We Keep Coding

Excluding a specific URL from HTTP Basic Auth - mod_rewrite causing problems

We have "HTTP Basic Auth" on a certain subdomain of ours, but would like to allow everything to access a specific URL on that subdomain without authenticating (for a 3rd party hitting our webhook URL).
So I tried to use SetEnvIf Request_URI ^/webhook/ allow to allow with Allow from env=allow (full file below) but it seems that because we've got some mod_rewrite rules to rewrite all these URLs to a PHP entry point, the Request_URI is never actually /webhook once it gets to this point (guessing but didn't know how to 100% confirm this.
It's still asking for a basic auth user/pass regardless of the URL.
Note that the .htaccess file is the same on all our domains / subdomains, whereas the VirtualHost can be configured just for this subdomain.
Full VirtualHost config with the "HTTP Basic Auth" config section:
<VirtualHost *:80>
RewriteEngine on
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=permanent,L]
DocumentRoot /var/www/sub.ourdomain.co.uk/blah/www
ServerAdmin x#ourdomain.co.uk
ServerName sub.ourdomain.co.uk
ServerAlias www.sub.ourdomain.co.uk
ErrorDocument 400 /error.php
ErrorDocument 401 /error.php
ErrorDocument 403 /403.html
ErrorDocument 404 /error.php
ErrorDocument 405 /error.php
ErrorDocument 408 /error.php
ErrorDocument 410 /error.php
ErrorDocument 411 /error.php
ErrorDocument 412 /error.php
ErrorDocument 413 /error.php
ErrorDocument 414 /error.php
ErrorDocument 415 /error.php
ErrorDocument 500 /error.php
ErrorDocument 501 /error.php
ErrorDocument 502 /error.php
ErrorDocument 503 /error.php
ErrorDocument 506 /error.php
ErrorLog /var/log/httpd/sub.ourdomain.co.uk.apache.log
CustomLog /var/log/httpd/sub.ourdomain.co.uk.access.log combined
<Directory "/var/www/sub.ourdomain.co.uk/blah/www">
SetEnvIf Request_URI ^/webhook/ allow
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/httpd/passwords/sub.ourdomain.co.uk
# Setup a deny/allow
Order Deny,Allow
# Deny from everyone
Deny from all
# except if either of these are satisfied
Satisfy any
# 1. a valid authenticated user
Require valid-user
# or 2. the "allow" var is set
Allow from env=allow
</Directory>
</VirtualHost>
.htaccess mod_rewrite rules:
RewriteCond %{REQUEST_METHOD} !(^GET|^POST|^HEAD)
RewriteRule .* - [R=405,L]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !(/img|/js|/css|/fonts)
RewriteRule ^(.*)$ /boot.php
RewriteCond %{REQUEST_URI} ^/$
RewriteRule ^(.*)$ /boot.php
Edit 1 - based on the comments I also tried: SetEnv allow true and SetEnv allow 1 to remove the doubt of whether it's the URL and it still asks for the basic auth password, so it may not be related to the URL afterall.
Edit 2 - Adding the entire .htaccess to make sure I'm not missing something else:
php_value max_input_vars 4000
RewriteEngine on
# Disallow other HTTP verbs such as PUT and DELETE
RewriteCond %{REQUEST_METHOD} !(^GET|^POST|^HEAD)
RewriteRule .* - [R=405,L]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !(/img|/js|/css|/fonts|/twig|/pdf|/vendors|/server-status)
RewriteRule ^(.*)$ /boot.php
RewriteCond %{REQUEST_URI} ^/$
RewriteRule ^(.*)$ /boot.php
AddType font/ttf .ttf
AddType font/eot .eot
AddType font/otf .otf
AddType font/woff .woff
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/css text/javascript application/x-javascript application/javascript text/x-component text/html text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon application/json font/woff font/otf font/eot font/ttf
</IfModule>
<ifModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 seconds"
ExpiresByType text/html "access plus 1 seconds"
ExpiresByType image/gif "access plus 2592000 seconds"
ExpiresByType image/jpeg "access plus 2592000 seconds"
ExpiresByType image/png "access plus 2592000 seconds"
ExpiresByType text/css "access plus 604800 seconds"
ExpiresByType font/ttf "access plus 604800 seconds"
ExpiresByType font/eot "access plus 604800 seconds"
ExpiresByType font/otf "access plus 604800 seconds"
ExpiresByType font/woff "access plus 604800 seconds"
ExpiresByType text/javascript "access plus 604800 seconds"
ExpiresByType application/x-javascript "access plus 604800 seconds"
</ifModule>
<ifModule mod_headers.c>
<filesMatch "\\.(ico|pdf|flv|jpg|jpeg|png|gif|swf)$">
Header set Cache-Control "max-age=2592000, public, proxy-revalidate"
</filesMatch>
<filesMatch "\\.(js|css|ttf|eot|otf|woff)$">
Header set Cache-Control "max-age=604800, public, proxy-revalidate"
</filesMatch>
<filesMatch "\\.(xml|txt)$">
Header set Cache-Control "max-age=216000, public, must-revalidate"
</filesMatch>
</ifModule>
Edit 3 - Sorry, should have mentioned that we're stuck on Apache 2.2 for now.

Using Apache 2.4+ you can use <If> expression to disable auth or use allow from all directive for a URI using THE_REQUEST variable. THE_REQUEST represents original request sent to Apache and it doesn't get updated in the context of a single request:
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/httpd/passwords/sub.ourdomain.co.uk
Require valid-user
Satisfy any
Order deny,allow
Deny from all
<If "%{THE_REQUEST} =~ /webhook/">
Satisfy any
Allow from all
</If>
# your current mod_rewrite rules can appear below this line:
DirectoryIndex boot.php
RewriteEngine on
# Disallow other HTTP verbs such as PUT and DELETE
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)
RewriteRule ^ - [R=405,L]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !(/img|/js|/css|/fonts|/twig|/pdf|/vendors|/server-status)
RewriteRule ^ boot.php [L]
Update: Here is a workaround solution that works on Apache 2.2 using <FilesMatch> directive:
DirectoryIndex boot.php
RewriteEngine on
# Disallow other HTTP verbs such as PUT and DELETE
RewriteCond %{REQUEST_METHOD} !^(GET|POST|HEAD)
RewriteRule ^ - [R=405,L]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_URI} !(/img|/js|/css|/fonts|/twig|/pdf|/vendors|/server-status)
RewriteRule ^ boot.php [L]
SetEnvIfNoCase Request_URI ^/webhook/ allow
<FilesMatch "^(?!boot\.php$).*$">
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/httpd/passwords/sub.ourdomain.co.uk
Require valid-user
Order Deny,Allow
Deny from all
Allow from env=allow
Satisfy any
</FilesMatch>

Apache 2.4 LogLevel and rewrite is ignored

I'm trying to understand why my attempt at logging redirects and rewrites are failing in my config. I've added "LogLevel debug rewrite:trace6" to my virtual domain config and it isn't reflected in the error_log shown below.
I'm also having a problem with redirects. Can I log them in the same way to find out why they're seemingly being ignored?
I would like to redirect all requests for https://example.com/download.html to instead go to https://example.com/resource-center and only the third one below works. However, I want to be sure only /download.html off the root works, not /folder/download.html. How can I do this?
Redirect 301 ^/download.html /resource-center
Redirect 301 ^download.html /resource-center
Redirect 301 /download.html /resource-center
These redirects appear in the Include file with my config.
I've included the entirety of my config here, as I'm not sure which parts are needed to help troubleshoot this.
This is httpd-2.4.43-1.fc32.x86_64 on fedora32.
ServerTokens Prod
ServerSignature Off
<VirtualHost 222.111.222.111:443>
ServerName example.com
ServerAlias example.com engage.example.com www.example.com support.example.com infocenter.example.com store.example.com updates.example.com
ServerAdmin gdadmin#example.com
DocumentRoot /var/www/www.example.com-443/html/
ScriptAlias /cgi-bin/ /var/www/www.example.com-443/cgi-bin/
ErrorLog /var/www/www.example.com-443/logs/error_log
CustomLog /var/www/www.example.com-443/logs/access_log timing
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %T/%D %I/%O/%B H:%H U:%U gd443 s:%s V:%V v:%v" timing
CustomLog "/var/www/www.example.com-443/logs/cached-requests.log" timing env=cache-hit
CustomLog "/var/www/www.example.com-443/logs/uncached-requests.log" timing env=cache-miss
CustomLog "/var/www/www.example.com-443/logs/revalidated-requests.log" timing env=cache-revalidate
CustomLog "/var/www/www.example.com-443/logs/invalidated-requests.log" timing env=cache-invalidate
LogLevel debug rewrite:trace6
LogLevel error ssl:warn
SuexecUserGroup guardian guardian
HostnameLookups off
RewriteEngine on
RewriteCond %{HTTP_HOST} ^infocenter.example.com$
RewriteRule ^ https://example.com/cloud-email-security? [L,R=301]
RewriteCond %{HTTP_HOST} ^store\.example\.com$
RewriteRule ^ https://example.com/cloud-email-security? [L,R=301]
RewriteCond %{HTTP_HOST} !^example\.com$ [NC]
RewriteRule ^ https://example.com%{REQUEST_URI} [NE,R=301,L]
RewriteCond %{QUERY_STRING} ^list=
RewriteRule /eng/ https://example.com/? [R=301,L]
RewriteRule /advisories/ https://example.com/? [R=301,L]
KeepAliveTimeout 120
Timeout 120
ProxyTimeout 120
<IfModule mod_log_config.c>
CustomLog "|/var/www/html/apache_pipelogger" "%v %p %m %B %D %s"
</IfModule>
SecStatusEngine On
<IfModule !mod_php5.c>
<IfModule !mod_php7.c>
SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
<FilesMatch \.(php|phar)$>
SetHandler "proxy:unix:/run/php-fpm/example.sock|fcgi://localhost"
</FilesMatch>
</IfModule>
</IfModule>
<Directory "/var/www/www.example.com-443/html">
AllowOverride all
Options +FollowSymLinks +Includes +ExecCGI
DirectoryIndex index.html index.php
Include /etc/httpd/conf.d/example-old-links.htaccess
</Directory>
SSLEngine on
Header always set Strict-Transport-Security "max-age=15768000"
Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
Header always set X-FRAME-OPTIONS "SAMEORIGIN"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
SSLCertificateKeyFile /etc/letsencrypt/privkey.pem
SSLCertificateFile /etc/letsencrypt/cert.pem
SSLCertificateChainFile /etc/letsencrypt/fullchain.pem
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
<IfModule mod_mime.c>
AddType application/x-javascript .js
AddType text/css .css
</IfModule>
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/css application/x-javascript text/x-component text/html text/plain text/xml application/javascript
<IfModule mod_setenvif.c>
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4.0[678] no-gzip
BrowserMatch bMSIE !no-gzip !gzip-only-text/html
</IfModule>
</IfModule>
Header append Vary User-Agent env=!dont-vary
</VirtualHost>
<VirtualHost 222.111.222.111:80>
ServerName example.com
ServerAlias example.com engage.example.com www.example.com support.example.com infocenter.example.com store.example.com updates.example.com
ServerAdmin gdadmin#example.com
ErrorLog /var/www/www.example.com-443/logs/error_log
CustomLog /var/www/www.example.com-443/logs/access_log timing
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %T/%D %I/%O/%B H:%H U:%U gd80 s:%s V:%V v:%v" timing
</VirtualHost>
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
SSLHonorCipherOrder on
SSLCompression off
SSLSessionTickets off
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:/var/run/ocsp(128000)

There are two LogLevel directives in your config
LogLevel debug rewrite:trace6
LogLevel error ssl:warn
and the second one overrides the first one. Comment the second directive when debugging.
The redirect
Redirect 301 /download.html /resource-center
looks fine to me, the other two won't work as expected since Redirect
doesn't work with regexes as URL path (but RedirectMatch does).
It's also a feature of mod_alias and not of mod_rewrite if you're wondering why these requests are not logged with rewrite:trace6.
You could use a RewriteRule instead if you want to use mod_rewrite, e.g.
RewriteRule ^/download\.html$ /resource-center [R=301,L]

ProcessMaker on Centos 7 doesn't find mod_rewrite

I'm having trouble getting ProcessMaker running on CentOS 7. I've got through the CentOS 7 installation and have all of the prerequisites. I've modified my virtual hosts file to look like this:
NameVirtualHost my.host.com
<VirtualHost my.host.com:80>
ServerName my.host.com
DocumentRoot /opt/processmaker/workflow/public_html
DirectoryIndex index.html index.php
<Directory /opt/processmaker/workflow/public_html>
Options Indexes FollowSymLinks MultiViews
AllowOverride none
Order allow,deny
Require all granted
Allow from all
ExpiresActive On
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^.*/(.*)$ app.php [QSA,L,NC]
</Directory>
</VirtualHost>
I receive the following error message:
Sistem Configuration Error:
Please review your apache virtual host configuration file, and be sure you have the following rules:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ /app.php [QSA,L]
</IfModule>
I've verified that mod_rewrite is installed and loaded:
# ls /etc/httpd/modules | grep mod_rewrite
mod_rewrite.so
# grep rewrite /etc/httpd/conf.modules.d/00-base.conf
LoadModule rewrite_module modules/mod_rewrite.so
What am I missing here?

<VirtualHost *:9999>
ServerName 127.0.0.1
DocumentRoot /opt/processmaker/workflow/public_html
DirectoryIndex index.html index.php
<Directory /opt/processmaker/workflow>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
Allow from all
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ /app.php [QSA,L]
ExpiresActive On
ExpiresDefault "access plus 1 day"
ExpiresByType image/gif "access plus 1 day"
ExpiresByType image/png "access plus 1 day"
ExpiresByType image/jpg "access plus 1 day"
ExpiresByType text/css "access plus 1 day"
ExpiresByType text/javascript "access plus 1 day"
</Directory>
</VirtualHost>

I still don't understand why this was happening, but reinstalling everything slightly differently fixed it. The major change was using the default PHP installation, but adding the current EPEL repository to get php_mcrypt, but otherwise following the stock installation instructions. I don't see any good reason why this would have changed anything, but it now works.

Test for .htaccess rewrites failed

I am trying to install SugarCRM Enterprise 7.2 and I keep getting this error during system check:
Test for .htaccess rewrites failed. This usually means you do not have
AllowOverride set up for Sugar directory.
I am running Ubuntu 14.04 with LAMP, and I am trying to install Sugar to the local path
var/www/html/sugar_ent_7
I have already tried putting both
<Directory /var/www/ >
Allowoverride All
Order allow,deny
Allow from all
</Directory>
and
<Directory /var/www/html/sugar_ent_7 >
Allowoverride All
Order allow,deny
Allow from all
</Directory>
to my
/etc/apache2/apache2.conf
file, and no results. I have also tried making a
/etc/apache2/sites-available/sugar_ent_7.conf
file with this code
<Directory /var/www/html/sugar_ent_7>
Order allow,deny
Allow from All
AllowOverride All
</Directory>
and still nothing. What am I doing wrong?

Run the command
a2enmod rewrite;
in your terminal and restart your apache.
Hope this helps.

I met the same problem.
its aim is just to check the following code exists in your .htaccess:
# install/installSystemCheck.php
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase {$basePath}
RewriteRule ^itest.txt$ install_test.txt [N,QSA]
</IfModule>
I don't think SugarCRM is enough to check this setting, so let's just comment it out and make it passed:
#
// if($res != "SUCCESS") {
if(false) {
....

This error can also (misleadingly?) occur when sugar tries to address itself vi IP during the system check. When vhosting is configured it cannot find itself via IP, thus an entry to the hosts file can solve this. In the terminal enter:
vi /etc/hosts
Then add the IP of the system Sugar is running on with the URL you're referring to it, e.g.:
123.234.123.234 subdomain.host.com

# BEGIN SUGARCRM RESTRICTIONS
RedirectMatch 403 (?i).*\.log$
RedirectMatch 403 (?i)/+not_imported_.*\.txt
RedirectMatch 403 (?i)/+(soap|cache|xtemplate|data|examples|include|log4php|metadata|modules)/+.*\.(php|tpl)
RedirectMatch 403 (?i)/+emailmandelivery\.php
RedirectMatch 403 (?i)/+upload
RedirectMatch 403 (?i)/+custom/+blowfish
RedirectMatch 403 (?i)/+cache/+diagnostic
RedirectMatch 403 (?i)/+files\.md5$
# END SUGARCRM RESTRICTIONS
<IfModule mod_rewrite.c>
Options +FollowSymLinks
RewriteEngine On
RewriteBase /dir
RewriteRule ^cache/jsLanguage/(.._..).js$ index.php?entryPoint=jslang&module=app_strings&lang=$1 [L,QSA]
RewriteRule ^cache/jsLanguage/(\w*)/(.._..).js$ index.php?entryPoint=jslang&module=$1&lang=$2 [L,QSA]
</IfModule>
<FilesMatch "\.(jpg|png|gif|js|css|ico)$">
<IfModule mod_headers.c>
Header set ETag ""
Header set Cache-Control "max-age=2592000"
Header set Expires "01 Jan 2112 00:00:00 GMT"
</IfModule>
</FilesMatch>
<IfModule mod_expires.c>
ExpiresByType text/css "access plus 1 month"
ExpiresByType text/javascript "access plus 1 month"
ExpiresByType application/x-javascript "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType image/jpg "access plus 1 month"
ExpiresByType image/png "access plus 1 month"
</IfModule>

Apache: Deliver some urls from the file system, all others from Rails app

I want to host two different services on a Apache web server, reachable via the same domain: Some special URLs should go into the filesystem, all others should be handle by a Rails application.
Example:
http://mydomain.com/foo/123.txt
=> should deliver /var/www/special/foo/123.txt
http://mydomain.com/users
=> should go to Rails/Passenger
Here is my virtual host setup for the Rails app:
<VirtualHost *:80>
ServerName mydomain.com
ServerAlias *.mydomain.com
DocumentRoot /var/www/mydomain/current/public
<Directory /var/www/mydomain/current/public>
Options FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
ExpiresActive on
ExpiresDefault "access plus 1 year"
FileETag MTime Size
</Directory>
RewriteEngine On
# Check for maintenance file and redirect all requests
ErrorDocument 503 /system/maintenance.html
RewriteCond %{REQUEST_URI} !\.(css|gif|jpg|png)$
RewriteCond %{DOCUMENT_ROOT}/system/maintenance.html -f
RewriteCond %{SCRIPT_FILENAME} !maintenance.html
RewriteRule ^.*$ - [redirect=503,last]
# Rewrite index to check for static
RewriteRule ^/$ /index.html [QSA]
# Rewrite to check for Rails cached page
RewriteRule ^([^.]+)$ $1.html [QSA]
# Deflate
AddOutputFilterByType DEFLATE text/html text/plain text/css text/xml application/xml application/xhtml+xml text/javascript application/x-javascript
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
ErrorLog /var/log/apache2/mydomain.com-error_log
CustomLog /var/log/apache2/mydomain.com-access_log combined
</VirtualHost>
Somewhere in the middle a RewriteCond/RewiteRule should be added, so accessing http://mydomain.com/foo/123.txt does not go to the Rails app, but the filesystem instead.
For this I need help. It would by great if someone can can give me a hint.

Found the solution by myself:
RewriteCond %{REQUEST_URI} ^/foo/.*$
RewriteRule ^.*$ /var/www/special/foo%{REQUEST_URI}