https://bz.apache.org/bugzilla/show_bug.cgi?id=66167
Bug ID: 66167
Summary: Require all granted in vhost matches, not parsing rewrite rules in .htaccess
Product: Apache httpd-2
Version: 2.4.53
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: mod_authz_core
Assignee: bugs@httpd.apache.org
Reporter: lonesomewal...@web.de
Target Milestone: ---

Apache latest in Debian stable

vhost:
--- --- ---
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName sub.domain.tld
    ServerAdmin webmas...@domain.tld
    DocumentRoot "/var/www/xxx"

    <Directory "/var/www/xxx">
        Options FollowSymlinks
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    LogLevel debug rewrite:trace8

    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/plain
        AddOutputFilterByType DEFLATE text/html
        AddOutputFilterByType DEFLATE text/xml
        AddOutputFilterByType DEFLATE text/css
        AddOutputFilterByType DEFLATE text/javascript
        AddOutputFilterByType DEFLATE image/svg+xml
        AddOutputFilterByType DEFLATE image/x-icon
        AddOutputFilterByType DEFLATE application/xml
        AddOutputFilterByType DEFLATE application/xhtml+xml
        AddOutputFilterByType DEFLATE application/rss+xml
        AddOutputFilterByType DEFLATE application/javascript
        AddOutputFilterByType DEFLATE application/x-javascript
        DeflateCompressionLevel 9
        # Browser specific settings
        BrowserMatch ^Mozilla/4 gzip-only-text/html
        BrowserMatch ^Mozilla/4\.0[678] no-gzip
        BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
        BrowserMatch \bOpera !no-gzip
    </IfModule>

    Header unset ETag
    FileETag None

    <IfModule mod_expires.c>
        ExpiresActive On
        ExpiresDefault "access plus 5 seconds"
        ExpiresByType image/x-icon "access plus 604800 seconds"
        ExpiresByType image/jpeg "access plus 604800 seconds"
        ExpiresByType image/jpg "access plus 604800 seconds"
        ExpiresByType image/png "access plus 604800 seconds"
        ExpiresByType image/gif "access plus 604800 seconds"
        ExpiresByType image/svg+xml "access plus 604800 seconds"
        ExpiresByType application/x-shockwave-flash "access plus 604800 seconds"
        ExpiresByType text/css "access plus 604800 seconds"
        ExpiresByType text/javascript "access plus 604800 seconds"
        ExpiresByType application/javascript "access plus 604800 seconds"
        ExpiresByType application/x-javascript "access plus 604800 seconds"
        ExpiresByType application/font-woff "access plus 604800 seconds"
        ExpiresByType application/font-woff2 "access plus 604800 seconds"
        ExpiresByType text/html "access plus 600 seconds"
        ExpiresByType application/xhtml+xml "access plus 600 seconds"
    </IfModule>

    <IfModule mod_headers.c>
        <filesMatch "\.(ico|jpe?g|png|gif|swf|svg)$">
            Header set Cache-Control "public"
        </filesMatch>
        <filesMatch "\.(css)$">
            Header set Cache-Control "public"
        </filesMatch>
        <filesMatch "\.(js)$">
            Header set Cache-Control "private"
        </filesMatch>
        <filesMatch "\.(x?html?|php)$">
            Header set Cache-Control "private, must-revalidate"
        </filesMatch>
    </IfModule>

    SSLCertificateFile /etc/letsencrypt/live/sub.domain.tld/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/sub.domain.tld/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
--- --- ---

.htaccess in /var/www/xxx
--- --- ---
RewriteEngine On

# Disables access to myfile.php/something
AcceptPathInfo Off

# Prevent execution of PHP from directories used for different types of uploads
RedirectMatch 403 ^/app/(?!courses/proxy)(cache|courses|home|logs|upload|Resources/public/css)/.*\.ph(p[3457]?|t|tml|ar)$
RedirectMatch 403 ^/main/default_course_document/images/.*\.ph(p[3457]?|t|tml|ar)$
RedirectMatch 403 ^/main/lang/.*\.ph(p[3457]?|t|tml|ar)$
RedirectMatch 403 ^/web/.*\.ph(p[3457]?|t|tml|ar)$

# http://sub.domain.tld/certificates/?id=123 to http://sub.domain.tld/certificates/index.php?id=123
RewriteCond %{QUERY_STRING} ^id=(.*)$
RewriteRule ^certificates/$ certificates/index.php?id=%1 [L]

# Course redirection
RewriteRule ^courses/([^/]+)/?$ main/course_home/course_home.php?cDir=$1 [QSA,L]
RewriteRule ^courses/([^/]+)/index.php$ main/course_home/course_home.php?cDir=$1 [QSA,L]

# Rewrite everything in the scorm folder of a course to the download script
# except JS, CSS and some image files, which can be served directly
RewriteRule ^courses/([^/]+)/scorm/(.*([\.js|\.css|\.png|\.jpg|\.jpeg|\.gif]))$ app/courses/$1/scorm/$2 [QSA,L]
RewriteRule ^courses/([^/]+)/scorm/(.*)$ main/document/download_scorm.php?doc_url=/$2&cDir=$1 [QSA,L]

# Rewrite everything in the document folder of a course to the download script
# Except certificate resources, which might need to be accessible publicly to all
RewriteRule ^courses/([^/]+)/document/certificates/(.*)$ app/courses/$1/document/certificates/$2 [QSA,L]
RewriteRule ^courses/([^/]+)/document/(.*)$ main/document/download.php?doc_url=/$2&cDir=$1 [QSA,L]

# Optimize load of custom per-course icons in courses (avoid download_uploaded_files.php)
RewriteRule ^courses/([^/]+)/upload/course_home_icons/(.*([\.js|\.css|\.png|\.jpg|\.jpeg|\.gif]))$ app/courses/$1/upload/course_home_icons/$2 [QSA,L]

# Course upload files
RewriteRule ^courses/([^/]+)/upload/([^/]+)/(.*)$ main/document/download_uploaded_files.php?code=$1&type=$2&file=$3 [QSA,L]

# Rewrite everything in the work folder
RewriteRule ^courses/([^/]+)/work/(.*)$ main/work/download.php?file=work/$2&cDir=$1 [QSA,L]

RewriteRule ^courses/([^/]+)/course-pic85x85.png$ main/inc/ajax/course.ajax.php?a=get_course_image&code=$1&image=course_image_source [QSA,L]
RewriteRule ^courses/([^/]+)/course-pic.png$ main/inc/ajax/course.ajax.php?a=get_course_image&code=$1&image=course_image_large_source [QSA,L]

# Redirect all courses/ to app/courses/
RewriteRule ^courses/([^/]+)/(.*)$ app/courses/$1/$2 [QSA,L]

# About session
RewriteRule ^session/(\d{1,})/about/?$ main/session/about.php?session_id=$1 [QSA,L]

# About course
RewriteRule ^course/(\d{1,})/about/?$ main/course_info/about.php?course_id=$1 [QSA,L]

# Issued individual badge friendly URL
RewriteRule ^badge/(\d{1,})/?$ main/badge/issued.php?issue=$1 [QSA,L]

# Issued badges friendly URL
RewriteRule ^skill/(\d{1,})/user/(\d{1,})/?$ main/badge/issued_all.php?skill=$1&user=$2 [L]

# Support deprecated URL (avoid 404)
RewriteRule ^badge/(\d{1,})/user/(\d{1,})/?$ main/badge/issued_all.php?skill=$1&user=$2 [L]

# Support old URLs using the exercice (with a c) folder rather than exercise
RewriteRule ^main/exercice/(.*)$ main/exercise/$1 [QSA,L]

# Support old URLs using the newscorm folder rather than lp
RewriteRule ^main/newscorm/(.*)$ main/lp/$1 [QSA,L]

# service Information
RewriteRule ^service/(\d{1,})$ plugin/buycourses/src/service_information.php?service_id=$1 [L]

# LTI outcome service
RewriteRule ^lti/os$ plugin/ims_lti/outcome_service.php [L]

# This rule is very generic and should always remain at the bottom of .htaccess
# http://my.chamilo.net/jdoe to http://my.chamilo.net/user.php?jdoe
RewriteRule ^([^/.]+)/?$ user.php?$1 [L]

# Deny direct access to user my files
RewriteRule ^app/upload/users/([^/]+)/([^/]+)/my_files/(.*)$ main/social/download_my_files.php?user_id=$2&file=$3 [QSA,L]

# Deny access
RewriteRule ^(tests|.git) - [F,L,NC]

# Add caching of woff font files to avoid loading 2*15KB each time with Chamilo
# default OpenSans font
AddType application/font-woff .woff .woff2
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType application/font-woff "access plus 1 month"
</IfModule>
--- --- ---

When visiting:
https://sub.domain.tld/app/upload/users/1/1/my_files/image.png

this rule from htaccess should apply:

# Deny direct access to user my files
RewriteRule ^app/upload/users/([^/]+)/([^/]+)/my_files/(.*)$ main/social/download_my_files.php?user_id=$2&file=$3 [QSA,L]

However, trace says:
--- --- ---
[authz_core:debug] mod_authz_core.c(815): [client xxx] AH01626: authorization result of Require all granted: granted, referer: https://sub.domain.tld/app/upload/users/1/1/my_files/image.png
[authz_core:debug] mod_authz_core.c(815): [client xxx] AH01626: authorization result of <RequireAny>: granted, referer: https://sub.domain.tld/app/upload/users/1/1/my_files/image.png

No rewrite pattern applied.
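As an added example (not part of the bug report, of Chamilo's .htaccess or of httpd's code), the script below simulates how mod_rewrite walks a per-directory rule list for the request in the report: in .htaccess context the pattern is tested against the path with the leading slash stripped, rules are tried in file order, and the [L], [F], [NC] and [QSA] flags decide what happens next. It uses a constructed subset of the rules above in their original order, the function name apply_rules is mine, and it does not model RewriteCond or the internal redirect that follows [L] in .htaccess context.

```python
import re

# Constructed subset of the RewriteRule lines from the .htaccess above, kept in
# file order because [L] stops at the first rule that matches.
RULES = [
    (r"^courses/([^/]+)/?$", "main/course_home/course_home.php?cDir=$1", "QSA,L"),
    (r"^courses/([^/]+)/(.*)$", "app/courses/$1/$2", "QSA,L"),
    (r"^([^/.]+)/?$", "user.php?$1", "L"),
    (r"^app/upload/users/([^/]+)/([^/]+)/my_files/(.*)$",
     "main/social/download_my_files.php?user_id=$2&file=$3", "QSA,L"),
    (r"^(tests|.git)", "-", "F,L,NC"),
]


def apply_rules(request_uri, rules=RULES):
    """Return {'rule', 'status', 'target'} for the first rule that fires.

    Per-directory (.htaccess) context: mod_rewrite strips the directory prefix
    and the leading slash before matching, so a pattern sees
    'app/upload/...' rather than '/app/upload/...'.
    """
    path, _, query = request_uri.partition("?")
    rel = path.lstrip("/")
    for pattern, subst, flags in rules:
        flagset = set(flags.split(","))
        m = re.search(pattern, rel, re.IGNORECASE if "NC" in flagset else 0)
        if not m:
            continue
        if "F" in flagset:                      # [F]: answer 403 Forbidden
            return {"rule": pattern, "status": 403, "target": None}
        # Expand $0..$9 back-references from the matched groups.
        target = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", subst)
        new_path, has_q, new_query = target.partition("?")
        if not has_q:                           # no '?' in substitution: original query kept
            new_query = query
        elif "QSA" in flagset and query:        # [QSA]: append the original query string
            new_query += "&" + query
        result = new_path + ("?" + new_query if new_query else "")
        if "L" in flagset:
            # [L] ends this pass; the real server then re-runs the rewritten
            # URL through the same .htaccess as an internal redirect.
            return {"rule": pattern, "status": 200, "target": result}
        rel, query = new_path, new_query
    return {"rule": None, "status": 200, "target": rel}


if __name__ == "__main__":
    for uri in ("/app/upload/users/1/1/my_files/image.png", "/jdoe",
                "/courses/ABC/doc.pdf?x=1", "/.git/config"):
        print(uri, "->", apply_rules(uri))
```

With the rules as listed, the reported URL reaches the "Deny direct access to user my files" rule and nothing before it matches, so if the rewrite trace shows no rule firing, the .htaccess itself is not being consulted for that request rather than being shadowed by an earlier rule.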