Complements to the previous article: hash the file map, use a /static URL, and avoid security problems with this new mode.
In a previous blog entry
I presented the basics of RewriteRule settings to serve some targeted Plone static files directly from Apache,
without proxying to Plone.
That article, in short, introduced Apache as a proxy for most pages but as a direct file server for static resources,
with a map of application URLs to real filesystem files stored in a text file and served via RewriteMap.
Now let's make this solution even better:
use a hash map for URL mappings
create a virtual /static URL and apply some cache management rules to its contents
allow the use of the /static/ URL directly
ensure only mapped static files are served via this static directory
First thing to change: we used a simple text file for the mapping, but mod_rewrite also allows us to use a hash file.
Simply change:
to:
And to generate the .map file simply read the comments.
One important point: if you do not remove the old map before generating the new one,
old entries are still in the .map. To see it without too much garbage, use:
OK, so now let's look at the current RewriteRule:
for matched elements the rewrite is done and the file is served directly.
We would like to apply some Apache settings to these files;
the solution is to add the [PT] (pass-through) option to the rewrite rule.
Apache will then continue to analyse the resulting URL as if it were an originally
requested URL.
That means the proxy settings, for example, will be applied to it.
So we will also add /static to the resulting URL and prevent /static from being served by the proxy.
The RewriteRule is now:
And we add this ProxyPass exception:
We now have a virtual /static directory with all these mapped contents inside.
We can use it to get back the original DocumentRoot,
and use an alias to point /static to our webapp sources (here /opt/plone/source).
And then we can add Expires settings from mod_expires on this /static location...
well, in fact mod_expires requires a Directory directive, so it will be on the /opt/plone/source directory.
Reset DocumentRoot:
Remove this line:
And add these settings:
That's done. Now we have a big security hole :-(.
Most files from /opt/plone/source are available via the /static URL,
as /static is not proxied anymore and is now an alias to the filesystem directory, where we have an allow from all...
So we should add some RewriteRules to check which files are allowed via direct access on /static.
And by default it should be none.
But that's sad; it would be nice to promote good behaviour among those wtf programmers who aren't admins:
we should let them use /static URLs for files known to be static.
And maybe one day they'll think it's a good idea to make the distinction between known static files and dynamic content...
So we'll ask developers to add some entries in staticplonefiles.txt, making a mapping from static/files to real files this way (see, every entry is present 2 times):
And now our 3 static examples are available as well with the /static url. Well in fact do not forget to add this rule:
This will check that all directly accessed files via /static are present in our mapping.
And it's all done.
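Since a developer-edited map is now the only thing separating /static from the rest of /opt/plone/source, it is worth auditing the text map before regenerating the hash file. The following is an added example, not part of the original article: it assumes map values are paths relative to /opt/plone/source, and the extension allowlist and sample entries are constructed for illustration.

```python
import posixpath

SOURCE_ROOT = "/opt/plone/source"   # Alias target named in the article
# Assumed allowlist of static extensions; adjust to your site.
STATIC_EXT = {".css", ".js", ".png", ".gif", ".jpg", ".ico"}

# Constructed sample entries, not the article's real map.
SAMPLE = """\
# txt RewriteMap: key, whitespace, value
/logo.png Products/Theme/skins/logo.png
/static/Products/Theme/skins/logo.png Products/Theme/skins/logo.png
/config Products/Theme/configure.zcml
/x.png ../../etc/x.png
/broken
"""

def audit(text, root=SOURCE_ROOT, allowed=STATIC_EXT):
    """Return (line number, key, reason) for every map entry that should
    not be published through the /static alias."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue                      # blank line or comment
        if len(fields) < 2:
            findings.append((n, fields[0], "no target"))
            continue
        key, value = fields[0], fields[1]
        # Resolve the value under the alias root and collapse any ".." parts.
        target = posixpath.normpath(posixpath.join(root, value.lstrip("/")))
        if target != root and not target.startswith(root + "/"):
            findings.append((n, key, "target escapes source root"))
        elif posixpath.splitext(target)[1].lower() not in allowed:
            findings.append((n, key, "not a static file type"))
    return findings

if __name__ == "__main__":
    for lineno, key, reason in audit(SAMPLE):
        print(f"line {lineno}: {key}: {reason}")
```

Run it on staticplonefiles.txt before each regeneration of the .map file and refuse to publish the map if it reports anything.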
As with the previous post, you should really activate RewriteLog and look at what it does
for several different files, but now you should also adjust the Apache LogLevel for this
VirtualHost and check the error log to observe what is done after the rewrite.
As an example of debug here are some debug outputs for:
a matched image
index.php, which won't be proxied afterwards
the / base URI, which will be proxied
an unmapped image
a direct access via /static for a forbidden file
Quite readable, isn't it? But do not forget to remove debugging for production environments.