.htaccess Rewriting Configuration Differences

[adamcoppard]

Hi all,

I seem to have hit a snag with URL rewriting. The same .htaccess file is running in two different locations, one of which will rewrite correctly, and the other fails miserably.
Correctly, it will rewrite /admin to admin.php and admin/terms to say admin_terms.php or /admin/logs to admin_logs.php.
However, on my own server at home (with exactly the same .htaccess file) it will rewrite /admin to admin.php AND /admin/terms or /admin/logs to admin.php, which is obviously incorrect, and driving me bonkers!
What simple trick am I missing?

[Dan Grossman]

Essential context for helping you: Apache version and the contents of this .htaccess file

[adamcoppard]

Here is the contents of the .htaccess file:

PHP Code:

Options +FollowSymLinks
Options -Indexes
RewriteEngine On

RewriteRule ^confirm/(\d+)?/(\w+)/?$ confirm_user.php?userID=$1&hash=$2 [L]
RewriteCond %{THE_REQUEST} confirm_user\.php
RewriteRule ^confirm_user\.php - [F]
RewriteRule ^forgotpassword/?$ forgot_pass.php [L]
RewriteCond %{THE_REQUEST} forgot_pass\.php
RewriteRule ^forgot_pass\.php - [F]
RewriteRule ^recoverpassword/(\d+)?/(\w+)/?$ recover_pass.php?userID=$1&hash=$2 [L]
RewriteCond %{THE_REQUEST} recover_pass\.php
RewriteRule ^recover_pass\.php - [F]
RewriteRule ^book/([A-Za-z0-9]+)/(([0-9][0-9][0-9][0-9])-([0-1][0-9])-([0-3][0-9]))/([A-Za-z0-9]+)/?$ book.php?roomID=$1&date=$2&period=$6 [L]
RewriteCond %{THE_REQUEST} book\.php
RewriteRule ^book\.php - [F]
RewriteRule ^bookings(/(\w+))?(/(\d+))?/?$ bookings.php?type=$2&id=$4 [L]
RewriteCond %{THE_REQUEST} bookings\.php
RewriteRule ^bookings\.php - [F]
RewriteRule ^availability(/([^/]+))?(/([^/]+))?(/([^/]+))?/?$ availability.php?week=$2&year=$4&tab=$6 [L]
RewriteCond %{THE_REQUEST} availability\.php
RewriteRule ^availability\.php - [F]
RewriteRule ^facilities/?$ facilities.php [L]
RewriteCond %{THE_REQUEST} facilities\.php
RewriteRule ^facilities\.php - [F]
RewriteRule ^preferences/?$ preferences.php [L]
RewriteCond %{THE_REQUEST} preferences\.php
RewriteRule ^perefences\.php - [F]
RewriteRule ^admin/?$ admin.php [L]
RewriteCond %{THE_REQUEST} admin\.php
RewriteRule ^admin\.php - [F]
RewriteRule ^admin/users(/(\w+)?/(\d+))?/?$ admin_users.php?action=$2&userID=$3 [L]
RewriteCond %{THE_REQUEST} admin_users\.php
RewriteRule ^admin_users\.php - [F]
RewriteRule ^admin/notes/?$ admin_notes.php [L]
RewriteCond %{THE_REQUEST} admin_notes\.php
RewriteRule ^admin_notes\.php - [F]
RewriteRule ^admin/terms(/(\w+)?/(\w+)?/(\d+))?/?$ admin_terms.php?type=$2&action=$3&ID=$4 [L]
RewriteCond %{THE_REQUEST} admin_terms\.php
RewriteRule ^admin_terms\.php - [F]
RewriteRule ^admin/periods(/(\w+)?/(\d+))?/?$ admin_periods.php?action=$2&periodID=$3 [L]
RewriteCond %{THE_REQUEST} admin_periods\.php
RewriteRule ^admin_periods\.php - [F]
RewriteRule ^admin/rooms/?$ admin_rooms.php [L]
RewriteCond %{THE_REQUEST} admin_rooms\.php
RewriteRule ^admin_rooms\.php - [F]
RewriteRule ^admin/backup(/([0-9]+))?/?$ admin_backup.php?backup=$2 [L]
RewriteCond %{THE_REQUEST} admin_backup\.php
RewriteRule ^admin_backup\.php - [F]
RewriteRule ^admin/logs(/([a-z]+))?(/([0-9]+))?/?$ admin_logs.php?method=$2&id=$4 [L]
RewriteCond %{THE_REQUEST} admin_logs\.php
RewriteRule ^admin_logs\.php - [F]
RewriteRule ^admin/settings/?$ admin_settings.php [L]
RewriteCond %{THE_REQUEST} admin_settings\.php
RewriteRule ^admin_settings\.php - [F]
RewriteRule ^login/?$ login.php [L]
RewriteCond %{THE_REQUEST} login\.php
RewriteRule ^login\.php - [F]
RewriteRule ^privacy/?$ privacy.php [L]
RewriteCond %{THE_REQUEST} privacy\.php
RewriteRule ^privacy\.php - [F]
RewriteRule ^logout/?$ login.php?action=logout [L]
RewriteRule ^ajax/?$ ajax_wrapper.php [L]
RewriteCond %{THE_REQUEST} ajax_wrapper\.php
RewriteRule ^ajax_wrapper\.php - [F]
RewriteRule ^help/?$ help.php [L]
RewriteCond %{THE_REQUEST} help\.php
RewriteRule ^help\.php - [F]

RewriteCond %{THE_REQUEST} ajax\.php
RewriteRule ^ajax\.php - [F]
RewriteCond %{THE_REQUEST} cron\.php
RewriteRule ^cron\.php - [F]

RewriteRule ^api/?$ api.php [L]
RewriteCond %{THE_REQUEST} api\.php
RewriteRule ^api\.php - [F]
#RewriteRule ^api/docs/?$ api_docs.php [L]
#RewriteCond %{THE_REQUEST} api_docs\.php
#RewriteRule ^api_docs\.php - [F]
#RewriteRule ^api/get/bookings/?$ bookings.xml [L]
#RewriteCond %{THE_REQUEST} bookings\.xml
#RewriteRule ^bookings\.xml - [F]
#RewriteRule ^api/get/today/?$ today.xml [L]
#RewriteCond %{THE_REQUEST} today\.xml
#RewriteRule ^today\.xml - [F]
#RewriteRule ^api/post/book/?$ api_post.php [L]
#RewriteCond %{THE_REQUEST} api_post\.php
#RewriteRule ^api_post\.php - [F]

RewriteRule ^error/401?$ 401.php [L]
RewriteCond %{THE_REQUEST} 401\.php
RewriteRule ^401\.php - [F]
RewriteRule ^error/404?$ 404.php [L]
RewriteCond %{THE_REQUEST} 404\.php
RewriteRule ^404\.php - [F]
RewriteRule ^error/403?$ 403.php [L]
RewriteCond %{THE_REQUEST} 403\.php
RewriteRule ^403\.php - [F]
RewriteRule ^error/500?$ 500.php [L]
RewriteCond %{THE_REQUEST} 500\.php
RewriteRule ^500\.php - [F]

ErrorDocument 401 /error/401
ErrorDocument 404 /error/404
ErrorDocument 403 /error/403
ErrorDocument 500 /error/500 


As for versions: 2.2.12 on the non working server and 2.2.13 on the working server.

[dklynn]

Hi Adam!

There should be NO difference between Apache 2.x versions. However, I suspect that there may be something in the VirtualHost setup which is different between your hosted and home servers (the location of the DocumentRoot in each - but I didn't see anything like that below) OR there may be something that the WinDoze version doesn't like (but I didn't see anything in this regard).

Argh! I don't like going through masses of code (especially using {THE_REQUEST}) but, since the problem is with the admin redirections ...

Code:

Options +FollowSymLinks
Options -Indexes
RewriteEngine On

RewriteRule ^confirm/(\d+)?/(\w+)/?$ confirm_user.php?userID=$1&hash=$2 [L]
RewriteCond %{THE_REQUEST} confirm_user\.php
RewriteRule ^confirm_user\.php - [F]
RewriteRule ^forgotpassword/?$ forgot_pass.php [L]
RewriteCond %{THE_REQUEST} forgot_pass\.php
RewriteRule ^forgot_pass\.php - [F]
RewriteRule ^recoverpassword/(\d+)?/(\w+)/?$ recover_pass.php?userID=$1&hash=$2 [L]
RewriteCond %{THE_REQUEST} recover_pass\.php
RewriteRule ^recover_pass\.php - [F]
RewriteRule ^book/([A-Za-z0-9]+)/(([0-9][0-9][0-9][0-9])-([0-1][0-9])-([0-3][0-9]))/([A-Za-z0-9]+)/?$ book.php?roomID=$1&date=$2&period=$6 [L]
RewriteCond %{THE_REQUEST} book\.php
RewriteRule ^book\.php - [F]
RewriteRule ^bookings(/(\w+))?(/(\d+))?/?$ bookings.php?type=$2&id=$4 [L]
RewriteCond %{THE_REQUEST} bookings\.php
RewriteRule ^bookings\.php - [F]
RewriteRule ^availability(/([^/]+))?(/([^/]+))?(/([^/]+))?/?$ availability.php?week=$2&year=$4&tab=$6 [L]
RewriteCond %{THE_REQUEST} availability\.php
RewriteRule ^availability\.php - [F]
RewriteRule ^facilities/?$ facilities.php [L]
RewriteCond %{THE_REQUEST} facilities\.php
RewriteRule ^facilities\.php - [F]
RewriteRule ^preferences/?$ preferences.php [L]
RewriteCond %{THE_REQUEST} preferences\.php
RewriteRule ^perefences\.php - [F]

RewriteRule ^admin/?$ admin.php [L]

Almost invariably, the use of an optional trailing slash will cause problems - and it will certainly not match the next mod_rewrite block as you're dealing with {THE_REQUEST} which does not change with the {REQUEST_URI} changes made by mod_rewrite
RewriteCond %{THE_REQUEST} admin\.php
RewriteRule ^admin\.php - [F]

RewriteRule ^admin/users(/(\w+)?/(\d+))?/?$ admin_users.php?action=$2&userID=$3 [L]
This should NEVER match as you've redirected admin/? above to admin.php.
RewriteCond %{THE_REQUEST} admin_users\.php
RewriteRule ^admin_users\.php - [F]
Ditto
RewriteRule ^admin/notes/?$ admin_notes.php [L]
[indent]et al ... Sorry, I gave up here.[indent]
RewriteCond %{THE_REQUEST} admin_notes\.php
RewriteRule ^admin_notes\.php - [F]
RewriteRule ^admin/terms(/(\w+)?/(\w+)?/(\d+))?/?$ admin_terms.php?type=$2&action=$3&ID=$4 [L]
RewriteCond %{THE_REQUEST} admin_terms\.php
RewriteRule ^admin_terms\.php - [F]
RewriteRule ^admin/periods(/(\w+)?/(\d+))?/?$ admin_periods.php?action=$2&periodID=$3 [L]
RewriteCond %{THE_REQUEST} admin_periods\.php
RewriteRule ^admin_periods\.php - [F]
RewriteRule ^admin/rooms/?$ admin_rooms.php [L]
RewriteCond %{THE_REQUEST} admin_rooms\.php
RewriteRule ^admin_rooms\.php - [F]
RewriteRule ^admin/backup(/([0-9]+))?/?$ admin_backup.php?backup=$2 [L]
RewriteCond %{THE_REQUEST} admin_backup\.php
RewriteRule ^admin_backup\.php - [F]
RewriteRule ^admin/logs(/([a-z]+))?(/([0-9]+))?/?$ admin_logs.php?method=$2&id=$4 [L]
RewriteCond %{THE_REQUEST} admin_logs\.php
RewriteRule ^admin_logs\.php - [F]
RewriteRule ^admin/settings/?$ admin_settings.php [L]
RewriteCond %{THE_REQUEST} admin_settings\.php
RewriteRule ^admin_settings\.php - [F]
RewriteRule ^login/?$ login.php [L]
RewriteCond %{THE_REQUEST} login\.php
RewriteRule ^login\.php - [F]
RewriteRule ^privacy/?$ privacy.php [L]
RewriteCond %{THE_REQUEST} privacy\.php
RewriteRule ^privacy\.php - [F]
RewriteRule ^logout/?$ login.php?action=logout [L]
RewriteRule ^ajax/?$ ajax_wrapper.php [L]
RewriteCond %{THE_REQUEST} ajax_wrapper\.php
RewriteRule ^ajax_wrapper\.php - [F]
RewriteRule ^help/?$ help.php [L]
RewriteCond %{THE_REQUEST} help\.php
RewriteRule ^help\.php - [F]

RewriteCond %{THE_REQUEST} ajax\.php
RewriteRule ^ajax\.php - [F]
RewriteCond %{THE_REQUEST} cron\.php
RewriteRule ^cron\.php - [F]

RewriteRule ^api/?$ api.php [L]
RewriteCond %{THE_REQUEST} api\.php
RewriteRule ^api\.php - [F]
#RewriteRule ^api/docs/?$ api_docs.php [L]
#RewriteCond %{THE_REQUEST} api_docs\.php
#RewriteRule ^api_docs\.php - [F]
#RewriteRule ^api/get/bookings/?$ bookings.xml [L]
#RewriteCond %{THE_REQUEST} bookings\.xml
#RewriteRule ^bookings\.xml - [F]
#RewriteRule ^api/get/today/?$ today.xml [L]
#RewriteCond %{THE_REQUEST} today\.xml
#RewriteRule ^today\.xml - [F]
#RewriteRule ^api/post/book/?$ api_post.php [L]
#RewriteCond %{THE_REQUEST} api_post\.php
#RewriteRule ^api_post\.php - [F]

RewriteRule ^error/401?$ 401.php [L]
RewriteCond %{THE_REQUEST} 401\.php
RewriteRule ^401\.php - [F]
RewriteRule ^error/404?$ 404.php [L]
RewriteCond %{THE_REQUEST} 404\.php
RewriteRule ^404\.php - [F]
RewriteRule ^error/403?$ 403.php [L]
RewriteCond %{THE_REQUEST} 403\.php
RewriteRule ^403\.php - [F]
RewriteRule ^error/500?$ 500.php [L]
RewriteCond %{THE_REQUEST} 500\.php
RewriteRule ^500\.php - [F]

ErrorDocument 401 /error/401
ErrorDocument 404 /error/404
ErrorDocument 403 /error/403
ErrorDocument 500 /error/500

I would have thought that the [F] needed the Last flag to terminate those block statements but, "if it ain't broke, don't fix it!"

Now, using {THE_REQUEST} (e.g., "GET /index.html HTTP/1.1") is a terrible way to go as you must parse the middle of the string to find the initial file requested (and has NOTHING to do with the result of a redirection (i.e., {REQUEST_URI}). Moreover, having these {THE_REQUEST} variables interleaved with {REQUEST_URI} (RewriteRules can ONLY attempt to match the {REQUEST_URI} string) is horribly confusing!

Tip:

Group the core directives (Options, ErrorDocument and Redirect statements) first then get into the mod_rewrite. When dealing with mod_rewrite, order by the most specific rules first then go to the more generic (being sure not to undo the earlier redirections unintentionally).

Regards,

DK

[adamcoppard]

Hi,

Sorry for my long delay in replying, been very busy with a few other things.

Either I'm missing something stupidly simple, or my rewrites are all a little bit messed up! I edited the admin part to what you suggested, but it still rewrites /admin and /admin/users to admin.php whatever I try! I can even get rid of every rewrite in the damned .htaccess file and the rewriting still occurs!

[Dan Grossman]

I can even get rid of every rewrite in the damned .htaccess file and the rewriting still occurs!

Are there rules in your httpd.conf file, or is there another .htaccess in play such as in the /admin folder itself?

[adamcoppard]

The httpd.conf file is completely empty, and there are no other .htaccess files at all in the DocumentRoot. The rewrite engine itself has now been disabled, and there are no .htaccess files, yet, the application still carries out simple rewrites, like login.php to login and admin.php to admin!

[Stomme poes]

Are you absolutely sure that Apache is doing the rewriting then, and not some weirdo PHP module?

[adamcoppard]

I don't think so. It's a complete stock install of the LAMP stack, which just had mod_rewrite installed. This is also occurring, wierdly, on two servers, running Ubuntu, now (one the latest LTS and one 9.10). On a RedHat server it's absolutely fine.

[dklynn]

Adam,

I didn't see any Redirect statements (which take precedence over mod_rewrite as mod_alias is a core feature) but your PHP scripts will likely require login.php to be called to satisfy a $_SESSIONS requirement.

Code:

RewriteRule ^admin/?$ admin.php [L]
# and
RewriteRule ^login/?$ login.php [L]

in your .htaccess will cause redirections from domain/admin to admin.php and login/ to login.php. Ha! ONLY if mod_rewrite is enabled! Did you comment out all the code or use

Code:

RewriteEngine off

to turn mod_rewrite OFF for your latest test? Using RewriteEngine off ... RewriteEngine on is like /* ... */ in PHP: It's a great way to comment out a lot of code without #'s.

Regards,

DK

[dklynn]

Adam,

LAMP, eh? The 'nix version of Apache uses different filenames for the config files so check your system as you may have something hidden in there.

Regards,

DK

[Stomme poes]

I was just going to say... the stock "main config file" (httpd.conf) is empty in Ubuntu. My rewrites are lounging around the poker table at
/etc/apache2/apache2.conf

Something other non-Debian 'nix distros don't do, apparently.

[adamcoppard]

Well, when it was loaded mod_rewrite was loaded in /etc/apahe2/apache2.conf. It fails being enabled in httpd.conf. There was nothing in httpd.conf. Now, to turn off all the URL rewriting I: completely removed the .htaccess file, ran a2dismod rewrite command, and removed the <IfModule> block from the apache2.conf file, and restarted Apache and the erronous redirects still continued. I took a look at phpinfo() output from the working and non working servers and they seem almost identical. The interesting rewrite section, is exactly the same. I'm almost all out of ideas now. Oh, and the Directory is ~/www for the root Apache default site.

[dklynn]

Adam,

Did you check for an equivalent of the httpd-vhosts.conf file (look for an include at the end of your apache2.conf)? Your "hidden directives" may be there!

Regards,

DK

[adamcoppard]

Just been having a good old poke around in Apache, and looked for all of my included files. Looked in conf.d folder, and there's nothing there, as well as httpd.conf a bit on the empty side! Other than that, can't see anything else being included from apache2.conf

However, just poked my nose into sites-enabled/000-default and for some reason (although don't ask me why!) this seems a little bit suspicious.

Code:

        DocumentRoot /home/adam/www
        <Directory />
                Options FollowSymLinks
                AllowOverride All
        </Directory>
        <Directory /home/adam/www>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>

[adamcoppard]

Now then, time to play spot the idiot. Removed the MultiViews from that and it works fine. Thanks for everyones time, and invaluable advice. I've learnt a fair bit from going on the wild goose chase, through almost every Apache config file imaginable!

[dklynn]

Adam,

Options MultiViews is such a PITA! On the other hand, kudos to you for spotting that and fixing the problem without assistance.

Others:

MultiViews allows you to insert the filename of a script in the middle of a {path_to} string. IMHO, it's a silly way to create URIs and, from Adam's experience, it can safely be said that it causes more problems than it's worth.

Code:

# My recommendation:
Options -MultiViews

Regards,

DK

[Stomme poes]

Great info, then. I checked my setup: it is certainly the default setting, and I've added DK's explanation and -'d the Multiviews.
I wonder why they have it in there.

The effect of MultiViews is as follows: if the server receives a request for /some/dir/foo, if /some/dir has MultiViews enabled, and /some/dir/foo does not exist, then the server reads the directory looking for files named foo.*, and effectively fakes up a type map which names all those files, assigning them the same media types and content-encodings it would have if the client had asked for one of them by name. It then chooses the best match to the client's requirements.

Hm, someone must have thought it helps keep stuff working even if a mistake in pathnames was made. Silent errors kinda bother me.

*edit I asked hubby what this was good for/why it existed.

It's made to deal with things like, client asks for index.html, and then based on for instance client language, the websrv will look for index.html.nl for instance

Still seems like something people should need to consciously set rather than remember to un-set.