Estou tentando permitir apenas solicitações recebidas /multi
se o Content-Type
cabeçalho da solicitação começar com multipart/form-data
, enquanto as solicitações para outros POST
, PUT
ou DELETE
pontos de extremidade devem sempre ter o application/json
Content-Type
.
Ao fazer o seguinte no meu .htaccess
arquivo web root (sem acesso root):
# Enforce multipart/form-data content type for /multi routes
RewriteCond %{REQUEST_URI} ^/multi [NC]
RewriteCond %{HTTP:Content-Type} !^multipart/form-data; [NC]
RewriteRule ^ - [R=400,L,END]
# Enforce JSON content type for all other POST, PUT, and DELETE endpoints
RewriteCond %{REQUEST_METHOD} ^(POST|PUT|DELETE)$
RewriteCond %{HTTP:Content-Type} !^application/json [NC]
RewriteCond %{REQUEST_URI} !^/multi [NC]
RewriteRule ^ - [R=400,L,END]
... e, em seguida, enviando um POST /multi
com Content-Type: multipart/form-data
, recebo 400 Bad Request
a resposta do Apache. Quando removo o segundo bloco de reescrita, a solicitação passa. Por que o segundo bloco de reescrita é aplicado ao enviar um POST /multi
com Content-Type: multipart/form-data
, embora eu tenha a RewriteCond %{REQUEST_URI} !^/multi [NC]
condição nele, o que deve impedir que seja aplicado?
Quando verifico os logs de erro do apache ao enviar a solicitação com o segundo bloco de reescrita ativado, não tenho nenhum log de erro. Quando verifico o Apache Dom Log, simplesmente tenho uma solicitação recebida para /multi
produzir a 400
resposta. Assim, de fato, parece ser o fato de que a segunda regra de reescrita é aplicada, o que não faz sentido para mim.
Arquivo .htaccess completo
# Prevent files whose name starts with ".ht" from frontend access
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>
# Set global Rules for document root directory
Options Indexes FollowSymLinks
Require all granted
# Specify rewrite rules
RewriteEngine On
# Authorization Header seems to be stripped by default, hence explicitly enable it
# Doing it via the rewrite rule is not the native way of doing it, and would need an improved rule to avoid that an
# Authorization HTTP header with an empty value is still passed to PHP
# RewriteCond %{HTTP:Authorization} ^(.*)
# RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
CGIPassAuth On
# Enforce multipart/form-data content type for /multi route
RewriteCond %{REQUEST_URI} ^/multi [NC]
RewriteCond %{HTTP:Content-Type} !^multipart/form-data; [NC]
RewriteRule ^ - [R=400,L,END]
# Enforce JSON content type for all other POST, PUT, and DELETE endpoints (return a 400 Bad Request otherwise)
RewriteCond %{REQUEST_METHOD} ^(POST|PUT|DELETE)$
RewriteCond %{HTTP:Content-Type} !^application/json [NC]
RewriteCond %{REQUEST_URI} !^/multi [NC]
RewriteRule ^ - [R=400,L,END]
# Route all incoming requests through index.php, except if it's for existing files
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
# Ensure that png images, javascript and css files are all delivered with correct mime type. mod_mime must be enabled.
AddType application/javascript .js
AddType image/png .png
AddType text/css .css
# Add an 'Expires' HTTP header for all accessed js, css and png image files. mod_expires must be enabled.
ExpiresActive On
ExpiresByType image/png "access plus 1 year"
ExpiresByType application/javascript "access plus 1 year"
ExpiresByType text/css "access plus 1 year"
# Also add a Cache-Control HTTP header for the same cache lifetime of 1 year, to cover all browsers. mod_headers needed.
<FilesMatch "\.(js|css|png)$">
Header set Cache-Control "public, max-age=31536000"
</FilesMatch>
# Define Image Uploads directory, to be able to access img uploads while uploads are kept outside from document root
RewriteRule ^images/(.*)$ /uploads/imgs/$1 [L]
# Ensure that all icons are delivered with the image/jpeg MIME type
RewriteRule ^icons/ - [E=CONTENT_TYPE:image/png]