On Wed, May 21, 2025 at 1:12 PM J Lance Wilkinson <jl...@psu.edu> wrote:
>
> On 5/21/2025 1:07 PM, Frank Gingras wrote:
>
> On Wed, May 21, 2025 at 12:19 PM J Lance Wilkinson <jl...@psu.edu> wrote:
>
>> I have a directory /PMHS72/ which contains a few .html and .php files
>> that I want to present, and all other files in the directory are blocked.
>>
>> I need to rewrite requests for the files in the directory to redirect
>> any explicit requests for files in the directory, UNLESS they are those
>> few whitelisted files, to be sent to one specific one of those
>> whitelisted .php files as a parameter.
>>
>> Here's my configuration -- directory and rewrite rules.
>>
>> RewriteEngine On
>> LogLevel alert rewrite:trace5
>>
>> # Allow direct access to whitelisted PHP and HTML files
>> RewriteCond %{REQUEST_URI} ^/PMHS72/(index|gateway|verify|CodePreview|wrapper|roster)\.php$ [NC,OR]
>> RewriteCond %{REQUEST_URI} ^/PMHS72/(privacy|terms)\.html$ [NC]
>> RewriteRule ^ - [L]
>>
>> # Rewrite everything else under /PMHS72/ to go through wrapper.php
>> #RewriteRule ^PMHS72/(.*)$ /PMHS72/wrapper.php?file=$1 [QSA,L]
>> RewriteRule ^/?PMHS72/(.*)$ /PMHS72/wrapper.php?file=$1 [QSA,L]
>>
>> <DirectoryMatch "^/var/www/html/PMHS72/?$">
>>     Options +Indexes
>>     Require all granted
>> </DirectoryMatch>
>>
>> <Directory "/var/www/html/PMHS72">
>>     Require all denied
>>
>>     # Expose all whitelisted files
>>     <FilesMatch "^(index|gateway|verify|CodePreview|wrapper|roster)\.php$">
>>         Require all granted
>>     </FilesMatch>
>>
>>     <FilesMatch "^(privacy|terms)\.html$">
>>         Require all granted
>>     </FilesMatch>
>>
>>     DirectoryIndex index.php
>>
>> </Directory>
>>
>> Any attempt to reach /PMHS72/PMHS-72%20Alumni%20Roster.pdf SHOULD be
>> rewritten to this:
>>
>> /PMHS72/wrapper.php?file=PMHS-72%20Alumni%20Roster.pdf
>>
>> Instead I'm getting a server default 403 response, and even though I've
>> got rewrite set to trace 5 I'm getting NO error log entries.
>
> What context are the rules defined in? The vhost, directly?
>
> In the general configuration. The VHOST is defined but this
> entire configuration is part of the general definitions outside the vhost
> block.
>
> If so, RewriteRule ^/? doesn't make sense, as you'll always see the
> leading slash.
>
> Likely true. But DOES IT HURT my requirement?
>
> Lastly, if you have more than one vhost, run apachectl -S and make sure
> the correct vhost is being accessed / edited.
>
> Only ONE VHOST defined. And the entire server is inside a
> Synology Container Manager (Docker) container with no shell access so I
> don't have control over the apachectl command.
>
> One suggestion has been to open up the protection "temporarily" to
> get the rewrite rules to apply and then lock things down after:
>
> <Directory "/var/www/html/PMHS72">
>     Options +Indexes
>     AllowOverride None
>
>     # Allow access to trigger rewrite rules, but only internally
>     Require all granted
>
>     # Immediately deny access to files not explicitly allowed
>     <FilesMatch "^(?!wrapper\.php$|index\.php$|gateway\.php$|verify\.php$|CodePreview\.php$|privacy\.html$|terms\.html$).+$">
>         Require all denied
>     </FilesMatch>
>
>     DirectoryIndex index.php
> </Directory>
>
> Going to try that now.

If you define your rules in the server context, you need to add RewriteOptions inherit in every vhost you want to apply them to.
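
The layout the last reply describes, as an added example that is not part of the thread or anyone's actual configuration: the rewrite rules stay in the server context exactly as posted, and the virtual host enables the engine and inherits them. The vhost address, ServerName and DocumentRoot are assumptions, since the thread never shows the vhost block.

```apache
# Server context (outside any <VirtualHost>): the rules as posted in the thread.
RewriteEngine On

RewriteCond %{REQUEST_URI} ^/PMHS72/(index|gateway|verify|CodePreview|wrapper|roster)\.php$ [NC,OR]
RewriteCond %{REQUEST_URI} ^/PMHS72/(privacy|terms)\.html$ [NC]
RewriteRule ^ - [L]

RewriteRule ^/?PMHS72/(.*)$ /PMHS72/wrapper.php?file=$1 [QSA,L]

# Virtual host. The address/port, ServerName and DocumentRoot below are
# assumptions (placeholders); the thread does not show this block.
<VirtualHost *:80>
    ServerName www.example.invalid
    DocumentRoot "/var/www/html"

    # mod_rewrite configuration is not inherited by virtual hosts by default.
    # Each vhost needs the engine switched on, and "Inherit" pulls in the
    # maps, conditions and rules of the main server. Inherited rules are
    # applied after any rules defined in the vhost itself.
    RewriteEngine On
    RewriteOptions Inherit
</VirtualHost>
```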