Querystring url toolkit

17 June 2013, 13:35
I have a url toolkit which contains this line:

Match ^/.*\.(js|ico|gif|jpg|jpeg|png|css|svg)(/|$) Return

However js and css files with a name like this:


are not matched.

Is it possible for url toolkit to ignore the querystring part of the uri?

Hiawatha version: 9.1
Operating System: Debian 6.0 32 bit
Hugo Leisink
17 June 2013, 13:40
Try this: Match ^/.*\.(js|ico|gif|jpg|jpeg|png|css|svg)(/|$|\?) Return
17 June 2013, 13:51
That one works but imposes a security issue for me. is now downloadable.

This is my setup:
UrlToolkit {
ToolkitID = cache
Match ^/.*\.(js|ico|gif|jpg|jpeg|png|css|svg)(/|$|\?) Return
Match .* DenyAccess

VirtualHost {
Hostname =
WebsiteRoot = /var/www/
ReverseProxy .* 60 # apache backend

VirtualHost {
Hostname =
WebsiteRoot = /var/www/
UseToolkit = cache

As you can see I use a virtualhost for serving the js, css and images via
It is not allowed to serve anything other than those files.
Hugo Leisink
18 June 2013, 10:47 is now downloadable.

What exactly is downloadable? What content to you see?
And is that a Hiawatha or Wordpress issue?
18 June 2013, 12:48
The browser downloads the wp-config.php as a text file. So all content is readable.

What I want to achieve is that on the only js, css and images are accessable. Not php or xml files or whatever.
Hiawatha is running as the frontend server and apache as upstream. They both share the same document root.

If I access (without cache.) I'll get a blank screen which is correct (a die(); in the wp-config.php file).

Because I don't have a php handler in hiawatha the wp-config.php (or any other php file) is served via hiawatha as plain text because the url toolkit matches the site.js (even if it is in the query string part).

I hope I make myself clear what I want.

Oh. Mye bad typo: should be

But in the config file all is set the same. I replaced it to as an example.
Hugo Leisink
18 June 2013, 12:55
If you don't specify a PHP hander, Hiawatha will indeed upload the content. Solution: remove the PHP scripts or deny access to it via an UrlToolkit rule.
18 June 2013, 13:26
Yes I also thought of that.

My wish was to make a toolkit which does something like allow js, css and image extensions and deny everything else.
This works. Because when I call (without query string) I get a 403 forbidden from hiawatha.
When I call this als works.

So I hoped the Match in the url toolkit would ignore the query string part for matching.
This topic has been closed.