Exclude specific subdomain or no subdomain in htaccess RewriteRule

Question

I keep dynamic content and static content on different sub domains for my web app but I've recently found out that if called directly the dynamic content can be viewed on my static subdomain (www.) or no subdomain at all.

---

URL Structure:

http(s)://(subdomain).(domain).(tld)/(static page) OR (direct/random hash) OR (secure/random hash)

All static content is accessible via "WWW" which results in my SEO friendly domains such as

http(s)://www.domain1.com/about
http(s)://www.domain1.com/
http(s)://www.domain2.com/about
http(s)://www.domain2.com/

While dynamic content viewed through the web app would be accessed from a domain such as

http(s)://dynamic1.domain1.com/direct/randomhash
http(s)://dynamic2.domain1.com/direct/randomhash
http(s)://dynamic1.domain2.com/direct/randomhash
http(s)://dynamic2.domain2.com/direct/randomhash

---

This is my current .htaccess file

The rules to rewrite the dynamic links where the URI starts with secure or direct as well as any file extensions to the index.php file.

Header set Connection keep-alive
<IfModule mod_dir.c>
    DirectorySlash Off
</IfModule>
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule ^index.php  - [L]
    RewriteRule ^(secure|direct)  /index.php [L]
    RewriteCond %{REQUEST_URI} !^/server-status
    RewriteCond %{REQUEST_URI} !^/public/cache
    RewriteRule !\.(png|gif|css|jpg|zip|js|html|htm|swf|ico|fon|ttf|otf|svg|woff|woff2|eot)$  /index.php [L]
</IfModule>

The above is currently working but my issue is that if a user simply changes the sub domain from the one used for dynamic content to WWW it will still work and will result in dynamic content being accessible from my SEO friendly sub domain.

I'm hoping to be able to edit this rule RewriteRule ^(secure|direct) /index.php [L] so that it would be excluded if there is an active www. sub domain or no subdomain all together while still working if the domain or subdomain is anything else.

That is to say the subdomain or domain would still be a wildcard unless the subdomain is www.

---

I'm assuming I have to add %{HTTP_HOST} to the RewriteRule ^(secure|direct) /index.php [L] and use a regex to allow any sub domain, domain, and tld but im not sure how to exclude if the http host starts with WWW. or no subdomain at all.

My end goal is so that the secure and direct paths can not be viewed via a www. or no subdomain while still working with any other subdomain / domain.

Answer 1

You can use:

RewriteCond %{HTTP_HOST} ^(?:www\.)?[^.]+\.[^.]+$ [NC]
RewriteRule ^(secure|direct)  /index.php [L]

Answer 2

You should add a condition to the rule that handles 'secure' and 'direct' requests, so that they have to only come from the subdomains you match, not the www one.

RewriteCond %{HTTP_HOST}  ^dynamic[0-9]+\.[a-z]+ 
RewriteRule ^(secure|direct)  /index.php [L]

That way only requests that have subdomains matching that rule will get re-written to the PHP script. If the user changes the sub-domain back to www, or to anything else that doesn't match the pattern you specify in the condition, then the request won't find its way through to the PHP script.

If your names for dynamic sub-domains are truly random, then just use something else that you know about them so that 'www' doesn't match, for example if they're all at least four characters long then this pattern would work:

RewriteCond %{HTTP_HOST}  ^[^.][^.][^.][^.]+\. 
RewriteRule ^(secure|direct)  /index.php [L]

because the string 'www.' does not match a pattern starting with four or more non-dots and then a dot.