You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Jason Keltz <ja...@cs.yorku.ca> on 2006/01/31 22:19:08 UTC
[users@httpd] using mod_rewrite to get around unknown directive in .htaccess
An Apache module is enabled on our 1.3.34 https server, and not on our
http server. The http and https servers serve the same document tree.
One .htaccess file in a users web tree (say, ~user/secure/.htaccess)
contains directives that will only work on the https server. When a
user visits the page on the http tree, they get an "Internal Server
Error" message. This, I would expect.
However, I would like to make it so that when the user tries to view the
page VIA http, he is automatically redirected to the https page using
mod_rewrite. Now, the directives in the .htaccess file exist, and
everything works. The problem is that even though I include the rewrite
directives in the upper level (~user/.htaccess) file that will may
http://server/~user/secure to https://server/~user/secure, the server
still tries http://server/~user/secure/.htaccess first, and dies with
the internal server error, so it does not end up redirecting.
Is there a simple way around this?
Thanks in advance..
Jason.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] using mod_rewrite to get around unknown directive in .htaccess
Posted by Joshua Slive <jo...@slive.ca>.
On 1/31/06, Joshua Slive <jo...@slive.ca> wrote:
> On 1/31/06, Jason Keltz <ja...@cs.yorku.ca> wrote:
> > On Tue, 31 Jan 2006, Joshua Slive wrote:
>
> > > Use httpd.conf to turn off .htacess processing (AllowOverride) in the
> > > relevant directory inside the <VirtualHost> section for the non-ssl
> > > host.
> >
> > Hi Joshua,
> >
> > Unfortunately, this won't do it since multiple users can use the
> > directives on the https server in any directory. Is there no
> > "IgnoreErrors" directive in .htaccess? What I really don't get is that if
> > I redefine the error message in the top-level .htaccess, that does indeed
> > get read which shows that the server reads the top-level .htaccess before
> > reading the bottom-level one. How come an Error code web page
> > redefinition works, but a mod_rewrite rule does not..
>
> It does work. It is just that apache must ALSO read the .htaccess
> file in the subdirectory, since it may have additional RewriteRules
> (or other directives) that will change the parent directory
> configuration. And simply ignoring config-file syntax errors would be
> a security problem. You could, of course, simply create a stub module
> that impliments the directive as a no-op. That would be relatively
> easy.
>
> You haven't fully specified your problem, so it is difficult to
> suggest solutions. The obvious one is to use
> AccessFileName .htaccess-secure .htaccess
> on the ssl site. Then if anyone is using directives that work only on
> the ssl server, tell them to rename their .htaccess to
> .htaccess-secure.
Oh, and a third alternative is to use an
ErrorDocument 500 /cgi-bin/go-to-ssl.cgi
which could then issue the redirect without the client ever seeing the error.
Joshua.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] using mod_rewrite to get around unknown directive in .htaccess
Posted by Joshua Slive <jo...@slive.ca>.
On 1/31/06, Jason Keltz <ja...@cs.yorku.ca> wrote:
> On Tue, 31 Jan 2006, Joshua Slive wrote:
> > Use httpd.conf to turn off .htacess processing (AllowOverride) in the
> > relevant directory inside the <VirtualHost> section for the non-ssl
> > host.
>
> Hi Joshua,
>
> Unfortunately, this won't do it since multiple users can use the
> directives on the https server in any directory. Is there no
> "IgnoreErrors" directive in .htaccess? What I really don't get is that if
> I redefine the error message in the top-level .htaccess, that does indeed
> get read which shows that the server reads the top-level .htaccess before
> reading the bottom-level one. How come an Error code web page
> redefinition works, but a mod_rewrite rule does not..
It does work. It is just that apache must ALSO read the .htaccess
file in the subdirectory, since it may have additional RewriteRules
(or other directives) that will change the parent directory
configuration. And simply ignoring config-file syntax errors would be
a security problem. You could, of course, simply create a stub module
that impliments the directive as a no-op. That would be relatively
easy.
You haven't fully specified your problem, so it is difficult to
suggest solutions. The obvious one is to use
AccessFileName .htaccess-secure .htaccess
on the ssl site. Then if anyone is using directives that work only on
the ssl server, tell them to rename their .htaccess to
.htaccess-secure.
Joshua.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] using mod_rewrite to get around unknown directive
in .htaccess
Posted by Jason Keltz <ja...@cs.yorku.ca>.
On Tue, 31 Jan 2006, Joshua Slive wrote:
> On 1/31/06, Jason Keltz <ja...@cs.yorku.ca> wrote:
>> An Apache module is enabled on our 1.3.34 https server, and not on our
>> http server. The http and https servers serve the same document tree.
>>
>> One .htaccess file in a users web tree (say, ~user/secure/.htaccess)
>> contains directives that will only work on the https server. When a
>> user visits the page on the http tree, they get an "Internal Server
>> Error" message. This, I would expect.
>>
>> However, I would like to make it so that when the user tries to view the
>> page VIA http, he is automatically redirected to the https page using
>> mod_rewrite. Now, the directives in the .htaccess file exist, and
>> everything works. The problem is that even though I include the rewrite
>> directives in the upper level (~user/.htaccess) file that will may
>> http://server/~user/secure to https://server/~user/secure, the server
>> still tries http://server/~user/secure/.htaccess first, and dies with
>> the internal server error, so it does not end up redirecting.
>>
>> Is there a simple way around this?
>
> Use httpd.conf to turn off .htacess processing (AllowOverride) in the
> relevant directory inside the <VirtualHost> section for the non-ssl
> host.
Hi Joshua,
Unfortunately, this won't do it since multiple users can use the
directives on the https server in any directory. Is there no
"IgnoreErrors" directive in .htaccess? What I really don't get is that if
I redefine the error message in the top-level .htaccess, that does indeed
get read which shows that the server reads the top-level .htaccess before
reading the bottom-level one. How come an Error code web page
redefinition works, but a mod_rewrite rule does not..
Jas.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] using mod_rewrite to get around unknown directive in .htaccess
Posted by Joshua Slive <jo...@slive.ca>.
On 1/31/06, Jason Keltz <ja...@cs.yorku.ca> wrote:
> An Apache module is enabled on our 1.3.34 https server, and not on our
> http server. The http and https servers serve the same document tree.
>
> One .htaccess file in a users web tree (say, ~user/secure/.htaccess)
> contains directives that will only work on the https server. When a
> user visits the page on the http tree, they get an "Internal Server
> Error" message. This, I would expect.
>
> However, I would like to make it so that when the user tries to view the
> page VIA http, he is automatically redirected to the https page using
> mod_rewrite. Now, the directives in the .htaccess file exist, and
> everything works. The problem is that even though I include the rewrite
> directives in the upper level (~user/.htaccess) file that will may
> http://server/~user/secure to https://server/~user/secure, the server
> still tries http://server/~user/secure/.htaccess first, and dies with
> the internal server error, so it does not end up redirecting.
>
> Is there a simple way around this?
Use httpd.conf to turn off .htacess processing (AllowOverride) in the
relevant directory inside the <VirtualHost> section for the non-ssl
host.
Joshua.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org