https://bz.apache.org/bugzilla/show_bug.cgi?id=66167

            Bug ID: 66167
           Summary: Require all granted in vhost matches, not parsing
                    rewrite rules in .htaccess
           Product: Apache httpd-2
           Version: 2.4.53
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_authz_core
          Assignee: bugs@httpd.apache.org
          Reporter: lonesomewal...@web.de
  Target Milestone: ---

Apache latest in Debian stable


vhost:
--- --- ---
<IfModule mod_ssl.c>
<VirtualHost *:443>

        ServerName sub.domain.tld
        ServerAdmin webmas...@domain.tld
        DocumentRoot "/var/www/xxx"

        <Directory "/var/www/xxx">
          Options FollowSymlinks
          AllowOverride All
          Require all granted
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        LogLevel debug rewrite:trace8

<IfModule mod_deflate.c>
 AddOutputFilterByType DEFLATE text/plain
 AddOutputFilterByType DEFLATE text/html
 AddOutputFilterByType DEFLATE text/xml
 AddOutputFilterByType DEFLATE text/css
 AddOutputFilterByType DEFLATE text/javascript
 AddOutputFilterByType DEFLATE image/svg+xml
 AddOutputFilterByType DEFLATE image/x-icon
 AddOutputFilterByType DEFLATE application/xml
 AddOutputFilterByType DEFLATE application/xhtml+xml
 AddOutputFilterByType DEFLATE application/rss+xml
 AddOutputFilterByType DEFLATE application/javascript
 AddOutputFilterByType DEFLATE application/x-javascript

 DeflateCompressionLevel 9

# Browser specific settings
 BrowserMatch ^Mozilla/4 gzip-only-text/html
 BrowserMatch ^Mozilla/4\.0[678] no-gzip
 BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
 BrowserMatch \bOpera !no-gzip 
</IfModule>

Header unset ETag
FileETag None

<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresDefault "access plus 5 seconds"
    ExpiresByType image/x-icon "access plus 604800 seconds"
    ExpiresByType image/jpeg "access plus 604800 seconds"
    ExpiresByType image/jpg "access plus 604800 seconds"
    ExpiresByType image/png "access plus 604800 seconds"
    ExpiresByType image/gif "access plus 604800 seconds"
    ExpiresByType image/svg+xml "access plus 604800 seconds"
    ExpiresByType application/x-shockwave-flash "access plus 604800 seconds"
    ExpiresByType text/css "access plus 604800 seconds"
    ExpiresByType text/javascript "access plus 604800 seconds"
    ExpiresByType application/javascript "access plus 604800 seconds"
    ExpiresByType application/x-javascript "access plus 604800 seconds"
    ExpiresByType application/font-woff "access plus 604800 seconds"
    ExpiresByType application/font-woff2 "access plus 604800 seconds"
    ExpiresByType text/html "access plus 600 seconds"
    ExpiresByType application/xhtml+xml "access plus 600 seconds"
</IfModule>

<IfModule mod_headers.c>
    <filesMatch "\.(ico|jpe?g|png|gif|swf|svg)$">
        Header set Cache-Control "public"
    </filesMatch>
    <filesMatch "\.(css)$">
        Header set Cache-Control "public"
    </filesMatch>
    <filesMatch "\.(js)$">
        Header set Cache-Control "private"
    </filesMatch>
    <filesMatch "\.(x?html?|php)$">
        Header set Cache-Control "private, must-revalidate"
    </filesMatch>
</IfModule>



SSLCertificateFile /etc/letsencrypt/live/sub.domain.tld/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sub.domain.tld/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
--- --- ---

.htaccess in /var/www/xxx
--- --- ---
RewriteEngine On

# Disables access to myfile.php/something
AcceptPathInfo Off

# Prevent execution of PHP from directories used for different types of uploads
RedirectMatch 403 ^/app/(?!courses/proxy)(cache|courses|home|logs|upload|Resources/public/css)/.*\.ph(p[3457]?|t|tml|ar)$
RedirectMatch 403 ^/main/default_course_document/images/.*\.ph(p[3457]?|t|tml|ar)$
RedirectMatch 403 ^/main/lang/.*\.ph(p[3457]?|t|tml|ar)$
RedirectMatch 403 ^/web/.*\.ph(p[3457]?|t|tml|ar)$

# http://sub.domain.tld/certificates/?id=123 to http://sub.domain.tld/certificates/index.php?id=123
RewriteCond %{QUERY_STRING} ^id=(.*)$
RewriteRule ^certificates/$ certificates/index.php?id=%1 [L]

# Course redirection
RewriteRule ^courses/([^/]+)/?$ main/course_home/course_home.php?cDir=$1 [QSA,L]
RewriteRule ^courses/([^/]+)/index.php$ main/course_home/course_home.php?cDir=$1 [QSA,L]

# Rewrite everything in the scorm folder of a course to the download script
# except JS, CSS and some image files, which can be served directly
RewriteRule ^courses/([^/]+)/scorm/(.*([\.js|\.css|\.png|\.jpg|\.jpeg|\.gif]))$ app/courses/$1/scorm/$2 [QSA,L]
RewriteRule ^courses/([^/]+)/scorm/(.*)$ main/document/download_scorm.php?doc_url=/$2&cDir=$1 [QSA,L]

# Rewrite everything in the document folder of a course to the download script
# Except certificate resources, which might need to be accessible publicly to all
RewriteRule ^courses/([^/]+)/document/certificates/(.*)$ app/courses/$1/document/certificates/$2 [QSA,L]
RewriteRule ^courses/([^/]+)/document/(.*)$ main/document/download.php?doc_url=/$2&cDir=$1 [QSA,L]

# Optimize load of custom per-course icons in courses (avoid download_uploaded_files.php)
RewriteRule ^courses/([^/]+)/upload/course_home_icons/(.*([\.js|\.css|\.png|\.jpg|\.jpeg|\.gif]))$ app/courses/$1/upload/course_home_icons/$2 [QSA,L]
# Course upload files
RewriteRule ^courses/([^/]+)/upload/([^/]+)/(.*)$ main/document/download_uploaded_files.php?code=$1&type=$2&file=$3 [QSA,L]

# Rewrite everything in the work folder
RewriteRule ^courses/([^/]+)/work/(.*)$ main/work/download.php?file=work/$2&cDir=$1 [QSA,L]

RewriteRule ^courses/([^/]+)/course-pic85x85.png$ main/inc/ajax/course.ajax.php?a=get_course_image&code=$1&image=course_image_source [QSA,L]
RewriteRule ^courses/([^/]+)/course-pic.png$ main/inc/ajax/course.ajax.php?a=get_course_image&code=$1&image=course_image_large_source [QSA,L]

# Redirect all courses/ to app/courses/
RewriteRule ^courses/([^/]+)/(.*)$ app/courses/$1/$2 [QSA,L]

# About session
RewriteRule ^session/(\d{1,})/about/?$ main/session/about.php?session_id=$1 [QSA,L]

# About course
RewriteRule ^course/(\d{1,})/about/?$ main/course_info/about.php?course_id=$1 [QSA,L]

# Issued individual badge friendly URL
RewriteRule ^badge/(\d{1,})/?$ main/badge/issued.php?issue=$1 [QSA,L]

# Issued badges friendly URL
RewriteRule ^skill/(\d{1,})/user/(\d{1,})/?$ main/badge/issued_all.php?skill=$1&user=$2 [L]
# Support deprecated URL (avoid 404)
RewriteRule ^badge/(\d{1,})/user/(\d{1,})/?$ main/badge/issued_all.php?skill=$1&user=$2 [L]

# Support old URLs using the exercice (with a c) folder rather than exercise
RewriteRule ^main/exercice/(.*)$ main/exercise/$1 [QSA,L]
# Support old URLs using the newscorm folder rather than lp
RewriteRule ^main/newscorm/(.*)$ main/lp/$1 [QSA,L]

# service Information
RewriteRule ^service/(\d{1,})$ plugin/buycourses/src/service_information.php?service_id=$1 [L]

# LTI outcome service
RewriteRule ^lti/os$ plugin/ims_lti/outcome_service.php [L]

# This rule is very generic and should always remain at the bottom of .htaccess
# http://my.chamilo.net/jdoe to http://my.chamilo.net/user.php?jdoe
RewriteRule ^([^/.]+)/?$ user.php?$1 [L]

# Deny direct access to user my files
RewriteRule ^app/upload/users/([^/]+)/([^/]+)/my_files/(.*)$ main/social/download_my_files.php?user_id=$2&file=$3 [QSA,L]

# Deny access
RewriteRule ^(tests|.git) - [F,L,NC]

# Add caching of woff font files to avoid loading 2*15KB each time with Chamilo
# default OpenSans font
AddType application/font-woff .woff .woff2
<IfModule mod_expires.c>
  ExpiresActive On
  ExpiresByType application/font-woff "access plus 1 month"
</IfModule>
--- --- ---


When visiting:
https://sub.domain.tld/app/upload/users/1/1/my_files/image.png

this rule from .htaccess should apply:
# Deny direct access to user my files
RewriteRule ^app/upload/users/([^/]+)/([^/]+)/my_files/(.*)$ main/social/download_my_files.php?user_id=$2&file=$3 [QSA,L]


However, trace says:
--- --- ---
[authz_core:debug] mod_authz_core.c(815): [client xxx] AH01626: authorization result of Require all granted: granted, referer: https://sub.domain.tld/app/upload/users/1/1/my_files/image.png
[authz_core:debug] mod_authz_core.c(815): [client xxx] AH01626: authorization result of <RequireAny>: granted, referer: https://sub.domain.tld/app/upload/users/1/1/my_files/image.png


No rewrite pattern applied.
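Added example, not part of the bug report: a small Python check that applies a subset of the .htaccess patterns above to the request path the way a per-directory rewrite sees it (DocumentRoot-relative, directory prefix stripped, no leading slash), to confirm whether the pattern itself matches and what substitution it should produce. The rule subset, the `per_directory_path` and `first_match` helpers, and the assumption that the .htaccess sits in DocumentRoot are this example's, not mod_rewrite's own code.

```python
import re
from urllib.parse import urlsplit

# Constructed subset of the report's .htaccess rules, kept in file order.
# Every rule in the original carries [L], so the first match ends processing.
# In a per-directory (.htaccess) context mod_rewrite strips the directory
# prefix before matching, which is why the patterns have no leading "/".
RULES = [
    (r"^courses/([^/]+)/document/(.*)$",
     "main/document/download.php?doc_url=/$2&cDir=$1"),
    (r"^courses/([^/]+)/(.*)$", "app/courses/$1/$2"),
    (r"^([^/.]+)/?$", "user.php?$1"),
    (r"^app/upload/users/([^/]+)/([^/]+)/my_files/(.*)$",
     "main/social/download_my_files.php?user_id=$2&file=$3"),
    (r"^(tests|.git)", "-"),  # [F]: "-" means no substitution, 403 instead
]


def per_directory_path(url, directory="/"):
    """Path a rewrite in an .htaccess at `directory` is matched against:
    the URL path with the directory prefix removed (assumes DocumentRoot is
    served at "/", as in the reported vhost)."""
    path = urlsplit(url).path
    if not path.startswith(directory):
        raise ValueError(f"{path!r} is outside {directory!r}")
    return path[len(directory):]


def first_match(path):
    """Return (pattern, result) for the first rule whose pattern matches,
    or None when no rule applies (the request falls through untouched)."""
    for pattern, subst in RULES:
        m = re.search(pattern, path)
        if m is None:
            continue
        if subst == "-":
            return pattern, "403 Forbidden"
        # Expand $1..$9 back-references the way mod_rewrite does.
        expanded = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), subst)
        return pattern, expanded
    return None


if __name__ == "__main__":
    for url in ("https://sub.domain.tld/app/upload/users/1/1/my_files/image.png",
                "https://sub.domain.tld/courses/ABC/document/notes.pdf",
                "https://sub.domain.tld/jdoe",
                "https://sub.domain.tld/app/index.php"):
        print(url, "->", first_match(per_directory_path(url)))
```

For the reported URL the pattern does match and should yield `main/social/download_my_files.php?user_id=1&file=image.png`, so a trace with no rewrite entries at all points at the rules never being evaluated for that request rather than at the regex.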
