Apache .htaccess to redirect index.html to root, why FollowSymlinks and RewriteBase?

13,482

Why they're suggested:

It's suggested that you add Options +FollowSymlinks because it's necessary that symlink following is enabled for mod_rewrite to work, and there's a chance that, while you may be allowed to turn it on, it's not enabled by the main server configuration. I suspect the reason that symlink following is necessary is beause the module makes a number of calls to apr_stat(), which looks like it needs to follow symlinks in order to get file information in all cases.

As for RewriteBase, it's typically not necessary. The documentation goes on about it, but as most people's files do live under the DocumentRoot somewhere, it usually only serves a purpose if you're redirecting externally and you use directory-relative URLs. To illustrate what I mean, consider the following:

RewriteEngine On

RewriteRule ^redirect index.html [R,L]

A request for example.com/redirect will result in an external redirect to example.com/full/path/to/web/root/index.html. The reason for this is that before it handles the redirection, mod_rewrite re-appends the current directory path (which is the default value of RewriteBase). If you modified RewriteBase to be /, then the path information would be replaced with that string, so a request for index.html would now be a request for /index.html.

Note that you could just have done this explicitly on the replace too, regardless of the value of RewriteBase:

RewriteEngine On

RewriteRule ^redirect /index.html [R,L]

...works as intended, for example. However, if you had many rules that needed a common base and were being shifted around between directories, or your content wasn't under the root, it would be useful to appropriately set RewriteBase in that case.

The risk of not using them:

There's absolutely no security risk in not specifying Options +FollowSymlinks, because if you don't and it's not set by the main server configuration, mod_rewrite will always return 403 Forbidden. That's kind of problematic for people trying to view your content, but it definitely doesn't give them any extended opportunity to exploit your code.

Not setting RewriteBase could expose the path to your web content if you had an improperly configured rule set in one of your .htaccess files, but I'm not sure that there's any reason to consider that a security risk.

Share:
13,482
Marco Demaio
Author by

Marco Demaio

Just love coding all day long! Now I'm using PHP and Javascript for my daytime job. I took part in realizing all the back end application to handle the orders, contracts and invoices for a site that sells posta certificata per aziende. Language I love most is C++ Language I hate most is VB6/VB.NET Wishes: to see PHP becoming more OO with operator overloading, and Python add curly braces. I have started coding in BASIC since I was a 13 years old kid with a Commodore 64 and Apple II. During University they taught me C and C++ and JAVA and I realized even more how much I love to code. :) Funny stuff: Micro Roundcube plugin to improve the search box

Updated on June 09, 2022

Comments

  • Marco Demaio
    Marco Demaio 8 months

    In order to redirect all somefolder/index.html (and also somefolder/index.htm) to somefolder/ I use this simple rewrite rule in Apache .htaccess file:

    RewriteEngine on
    RewriteCond %{THE_REQUEST} ^.*\/index\.html?\ HTTP/
    RewriteRule ^(.*)index\.html?$ "/$1" [R=301,L]
    

    This works well!

    But at Google groups they suggest to add also:

    Options +FollowSymlinks 
    RewriteBase / 
    
    1. Could anyone be so kind to explain me why would i have to add these last lines, and explain me a bit what they mean and what they do?

    2. Is there a potential secuirty risk in not adding these lines?

    Many thanks,

  • Marco Demaio
    Marco Demaio over 12 years
    +1 and thanks for the time you took in explaining all this. I wish I could upvote you more. I wonder if RewriteBase might be teh solution to solve this other question I asked: stackoverflow.com/questions/3242322/…
  • Tim Stone
    Tim Stone over 12 years
    @Marco Demaio: No problem! As for your other question, I'll take a look at it later today and see if I have any suggestions.