You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by "Belov, Charles" <Ch...@sfmta.com> on 2011/02/15 20:52:59 UTC

[users@httpd] Rewrite conflicts with partial downloads

The SFMTA has various archival documents on the www.sfmta.com website
which we need to retain without modification for public disclosure.  As
the documents have the potential of being mistaken for current
information, I put in a feature in which a request that comes in without
a referer from a document's parent directory will be shown a warning
page informing the requestor that the document is archival.  They can
then follow an altered link to the document which will not require an
authorized referer.

I had to back this change out because it turns out that when Internet
Explorer (and possibly other browsers) do this download, it sends a
referer for the initial request but then sends additional partial
requests without the referer.  So the first part of the file gets
downloaded, then requests for additional parts of the file get
redirected to the warning page, causing Internet Explorer to freeze.

The question is, is there a way I can indicate to mod_rewrite that this
is a follow-up partial request -- that is, detect the range request
header -- and that it is not to do a rewrite of the URL?

I plan to separately report this as a bug to Microsoft, but in the
meantime, site visitors need to be able to access the file without
freezing their browser.  So the question is, is there a way I can
prevent the rewrite in the case of a partial request?

Details follow:

Example file of interest:  
http://www.sfmta.com/cms/cmta/documents/2-15-11Item11.pdf

Example referer:
http://www.sfmta.com/cms/cmta/SFMTABoardFeb.152011SpecialMeetingagenda.h
tm

.htaccess rewrite code for the /cms/cmta/documents directory (currently
backed out):

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://(www\.)?sfmta\.com/cms/cmta/ [NC]
RewriteCond %{HTTP_REFERER} !^https://sfmta\.securesites\.net/cms/cmta/
[NC]
RewriteCond %{QUERY_STRING} !^giveMeTheArchive$
RewriteRule ^(.*)$
/cms/asystem/302-archive-warning.php?request=/cms/cmta/documents/$1 [R]

www.sfmta.com/cms/asystem/302-archive-warning.php?request=/cms/cmta/docu
ments/2-15-11Item11.pdf 
will give a warning page which produces a sanitized link to
http://www.sfmta.com/cms/cmta/documents/2-15-11Item11.pdf?giveMeTheArchi
ve

Server log for a sample Internet Explorer request:

Request 1 at 9:21:06 PT: 
GET /cms/cmta/documents/2-15-11Item11.pdf HTTP/1.1
Referer: 
http://www.sfmta.com/cms/cmta/SFMTABoardFeb.152011SpecialMeetingagenda.h
tm
Result:  200 OK status, 751,863 bytes 

Request 2 at 9:21:07 PT:
GET /cms/cmta/documents/2-15-11Item11.pdf HTTP/1.1
Referer: -
Result:  303 See Other status, 253 bytes

Request 3 at 9:21:07 PT
GET
/cms/asystem/302-archive-warning.php?request=/cms/cmta/documents/2-15-11
Item11.pdf HTTP/1.1
Referer: -
Result:  416 Requested Range Not Satisfiable status, 230 bytes

Well, of course there is a 416, since the request is no longer for the
PDF but for the warning page.  But it's a moot point, since the task was
in trouble as of request 2 when it came in without a referer, even
though it's a follow-up on request 1, which did have the referer, and
got redirected.





Hope this helps,
Charles Belov
SFMTA Webmaster


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] RE: Rewrite conflicts with partial downloads

Posted by Igor Galić <i....@brainsware.org>.

> Corrected solution .htaccess file, currently implemented in
> /cmta_test/
> directory.

Sorry to only chime in now - but I don't have enough of a clue
about mod_rewrite, so I don't feel comfortable answering more
complex questions.

The one thing I do know is that we do not recommend putting
RewriteRules in .htaccess, when you have access to the server's
configuration files.

http://wiki.apache.org/httpd/RewriteContext

i

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

[users@httpd] RE: Rewrite conflicts with partial downloads

Posted by "Belov, Charles" <Ch...@sfmta.com>.

I appear to have found a workable solution.

> -----Original Message-----
> From: Belov, Charles 
> Sent: Tuesday, February 15, 2011 11:53 AM
> To: 'users@httpd.apache.org'
> Subject: Rewrite conflicts with partial downloads
> 
> The SFMTA has various archival documents on the www.sfmta.com 
> website which we need to retain without modification for 
> public disclosure.  As the documents have the potential of 
> being mistaken for current information, I put in a feature in 
> which a request that comes in without a referer from a 
> document's parent directory will be shown a warning page 
> informing the requestor that the document is archival.  They 
> can then follow an altered link to the document which will 
> not require an authorized referer.
> 
> I had to back this change out because it turns out that when 
> Internet Explorer (and possibly other browsers) do this 
> download, it sends a referer for the initial request but then 
> sends additional partial requests without the referer.  So 
> the first part of the file gets downloaded, then requests for 
> additional parts of the file get redirected to the warning 
> page, causing Internet Explorer to freeze.
> 
> The question is, is there a way I can indicate to mod_rewrite 
> that this is a follow-up partial request -- that is, detect 
> the range request header -- and that it is not to do a 
> rewrite of the URL?
> 
> I plan to separately report this as a bug to Microsoft, but 
> in the meantime, site visitors need to be able to access the 
> file without freezing their browser.  So the question is, is 
> there a way I can prevent the rewrite in the case of a 
> partial request?
> 
> Details follow:
> 
> Example file of interest:  
> http://www.sfmta.com/cms/cmta/documents/2-15-11Item11.pdf
> 
> Example referer:
> http://www.sfmta.com/cms/cmta/SFMTABoardFeb.152011SpecialMeeti
> ngagenda.htm
> 
> .htaccess rewrite code for the /cms/cmta/documents directory 
> (currently backed out):
> 

Corrected solution .htaccess file, currently implemented in /cmta_test/
directory.

# /cms/cmta/documents/.htaccess

# if someone enters just www.sfmuni.com/cmta/, go to this page
DirectoryIndex mtaindx.htm

# if not referred from cmta and not an override, give warning before
allowing
RewriteEngine On
RewriteCond %{HTTP_REFERER}
!^http://(www\.)?sfmta\.com/cms/cmta(_test)?/ [NC]
RewriteCond %{HTTP_REFERER}
!^https://sfmta\.securesites\.net/cms/cmta(_test)?/ [NC]
RewriteCond %{QUERY_STRING} !^giveMeTheArchive$
RewriteRule ^(.*)$
/cms/asystem/302-archive-warning.php?request=/cms/cmta/documents/$1
[R=303,L]

# and feed back that the location is without the query part
# and that only the SFMTA.com location is to be indexed
SetEnvIf request_uri "^/(.*)$" this_request_uri=$1
Header set Location "http://www.sfmta.com/%{this_request_uri}e"

# prevent partial downloads for IE 
SetEnv acceptranges=bytes
BrowserMatchNoCase msie acceptranges=none 
Header set Accept-Ranges %{acceptranges}e

> 
> www.sfmta.com/cms/asystem/302-archive-warning.php?request=/cms
/cmta/documents/2-15-11Item11.pdf
> will give a warning page which produces a sanitized link to 
> http://www.sfmta.com/cms/cmta/documents/2-15-11Item11.pdf?give
> MeTheArchive
> 
> Server log for a sample Internet Explorer request:
> 
> Request 1 at 9:21:06 PT: 
> GET /cms/cmta/documents/2-15-11Item11.pdf HTTP/1.1
> Referer: 
> http://www.sfmta.com/cms/cmta/SFMTABoardFeb.152011SpecialMeeti
> ngagenda.htm
> Result:  200 OK status, 751,863 bytes 
> 
> Request 2 at 9:21:07 PT:
> GET /cms/cmta/documents/2-15-11Item11.pdf HTTP/1.1
> Referer: -
> Result:  303 See Other status, 253 bytes
> 
> Request 3 at 9:21:07 PT
> GET 
> /cms/asystem/302-archive-warning.php?request=/cms/cmta/documen
> ts/2-15-11Item11.pdf HTTP/1.1
> Referer: -
> Result:  416 Requested Range Not Satisfiable status, 230 bytes
> 
> Well, of course there is a 416, since the request is no 
> longer for the PDF but for the warning page.  But it's a moot 
> point, since the task was in trouble as of request 2 when it 
> came in without a referer, even though it's a follow-up on 
> request 1, which did have the referer, and got redirected.
> 

The issue is that by adding the header Accept-Ranges, it prevents
Internet Explorer from following up with a content-range request.
However, Firefox, which does provide a referer in conjunction with
content-range requests, displays a blank document in place of the PDF if
I send it the Accept-Ranges: none header.

BrowserMatch doesn't seem to allow me to conditionally send a header
only for IE, at least so far as I can tell by the documentation, and
none of the <...> directives seem to allow me to branch by browser.


 
Hope this helps,
Charles Belov
SFMTA Webmaster

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org