Apache's .htaccess file options makes it easy to have clean URLs, smart redirects, and even control SSL connections.  In this post, I am going to give you several tips on how you make your web applications smarter.  Note that your server must support mod_rewrite in order to use these tips.


Make Sure Everyone is on the Same Domain

Even if you don’t have multiple domains pointing to your site, it’s possible that www.example.com and just example.com will work.  If that’s the case, Google and other search engines could be crawling your site twice and the website could take a ranking hit for duplicate content.  The following example shows how we can redirect visitors from two domains down to one.

RewriteCond %{HTTP_HOST} ^www.example.net$ [NC,OR]
RewriteCond %{HTTP_HOST} ^example.net$ [NC,OR]
RewriteCond %{HTTP_HOST} ^www.example.com$ [NC]
RewriteRule ^(.*)$ http://example.com/$1 [R=301,L]

Force SSL on Specific Site Directories

I use SSL on a couple of my sites, but it doesn’t need to be enabled (or forced) on the entire site, so we use .htaccess mod_rewrite rules to enforce SSL where we need it.  The following peice of code will force SSL on all requests in the directory named ‘secure’.

RewriteCond %{HTTPS} off
RewriteRule ^secure/.*$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Both of these lines need to be copied if we need to enforce more than one directory, so if we need the directory ‘secure’ and the the directory ‘users’ secured, we would use this code.

RewriteCond %{HTTPS} off
RewriteRule ^secure/.*$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

RewriteCond %{HTTPS} off
RewriteRule ^users/.*$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

For the rest of the site, we don’t need SSL, so use something like this if we have the ‘secure’ and ‘users’ directory with SSL enabled.

RewriteCond %{HTTPS} on
RewriteCond %{REQUEST_URI} !secure/.*$
RewriteCond %{REQUEST_URI} !users/.*$
RewriteRule ^(.*)$ http://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Force SSL on a Domain or Sub-Domain

Similar to the need above, we can force SSL on an entire domain if we need to.

RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^wells-it.com$ [NC]
RewriteRule ^.*$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Take a Website Offline

If a website needs to go down for maintenance or whatever, that can be done with a simple few lines of code.  Just remember to change the page’s path in both lines where you see not-up.htm, or you could create a redirect loop.

RewriteCond %{REMOTE_HOST} !^123\.214\.71\.126
RewriteCond %{REQUEST_URI} !/static/not-up\.htm$
RewriteRule .* /static/not-up.htm [R=302,L]

Remove ‘index.php’ From the URL

This is one that will come in handy if you use CodeIgniter or any other framework that sends all requests through index.php.  Basically, this code checks to see if the URL request exists as a static file or directory.  If does, it would be a picture, style sheet, javascript include, etc.  If it is not found, then it assumes that it must be for the framework to handle, and it sends it to the index.php file.

RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php/$1 [L]

Keep Visitors Off the Stage

On my large sites, I have both a production copy and a stage copy.  The stage copy is where I do all my developing and testing.  When I am satisfied with the changes, I push the changes to my live site.  The problem is that I don’t want site visitors seeing my stage copy, so I use some mod_rewrite code to keep them off.  You need to know your IP address for this one, and if you have a dynamic IP, you will have to change the file every time you get a new one.

RewriteCond %{REMOTE_HOST} !^56\.51\.98\.126
RewriteCond %{HTTP_HOST} ^stage.wells-it.com$ [NC]
RewriteRule ^(.*)$ http://wells-it.com/$1 [R=301,L]

If you have multiple IP address that you want access to the stage, you can just add another condition.

RewriteCond %{REMOTE_HOST} !^56\.51\.98\.126
RewriteCond %{REMOTE_HOST} !^74\.65\.95\.128
RewriteCond %{HTTP_HOST} ^stage.wells-it.com$ [NC]
RewriteRule ^(.*)$ http://wells-it.com/$1 [R=301,L]

Turn .htaccess Into a Web Application Firewall

I didn’t write this one, so I can’t take credit for it, but you can find the code here.  It contains some very slick code to keep malicious page requests from getting through to your web applications.

Final Notes

Since some of these URL rewrites actually redirect the browser, it’s possible to get into a redirect loop where you will never satisfy the rules you have in place, and the browser will redirect forever…until it detects a loop and stops with an error.  If this happenes, try to see where the loop is or post a comment if you’re stuck.


5 Responses to “Several mod_rewrite Tricks for a Better Web Application”

Leave a Reply





Wordpress doesn't like it when you post PHP code. Go save your code at pastebin, and post the link here.

About the Author

Andrew has been coding PHP applications since 2006, and has plenty of experience with PHP, MySQL, and Apache. He prefers Ubuntu Linux on his desktop and has plenty of experience at managing CentOS web servers. He is the owner of Wells IT Solutions LLC, and develops PHP applications full time for anyone that needs it as well as does desktop computer support locally in the local area. He spends most of his free time exploring new programming concepts and posting on The Webmaster Forums.