Testing URL ReWrite .htaccess or web.config

There are at least two methods to test if URL ReWrite is functioning:

  • Are pretty permalinks working?
  • Break .htaccess or web.config to determine if the web server is processing URL ReWrite. Interestingly, IIS and Apache are subject to the same “break” and both respond with server errors if rewrite is broken.

IIS web.config

  • Add some uncommented text, i.e. outside of the well-formed XML tags
<?xml version="1.0" encoding="UTF-8"?>
<!-- comments -->
break rewrite
<configuration>

Apache .htaccess

  • Add some un-commented text anywhere
# DOMAIN.TLD
# running as FastCGI so NO CAN USE php_value
# but 5.3 supports per dir php.ini
break rewrite

If the URL ReWrite file is broken, and the web server (either IIS or Apache) is processing the web.config or .htaccess of interest, the server emits an HTTP error. Depending on the error handling configuration, you might see the web server’s default error page, you might see a custom error page, or you may simply be redirected to the site’s home page (endless loop).

 

Protecting Files/Folders, Deny Web Server, Allow PHP

We would like to provide an extra level of security for files and folders that we can’t move outside the web server document root. A common scenario with shared web hosting is that IIS or Apache and PHP run under the same user account. We can provide this additional security by leveraging the different effect that allow / deny directives have on the web server versus their effect on PHP. In short, we can direct the web server not to go there, while at the same time allowing PHP.

IIS Authorization Rules

  • To allow/deny IIS, URL Authorization must be “turned on.” In IIS Manager -> Connections, select the server or a site, then make sure you are in “Features View.” Is “Authorization Rules” in the feature list?

view of IIS Manager feature list

  • If not, turn it on in Control Panel -> Programs and Features -> Turn Windows features on or off … Please wait … IIS -> WWW Services -> Security -> check the box for “URL Authorization”

view of Windows features

  • Click OK to turn on URL Authorization
  • Confirm in IIS Manager that Authorization Rules are now available

Use IIS Manager to handle editing the web.config for all folders (directories) in the Connections tree.

Example web.config: Deny All access to a folder, IIS 7.5

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <security>
            <authorization>
                <remove users="*" roles="" verbs="" />
                <add accessType="Deny" users="*" />
            </authorization>
        </security>
    </system.webServer>
</configuration>
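
A quick offline check for a folder's web.config, covering both points above: whether the file is still well-formed XML (the "break" condition from the rewrite test) and whether it carries a deny-everyone rule like the example. This is an added example, not code from the original page; the function name `audit_web_config` and the three sample inputs are constructed for illustration, and inherited rules from parent folders are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs, modelled on the snippets on this page.
DENY_ALL = b"""<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <security>
      <authorization>
        <remove users="*" roles="" verbs="" />
        <add accessType="Deny" users="*" />
      </authorization>
    </security>
  </system.webServer>
</configuration>"""

# Same file with stray text outside the tags (the "break" test above).
BROKEN = DENY_ALL.replace(b"<configuration>\n", b"break rewrite\n<configuration>\n", 1)

# Well-formed, but the only rule still allows everyone.
ALLOW_ALL = DENY_ALL.replace(b'accessType="Deny"', b'accessType="Allow"')

RULES = "system.webServer/security/authorization/add"


def audit_web_config(data: bytes) -> str:
    """Classify a web.config as 'malformed', 'deny-all' or 'not-protected'.

    Assumption: only this one file is inspected; rules inherited from parent
    folders or the server level are not modelled.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return "malformed"  # IIS answers with a server error for this file
    if root.tag != "configuration":
        return "malformed"
    for rule in root.findall(RULES):
        users = [u.strip() for u in rule.get("users", "").split(",")]
        deny = rule.get("accessType", "").lower() == "deny"
        # A rule limited to some verbs (e.g. verbs="POST") is not a full deny.
        if deny and "*" in users and not rule.get("verbs", "").strip():
            return "deny-all"
    return "not-protected"


if __name__ == "__main__":
    for name, sample in [("deny", DENY_ALL), ("broken", BROKEN), ("allow", ALLOW_ALL)]:
        print(name, "->", audit_web_config(sample))
```
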

Apache