英文:
Best practice for redirecting URLs
问题
我有一个域名 'example.com'。
我想要的是使我的URL尽可能干净和可读。
例如:
- example.com/login
- example.com/about-us
- 等等。
但由于有文件扩展名,并且我的文件不都在服务器(Apache)的文档根目录中,我需要重定向它们:
- example.com/login => example.com/authorization/login/login.php
- example.com/about-us => example.com/pages/about-us/about-us.html
但实现这种行为的最佳方式是什么?
出于测试目的,我使用Apache的.htaccess文件进行了如下操作:
RewriteEngine On
RewriteRule ^login/?$ /authorization/login/login.php
RewriteRule ^about-us/?$ /pages/about-us/about-us.html
然而,这似乎不是一个公共网站的最佳方式。
出于安全考虑,.htaccess文件比标准的Apache配置更容易访问,更改会立即生效(无需重新启动服务器)。这使用户有权限在.htaccess文件中进行更改,从而对服务器本身具有很大的控制权。放置在.htaccess文件中的任何指令都与放置在Apache配置文件中的指令具有相同的效果。此外,值得注意的是,如果用户可以访问Apache配置文件本身,Apache通常不鼓励使用.htaccess文件。
英文:
I have a domain 'example.com'.
What I want to do is having my URL's as clean and readable as possible
For Example:
- example.com/login
- example.com/about-us
- etc.
but since there are file extension and my files are not all in the servers (Apache) document root I need to redirect them:
- example.com/login => example.com/authorization/login/login.php
- example.com/about-us => example.com/pages/about-us/about-us.html
But what is the best way too achieve this kind of behaviour?
For testing purposes I did it using Apaches .htaccess file like this:
RewriteEngine On
RewriteRule ^login/?$ /authorization/login/login.php
RewriteRule ^about-us/?$ /pages/about-us/about-us.html
This however doesn't seem like the best way way to do for a public website.
Edit:
This assumption is mainly based on articles like this
or this:
> For security, the .htaccess file is much more accessible than standard Apache configuration and the changes are made live instantly (without the need to restart the server). This grants users permission to make alterations in the .htaccess file, giving them a lot of control over the server itself. Any directive placed in the .htaccess file, has the same effect as it would in the Apache configuration itself. It’s also important to note that Apache generally discourages the use of .htaccess if the user can access the Apache configuration files themselves.
答案1
得分: 1
你提供的额外信息解决了关于在何处实施重写规则的问题,而不是重写规则本身是好还是坏的问题。
确实,应该始终首选在http服务器的中央配置中进行配置,而不是在分布式配置文件中。
如果启用了分布式配置文件(通常称为".htaccess"),确实可以添加该功能,主要是为那些无法访问中央配置的情况提供的(即:非常便宜的网络服务提供商)。但今天,Web应用程序框架通常错误地使用此功能,这些框架依赖于能够将自己的配置写入这些文件。这对于想要操作这些应用程序的不熟练的人来说很方便,但显然会带来严重的安全威胁……显然,软件绝不能改变其自身的实现。
除了安全问题,还有一个要考虑的重要点是http服务器的性能。使用分布式配置文件肯定会产生负面影响。对于每个请求,都必须读取和解释所请求路径上的所有这些文件。文件层次结构增加了整体设置的复杂性。而且,它使调试变得更加困难。
所以,通常情况下,你应该使用http服务器的中央配置,除非你有特定的原因不这样做。
英文:
The additional information you provided addresses the question where you implement your rewrite rules. Not whether using rewrite rules is good or bad in the first place.
Indeed one should always prefer to configure the http server in its central configuration. Not in distributed configuration files.
If enabled, you can indeed add distributed configuration files (often called ".htaccess"), that feature is provided mainly for situations where you don't have access to the central configuration (read: really cheap web service providers). That feature is typically miss used today by web application frameworks that rely on being able to write its own configuration into such files. That works and is convenient for unexperienced people who want to operate such applications. But it obviously raises massive security threats ... A software should obviously never be able to alter its own implementation.
In addition to the security concerns it also is a valid point to address the http server's performance. Using distributed configuration files definitely has a negative impact. For each and every request all such files on the requested path have to be read and interpreted. The file hierarchy adds complexity to the fulil setup. And it makes debugging a much more difficult task.
So yes, usually you should use the central configuration of the http server. Unless you have specific reasons not to
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论