Samuel Jackson Samuel Jackson - 3 months ago 16
Apache Configuration Question

Nested RewriteRules on Apache 2.4 causing 500 errors

I have a site running on cPanel, where wordpress is installed in the root. I also have a custom application I have written which is located in a subfolder named 'gallery'. Within the gallery subfolder is an 'admin' folder. The root folder of gallery (no rewrite) controls the display of information, where the root of 'gallery/admin' grants the user administrative access to the application. The path structure is redirected and handled (custom MVC framework), which is primarily directed by the following .htaccess directives :

Require all granted

RewriteEngine On
RewriteCond %{REQUEST_URI} !\.(jpg|png|bmp|gif|css|js|map|ttf|woff|woff2|svg|eot)$
RewriteRule ^(.*)$ controller.php?page=$1 [NC,L,QSA]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ controller.php?page=error&rewritten=1&missing=$1 [NC,L,QSA]


The .htaccess for wordpress is customized for compression, expiring/caching of different types, in addition to handling traditional wordpress stuff and is as follows (pasting in full) :

Options -Indexes
# BEGIN WordPress

# Expires Caching (Leverage Browser Caching)
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access 2 week"
ExpiresByType image/jpeg "access 2 week"
ExpiresByType image/gif "access 2 week"
ExpiresByType image/png "access 2 week"
ExpiresByType text/css "access 2 week"
ExpiresByType application/pdf "access 2 week"
ExpiresByType text/x-javascript "access 2 week"
ExpiresByType application/x-shockwave-flash "access 2 week"
ExpiresByType image/x-icon "access 2 week"
ExpiresDefault "access 2 week"
</IfModule>

# Enable GZIP Compression (compress text, html, javascript, css, xml and so on) ##
<ifModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file \.(html?|txt|css|js|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</ifModule>
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
#AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
</IfModule>

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\.example\.org
RewriteRule (.*) http://www.example.org/$1 [R=301,L]
#RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteRule ^sitemap.xml /sitemap.php?p=xml [L]
RewriteRule ^sitemap.xsl /sitemap.php?p=xsl [L]
RewriteRule ^sitemap.css /sitemap.php?p=css [L]
RewriteRule ^sitemap.js /sitemap.php?p=js [L]
RewriteRule ^robots.txt /sitemap.php?p=txt [L]
RewriteRule ^gallery - [L]
RewriteRule ^controller\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress


The reason behind the double check
RewriteCond %{REQUEST_FILENAME} !-f
was because of another issue I had when trying to handle only files of a specific type where the file does not exist physically. (pretty 404 not found page when jpg/etc are missing).

As you can see,
controller.php
does all the grunt work for authentication, etc. If I comment out any of the lines containing
^(.*)$ controller.php?
I don't get 500 errors unless I call the controller directly and let it redirect based on the application root path.

This works flawlessly on my Debian 8, and Ubuntu 11 boxes, as well as on Windows 10. The admin is based on the open source project otp-thing and works well. Just am having some trouble handling the redirects when the almighty wordpress is in the root of the site.

There doesn't appear to be any code issues (if so, they would have cropped up in other tests on Debian 8, Ubuntu 11, and especially Windows 10).

The server software running on this build of cPanel are as follows :

Server version: Apache/2.4.18 (Unix)
Server built: Mar 1 2016 10:43:46
Cpanel::Easy::Apache v3.32.10 rev9999
Server's Module Magic Number: 20120211:52
Server loaded: APR 1.5.2, APR-UTIL 1.5.4
Compiled using: APR 1.5.2, APR-UTIL 1.5.4
Architecture: 64-bit
Server MPM: prefork
threaded: no
forked: yes (variable process count)
Server compiled with....
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses disabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/usr/local/apache"
-D SUEXEC_BIN="/usr/local/apache/bin/suexec"
-D DEFAULT_PIDLOG="logs/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"


And PHP

PHP 5.6.18 (cli) (built: Mar 1 2016 10:47:52)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
with the ionCube PHP Loader v4.7.5, Copyright (c) 2002-2014, by ionCube Ltd., and
with Zend Guard Loader v3.3, Copyright (c) 1998-2014, by Zend Technologies


Also, if you look at the project source for otp-thing, you will notice some of the nested directories intentionally block public access (app/cache, app/templates_c, etc)

The error that is reported by Apache in
/usr/local/apache/error_log
is :


[Thu Aug 25 21:33:21.323468 2016] [core:error] [pid 15805] [client XX.XX.XX.XX:XXXXX] AH00124: Request exceeded the limit of 10 internal redirects due to probable configuration error. Use 'LimitInternalRecursion' to increase the limit if necessary. Use 'LogLevel debug' to get a backtrace.


The message is identical if I comment out any combination of the
RewriteRule
lines from the
gallery/admin/.htaccess
file.


I have tried adding had paths preceding 'controller.php', however this exacerbates the problem, but overall, no change to the issue at hand here.

What can I do to make sure that all this stuff works, or even as a workaround, how can I move the htaccess rules for otp-thing into the wordpress htaccess file as above by merging them (how can the directives be adjusted).

Answer

This should work in /gallery/admin/.htaccess:

RewriteEngine On
RewrtieBase /gallery/admin/

# skip any rule below this for controller.php or for valid files / directories
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d [OR]
RewriteCond %{REQUEST_URI} /controller\.php$ [NC]
RewriteRule ^ - [L]

# rewrite all except certain static resource extensions to controller.php
RewriteCond %{REQUEST_URI} !\.(jpe?g|png|bmp|gif|css|js|map|ttf|woff|woff2|svg|eot)$
RewriteRule ^.*$ controller.php?page=$0 [L,QSA]

# rewrite not found static resource extensions
RewriteRule ^.*$ controller.php?page=error&rewritten=1&missing=$0 [L,QSA]
Comments