#StackBounty: #apache-2.2 #apache-2.4 #reverse-proxy #mod-rewrite #proxypass apache rewriterule and proxypass 404 issue

Bounty: 50

I’m trying to set up group access to certain urls on my reverse proxy gateway. The previous questions that combine proxypass and mod_rewrite do so not for the reasons that I am doing so. I am combining them because I am trying to force an internal redirect (so I can see the HTTP headers.. This is because mod_rewrite cannot see the headers that I want unless I do an internal redirect). (This is a must, unfortunately)

If I remove the rewrite lines, the proxy works as expected (it’s serving the files correctly). However, the group access is not being enforced.

<VirtualHost *:*>
    ServerName mysubdomain.mydomain.com
    SSLProxyEngine on
    
    #I'm not an apache sys-admin professional so I'm not sure if any of these are necessary
    ProxyPreserveHost On
    ProxyRequests Off
    AllowEncodedSlashes On

    <Location /mypath>
        #this AuthType is what gets the HTTP header that I want (GROUPS)
        AuthType MyApacheAgt
        Order Deny,Allow
        Deny from all
        Allow from all

        RewriteEngine On
        RewriteCond %{ENV:REDIRECT_PASS} !1
        RewriteRule ^(.*)$ /$1 [L,E=PASS:1,PT]
        RewriteCond %{HTTP:GROUPS} !^.*some-group-to-match-to.*$
        RewriteRule ^(.*)$ /$1 [L,R=403,PT]

        ProxyPass        http://my-proxied-webserver.mydomain:8080/mypath disablereuse=On retry=0 nocanon
        ProxyPassReverse http://my-proxied-webserver.mydomain:8080/mypath
    </Location>

</VirtualHost>
        

From my apache logs, I see that I’m getting:

[pid 9:tid 140131688048384] [client XX] AH00128: File does not exist: /var/www/html/proxy:http:/my-proxied-webserver.mydomain:8020/mypath

One thing that alarms me is that there is only one / in the proxied url in the error log. Is this normal?

I am using apache 2.4 (and would prefer 2.4, but most 2.2 can be converted over)

Would it be simpler to merge the rewriterules and the proxy lines (if this is possible?)


Get this bounty!!!

#StackBounty: #htaccess #php #apache #mod-rewrite Rewriting PHP filename and parameters causes PHP code to be printed rather than execu…

Bounty: 50

This question has been driving me nuts. There seem to be hundreds of answers online and on various StackExchange websites, but they either remove index.php, keeping ?page=, like this:

Options +FollowSymLinks -MultiViews
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?$1 [L,QSA]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,}s(.*)/index.php [NC]
RewriteRule ^ %1 [R=301,L]

…or like this:

RewriteBase /
RewriteCond %{HTTP:X-Requested-With} !^XMLHttpRequest$
RewriteCond %{THE_REQUEST} ^[^/]*/index.php [NC]
RewriteRule ^index.php(.*)$ $1 [R=301,NS,L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php/$1 [QSA,L]

…or remove both but cause the page to not work (not be recognized as a PHP file), like this:

Options -MultiViews
RewriteCond %{THE_REQUEST} ^[A-Z]{3,}s/+index.php?page=([^s&]+) [NC]
RewriteRule ^ /%1? [R=302,L]
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^([^/]+)/?$ index.php?page=$1 [L,QSA]

How the heck do I remove index.php?page= and still get the remaining file/URL to be recognized as a proper PHP file?

P.S. I’m now considering conflicts in my .htaccess file. Here it is in its entirety:

# Prevent directory listing
Options -Indexes

<IfModule mod_rewrite.c>
  RewriteEngine On

  # Redirect HTTP to HTTPS
  RewriteCond %{HTTPS} off
  RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,NE,L]

  # Remove WWW from URL
  RewriteCond %{HTTP_HOST} ^www.foobar.com [NC]
  RewriteRule ^(.*)$ https://foobar.com/$1 [R=301,NC,L]

  Options -MultiViews
  RewriteCond %{THE_REQUEST} ^[A-Z]{3,}s/+index.php?page=([^s&]+) [NC]
  RewriteRule ^ /%1? [R=302,L]
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteRule ^([^/]+)/?$ index.php?page=$1 [L,QSA]
</IfModule>

# Set custom error pages
ErrorDocument 400 /index.php?p=400
ErrorDocument 401 /index.php?p=401
ErrorDocument 403 /index.php?p=403
ErrorDocument 404 /index.php?p=404
ErrorDocument 500 /index.php?p=500

<ifModule mod_headers.c>
  # Set caching for specified file types for 1 year
  <filesMatch ".(gif|jpg|png|svg|js|xml|txt|webmanifest)$">
    Header set Cache-Control "max-age=31536000, public"
  </filesMatch>

  # Set caching for stylesheets to 24 hours
  <filesMatch ".(css)$">
    Header set Cache-Control "max-age=86400, public"
  </filesMatch>

  # Set strict transport security for 1 year
  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
</ifModule>

# Prevent script kiddies from looking for WordPress
<Files wp-login.php> 
  Order Deny,Allow 
  Deny from All 
</Files>

<Files xmlrpc.php> 
  Order Deny,Allow 
  Deny from All 
</Files>

# php -- BEGIN cPanel-generated handler, do not edit
# Set the “ea-php70” package as the default “PHP” programming language.
<IfModule mime_module>
  AddHandler application/x-httpd-ea-php70___lsphp .php .php7 .phtml
</IfModule>
# php -- END cPanel-generated handler, do not edit


Get this bounty!!!