Prevent Apache for opening files with similar name to url - apache

My .htaccess:
RewriteEngine On
RewriteBase /
RewriteCond %{REQUESTFILENAME} !-f
RewriteCond %{REQUESTFILENAME} !-d
RewriteRule ^login/generic_oauth$ auth0-callback.php [L]
RewriteRule ^(.*)$ index.php?page=$1 [L]
My vhost file:
<VirtualHost *:443>
DocumentRoot /home/blabla/www/frontend/
ServerName some-domain.net
ServerAlias www.some-domain.net
SSLEngine on
SSLCertificateFile /etc/apache2/crt/cert.pem
SSLCertificateKeyFile /etc/apache2/crt/key.pem
<Directory />
Options -Indexes +FollowSymLinks -MultiViews
AllowOverride All
Require all granted
</Directory>
<Directory /home/blabla/www/>
Options -Indexes +FollowSymLinks -MultiViews
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
The problem is when I try to access https://www.some-domain.net/login/generic_oauth Apache is loading login.php (which exists). Problem disappears when I rename the file to loggin.php for example.

The problem is when I try to access https://www.some-domain.net/login/generic_oauth Apache is loading login.php (which exists). Problem disappears when I rename the file to loggin.php for example.
This problem is symptomatic of having MultiViews enabled. Although, you appear to be disabling MultiViews in the server config, except that you are not targeting the DocumentRoot with your <Directory> containers...
DocumentRoot /home/blabla/www/frontend/
:
<Directory />
Options -Indexes +FollowSymLinks -MultiViews
AllowOverride All
Require all granted
</Directory>
<Directory /home/blabla/www/>
Options -Indexes +FollowSymLinks -MultiViews
AllowOverride All
Require all granted
</Directory>
You should not be setting AllowOveride All and Require all granted in the <Directory /> container, ie. the entire drive! You should be disabling access instead and this should already be defined outside of the <VirtualHost> container, in the main server config.
You are then granting access to /home/blabla/www/, but this is the directory above the DocumentRoot?! Do you have another .htaccess in this parent directory? Do you have another <Directory> container that matches the DocumentRoot?
So, your config should look more like this:
<Directory />
Options SymLinksIfOwnerMatch
AllowOverride None
Require all denied
</Directory>
<VirtualHost *:443>
ServerName some-domain.net
ServerAlias www.some-domain.net
SSLEngine on
SSLCertificateFile /etc/apache2/crt/cert.pem
SSLCertificateKeyFile /etc/apache2/crt/key.pem
DocumentRoot /home/blabla/www/frontend/
<Directory /home/blabla/www/frontend>
Options +FollowSymLinks
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
As with any changes to the server config, you need to restart Apache.
If this does not resolve the issue then you need to look for any other places in the config that could be enabling MultiViews. And if all else fails, explicitly disable MultiViews in the .htaccess file itself:
Options -MultiViews

Related

How to setup Apache to run Laravel rooted from a subpath?

The DocumentRoot of example.com is in /var/www/html.
Laravel is installed in /var/www/example/public and I can access it using http://example.com/dashboard but problem arises when I try to access other routes like as http://example.com/dashboard/login and is throwing 404 Not Found error. And saying The requested URL /var/www/example/public/index.php was not found on this server. Can anyone please guide me?
The .htaccess file in the public directory is untouched.
Here is the 000-default.conf:
ServerName example.com
UseCanonicalName Off
<Directory /var/www/html/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
Allow from all
</Directory>
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /dashboard /var/www/example/public
<Directory /var/www/example/public>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
</VirtualHost>
#dynamic subdomain provisioning
<VirtualHost *:80>
DocumentRoot /var/www/example/public
ServerName user.example.com
ServerAlias *.example.com
<Directory /var/www/example/public>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
</VirtualHost>
I could solve using the following in the 000-default.conf file:
<Directory /var/www/example/public>
DirectoryIndex index.php
AcceptPathInfo on
AllowOverride All
Options None
Order allow,deny
Allow from all
</Directory>
And had to change the laravel .htaccess in the following way:
<IfModule mod_rewrite.c>
<IfModule mod_negotiation.c>
Options -MultiViews
</IfModule>
RewriteEngine On
RewriteBase /dashboard
# Redirect Trailing Slashes...
RewriteRule ^(.*)/$ dashboard/$1 [L,R=301]
# Handle Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
</IfModule>

Ubuntu Apache virtualhost with symfony

have a problem here with Symfony . I want to have virtual host on ubuntu so I can access my Symfony application like this app.local. What I have tried:
<VirtualHost *:80>
ServerName app.local
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</IfModule>
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
DocumentRoot /var/www/app/web
<Directory /var/www/app/web>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
Require all granted
</Directory>
</VirtualHost>
I added these lines to hosts file
127.0.0.1 app.local
but when I write app.local in my browser, it brings the index of my www directory(default apache page). What am I doing wrong?
Try this :
/etc/apache2/sites-available/mysite.conf
<VirtualHost *:80>
ServerName app.local
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
</IfModule>
DocumentRoot /var/www/app/web
<Directory /var/www/app/web>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Require all granted
</Directory>
</VirtualHost>
Then apply configuration changes :
$>sudo a2ensite mysite // If not already enabled
$>sudo service apache2 restart
If the problem is not solved, check the error logs in /var/log/apache2/

Simple mod_rewrite rule is not working

In my main public directory, I have this .htaccess file, however when visiting /register I get a 404 error.
Options +FollowSymlinks
RewriteEngine On
RewriteRule ^register$ register.php
With this, I want to make anyone who visits /register to use /register.php. I am certain that mod_rewrite is enabled and AllowOverride All is present in my virtual host file.
Does anyone know how I can troubleshoot this? All I get is The requested URL /register was not found on this server.
Virtual host:
<VirtualHost *:80>
ServerAdmin my#email.com
ServerName my.site.com
DocumentRoot /home/mark/public
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
<Directory /home/mark/public>
Options All MultiViews ExecCGI
AllowOverride All
Order allow,deny
allow from all
</Directory>
ErrorLog /home/mark/logs/public_error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /home/mark/logs/public_access.log combined
</VirtualHost>
<Directory /home/mark/public>
Options All MultiViews ExecCGI
AllowOverride All
Order allow,deny
allow from all
</Directory>
You need to turn off MultiViews:
Options All -MultiViews ExecCGI
It's messing with optional content negotiation. From the apache documentation:
If the server receives a request for /some/dir/foo and /some/dir/foo does not exist, then the server reads the directory looking for all files named foo.*, and effectively fakes up a type map which names all those files, assigning them the same media types and content-encodings it would have if the client had asked for one of them by name. It then chooses the best match to the client's requirements, and returns that document.
If you're going to have a rule to rewrite /register to /register.php, you don't want MutliViews mucking things up before it even gets to your rewrite rules.
This works for me:
/etc/apache2/sites-enabled/000-default
<VirtualHost *:80>
DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride All
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
....
</VirtualHost>
/var/www/.htaccess
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_URI} ^/register$
RewriteRule ^(.*)$ register.php [NS,L]
EDIT: added DocumentRoot /var/www

Apache2 DirectoryIndex Issue

I am a little stuck and am sure that this is a trivial problem, but just can't seem to find the right solution.
I have a local development server running apache2 w/mod_ssl & mod_rewrite.
I created a self-signed cert and added the respective virtual host directive for *:443.
The issue I seem to be having is that now that I have the SSL side of things working properly. And when I say properly, I mean that I can go to the https url of my site (e.g. https://dev.mysite/) without adding index.php and it pulls up the index.php just fine.
But when I go to the regular http url of the site, I have to type in the index.php to see the site. (e.g. http://dev.mysite/index.php)
I tried adding a DirectoryIndex directive to the *:80 block, but this still doesn't appear to work.
Below is the virtual host file contents if that helps at all;
ServerName dev.mysite
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/vhosts/bsah_dev/mysite
<Directory />
DirectoryIndex index.php
Options Indexes FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/vhosts/bsah_dev/mysite/>
DirectoryIndex index.html index.htm index.php
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/vhosts/bsah_dev/mysite
SSLEngine On
<Directory /var/www/vhosts/bsah_dev/mysite>
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} !^on$ [NC]
RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L]
</IfModule>
</Directory>
SSLOptions +StrictRequire
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
</VirtualHost>
A few comments on your configuration, which may help you fix this problem:
<Directory />
DirectoryIndex index.php
Options Indexes FollowSymLinks
AllowOverride None
</Directory>
That's quite unusual: normally, you wouldn't grant access to anything for the root directory (of your machine, not your document root). See the Directory documentation, which suggests using this:
<Directory />
Order Deny,Allow
Deny from All
</Directory>
This should work as expected in your configuration:
<Directory /var/www/vhosts/bsah_dev/mysite/>
DirectoryIndex index.html index.htm index.php
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
(This being said, index.php will only be used if there's no index.html or index.htm found first.)
The DirectoryIndex documentation says it can be placed in "server config, virtual host, directory, .htaccess" (see "Context"). It also works within the Directory directive (and such values will override the values you'd find at the VirtualHost or server level).
This rule, in the HTTPS section doesn't make sense:
<Directory /var/www/vhosts/bsah_dev/mysite>
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTPS} !^on$ [NC]
RewriteRule . https://%{HTTP_HOST}%{REQUEST_URI} [L]
</IfModule>
</Directory>
You're using a rewrite rule to redirect to the equivalent https:// URL. However, this rule is in the section where SSL is enabled, so you're redirecting from https:// to https://, not from http://.

Problem enabling .htaccess

I'm trying to enable .htaccess files on a Ubuntu server I set up. I changed the sites file from:
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
[unnecessary config code omitted]
</VirtualHost>
to
<VirtualHost *:80>
ServerAdmin webmaster#localhost
DocumentRoot /var/www/document_root
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/document_root>
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Directory>
[unnecessary config code omitted]
</VirtualHost>
Now when I try to view a page in my browser I get a 500 Internal Server Error. Any ideas as to what my problem may be? Thanks for the help.
EDIT
Here is my .htaccess file:
RewriteEngine on
RewriteCond $1 !^(index\.php|images|css|js|robots\.txt|favicon\.ico)
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ /index.php/$1 [L]
I checked the apache error logs as requested and it appears that the error being logged is:
[Fri Jul 10 19:39:12 2009] [alert]
[client 192.168.1.1]
/var/www/document_root/.htaccess:
Invalid command 'RewriteEngine',
perhaps misspelled or defined by a
module not included in the server
configuration
Bah... I didn't have mod_rewrite enabled. I feel stupid.