (httpRedirect) vs URL Rewrite Module's Redirect but rather difference between URL Rewrite Module's (redirect vs rewrite).
If you are trying to hide complex URL (with querystrings) to more friendly URLs then Rewrite is the way to go as browser/Search Engines will always see 200 OK and assume the content is coming from requested original URL.
If you are trying to indicate a change of resource to search engines/users of new URL then Redirect is the way to go as you are sending 301 status code saying that resource has moved from original to this new location.
IIS Redirect:
Redirecting happens at Client Side
Browser sees a different URL In address bar.
Client aware of a redirect URL.
301/302 can be issued. Edit: (303/307 can be issued too)
Good for SEO/Search Engine to indicate of new URL. mysite.com/abc to mysite.com/pqr
Can be redirected to same site or different site altogether.
IIS Rewrite:
Redirecting happens at Server Side
Browser does not see new URL in address bar.
Client unaware if content is served from a re-written URL.
No 301/302 are issued. This will have normal 200 OK assuming that rewritten URL Resource is available.
Good to hide unfriendly URL and also SEO. mysite.com/article/test-sub/ to mysite.com/article.aspx?id=test-sub
Generally for a resource within same site.
Request Handling (REDIRECT): www.mysite.com/abc to redirect to www.mysite.com/pqr
Client calls: www.mysite.com/abc
URL Rewrite Module sees a rule match for client URL and gives new redirect URL.
Server responds with 301 with new URL for client to call www.mysite.com/pqr
Client calls new URL www.mysite.com/pqr
Server responds with 200 OK for new URL. (address bar shows new URL)
Request Handling (REWRITE): www.mysite.com/abc which you want to point to www.mysite.com/pqr
Client calls: www.mysite.com/abc
URL Rewrite Module sees a rule match and provides new rewritten url to IIS i.e. www.mysite.com/pqr and Server makes request for that URL within IIS.
Server responds with 200 OK for original URL but with content from rewritten url. (address bar shows original URL and client does not know that you are serving content from different URL)

How to redirect https to subdomain?

I want to redirect both http://www.mysite.com and https://www.mysite.com to https://secure.mysite.com under IIS7.5.
I've installed the HTTP Redirect module, which seems to work fine for http:// redirect, by setting up a site binding to http and a HTTP redirect to (exact site)
But how do I redirect https://www.mysite.com to https://secure.mysite.com?
If I set up a HTTPS binding for the website it seems to bind to www.mysite.com automatically, even though the SSL certificate is for secure.mysite.com, and there doesn't seem to be any way to split the two.
Ideally I'd like to do this via IIS configuration rather than code..
