Recipes
Having ported the firewall to mod_setenvif, it is possible to also dispense with any remaining rewrite rules. Follow these steps:
- Using mod_rewrite for permalink settings is a relic from httpd 2.2. The same effect can now be achieved with mod_dir:
# This still takes precedence over nG-SetEnvIf.
SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0
FallbackResource /index.php
- Rules for access control can switch to using mod_setenvif or Cloudflare’s free-tier WAF.
nG deals in 403s. To fend off excessive 404s, use Wordfence. For best performance, opt out of ‘extended protection’.
Whether used primarily for page caching or DDoS mitigation, Cloudflare can complement the functionality of nG-SetEnvIf.
To stop requests circumventing the CF proxy, configure httpd for Authenticated Origin Pulls. For best performance, choose the ECC version of the private key for the origin CA certificate, opt out of the root certificate, and set SSLUseStapling to off. Then, comment out Listen 80.
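The mod_ssl settings described above, as an added example that is not taken from the nG-SetEnvIf project. The hostname and all file paths are placeholders, and the CA file is assumed to be Cloudflare's Authenticated Origin Pulls CA certificate saved locally.

```apache
# Plain HTTP listener disabled: every request must arrive over TLS via Cloudflare.
# Listen 80
Listen 443

# No OCSP stapling at the origin; the only TLS client is Cloudflare's edge.
SSLUseStapling off

<VirtualHost *:443>
    # Placeholder hostname (assumption).
    ServerName example.com

    SSLEngine on

    # Cloudflare origin CA certificate issued with the ECC key type.
    # Leaf certificate only: the origin CA root is not appended to this file.
    # Placeholder paths (assumption).
    SSLCertificateFile    /etc/ssl/cloudflare/origin-ecc.pem
    SSLCertificateKeyFile /etc/ssl/cloudflare/origin-ecc.key

    # Authenticated Origin Pulls: require a client certificate that chains
    # to Cloudflare's origin-pull CA, so requests that bypass the proxy
    # are rejected by mod_ssl.
    # Placeholder path (assumption).
    SSLCACertificateFile  /etc/ssl/cloudflare/authenticated_origin_pull_ca.pem
    SSLVerifyClient       require
    SSLVerifyDepth        1
</VirtualHost>
```

After `apachectl configtest` and a reload, a request sent straight to the origin address without Cloudflare's client certificate should be refused at the TLS layer, before it reaches nG-SetEnvIf or WordPress.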
If the primary edge certificate uses RSA, switch to ECDSA by setting the certificate authority to lets_encrypt via an API call.
To supplement nG-SetEnvIf with additional rules, combine them into a Custom Rule for CF’s free-tier WAF. Doing so not only takes advantage of the non-backtracking algorithm of RE2 (as opposed to PCRE used in httpd), but also streamlines maintenance when upgrading nG-SetEnvIf.
Depending on your specific settings, CF’s URL normalisation can take over some of the functionality of nG-SetEnvIf.
mod_rewrite should be considered a last resort, when other alternatives are found wanting. Using it when there are simpler alternatives leads to configurations which are confusing, fragile, and hard to maintain. Understanding what other alternatives are available is a very important step towards mod_rewrite mastery
— Rich Bowen