Return-Path: X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183]) by cust-asf2.ponee.io (Postfix) with ESMTP id 11473200D28 for ; Mon, 23 Oct 2017 20:03:21 +0200 (CEST) Received: by cust-asf.ponee.io (Postfix) id 0FB3C1609E0; Mon, 23 Oct 2017 18:03:21 +0000 (UTC) Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by cust-asf.ponee.io (Postfix) with SMTP id 07B581609DF for ; Mon, 23 Oct 2017 20:03:19 +0200 (CEST) Received: (qmail 57015 invoked by uid 500); 23 Oct 2017 18:03:18 -0000 Mailing-List: contact users-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: users@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list users@httpd.apache.org Received: (qmail 57005 invoked by uid 99); 23 Oct 2017 18:03:18 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd3-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 23 Oct 2017 18:03:18 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org) with ESMTP id 8FF99180725 for ; Mon, 23 Oct 2017 18:03:17 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: 1.979 X-Spam-Level: * X-Spam-Status: No, score=1.979 tagged_above=-999 required=6.31 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=2, KAM_SHORT=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=disabled Authentication-Results: spamd3-us-west.apache.org (amavisd-new); dkim=pass (1024-bit key) header.d=nshenevada.onmicrosoft.com Received: from mx1-lw-eu.apache.org ([10.40.0.8]) by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new, port 10024) with ESMTP id 73cz8ulvYHEl for ; Mon, 23 Oct 2017 18:03:13 +0000 (UTC) Received: from NAM02-CY1-obe.outbound.protection.outlook.com (mail-cys01nam02on0059.outbound.protection.outlook.com [104.47.37.59]) by mx1-lw-eu.apache.org (ASF Mail Server at mx1-lw-eu.apache.org) with ESMTPS id 4062A5FE43 for ; Mon, 23 Oct 2017 18:03:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nshenevada.onmicrosoft.com; s=selector1-nshe-nevada-edu; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=8nz/Wy9EJFD3qA2PoHjHCM1OFkrHZDvYlbSnnYZZMQI=; b=LiDVywFIVQNm1YdLzCZN++NchZO3F4pJXF4rfd+L/3D+ZqcrI/jWc3KL7mbTdsHzQZHyWEUFQOefUBJmYOwmiV5o7pCcGcSl0JsrUo5nwfOnaaLkSMHRl96UnP3zcIvlTQg2DmGREvL24KtEU8QFESSVKC6Bf0ruPqmd+J/D2do= Received: from BN6PR08MB2915.namprd08.prod.outlook.com (10.175.190.145) by BN6PR08MB2916.namprd08.prod.outlook.com (10.175.190.146) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.156.4; Mon, 23 Oct 2017 18:03:04 +0000 Received: from BN6PR08MB2915.namprd08.prod.outlook.com ([10.175.190.145]) by BN6PR08MB2915.namprd08.prod.outlook.com ([10.175.190.145]) with mapi id 15.20.0156.007; Mon, 23 Oct 2017 18:03:04 +0000 From: Ian Veach To: "users@httpd.apache.org" Thread-Topic: ErrorDocument doesn't work with non-pathed (root) URL? Thread-Index: AdNMJvEoJvVolIe7QdG6CVr9n7iN1A== Date: Mon, 23 Oct 2017 18:03:03 +0000 Message-ID: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: spf=none (sender IP is ) smtp.mailfrom=IVEACH@nshe.nevada.edu; x-originating-ip: [134.197.253.50] x-ms-publictraffictype: Email x-microsoft-exchange-diagnostics: 1;BN6PR08MB2916;6:w0ptmJ5hNU2OauIJcpEB2KMoBvhe6N0PEAIUXFCGxX9WINyxoYtUKx5MxkoYEfiRap0A3NI9ePJE/jqBKoO7l9kjsvTJEcCq5vl+MALDz705QpEyt5thv5OzpqNXc0f4/FZOAm5mMSoOn4NxwVQ2thIyaIEq2zVjhLEgdYGxPXYqm27qAyOj7JTx9kKFty5CqXm4xeXFeAQRBNDPL7SdUgfZckKnNBTmOfMtuuBYienQE22+EFVLwoYh3cr7aw04j7+bLIUCRi4wCLZJhl6TS5xGGcY/kMPUmLlOFlAyJcu8UyP+KQr9NXbUoslO/iPaHo3tiUWdaDJWUYSePV7I5A==;5:HIjRzbJtjRlKf5V7opA+d9rB3e+JqVKNskbPM+bBoZnL1f372ehEwS2EDb/eyn6DULiThrLmwc81WpJ6sqSAv1WcgTEmJHD0g20wrXz2K9Tr14rnozlbHaWv1qNds6/pEljLxPhHLoWzk6BMsOndlg==;24:uruYV9Avtf5Er4MB5e3ISFBYQ8uILB8vXVebIxSwRVKAd3EZZQBCGjsFd6dwZho/Ku2K8e3r9dHoa0nUMj6qmgLQTnIgFSM3v6V/CXZLTt8=;7:hs2RGln+PgJQjQsiKaWfxos0AEu2Qc9RgEb+CLelrZtfI5QJ7iHS2rwMPcQ4/oYme0snioBI6kZhRlbyzJj7PnfmTC7HV5NlAKDeknEC7Pwf2yFRRmgDzl4bvYQJqTPi+FNLWOV8Ahs2ETsN6yGnezChyjkqrqDYxzGknfZbgj54I0dzZqdtHGB8WdFpUbLeWGR8xQD8Dqkgj/KzdgnhHTlmo6yoZPyRiLhowmtX5yQ= x-ms-exchange-antispam-srfa-diagnostics: SSOS; x-ms-office365-filtering-correlation-id: fe4138f7-afd6-4dfe-aff4-08d51a404e8a x-microsoft-antispam: UriScan:(249459944947939);BCL:0;PCL:0;RULEID:(22001)(4534020)(4602075)(4627075)(201703031133081)(201702281549075)(2017052603199);SRVR:BN6PR08MB2916; x-ms-traffictypediagnostic: BN6PR08MB2916: x-exchange-antispam-report-test: UriScan:(158342451672863)(21748063052155); x-microsoft-antispam-prvs: x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(2401047)(8121501046)(5005006)(93006095)(93001095)(100000703101)(100105400095)(10201501046)(3002001)(3231020)(6041248)(20161123558100)(20161123564025)(20161123560025)(201703131423075)(201702281529075)(201702281528075)(201703061421075)(201703061406153)(20161123555025)(20161123562025)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095);SRVR:BN6PR08MB2916;BCL:0;PCL:0;RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095);SRVR:BN6PR08MB2916; x-forefront-prvs: 046985391D x-forefront-antispam-report: SFV:NSPM;SFS:(10009020)(346002)(376002)(189002)(199003)(50986999)(54356999)(106356001)(105586002)(786003)(2906002)(88552002)(3280700002)(478600001)(5660300001)(3660700001)(5640700003)(316002)(2351001)(42882006)(1730700003)(66066001)(189998001)(25786009)(6506006)(14454004)(15974865002)(81156014)(81166006)(8936002)(2900100001)(6916009)(606006)(8676002)(68736007)(33656002)(77096006)(7696004)(72206003)(966005)(101416001)(6116002)(75432002)(6436002)(102836003)(790700001)(3846002)(86362001)(55016002)(7736002)(99286003)(9686003)(236005)(6306002)(53936002)(2501003)(54896002)(97736004)(74316002);DIR:OUT;SFP:1101;SCL:1;SRVR:BN6PR08MB2916;H:BN6PR08MB2915.namprd08.prod.outlook.com;FPR:;SPF:None;PTR:InfoNoRecords;MX:1;A:1;LANG:en; received-spf: None (protection.outlook.com: nshe.nevada.edu does not designate permitted sender hosts) spamdiagnosticoutput: 1:99 spamdiagnosticmetadata: NSPM Content-Type: multipart/alternative; boundary="_000_BN6PR08MB2915C8AD9BFB281B3C507F4097460BN6PR08MB2915namp_" MIME-Version: 1.0 X-OriginatorOrg: nshe.nevada.edu X-MS-Exchange-CrossTenant-Network-Message-Id: fe4138f7-afd6-4dfe-aff4-08d51a404e8a X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Oct 2017 18:03:03.9171 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 8ff9d11a-9e07-4150-ac21-6eedccccc3d3 X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR08MB2916 Subject: [users@httpd] ErrorDocument doesn't work with non-pathed (root) URL? archived-at: Mon, 23 Oct 2017 18:03:21 -0000 --_000_BN6PR08MB2915C8AD9BFB281B3C507F4097460BN6PR08MB2915namp_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable I've got a virtual server with Wordpress installed in it (base dir install)= . Apache 2.4.6 (latest for RHEL). Apps group has a requirement that their= entire site be protected (only certain "users" can access), and so a compl= ex RequireAny was set up. That has been working fine for some time. Now, the application group would like to add a custom page for any 403 for= people who do not meet the RequireAny requirements. I've added an ErrorDo= cument (pointing to a different vserver, since this site is otherwise prote= cted from even serving a 403). That directive does get triggered, so I kno= w it's working. But it only gets triggered when some pathing is used (e.g.= https://FQDN/path/file) with the vserver name. If I browse to https://FQ= DN or https://FQDN/, The ErrorDocument does not seem to get triggered. Why= ? More details: For this question, I'm protecting the name of the server, and using www.foo= .com and www.bar.com. Apache 2.4, with typical LAMP and a variety of virtual servers. I've verifi= ed with find/grep there are no other ErrorDocument directives in other [bas= e/parent] config files. Virtual server (root) is protected with a complex R= equireAny, which works fine - requires a certain IP set or Referer (yes, I = know - client insisted). In my virtual server config file, I have the follo= wing: ErrorDocument 403 https://www.bar.com/something-went-wrong/ The vserver runs wordpress, so there's a .htaccess (with no ErrorDocument d= irective, but probably a plugin), but I believe the vserver config takes pr= ecedence in either case, anyway. Testing: For testing, I modified the RequireAny to exclude my IP (so I get the 403).= When I try things like this: www.foo.com/nosuchfile www.foo.com/direxists/file.exists the ErrorDocument directive works GREAT and AS EXPECTED (takes me to bar.co= m/something-went-wrong): However, when I try things like this (base FQDN, with or without the ending= /): www.foo.com www.foo.com/ it results in the dreaded Forbidden You don't have permission to access / on this server. Additionally, a 403 Forbidden error was encountered while trying to use= an ErrorDocument to handle the request. Is there a known reason ErrorDocument might not handle the base FQDN case? = It seems like the ErrorDocument directive works except for those cases (and= I need it to). I've even tried moving the ErrorDocument directive to the = base httpd.conf, and still no joy. Logs don't seem to show anything useful= . Thanks for any assistance! cheers and thanks, Ian 'ivo' Veach, Senior Systems Analyst System Computing Services, Nevada System of Higher Education PUBLIC RECORDS NOTICE: In accordance with NRS Chapter 239, this email and r= esponses, unless otherwise made confidential by law, may be subject to the = Nevada Public Records laws and may be disclosed to the public upon request. --_000_BN6PR08MB2915C8AD9BFB281B3C507F4097460BN6PR08MB2915namp_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

 

I’ve got a virtual server with Wordpress insta= lled in it (base dir install).  Apache 2.4.6 (latest for RHEL).  = Apps group has a requirement that their entire site be protected (only cert= ain “users” can access), and so a complex RequireAny was set up.  That has been working fine for some time.

 

Now, the  application group would like to add a= custom page for any 403 for people who do not meet the RequireAny requirem= ents.  I’ve added an ErrorDocument (pointing to a different vser= ver, since this site is otherwise protected from even serving a 403).  That directive does get triggered, so I know it̵= 7;s working.  But it only gets triggered when some pathing is used (e.= g. https://FQDN/path/file) with the vserver name.   If I browse t= o https://FQDN or https://FQDN/, The ErrorDocument does not seem to get triggered.  Why?

 

More details:

 

For this question, I'm protecting the name of the se= rver, and using www.foo.com and www.bar.com.

 

Apache 2.4, with typical LAMP and a variety of virtu= al servers. I've verified with find/grep there are no other ErrorDocument d= irectives in other [base/parent] config files. Virtual server (root) is pro= tected with a complex RequireAny, which works fine - requires a certain IP set or Referer (yes, I know - cli= ent insisted). In my virtual server config file, I have the following:=

 

ErrorDocument 403 https://www.bar.com/something-went-wrong/

 

The vserver runs wordpress, so there's a .htaccess (= with no ErrorDocument directive, but probably a plugin), but I believe the = vserver config takes precedence in either case, anyway.

 

Testing:

 

For testing, I modified the RequireAny to exclude my= IP (so I get the 403). When I try things like this:

     www.foo.com/nosuchfile=

     www.foo.com/direxists/file.exists<= /p>

 

the ErrorDocument directive works GREAT and AS EXPEC= TED (takes me to bar.com/something-went-wrong):

 

However, when I try things like this (base FQDN, wit= h or without the ending /):

    www.foo.com

    w= ww.foo.com/

 

it results in the dreaded

     Forbidden

     You don't have permission t= o access / on this server.

 

    Additionally, a 403 Forbidden err= or was encountered while trying to use an ErrorDocument to handle the reque= st.

 

Is there a known reason ErrorDocument might not hand= le the base FQDN case? It seems like the ErrorDocument directive works exce= pt for those cases (and I need it to).  I’ve even tried moving t= he ErrorDocument directive to the base httpd.conf, and still no joy.  Logs don’t seem to show anything useful.

 

 

Thanks for any assistance!

 

 

cheers and thanks,

Ian ‘ivo’ Veach, Senior Systems Analyst<= o:p>

System Computing Services, Nevada System of Higher E= ducation

 

PUBLIC RECORDS NOTICE: In accordance with NRS Chapter 239, this email and r= esponses, unless otherwise made confidential by law, may be subject to the = Nevada Public Records laws and may be disclosed to the public upon request. --_000_BN6PR08MB2915C8AD9BFB281B3C507F4097460BN6PR08MB2915namp_--