1

Problem

I'm running an Apache server off of an Amazon EC2 instance running Amazon Linux and running into the following issue. For example, when I enter the URL(s):

"https://example.com/index.php/some-directory" or "https://example.com/about/index.php/some-directory"

Rather than 404ing out as I would expect, the page is attempting to load what looks like the parent folder's contents. For instance, in the second example, it's trying to haphazardly load the "about" folder's contents.

I've never seen this happen before. I have a feeling it must be something I've mis-configured in the .htaccess or the root configurations of the server.

Desired Outcome

Ideally, my outcome would be the above examples to, at least, end up showing a 404.

Steps I've Thus Far Taken

I've been scouring the .conf and .htaccess configurations, and I'm sure I'm missing something, but I'm unsure as to what even the erroneous config might look like.

Primary Contents of .htaccess File

<IfModule mod_headers.c>
  <Files *.mp4>
    Header set Accept-Ranges bytes 
  </Files>
</IfModule>


# Enable Compression
<IfModule mod_deflate.c>
  AddOutputFilterByType DEFLATE application/javascript
  AddOutputFilterByType DEFLATE application/rss+xml
  AddOutputFilterByType DEFLATE application/vnd.ms-fontobject
  AddOutputFilterByType DEFLATE application/x-font
  AddOutputFilterByType DEFLATE application/x-font-opentype
  AddOutputFilterByType DEFLATE application/x-font-otf
  AddOutputFilterByType DEFLATE application/x-font-truetype
  AddOutputFilterByType DEFLATE application/x-font-ttf
  AddOutputFilterByType DEFLATE application/x-javascript
  AddOutputFilterByType DEFLATE application/xhtml+xml
  AddOutputFilterByType DEFLATE application/xml
  AddOutputFilterByType DEFLATE font/opentype
  AddOutputFilterByType DEFLATE font/otf
  AddOutputFilterByType DEFLATE font/ttf
  AddOutputFilterByType DEFLATE image/svg+xml
  AddOutputFilterByType DEFLATE image/x-icon
  AddOutputFilterByType DEFLATE text/css
  AddOutputFilterByType DEFLATE text/html
  AddOutputFilterByType DEFLATE text/javascript
  AddOutputFilterByType DEFLATE text/plain
</IfModule>
<IfModule mod_gzip.c>
  mod_gzip_on Yes
  mod_gzip_dechunk Yes
  mod_gzip_item_include file .(html?|txt|css|js|php|pl)$
  mod_gzip_item_include handler ^cgi-script$
  mod_gzip_item_include mime ^text/.*
  mod_gzip_item_include mime ^application/x-javascript.*
  mod_gzip_item_exclude mime ^image/.*
  mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</IfModule>

# Leverage Browser Caching
<IfModule mod_expires.c>
  ExpiresActive On
  ExpiresByType image/jpg "access 1 day"
  ExpiresByType image/jpeg "access 1 day"
  ExpiresByType image/gif "access 1 years"
  ExpiresByType image/webp "access 1 day"
  ExpiresByType image/png "access 1 years"
  ExpiresByType text/css "access 1 day"
  ExpiresByType text/html "access 10 minute"
  ExpiresByType application/pdf "access 1 week"
  ExpiresByType text/x-javascript "access 1 day"
  ExpiresByType application/x-shockwave-flash "access 1 years"
  ExpiresByType image/x-icon "access 1 years"
  ExpiresDefault "access 1 day"
</IfModule>
<IfModule mod_headers.c>
  <filesmatch "\.(ico|flv|jpg|jpeg|png|gif|css|swf|svg|mp4|mpeg|webp|woff2|ttf)$">
  Header set Cache-Control "max-age=86400, public"
  </filesmatch>
  <filesmatch "\.(html|htm|php)$">
  Header set Cache-Control "max-age=600, public, must-revalidate"
  </filesmatch>
  <filesmatch "\.(pdf)$">
  Header set Cache-Control "max-age=86400, public"
  </filesmatch>
  <filesmatch "\.(js)$">
  Header set Cache-Control "max-age=86400, public"
  </filesmatch>
</IfModule>

ErrorDocument 300 /404/index.php
ErrorDocument 403 /404/index.php
ErrorDocument 404 /404/index.php


Options +FollowSymLinks
RewriteEngine On


#Allow for case-flexible directories
#The mod_speling module must be activated within the EC2 server itself prior to this working
<IfModule mod_speling.c>
    CheckSpelling On
    CheckCaseOnly On
</IfModule>

<IfModule mod_brotli.c>
    AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/javascript
</IfModule>





RewriteEngine On

# match any URL with www and rewrite it to https without the www
RewriteCond %{HTTP_HOST} ^(www\.)(.*) [NC]
RewriteRule (.*) https://%2%{REQUEST_URI} [L,R=301]

# match urls that are non https (without the www)
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} !^(www\.)(.*) [NC]
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Follow-up, Further Investigation

It looks like this may be similar to: What happens when i put a slash (/) after a .php url?

It appears to be related to a unique setting when you've got an Apache server serving PHP pages, "AcceptPathInfo." I'm going to attempt to disable this completely to see if this allows the page to 404 as I would hope via:

AcceptPathInfo Off

The above should disable the issue described, but won't allow me to use the PATH_INFO within PHP.

Further Investigation Update 2:

Digging deeper, it seems that the problem might lie with Apache's MultiViews option and the PHP/Apache AcceptPathInfo configuration.

I've tried turning both of them off; however, the problem still persists and any directory after index.php, such as https://example.com/index.php/this-for-example/ still returns a broken attempt at rendering, in that example, the home page of the website.

Update 3

Looking deeper, I've also found that MultiViews might be a portion of the issue? I've attempted to turn that off as well, using explicit -MultiViews directives in both the .htaccess and the root httpd.conf (I know I shouldn't leverage .htaccess if I have root httpd.conf access; this is due to specific client needs) -- this still hasn't fixed the issue.

halfer
  • 19,824
  • 17
  • 99
  • 186
Jonathan LeRoux
  • 413
  • 3
  • 12
  • `something I've mis-configured in the .htaccess or the root configurations of the server`...well we're not going to be able to help you figure that out unless you show us relevant bits of that. – ADyson Sep 22 '22 at 17:47
  • @ADyson Hi, Dyson. I appreciate the constructive comment. Before I begin posting config files, I wasn't aware if whether or not the problem was more commonplace wherein a solution -- that eludes me, perhaps due to inexperience -- was more plain-as-day than I could have known. Thanks again! – Jonathan LeRoux Sep 22 '22 at 18:01
  • Hey, @ADyson. Thanks again for the tip about posting the .htaccess configuration file. Would there be anything in here that seems like it may be causing the problem. Thanks again for all of your help and insight. – Jonathan LeRoux Sep 22 '22 at 18:09
  • Personally I know very little about htaccess beyond the basics, sorry. I was just trying to prompt you to provide more concrete detail for people to look at – ADyson Sep 22 '22 at 18:39
  • It _should_ be `AcceptPathInfo On` that is causing this behavior. (MultiViews is unlikely to affect this situation you have here, that is mainly for selection between several file suffix versions, or to fix minor typos.) The "Override" level for AcceptPathInfo is `FileInfo` - but I would assume you already have that, otherwise directives such as ErrorDocument should also not work. (Those _do_ work, yes? For a 404 for example you get your specific error doc, and not Apache's default one?) – CBroe Sep 23 '22 at 08:40
  • @Cbroe Thanks for your response. I'll admit I'm beyond confused at this point. I've attempted to explicitly turn off AcceptPathInfo as well as MultiViews via the root httpd.conf, but nothing seems to be fixing the issue. I've restarted the apache server service as well, but to no avail. To answer your question, yes, the 403 and 404 errors do redirect to our custom 404 as per our directives in the .htaccess file. Any thoughts? – Jonathan LeRoux Sep 23 '22 at 15:36

0 Answers0