We Keep Coding

AEM Apache Dispatcher 2.4.6 client denied by server configuration

I have an AEM 6.3 instance running behind an Apache instance which version is 2.4.6, with Dispatcher module in it. All is good, but now I need to wipe out all query params for all URLs that end with ".html".
This may sound simple to accomplish, but I came across an issue I can't resolve. This is the rewrite rule I'm using to remove all the query params from URLs ending in .html:
RewriteRule ^/(.*)\.html$ /$1.html [QSD]
Technically, one could see this rewrite as not a rewrite actually, because it is sending the original request to the same URL, but the flag QSD is for dropping all query params.
The problem is, if I reload my Apache instance whit this rule included, I start getting errors like this:
[Wed Jun 10 14:53:35.698908 2020] [authz_core:error] [pid 31733] [client 54.209.162.6:61649] AH01630: client denied by server configuration: /etc/clientlibs, referer: https://my.domain.com/etc/clientlibs/mygroup/some/simple/page.html
I know some people had issues like this when migrating from Apache 2.2 to 2.4. This is not my case, and I have also checked my vhost configuration. I don't have directives from Apache 2.2 like "Order deny,allow" or "Allow from all". I'm using "Require all granted".
One weird thing in AEM logs, is that when my Rewrite rule is not in place, I can see error.log logging that "/etc/clientlibs/mygroup/some/simple/page.html" is found. But if I put the rule and reload Apache, I see this from logs:
10.06.2020 10:16:40.085 *INFO* [54.209.162.6 [1591798600081] GET /etc/clientlibs/mygroup/some/simple/page/jcr:content.json HTTP/1.1] org.apache.sling.engine.impl.SlingRequestProcessorImpl service: Resource /etc/clientlibs/mygroup/some/simple/page/jcr:content.json not found
It is like the extension .html would be ripped off from URL, and since there is no extension, AEM or rather Sling is trying to use the default content resolver which is JSON.

why donÄt you just use
RewriteRule ^ %{REQUEST_URI} [L,R,QSD]
(maybe the redirect is not needed in your case... but it makes things clear to the browser).
Or if you just want to make sure that your request is cached in the dispatcher and not passed throught to AEM each time, use:
/filter {
/0001 { /type "deny" /method "POST" /url "/etc/*" }
/0002 { /type "allow" /method "GET" /url "/etc/*" /query "a=*" }
}
in your dispatcher config (s. https://docs.adobe.com/content/help/en/experience-manager-dispatcher/using/configuring/dispatcher-configuration.html for details).

I finally was able to fix my issue. Even though I still don't understand the full picture. This is my final condition and rule:
RewriteCond %{QUERY_STRING} ^.
RewriteRule ^/(.*)\.html$ /$1.html [QSD,PT]
Adding "PT" along with "QSD" makes Apache not return the "client denied" error. The condition around QUERY_STRING it is just to make sure Apache only manipulates those requests that really have query params in the URL, or technically at least one char

What about adding a conditional to skip this rule to be applied for /etc/clientlibs just before the rewrite rule. RewriteCond %{REQUEST_URI} !^/etc/clientlibs.*

Apache 2.4 RewriteRule only working with domain name

I'm moving an old site from apache 2.2 to 2.4
I've got a vhost.conf file that contains the following rewriterule:
RewriteRule ^/news/[0-9]{4}/[A-za-z]{3}/([0-9a-zA-Z-]*)/([0-9]{4})([0-9]{6})/?$ "/news/article.cfm?article_id=$3&urltitle=$1&clk=$2" [NE,L]
So I'm trying to turn this url:
https://example.com/news/2016/Feb/Article-Title/0025012345
into this:
https://example.com/news/article.cfm?article_id=012345&urltitle=Article-Title&clk=0025
Depending on what I put in the 2nd part of the RewriteRule I get the following:
"https://example.com/news/article.cfm?article_id=$3&urltitle=$1&clk=$2" this works fine but I don't want to specify the hostname as it gets used on dev/staging/live servers, so the URLs change
"/news/article.cfm?article_id=$3&urltitle=$1&clk=$2" this throws a 404 which shows up in the access_log
"news/article.cfm?article_id=$3&urltitle=$1&clk=$2" this throws a 503 which shows up in the access_log
So I know I'm correctly identifying the URL in the first part of the rule and grabbing the correct components with my regex, as specifying the full domain name shows the correct URL manipulation.
I'm completely failing to do a relative redirect though, and I'm certain this rule works in Apache 2.2
I'm using the following software:
CentOS Linux release 7.7.1908 (Core)
Server version: Apache/2.4.6 (CentOS)
Server built: Aug 8 2019 11:41:18

Obviosuly, the answer is in the manual... which I should have read in more detail:
https://httpd.apache.org/docs/2.4/rewrite/remapping.html#old-to-new
Assume we have recently renamed the page foo.html to bar.html and now want to provide the old URL for backward compatibility. However, we want that users of the old URL even not recognize that the pages was renamed - that is, we don't want the address to change in their browser.
RewriteEngine on
RewriteRule "^/foo\.html$" "/bar.html" [PT]
The key thing here being the [PT], that fixed it for me:
RewriteRule ^/news/[0-9]{4}/[A-za-z]{3}/([0-9a-zA-Z-]*)/([0-9]{4})([0-9]{6})/?$ "/news/article.cfm?article_id=$3&urltitle=$1&clk=$2" [PT,NE,L]

Issue with Let's Encrypt certificate: https://www.example.com not working with redirection to https://example.com

I have an issue with the certificate that I have generated for a website (dubbed here example.com).
I can type in browser http://www.example.com and successfully redirected to https://example.com as I wanted (with a certificate generated by let's encrypt). I have done this redirection with Rewrite Rules with Apache2. The redirection to https://example.com also works fine when I type http://example.com.
Now, I am face to an issue when I type directly in browser https://wwww.example.com: I get the following error:
To generate let's encrypt certificate, I have executed the following command:
./certbot-auto certonly --no-bootstrap --no-self-upgrade --renew-by-default -a standalone -d example.com --rsa-key-size 4096
I would like to generate a certificate working both for example.com and www.example.com: is the command above with cerbot-auto correct for this?
It seems that before my migration from Debian 7 to Debian 10, I had a *.example.com name in the certificate info window of the browser but I am not sure.
How to type https://www.example.com and to be correctly redirected to https://example.com without having the error illustrated in the figure above?
Update 1
Is a single certificate sufficient to make all the redirections to be performed, I mean in my case only one certificate example.com? This was the case on my previous OS, I think that I had only a unique certificate (for example.com).
I want to have the following redirections:
http://example.com -----> https://example.com
http://www.example.com -----> https://example.com
https://www.example.com -----> https://example.com
except for URL containing the directory podcast where I want to stay in HTTP mode.
So, from Ref: Apache redirect www to non-www and HTTP to HTTPS, I did:
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteCond %{REQUEST_URI} !^/podcast [NC]
RewriteRule ^ https://example.com%{REQUEST_URI} [L,NE,R=301]
Does these Rewrite rules seem to be correct?
Unfortunately, if I type directly https://www.example.com, I am not redirected to https://example.com and the Warning window figure above appears, I don't know what to do.
Update 2
1) Does Let's Encrypt offer the possibility to generate a "wildcards" certificate ?, I mean under the form *.example.com when we look at the certificate in browsers.
2) Moreover, Does anyone know how to perform with Apache2 Rewrite rules the rule which allows to redirect https://www.example.com to https://example.com.
To get more information, I am starting a bounty.
At the end of the bounty, I talk about what to do to make a redirection from https://www.example.com to https://example.com (these URL are masked into bounty under the same href tag but they are different).
Update 3
I think my issue is not about wildcards certificates since I just want a redirection from https://www.example.com to https://example.com (don't take into account of the UPDATE 2 above. Surely a simple rewrite rule should be enough. Before my current OS (Debian 10), I was running well all my config files that I try to use again now. Especially, I was using only one certificate generated with the option "-d example.com" (I didn't use a second domain "www.example.com").
I am going to try to modify these rewrite rules to get this redirection without being obliged to generate a www.example.com certificate files.

You could try running this minor update to your original certbot-auto command to get your certificate to include the additional www.example.com domain name
(I believe this is what John Hanley was talking about in his comment on your original question)
Please note, according to one source (letsencrypt community link below) you may have to remove URL rewrite rules if you already have them set up, before the certification process will work. (if you run the command and get an error, that might be why)
./certbot-auto certonly --no-bootstrap --no-self-upgrade --renew-by-default -a standalone -d example.com -d www.example.com --rsa-key-size 4096
references that might be helpful:
command paramter reference for certbot (man page)
https://certbot.eff.org/docs/man/certbot.html?highlight=bootstrap
letsencrypt community discussion of adding a new domain
https://community.letsencrypt.org/t/add-a-domain-using-certbot-auto/33660
letsencrypt documentation for updating an existing certificate
https://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates
note, according to the man page, --renew-by-default implies --expand, which is used in these examples
(--expand just prevents you from having to answer whether you are intentionally updating the existing certificate)
I think your rewrite rule looks mostly fine as it is, as mentioned before it might need to be removed temporarily to get you certificate generated. And you may need "RewriteEngine On" before those rules:
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteCond %{REQUEST_URI} !^/podcast [NC]
RewriteRule ^ https://example.com%{REQUEST_URI} [L,NE,R=301]
And to the question about wildcard certificates, they are supported but only with the help of additional plugins. See more here:
https://certbot.eff.org/docs/using.html?highlight=wildcard#id14

LetsEncrypt offers wildcard certificates in order to do *.example.com however they can only be issued via DNS-01 level challenges.
You're using HTTP validation, where a specific file is uploaded to prove ownership, however this is insufficient for proving that you have ownership of an entire domain.
Certbot has limited support for being able to issue wildcard certs automatically, but this may be of use to you if you scroll to the wildcard section. It's limited in terms of which OS + Server + DNS provider that you have. Basically you need to be able to automatically create and modify DNS TXT records with your registrar.
I've found that using the acme.sh project to issue wildcard certs is much more flexible and works with more DNS providers, although it's a bit more of a manual process.
If your main DNS provider for your domain isn't supported, you can look into "alias mode" where you can use a subdomain or other domain on another DNS provider that is supported to act as your proxy-domain for validating that you own your main domain.

Is it possible within Apache or a CGI script to tell if the request was redirected from domain xyz.com (301 redirect)?

I have a CGI script that sometimes has people arriving there redirected from a 301 redirect from a URL at another domain.
I have made a trial run with http://default.jonathanscorner.com/project/redirector to redirect:
RewriteRule ^/project/redirector$ http://jonathanscorner.com/project/printenv.cgi [R=301,L]
http://jonathanscorner.com/project/printenv.cgi is just what its name would suggest:
#!/bin/bash
echo 'Content-type: text/plain'
echo ''
printenv
The environmental variables printed by the CGI script do not seem to reference the originating domain, default.jonathanscorner.com:
SERVER_SIGNATURE=<address>Apache/2.2.16 (Debian) Server at jonathanscorner.com Port 80</address>
HTTP_USER_AGENT=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36
SERVER_PORT=80
HTTP_HOST=jonathanscorner.com
DOCUMENT_ROOT=/home/cjsh/mirror
SCRIPT_FILENAME=/home/cjsh/mirror/project/printenv.cgi
REQUEST_URI=/project/printenv.cgi
SCRIPT_NAME=/project/printenv.cgi
SCRIPT_URI=http://jonathanscorner.com/project/printenv.cgi
HTTP_CONNECTION=keep-alive
REMOTE_PORT=54506
PATH=/usr/local/bin:/usr/bin:/bin
SCRIPT_URL=/project/printenv.cgi
PWD=/home/cjsh/mirror/project
SERVER_ADMIN=CJSHayward#POBox.com
HTTP_ACCEPT_LANGUAGE=en-US,en;q=0.8,fr;q=0.6
HTTP_ACCEPT=text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
REMOTE_ADDR=98.253.179.182
SHLVL=1
SERVER_NAME=jonathanscorner.com
SERVER_SOFTWARE=Apache/2.2.16 (Debian)
QUERY_STRING=
SERVER_ADDR=69.163.221.78
GATEWAY_INTERFACE=CGI/1.1
SERVER_PROTOCOL=HTTP/1.1
HTTP_ACCEPT_ENCODING=gzip,deflate,sdch
REQUEST_METHOD=GET
HTTP_COOKIE=__atuvc=10%7C25%2C10%7C26%2C5%7C27%2C33%7C28
_=/usr/bin/printenv
It doesn't look like the information I want can be obtained that way.
Are there other ways to detect if one was redirected from a particular domain to the new domain? If site xyz.com links to http://default.jonathanscorner.com/project/redirector and that redirects to http://jonathanscorner.com/project/printenv.cgi, from Apache's point of view is the referrer domain http://default.jonathanscorner.com/project/redirector or the xyz.com URL?
Can it be done from Apache config?
Thanks,

If you'd like to set the domain statically (following example uses set of 2 domains) then you can try adding the following to .htaccess:
RewriteCond %{HTTP_HOST} ^www\.(domain1|domain2)(\.com)$ [NC]
RewriteRule ^(.*)$ /www.%1%2/$1 [L]

Apache mod_rewrite RewriteCond -U flag false positive

This is what I'm trying to do: any URI that doesn't resolve on one machine gets bumped to another via reverse proxy. The configuration looks like this:
RewriteEngine On
RewriteCond %{REQUEST_URI} !-U
RewriteRule ^/(.*)$ http://other.site/$1 [P,NS]
Now, what that is supposed to say is "if I can't find anything locally by running a subrequest, punt it to the proxy."
Only problem is, it doesn't do that. With the RewriteLogLevel jacked, I get this:
31.3.3.7 - - [29/Jul/2012:00:26:18 --0700] [internet.srs.bznz/sid#7fc6099fa228][rid#7fc609bf2bf0/initial] (5) RewriteCond URI (-U) check: path=/ -> status=200
31.3.3.7 - - [29/Jul/2012:00:26:18 --0700] [internet.srs.bznz/sid#7fc6099fa228][rid#7fc609bf2bf0/initial] (4) RewriteCond: input='/' pattern='!-U' => not-matched
There is nothing at / on that machine. It should return 403. So my question is: where the hell is that 200 OK coming from? It's a brand-new Debian VPS, so it's not like there's any pollution in the config. I tried this same thing elsewhere (Ubuntu 12.04) and same thing.
How do I find out what's causing that errant success code?

Same problem. Moreover, I enhanced config by adding
RewriteCond %{IS_SUBREQ} =false
as the first test condition. I think it would be neverending recursion otherwise.
But my experience is, that any existing or non-existing URI is evaluated OK (200). I don't know why, but it may test just server configuration for that URI - whether path is allowed or denied by something like Deny from all or RewriteRule [F]