AllowOverride and RewriteCond/RewriteRule interactions - apache

I'm trying to set up a site running on Apache 2.4.16 to redirect all www URLs to non-www URLs. I'm using HTML5 Boilerplate's Apache configs to do this (as well as everything else they provide).
https://github.com/h5bp/server-configs-apache/blob/master/dist/.htaccess
This happens on line 380, seen below:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ %{ENV:PROTO}://%1%{REQUEST_URI} [R=301,L]
</IfModule>
I'm using Include to add the whole file to my vhost config for the site, as well as an AllowOverride All for another .htaccess file at my doc root (same one that comes with Laravel 5):
production.vhost.conf (relevant part)
<Directory /var/www/hostname/production>
AllowOverride All
# Include H5BP server configs
Include server-configs-apache/dist/.htaccess
</Directory>
.htaccess (at doc root)
<IfModule mod_rewrite.c>
<IfModule mod_negotiation.c>
Options -MultiViews
</IfModule>
RewriteEngine On
# Redirect Trailing Slashes If Not A Folder...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/$ /$1 [L,R=301]
# Handle Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
</IfModule>
Now, almost everything from H5BP's .htaccess was working, except for the redirect from www to non-www. After poking around I noticed that the redirect was only working when I'd remove AllowOverride All from the <Directory> block in the vhost. So the doc root .htaccess was somehow overriding the rewrite conditions.
I've actually already fixed my initial issue by moving the doc root .htaccess contents into the vhost file and removing the AllowOverride, but I'm more curious as to why this was happening; more specifically how AllowOverride interacts with RewriteCond and RewriteRule.
My hunch is that the .htaccess in my doc root was overriding the www to non-www redirect, but I'm not sure why that one specifically. For example, the http -> https redirect worked without issue (line 352 of H5BP, uncommented out in mine), it seemed to be just that one redirect. I didnt even think that those rules could be overridden since RewriteCond/RewriteRules feel unique to me.
If there are any, what are the rules that determine how an .htaccess can override a rewrite rule?

If there are any, what are the rules that determine how an .htaccess
can override a rewrite rule?
Conditions and rules don't dictate how .htaccess works. AllowOverride is what allows .htaccess usage. If you have AllowOverride All then .htaccess is allowed, if you have AllowOverride None, then it's not and it will be ignored. In 2.4 None is the default.
.htaccess is per directory so it will take precedence if it's located in a directory that has rules applied as long as .htaccess file usage is allowed there. Which is confgiured in the server config in VirtualHost or Directory directives.
Also using an include for .htaccess in a vhost is a very bad configuration. If you have access to the vhost file or the config, you should create another config and include it with the .htaccess contents.
You should not be using .htaccess files at all actually with access to the server config. See this apache recommendation on not using .htaccess.
https://httpd.apache.org/docs/2.4/howto/htaccess.html#when

Related

mod_rewrite (Apache 2.4) RewriteBase outside htdocs

I stuck on a problem trying to get a my rewrite rules working.
Assume the following setup:
Folder structure like this:
app/
web/ <--- Document-Root
.htaccess <--- My mod_rewrite rules
index.php
vendor/
company/
package/
Folder/
Route.php
The vhost points to "web/" as Document-Root and the security is reduced
so all overrides are allowed:
<Directory "~PATH~\web">
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order deny,allow
allow from all
Require all granted
</Directory>
Now i try to rewrite simply every request (*) to "Route.php" (internal! no 301 or something).
For my understanding if if would call "www.example.com/a/b" then i would expect that the
request is internal redirected to ~PATH~/vendor/vendor/company/package/Folder/Route.php
where i can fetch everything and take the request in PHP for further processing.
But the rewrite fails. Maybe its not possible to traverse a directory up "/../" ?!
Content of .htacces:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /../vendor/company/package/Folder
RewriteRule .* - [E=ROUTER:Route.php]
# route calls to router /x/y/
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . %{env:ROUTER}?mode=htaccess [QSA,L]
</IfModule>
Any help appreciated :)
Thanks in advance!
Try this
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule .* ../vendor/company/package/Folder/Router.php [L]
</IfModule>
EDIT:
I've tried it on my local machine.
This Setup works:
RewriteRule .* vendor/company/package/Folder/Router.php [L]
Seems like its not allowed to forward the Request to directories higher than the Docroot.
I've found this post:
htaccess RewriteRule redirecting to parent directory?
The important Part:
You can't rewrite to outside the document-root. This is a security thing.
EDIT2:
More Information: mod_rewrite - Apache HTTP Server Version 2.4
Quote:
URL-path
A DocumentRoot-relative path to the resource to be served. Note that mod_rewrite tries to guess whether you have specified a file-system path or a URL-path by checking to see if the first segment of the path exists at the root of the file-system. For example, if you specify a Substitution string of /www/file.html, then this will be treated as a URL-path unless a directory named www exists at the root or your file-system (or, in the case of using rewrites in a .htaccess file, relative to your document root), in which case it will be treated as a file-system path. If you wish other URL-mapping directives (such as Alias) to be applied to the resulting URL-path, use the [PT] flag as described below.

Why is Apache Permanent Redirect removing the slash between the domain and the path?

I'm using Apache 2.4, and I set up two virtual directories. One requires SSL, and the other one redirects to it.
If a user attempts to visit https://www.derp.com/derp without /derp existing, they correctly get a 404. But when a user visits http://www.derp.com/derp, Apache incorrectly redirects the user to https://www.derp.comderp, removing the slash between the path and the domain name.
I have no idea what would be causing this.
The following is the setup of my Virtual Host.
<VirtualHost *:443>
ServerAdmin derp#derp.com
ServerName www.derp.com
ServerAlias derp.com
DocumentRoot "C:\Users\derp\Documents\Web Projects\derp"
SSLEngine on
SSLCertificateFile "C:\Apache24\certs\cert.cer"
SSLCertificateKeyFile "C:\Apache24\certs\key.key"
</VirtualHost>
<VirtualHost *:80>
ServerAdmin derp#derp.com
ServerName www.derp.com
ServerAlias derp.com
Redirect permanent / https://www.derp.com/
</VirtualHost>
<Directory "C:\Users\derp\Documents\Web Projects\derp">
Options Indexes FollowSymLinks Includes ExecCGI
AllowOverride All
Require all granted
SSLRequireSSL
</Directory>
Why would Apache be behaving this way?
Bonus Question: Should redirects be handled in my virtual host definition, or should it be handled in the .htaccess file in the web site's physical directory?
Edit:
I'm starting a Laravel project, and by default the public folder does contain a .htaccess file, so here's that guy:
<IfModule mod_rewrite.c>
Options -MultiViews
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
</IfModule>
Edit Two:
I tried:
adding a slash at the end of the DirectoryRoot path
replacing the backslashes with forward slashes in the DirectoryRoot path
replacing the backslashes with double backslashes in the DirectoryRoot path
I also removed the .htaccess file from the directory completely.
It redirects correctly when you go from http://www.derp.com to https://www.derp.com. It's just when you specify a path and attempt https that it removes the slash between the domain and the path.
Edit Three:
I also attempted the following suggestion:
Redirect permanent / https://www.derp.com/
Try
RedirectMatch permanent /(.*) https://www.derp.com/$1
or
RedirectMatch permanent (.*) https://www.derp.com/$1
... and instead of redirecting to https://www.derp.comderp, it instead does not redirect, attempts and gives a 404 for http://www.derp.com/derp, but using Apache's 404, instead of throwing a Not Found Exception, as Laravel does without configuration.
Edit Four:
I have also tried:
<IfModule mod_rewrite.c>
Options -MultiViews
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
In the .htaccess file and the behavior did not change at all.
I got it.
The issue did not lay with the rewriting at all, it was the SSLRequireSSL directive under my Directory definition that was causing the problem.
I simply removed this directive, refreshed the cache in all of my browsers, and the site then continued to work correctly. This was discovered through the process of elimination.
The documentation notes:
This directive forbids access unless HTTP over SSL (i.e. HTTPS) is enabled for the current connection. This is very handy inside the SSL-enabled virtual host or directories for defending against configuration errors that expose stuff that should be protected. When this directive is present all requests are denied which are not using SSL.
The emphasis is my own. SSLRequireSSL may have Apache only return a 403 or 404 if HTTP over SSL is not enabled, interfering with the Redirect rule. A rewrite rule such as the one in this answer on Server Fault may be a better alternative depending on your use case:
RewriteEngine On
RewriteCond %{SERVER_PORT} !443
RewriteRule ^(/(.*))?$ https://%{HTTP_HOST}/$1 [R=301,L]
My issue was related to browser caching.
I tried it in a different browser and it worked and then tried again in a private session in the first browser and it also worked.

mod_rewrite in Users/<username>/Sites directory on OSX

There may be a fairly simple solution to this, but I've been searching for a couple of days and can't find one, soooo...
I'm developing a website on an OS X box (Lion). The working site is hosted at /Users/username/Sites and I've added that directory to /etc/apache2/users/username.conf. I can view the pages with no problems.
BUT... I'm using CodeIgniter and I want to remove the index.php from the URL. This should be a fairly simple job for mod_rewrite. I've added an .htaccess file to the directory (and set AllowOverride All in my conf file above). After googling around I discovered that I need Options +FollowSymLinks set (I did in the .htaccess file).
The problem with this is that it appears to rewrite the URL from localhost/~username/ to /Users/username/Sites. Problem with this is that, in that form, the browser simply attempts to DOWNLOAD the index.php file, rather than executing it. This gets worse when the links are /Users//Sites/index.php/controller/function because those files don't exist... CodeIgniter is meant to take over in the index.php, but only if it is executed.
So I can't remove the Options +FollowSymLinks because that generates Access Forbidden errors, and I can't leave it in for the reasons above.
Interestingly, putting exactly the same website to the /Library/WebServer/Documents directory works fine. OS X doesn't appear to mind FollowSymLinks to that directory, probably because it is set as the DocumentRoot in httpd.conf
My httpd.conf is stock Lion, except for AllowOverride All on /Library/Webserver/Documents. mod_rewrite is enabled.
My username.conf is
<Directory "/Users/username/Sites/">
Options Indexes MultiViews FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
My .htaccess file in the site's directory is
Options +FollowSymLinks
RewriteEngine on
RewriteCond $1 !^(index\.php|static|robots\.txt)
RewriteRule ^(.*)$ index.php/$1 [L]
Clearly, I can develop on /Library/WebServer/Documents, but would prefer to do it in my local files.
There is an excellent wiki page on the CodeIgniter website about mod rewrite, it covers all of the changes you need to make to your .htaccess file and the CodeIgniter files itself.
It is easy to forget changing values in your config file like the index_page from:
$config['index_page'] = "index.php";
to
$config['index_page'] = "";
The example .htaccess file shown on that wiki page is (I have removed the comments):
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} ^system.*
RewriteRule ^(.*)$ /index.php?/$1 [L]
RewriteCond %{REQUEST_URI} ^application.*
RewriteRule ^(.*)$ /index.php?/$1 [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?/$1 [L]
And if you find that you need to, just add the AddType and Options properties to it.
Here some of tricks may usefull
AddType application/x-httpd-php .php
Options +FollowSymLinks
RewriteEngine on
RewriteBase /Users/username/Sites/
RewriteEngine on
RewriteCond $1 !^(index\.php|static|robots\.txt)
RewriteRule ^(.*)$ index.php/$1 [L]
Also you can log rewriting log. But suggest you to remove these lines , after you fix everything
RewriteLog "/var/log/httpd/rewrite_log"
RewriteLogLevel 9

How to use mod_rewrite in a subdomain's .htaccess?

I have a domain (let the name be) mydomain.com.
I added a subdomain, sub.mydomain.com. (It's an other site, the two sites don't have anything to do with each other)
I have mapped the subdomain (with godaddy.com's tool) to /sub directory. It works well with static file paths, ex. http://sub.mydomain.com/js/script.js.php.
However, I would like to be able to use the rewrite module to get http://sub.mydomain.com/js/script.js
My .htaccess files:
.htaccess in the root directory:
RewriteEngine On
RewriteCond %{HTTP_HOST} ^sub.mydomain.com$
RewriteRule ^.*$ http://mydomain.com/sub%{REQUEST_URI} [L,P]
.htaccess in the /sub directory:
RewriteEngine on
RewriteRule ^js/script\.js$ js/script.js.php [L]
(I tried adding RewriteBase /sub/, I didn't succeed).
It seems as if Apache didn't notice the /sub's .htaccess
How can I get the rewrite work on the subdomain's paths?
SOLVED!
After a long, exhausting debugging and googling I found an Apache setting that made the trouble:
I added Options -MultiViews and voilá, it works!
/////////////////////////////////////////////
Now my configuration:
-no .htaccess in the root.
-.htaccess in the root/sub:
DirectoryIndex site/index.php
Options -MultiViews
RewriteEngine on
RewriteRule ^site/js/script.js$ /site/js/script.js.php [L]

mod_rewrite in <Location /> in apache conf causing rewrite in .htaccess file not to work?

I am using zend framework, which has a nifty example .htaccess used for redirecting non-existing locations to index.php to be processed by the framework:
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} -s [OR]
RewriteCond %{REQUEST_FILENAME} -l [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^.*$ - [NC,L]
RewriteRule ^.*$ /site/index.php [NC,L]
And here is the apache config for /site
Alias /site "/path/to/zf/project/public"
<Directory "/path/to/zf/project/public">
Options Indexes MultiViews FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
While we are upgrading the site, I want to redirect all traffic to a specific file (offline.html, for example) except for a certain IP (127.0.0.1, for example), so I am trying to use this rule in the apache config:
<Location />
Options Indexes MultiViews FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
RewriteEngine On
RewriteBase /
RewriteCond %{REMOTE_HOST} !^127\.0\.0\.1
RewriteCond %{REQUEST_URI} !/offline\.html$
RewriteRule .* /offline.html [R=302,L]
</Location>
This seems to work, but for some reason it makes my .htaccess file seem not to work. I can access /site just fine, but I can't go any deeper to, for example, /site/controller/action.
Thanks!
The Apache 2.2 and Apache 2.4 documentation of mod_rewrite clearly state that rewrite rules in <Location> directives should be avoided. This caution was not included in the Apache 2.0 documentation.
Although rewrite rules are syntactically permitted in <Location> and <Files> sections (including their regular expression counterparts), this should never be necessary and is unsupported. A likely feature to break in these contexts is relative substitutions.
So strange things can happen. You could remove the <Location> section (and RewriteBase directive) and use these new rewrite rules directly in the <VirtualHost> definition, without any <Directory> or <Location> section. It's even faster.
The only problem with global level rewrite rules is that you do not have the REQUEST_FILENAME already computed (you could hack that a little but here you do not even need REQUEST_FILENAME).
You also have one error in your RewriteRule, you use a Redirect so the rewrite Rule should use a absolute url:
RewriteRule .* http://www.example.com/offline.html [R=302,L]
About the maintenance page, a classic way of handling it is with these two lines:
ErrorDocument 503 /htdocs/err/503.html
RedirectMatch 503 ^/(?!err/)
Where you do not filter on local IP, but the interesting part is that the code used for maintenance is 503 (temporary unavailable) which is more correct (in fact a redirect 307 is even more correct but old browser could have problems with it). To do the same with a local IP restriction and a RewriteRule it would be:
ErrorDocument 503 /offline.html
RewriteCond %{REMOTE_HOST} !^127\.0\.0\.1
RewriteCond %{ENV:REDIRECT_STATUS} !=503
RewriteRule ^ - [L,R=503]
To have these rules in the htaccess file, you'll have to add/remove them by hand when you want to use "offline mode".
A better way to do this through the application is to create a controller plugin.
If the APPLICATION_ENV = 'offline', the plugin would do _forward('offline', 'error', 'default');
Alternatively, you could write the logic in a subclass of Zend_Controller_Action which you use as the base class for your controllers.