I have a PHP application that runs on apache. The app is publicly accessible and hence attracts noise from the internet. I used to have a curated list of request paths to block, but I realised that the app only has a limited amount of valid paths that can be requested, and it might be better to do the reverse: only allow a list of valid paths.
After some careful investigation of the app and the logs I now have a list of ~100 paths, this includes the app paths, images, css, js, etc. After some trial and error I have come up with the follow construct in my web server config:
<Location />
<RequireAll>
Require expr "%{REQUEST_URI} in {'/app/path1', '/app/path2', '/app/legit', etc, etc}"
This works, but I am not sure if this is the best approach. The actual configuration line is quiet long (about 8k), but that isn't really a problem because it's generated from a jinja template.
What I am curious about:
- Does the above expression ("if item in list") return true as soon as a first hit is found? Because then it would make sense to sort the list by most frequently used paths.
- Is there maybe another approach to do what I'm doing? Perhaps some sort of RewriteMap or similar?