Summary: | RewriteRule in .htaccess ignores 'Require all denied' when 403 ErrorDocument is missing | ||
---|---|---|---|
Product: | Apache httpd-2 | Reporter: | Kurt Newman <kurt.newman> |
Component: | mod_rewrite | Assignee: | Apache HTTPD Bugs Mailing List <bugs> |
Status: | RESOLVED INVALID | ||
Severity: | regression | CC: | jacob.perkins |
Priority: | P2 | Keywords: | FixedInTrunk |
Version: | 2.4.18 | ||
Target Milestone: | --- | ||
Hardware: | PC | ||
OS: | Linux | ||
Attachments: |
Apache configuration file
Logging output when RewriteRule ignores Require directive Logging output when RewriteRule obeys Require directive |
Description
Kurt Newman
2016-01-13 23:58:26 UTC
Created attachment 33436 [details]
Apache configuration file
Created attachment 33437 [details]
Logging output when RewriteRule ignores Require directive
Created attachment 33438 [details]
Logging output when RewriteRule obeys Require directive
Configure Line: ./configure --enable-info=static --disable-v4-mapped --enable-access-compat=static --enable-actions=static --enable-alias=static --enable-asis=static --enable-auth_basic=static --enable-authn_core=static --enable-authn_file=static --enable-authz_core=static --enable-authz_groupfile=static --enable-authz_host=static --enable-authz_user=static --enable-autoindex=static --enable-cgi=static --enable-deflate=static --enable-dir=static --enable-env=static --enable-expires=static --enable-filter=static --enable-headers=static --enable-include=static --enable-log_config=static --enable-logio=static --enable-maintainer-mode --enable-mime=static --enable-modules=none --enable-negotiation=static --enable-proxy=static --enable-proxy-connect=static --enable-proxy-http=static --enable-rewrite=static --enable-setenvif=static --enable-slotmem_shm=static --enable-socache_dbm=static --enable-socache_shmcb=static --enable-ssl=static --enable-status=static --enable-suexec=static --enable-unique-id=static --enable-unixd=static --enable-userdir=static --enable-version=static --prefix=/usr/local/apache --with-crypto --with-included-apr --with-mpm=prefork --with-pcre=/opt/pcre --with-ssl=/usr --with-suexec-caller=nobody --with-suexec-docroot=/ --with-suexec-gidmin=100 --with-suexec-logfile=/usr/local/apache/logs/suexec_log --with-suexec-uidmin=100 --with-suexec-userdir=public_html Are you able to rebuild mod_rewrite? http://people.apache.org/~covener/patches/rewrite-deadloop.diff This should resolve a difference between the relative and absolute substitutions and detecting the looping. Hi Eric, Your patch corrects the issue and lets relative and absolute paths work identically. Thanks for the response! Kurt Hi! ( https://github.com/melezhik/apache-swat - easy way to verify existed apache issues against your environment ) Confirming this issue is resolved against my environment: vagrant@Debian-jessie-vagrant@Debian-jessie-amd64-netboot:~/my/apache-swat$ swat -t 58854/ /home/vagrant/.swat/.cache/9277/prove/58854/granted2/missing.txt/00.GET.t .. ok 1 - GET 127.0.0.1/58854/granted2/missing.txt succeeded # http headers saved to /home/vagrant/.swat/.cache/9277/prove/zCQKWtpYir.hdr # body saved to /home/vagrant/.swat/.cache/9277/prove/zCQKWtpYir ok 2 - output match '200 OK' ok 3 - output match 'goodbye world from root' 1..3 ok /home/vagrant/.swat/.cache/9277/prove/58854/denied/missing.txt/00.GET.t .... ok 1 - GET 127.0.0.1/58854/denied/missing.txt succeeded # http headers saved to /home/vagrant/.swat/.cache/9277/prove/tj_HdkKgk5.hdr # body saved to /home/vagrant/.swat/.cache/9277/prove/tj_HdkKgk5 ok 2 - output match '403 Forbidden' 1..2 ok /home/vagrant/.swat/.cache/9277/prove/58854/granted/missing.txt/00.GET.t ... ok 1 - GET 127.0.0.1/58854/granted/missing.txt succeeded # http headers saved to /home/vagrant/.swat/.cache/9277/prove/Cmkh6umQP9.hdr # body saved to /home/vagrant/.swat/.cache/9277/prove/Cmkh6umQP9 ok 2 - output match '200 OK' ok 3 - output match 'goodbye world from 58854/granted' 1..3 ok All tests successful. Files=3, Tests=8, 1 wallclock secs ( 0.03 usr 0.00 sys + 0.14 cusr 0.01 csys = 0.18 CPU) Result: PASS amd64-netboot:~/my/apache-swat$ sudo ~/apache/bin/apachectl -V Server version: Apache/2.4.18 (Unix) Server built: Jan 30 2016 10:17:37 Server's Module Magic Number: 20120211:52 Server loaded: APR 1.5.1, APR-UTIL 1.5.4 Compiled using: APR 1.5.1, APR-UTIL 1.5.4 Architecture: 64-bit Server MPM: event threaded: yes (fixed thread count) forked: yes (variable process count) Server compiled with.... -D APR_HAS_SENDFILE -D APR_HAS_MMAP -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled) -D APR_USE_SYSVSEM_SERIALIZE -D APR_USE_PTHREAD_SERIALIZE -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT -D APR_HAS_OTHER_CHILD -D AP_HAVE_RELIABLE_PIPED_LOGS -D DYNAMIC_MODULE_LIMIT=256 -D HTTPD_ROOT="/home/vagrant/apache/" -D SUEXEC_BIN="/home/vagrant/apache//bin/suexec" -D DEFAULT_PIDLOG="logs/httpd.pid" -D DEFAULT_SCOREBOARD="logs/apache_runtime_status" -D DEFAULT_ERRORLOG="logs/error_log" -D AP_TYPES_CONFIG_FILE="conf/mime.types" -D SERVER_CONFIG_FILE="conf/httpd.conf" Alexey Melezhik Hi Eric, We've noticed a spike in tickets about RewriteRules no longer working after this patch. Granted, these rewrite rules look conspicuous, as in, they shouldn't work, or will result in looping, however we have enough reports of them that we think this might be a regression in behavior. We've verified these rewrites work before this patch, and now results in a ISE 500 / Max10Redirects after the patch. Example of some rewrites that are now dead looping when they didn't previously: ================================================== <IfModule mod_rewrite.c> RewriteEngine Off RewriteBase /blogg/ RewriteCond %{REQUEST_FILENAME} -f [OR] RewriteCond %{REQUEST_FILENAME} -d RewriteRule ^(.+) - [PT,L] RewriteCond %{REQUEST_URI} !=/favicon.ico RewriteRule ^(.*) index.php RewriteCond %{HTTP:Authorization} !^$ RewriteRule .* - [E=REMOTE_USER:%{HTTP:Authorization}] </IfModule> ================================================== <IfModule mod_rewrite.c> RewriteEngine On RewriteRule ^.*$ htaccess_tester.php </IfModule> ================================================== RewriteRule ^$ ?lang=IT [L] ================================================== RewriteRule ^public public.php [L] RewriteRule ^js.php js.php [L] ================================================== RewriteRule ^(.+) - [PT,L] ================================================== RewriteRule ^(.*) index.php ================================================== Any thoughts on this? (In reply to Jacob P from comment #8) > We've noticed a spike in tickets about RewriteRules no longer working after > this patch. Granted, these rewrite rules look conspicuous, as in, they > shouldn't work, or will result in looping, however we have enough reports of > them that we think this might be a regression in behavior. We've verified > these rewrites work before this patch, and now results in a ISE 500 / > Max10Redirects after the patch. Sorry and thanks for the report. I think I now see what went wrong in the patch -- all different permutations of URLs, paths, and converted paths are handled in this block. Here is a followup that restores the original check and uses a slightly different check at the last moment: http://people.apache.org/~covener/patches/trunk-rewrite-deadloop2.diff I am hoping you can try some of those failing ones. (In reply to Alexey Melezhik from comment #7) > Hi! > > ( https://github.com/melezhik/apache-swat - easy way to verify existed > apache issues against your environment ) > > Confirming this issue is resolved against my environment: > > vagrant@Debian-jessie-vagrant@Debian-jessie-amd64-netboot:~/my/apache-swat$ > swat -t 58854/ > /home/vagrant/.swat/.cache/9277/prove/58854/granted2/missing.txt/00.GET.t .. > ok 1 - GET 127.0.0.1/58854/granted2/missing.txt succeeded > # http headers saved to /home/vagrant/.swat/.cache/9277/prove/zCQKWtpYir.hdr > # body saved to /home/vagrant/.swat/.cache/9277/prove/zCQKWtpYir > ok 2 - output match '200 OK' > ok 3 - output match 'goodbye world from root' > 1..3 > ok > /home/vagrant/.swat/.cache/9277/prove/58854/denied/missing.txt/00.GET.t .... > ok 1 - GET 127.0.0.1/58854/denied/missing.txt succeeded > # http headers saved to /home/vagrant/.swat/.cache/9277/prove/tj_HdkKgk5.hdr > # body saved to /home/vagrant/.swat/.cache/9277/prove/tj_HdkKgk5 > ok 2 - output match '403 Forbidden' > 1..2 > ok > /home/vagrant/.swat/.cache/9277/prove/58854/granted/missing.txt/00.GET.t ... > ok 1 - GET 127.0.0.1/58854/granted/missing.txt succeeded > # http headers saved to /home/vagrant/.swat/.cache/9277/prove/Cmkh6umQP9.hdr > # body saved to /home/vagrant/.swat/.cache/9277/prove/Cmkh6umQP9 > ok 2 - output match '200 OK' > ok 3 - output match 'goodbye world from 58854/granted' > 1..3 > ok > All tests successful. > Files=3, Tests=8, 1 wallclock secs ( 0.03 usr 0.00 sys + 0.14 cusr 0.01 > csys = 0.18 CPU) > Result: PASS > > > > amd64-netboot:~/my/apache-swat$ sudo ~/apache/bin/apachectl -V > Server version: Apache/2.4.18 (Unix) > Server built: Jan 30 2016 10:17:37 > Server's Module Magic Number: 20120211:52 > Server loaded: APR 1.5.1, APR-UTIL 1.5.4 > Compiled using: APR 1.5.1, APR-UTIL 1.5.4 > Architecture: 64-bit > Server MPM: event > threaded: yes (fixed thread count) > forked: yes (variable process count) > Server compiled with.... > -D APR_HAS_SENDFILE > -D APR_HAS_MMAP > -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled) > -D APR_USE_SYSVSEM_SERIALIZE > -D APR_USE_PTHREAD_SERIALIZE > -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT > -D APR_HAS_OTHER_CHILD > -D AP_HAVE_RELIABLE_PIPED_LOGS > -D DYNAMIC_MODULE_LIMIT=256 > -D HTTPD_ROOT="/home/vagrant/apache/" > -D SUEXEC_BIN="/home/vagrant/apache//bin/suexec" > -D DEFAULT_PIDLOG="logs/httpd.pid" > -D DEFAULT_SCOREBOARD="logs/apache_runtime_status" > -D DEFAULT_ERRORLOG="logs/error_log" > -D AP_TYPES_CONFIG_FILE="conf/mime.types" > -D SERVER_CONFIG_FILE="conf/httpd.conf" > > > Alexey Melezhik I think this particular test might be questionable. It doesn't fail when I revert the fix. (In reply to Eric Covener from comment #10) > (In reply to Alexey Melezhik from comment #7) > > Hi! > > > > ( https://github.com/melezhik/apache-swat - easy way to verify existed > > apache issues against your environment ) > > > > Confirming this issue is resolved against my environment: > > > > vagrant@Debian-jessie-vagrant@Debian-jessie-amd64-netboot:~/my/apache-swat$ > > swat -t 58854/ > > /home/vagrant/.swat/.cache/9277/prove/58854/granted2/missing.txt/00.GET.t .. > > ok 1 - GET 127.0.0.1/58854/granted2/missing.txt succeeded > > # http headers saved to /home/vagrant/.swat/.cache/9277/prove/zCQKWtpYir.hdr > > # body saved to /home/vagrant/.swat/.cache/9277/prove/zCQKWtpYir > > ok 2 - output match '200 OK' > > ok 3 - output match 'goodbye world from root' > > 1..3 > > ok > > /home/vagrant/.swat/.cache/9277/prove/58854/denied/missing.txt/00.GET.t .... > > ok 1 - GET 127.0.0.1/58854/denied/missing.txt succeeded > > # http headers saved to /home/vagrant/.swat/.cache/9277/prove/tj_HdkKgk5.hdr > > # body saved to /home/vagrant/.swat/.cache/9277/prove/tj_HdkKgk5 > > ok 2 - output match '403 Forbidden' > > 1..2 > > ok > > /home/vagrant/.swat/.cache/9277/prove/58854/granted/missing.txt/00.GET.t ... > > ok 1 - GET 127.0.0.1/58854/granted/missing.txt succeeded > > # http headers saved to /home/vagrant/.swat/.cache/9277/prove/Cmkh6umQP9.hdr > > # body saved to /home/vagrant/.swat/.cache/9277/prove/Cmkh6umQP9 > > ok 2 - output match '200 OK' > > ok 3 - output match 'goodbye world from 58854/granted' > > 1..3 > > ok > > All tests successful. > > Files=3, Tests=8, 1 wallclock secs ( 0.03 usr 0.00 sys + 0.14 cusr 0.01 > > csys = 0.18 CPU) > > Result: PASS > > > > > > > > amd64-netboot:~/my/apache-swat$ sudo ~/apache/bin/apachectl -V > > Server version: Apache/2.4.18 (Unix) > > Server built: Jan 30 2016 10:17:37 > > Server's Module Magic Number: 20120211:52 > > Server loaded: APR 1.5.1, APR-UTIL 1.5.4 > > Compiled using: APR 1.5.1, APR-UTIL 1.5.4 > > Architecture: 64-bit > > Server MPM: event > > threaded: yes (fixed thread count) > > forked: yes (variable process count) > > Server compiled with.... > > -D APR_HAS_SENDFILE > > -D APR_HAS_MMAP > > -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled) > > -D APR_USE_SYSVSEM_SERIALIZE > > -D APR_USE_PTHREAD_SERIALIZE > > -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT > > -D APR_HAS_OTHER_CHILD > > -D AP_HAVE_RELIABLE_PIPED_LOGS > > -D DYNAMIC_MODULE_LIMIT=256 > > -D HTTPD_ROOT="/home/vagrant/apache/" > > -D SUEXEC_BIN="/home/vagrant/apache//bin/suexec" > > -D DEFAULT_PIDLOG="logs/httpd.pid" > > -D DEFAULT_SCOREBOARD="logs/apache_runtime_status" > > -D DEFAULT_ERRORLOG="logs/error_log" > > -D AP_TYPES_CONFIG_FILE="conf/mime.types" > > -D SERVER_CONFIG_FILE="conf/httpd.conf" > > > > > > Alexey Melezhik > > I think this particular test might be questionable. It doesn't fail when I > revert the fix. I think the problem is likely the "absolute" paths, which are / in the PR, need to be /58854/granted/... (In reply to Eric Covener from comment #9) > (In reply to Jacob P from comment #8) > > We've noticed a spike in tickets about RewriteRules no longer working after > > this patch. Granted, these rewrite rules look conspicuous, as in, they > > shouldn't work, or will result in looping, however we have enough reports of > > them that we think this might be a regression in behavior. We've verified > > these rewrites work before this patch, and now results in a ISE 500 / > > Max10Redirects after the patch. > > Sorry and thanks for the report. I think I now see what went wrong in the > patch -- all different permutations of URLs, paths, and converted paths are > handled in this block. > > Here is a followup that restores the original check and uses a slightly > different check at the last moment: > > http://people.apache.org/~covener/patches/trunk-rewrite-deadloop2.diff > > I am hoping you can try some of those failing ones. Our initial testing advises that the fix for rewrites looping works, but the original issue persists, that the RewriteRule ignores any Requires.
> Our initial testing advises that the fix for rewrites looping works, but the
> original issue persists, that the RewriteRule ignores any Requires.
I'm fairly sure I originally tested that case, with the regressing patch, but I can no longer get it to fail even with a vanilla 2.4.18. But I am now questioning whether I really did.
mod_rewrite specified in htaccess doesn't even run in the 'require all denied' case. Must be missing something.
(In reply to Eric Covener from comment #13) > > Our initial testing advises that the fix for rewrites looping works, but the > > original issue persists, that the RewriteRule ignores any Requires. > > I'm fairly sure I originally tested that case, with the regressing patch, > but I can no longer get it to fail even with a vanilla 2.4.18. But I am now > questioning whether I really did. > > mod_rewrite specified in htaccess doesn't even run in the 'require all > denied' case. Must be missing something. Something that fuels my doubts is how I worded the fix, wrt looping only. Can anyone share trace8 output for this failure on 2418: Example of Apache 2.4.18 working incorrectly: 1. Create /home/cgihw/public_html/.htaccess: Require all denied RewriteEngine on RewriteRule .* goodbye.txt [L] 2. Remove file: rm -f /home/cgihw/public_html/403.shtml 3. Remove file: rm -f /home/cgihw/public_html/missing.txt 4. Create file: echo "goodbye world" > /home/cgihw/public_html/goodbye.txt 5. Navigate to http://cgihw.loc/missing.txt 6. Observe that you are incorrectly presented with the contents of goodbye.txt 7. Observe that the LimitInternalRecursion limit is never compared against 8. Observe that no Internal server error is presented to the user (In reply to Eric Covener from comment #14) > (In reply to Eric Covener from comment #13) > > > Our initial testing advises that the fix for rewrites looping works, but the > > > original issue persists, that the RewriteRule ignores any Requires. > > > > I'm fairly sure I originally tested that case, with the regressing patch, > > but I can no longer get it to fail even with a vanilla 2.4.18. But I am now > > questioning whether I really did. > > > > mod_rewrite specified in htaccess doesn't even run in the 'require all > > denied' case. Must be missing something. > > Something that fuels my doubts is how I worded the fix, wrt looping only. > Can anyone share trace8 output for this failure on 2418: > > Example of Apache 2.4.18 working incorrectly: > 1. Create /home/cgihw/public_html/.htaccess: > Require all denied > RewriteEngine on > RewriteRule .* goodbye.txt [L] > 2. Remove file: rm -f /home/cgihw/public_html/403.shtml > 3. Remove file: rm -f /home/cgihw/public_html/missing.txt > 4. Create file: echo "goodbye world" > /home/cgihw/public_html/goodbye.txt > 5. Navigate to http://cgihw.loc/missing.txt > 6. Observe that you are incorrectly presented with the contents of > goodbye.txt > 7. Observe that the LimitInternalRecursion limit is never compared against > 8. Observe that no Internal server error is presented to the user Here's trace8 with a patched 2.4.18 (original patch provided by Eric, not the second): [Mon Feb 29 16:09:18.805864 2016] [core:trace5] [pid 8692] protocol.c(616): [client 192.168.122.236:42428] Request received from client: GET /missing.txt HTTP/1.1 [Mon Feb 29 16:09:18.806118 2016] [http:trace4] [pid 8692] http_request.c(394): [client 192.168.122.236:42428] Headers received from client: [Mon Feb 29 16:09:18.806135 2016] [http:trace4] [pid 8692] http_request.c(398): [client 192.168.122.236:42428] User-Agent: curl/7.29.0 [Mon Feb 29 16:09:18.806143 2016] [http:trace4] [pid 8692] http_request.c(398): [client 192.168.122.236:42428] Host: cgihw.tld [Mon Feb 29 16:09:18.806150 2016] [http:trace4] [pid 8692] http_request.c(398): [client 192.168.122.236:42428] Accept: */* [Mon Feb 29 16:09:18.806422 2016] [authz_core:debug] [pid 8692] mod_authz_core.c(809): [client 192.168.122.236:42428] AH01626: authorization result of Require all denied: denied [Mon Feb 29 16:09:18.806447 2016] [authz_core:debug] [pid 8692] mod_authz_core.c(809): [client 192.168.122.236:42428] AH01626: authorization result of <RequireAny>: denied [Mon Feb 29 16:09:18.806457 2016] [authz_core:error] [pid 8692] [client 192.168.122.236:42428] AH01630: client denied by server configuration: /home/cgihw/public_html/missing.txt [Mon Feb 29 16:09:18.806478 2016] [core:trace3] [pid 8692] request.c(119): [client 192.168.122.236:42428] auth phase 'check access' gave status 403: /missing.txt [Mon Feb 29 16:09:18.806560 2016] [rewrite:trace3] [pid 8692] mod_rewrite.c(476): [client 192.168.122.236:42428] 192.168.122.236 - - [cgihw.tld/sid#d9f9b8][rid#e570d8/initial/redir#1] [perdir /home/cgihw/public_html/] strip per-dir prefix: /home/cgihw/public_html/403.shtm l -> 403.shtml [Mon Feb 29 16:09:18.806578 2016] [rewrite:trace3] [pid 8692] mod_rewrite.c(476): [client 192.168.122.236:42428] 192.168.122.236 - - [cgihw.tld/sid#d9f9b8][rid#e570d8/initial/redir#1] [perdir /home/cgihw/public_html/] applying pattern '.*' to uri '403.shtml' [Mon Feb 29 16:09:18.806599 2016] [rewrite:trace2] [pid 8692] mod_rewrite.c(476): [client 192.168.122.236:42428] 192.168.122.236 - - [cgihw.tld/sid#d9f9b8][rid#e570d8/initial/redir#1] [perdir /home/cgihw/public_html/] rewrite '403.shtml' -> 'goodbye.txt' [Mon Feb 29 16:09:18.806626 2016] [rewrite:trace3] [pid 8692] mod_rewrite.c(476): [client 192.168.122.236:42428] 192.168.122.236 - - [cgihw.tld/sid#d9f9b8][rid#e570d8/initial/redir#1] [perdir /home/cgihw/public_html/] add per-dir prefix: goodbye.txt -> /home/cgihw/public_ html/goodbye.txt [Mon Feb 29 16:09:18.806642 2016] [rewrite:trace2] [pid 8692] mod_rewrite.c(476): [client 192.168.122.236:42428] 192.168.122.236 - - [cgihw.tld/sid#d9f9b8][rid#e570d8/initial/redir#1] [perdir /home/cgihw/public_html/] strip document_root prefix: /home/cgihw/public_html/go odbye.txt -> /goodbye.txt [Mon Feb 29 16:09:18.806654 2016] [rewrite:trace1] [pid 8692] mod_rewrite.c(476): [client 192.168.122.236:42428] 192.168.122.236 - - [cgihw.tld/sid#d9f9b8][rid#e570d8/initial/redir#1] [perdir /home/cgihw/public_html/] internal redirect with /goodbye.txt [INTERNAL REDIRECT ] [Mon Feb 29 16:09:18.806742 2016] [rewrite:trace3] [pid 8692] mod_rewrite.c(476): [client 192.168.122.236:42428] 192.168.122.236 - - [cgihw.tld/sid#d9f9b8][rid#e5ac30/initial/redir#2] [perdir /home/cgihw/public_html/] strip per-dir prefix: /home/cgihw/public_html/goodbye. txt -> goodbye.txt [Mon Feb 29 16:09:18.806757 2016] [rewrite:trace3] [pid 8692] mod_rewrite.c(476): [client 192.168.122.236:42428] 192.168.122.236 - - [cgihw.tld/sid#d9f9b8][rid#e5ac30/initial/redir#2] [perdir /home/cgihw/public_html/] applying pattern '.*' to uri 'goodbye.txt' [Mon Feb 29 16:09:18.806770 2016] [rewrite:trace2] [pid 8692] mod_rewrite.c(476): [client 192.168.122.236:42428] 192.168.122.236 - - [cgihw.tld/sid#d9f9b8][rid#e5ac30/initial/redir#2] [perdir /home/cgihw/public_html/] rewrite 'goodbye.txt' -> 'goodbye.txt' [Mon Feb 29 16:09:18.806781 2016] [rewrite:trace3] [pid 8692] mod_rewrite.c(476): [client 192.168.122.236:42428] 192.168.122.236 - - [cgihw.tld/sid#d9f9b8][rid#e5ac30/initial/redir#2] [perdir /home/cgihw/public_html/] add per-dir prefix: goodbye.txt -> /home/cgihw/public_ html/goodbye.txt [Mon Feb 29 16:09:18.806795 2016] [rewrite:trace1] [pid 8692] mod_rewrite.c(476): [client 192.168.122.236:42428] 192.168.122.236 - - [cgihw.tld/sid#d9f9b8][rid#e5ac30/initial/redir#2] [perdir /home/cgihw/public_html/] initial URL equal rewritten URL: /home/cgihw/public_ht ml/goodbye.txt [IGNORING REWRITE] [Mon Feb 29 16:09:18.806885 2016] [http:trace3] [pid 8692] http_filters.c(1006): [client 192.168.122.236:42428] Response sent with status 403, headers: [Mon Feb 29 16:09:18.806898 2016] [http:trace5] [pid 8692] http_filters.c(1013): [client 192.168.122.236:42428] Date: Mon, 29 Feb 2016 16:09:18 GMT [Mon Feb 29 16:09:18.806908 2016] [http:trace5] [pid 8692] http_filters.c(1016): [client 192.168.122.236:42428] Server: Apache [Mon Feb 29 16:09:18.806917 2016] [http:trace4] [pid 8692] http_filters.c(835): [client 192.168.122.236:42428] Last-Modified: Mon, 29 Feb 2016 16:06:33 GMT [Mon Feb 29 16:09:18.806925 2016] [http:trace4] [pid 8692] http_filters.c(835): [client 192.168.122.236:42428] Accept-Ranges: bytes [Mon Feb 29 16:09:18.806931 2016] [http:trace4] [pid 8692] http_filters.c(835): [client 192.168.122.236:42428] Content-Length: 14 [Mon Feb 29 16:09:18.806938 2016] [http:trace4] [pid 8692] http_filters.c(835): [client 192.168.122.236:42428] Connection: close [Mon Feb 29 16:09:18.806944 2016] [http:trace4] [pid 8692] http_filters.c(835): [client 192.168.122.236:42428] Content-Type: text/plain [Mon Feb 29 16:09:18.806979 2016] [core:trace6] [pid 8692] core_filters.c(525): [client 192.168.122.236:42428] core_output_filter: flushing because of FLUSH bucket [Mon Feb 29 16:09:18.807233 2016] [core:trace6] [pid 8692] core_filters.c(525): [client 192.168.122.236:42428] core_output_filter: flushing because of FLUSH bucket Trace8 after new patch: [Mon Feb 29 16:27:48.520428 2016] [core:trace5] [pid 18816] protocol.c(616): [client 192.168.122.236:42816] Request received from client: GET /missing.txt HTTP/1.1 [Mon Feb 29 16:27:48.520744 2016] [http:trace4] [pid 18816] http_request.c(394): [client 192.168.122.236:42816] Headers received from client: [Mon Feb 29 16:27:48.520764 2016] [http:trace4] [pid 18816] http_request.c(398): [client 192.168.122.236:42816] User-Agent: curl/7.29.0 [Mon Feb 29 16:27:48.520773 2016] [http:trace4] [pid 18816] http_request.c(398): [client 192.168.122.236:42816] Host: cgihw.tld [Mon Feb 29 16:27:48.520781 2016] [http:trace4] [pid 18816] http_request.c(398): [client 192.168.122.236:42816] Accept: */* [Mon Feb 29 16:27:48.521090 2016] [authz_core:debug] [pid 18816] mod_authz_core.c(809): [client 192.168.122.236:42816] AH01626: authorization result of Require all denied: denied [Mon Feb 29 16:27:48.521110 2016] [authz_core:debug] [pid 18816] mod_authz_core.c(809): [client 192.168.122.236:42816] AH01626: authorization result of <RequireAny>: denied [Mon Feb 29 16:27:48.521118 2016] [authz_core:error] [pid 18816] [client 192.168.122.236:42816] AH01630: client denied by server configuration: /home/cgihw/public_html/missing.txt [Mon Feb 29 16:27:48.521127 2016] [core:trace3] [pid 18816] request.c(119): [client 192.168.122.236:42816] auth phase 'check access' gave status 403: /missing.txt [Mon Feb 29 16:27:48.521212 2016] [rewrite:trace3] [pid 18816] mod_rewrite.c(476): [client 192.168.122.236:42816] 192.168.122.236 - - [cgihw.tld/sid#1c22af8][rid#1c3f058/initial/redir#1] [perdir /home/cgihw/public_html/] strip per-dir prefix: /home/cgihw/public_html/403.shtml -> 403.shtml [Mon Feb 29 16:27:48.521240 2016] [rewrite:trace3] [pid 18816] mod_rewrite.c(476): [client 192.168.122.236:42816] 192.168.122.236 - - [cgihw.tld/sid#1c22af8][rid#1c3f058/initial/redir#1] [perdir /home/cgihw/public_html/] applying pattern '.*' to uri '403.shtml' [Mon Feb 29 16:27:48.521264 2016] [rewrite:trace2] [pid 18816] mod_rewrite.c(476): [client 192.168.122.236:42816] 192.168.122.236 - - [cgihw.tld/sid#1c22af8][rid#1c3f058/initial/redir#1] [perdir /home/cgihw/public_html/] rewrite '403.shtml' -> 'goodbye.txt' [Mon Feb 29 16:27:48.521279 2016] [rewrite:trace3] [pid 18816] mod_rewrite.c(476): [client 192.168.122.236:42816] 192.168.122.236 - - [cgihw.tld/sid#1c22af8][rid#1c3f058/initial/redir#1] [perdir /home/cgihw/public_html/] add per-dir prefix: goodbye.txt -> /home/cgihw/public_html/goodbye.txt [Mon Feb 29 16:27:48.521296 2016] [rewrite:trace2] [pid 18816] mod_rewrite.c(476): [client 192.168.122.236:42816] 192.168.122.236 - - [cgihw.tld/sid#1c22af8][rid#1c3f058/initial/redir#1] [perdir /home/cgihw/public_html/] strip document_root prefix: /home/cgihw/public_html/goodbye.txt -> /goodbye.txt [Mon Feb 29 16:27:48.521310 2016] [rewrite:trace1] [pid 18816] mod_rewrite.c(476): [client 192.168.122.236:42816] 192.168.122.236 - - [cgihw.tld/sid#1c22af8][rid#1c3f058/initial/redir#1] [perdir /home/cgihw/public_html/] internal redirect with /goodbye.txt [INTERNAL REDIRECT] [Mon Feb 29 16:27:48.521420 2016] [rewrite:trace3] [pid 18816] mod_rewrite.c(476): [client 192.168.122.236:42816] 192.168.122.236 - - [cgihw.tld/sid#1c22af8][rid#1c42bb0/initial/redir#2] [perdir /home/cgihw/public_html/] strip per-dir prefix: /home/cgihw/public_html/goodbye.txt -> goodbye.txt [Mon Feb 29 16:27:48.521437 2016] [rewrite:trace3] [pid 18816] mod_rewrite.c(476): [client 192.168.122.236:42816] 192.168.122.236 - - [cgihw.tld/sid#1c22af8][rid#1c42bb0/initial/redir#2] [perdir /home/cgihw/public_html/] applying pattern '.*' to uri 'goodbye.txt' [Mon Feb 29 16:27:48.521451 2016] [rewrite:trace2] [pid 18816] mod_rewrite.c(476): [client 192.168.122.236:42816] 192.168.122.236 - - [cgihw.tld/sid#1c22af8][rid#1c42bb0/initial/redir#2] [perdir /home/cgihw/public_html/] rewrite 'goodbye.txt' -> 'goodbye.txt' [Mon Feb 29 16:27:48.521464 2016] [rewrite:trace3] [pid 18816] mod_rewrite.c(476): [client 192.168.122.236:42816] 192.168.122.236 - - [cgihw.tld/sid#1c22af8][rid#1c42bb0/initial/redir#2] [perdir /home/cgihw/public_html/] add per-dir prefix: goodbye.txt -> /home/cgihw/public_html/goodbye.txt [Mon Feb 29 16:27:48.521479 2016] [rewrite:trace1] [pid 18816] mod_rewrite.c(476): [client 192.168.122.236:42816] 192.168.122.236 - - [cgihw.tld/sid#1c22af8][rid#1c42bb0/initial/redir#2] [perdir /home/cgihw/public_html/] initial URL equal rewritten URL: /home/cgihw/public_html/goodbye.txt [IGNORING REWRITE] [Mon Feb 29 16:27:48.521561 2016] [http:trace3] [pid 18816] http_filters.c(1006): [client 192.168.122.236:42816] Response sent with status 403, headers: [Mon Feb 29 16:27:48.521572 2016] [http:trace5] [pid 18816] http_filters.c(1013): [client 192.168.122.236:42816] Date: Mon, 29 Feb 2016 16:27:48 GMT [Mon Feb 29 16:27:48.521581 2016] [http:trace5] [pid 18816] http_filters.c(1016): [client 192.168.122.236:42816] Server: Apache [Mon Feb 29 16:27:48.521590 2016] [http:trace4] [pid 18816] http_filters.c(835): [client 192.168.122.236:42816] Last-Modified: Mon, 29 Feb 2016 16:06:33 GMT [Mon Feb 29 16:27:48.521600 2016] [http:trace4] [pid 18816] http_filters.c(835): [client 192.168.122.236:42816] Accept-Ranges: bytes [Mon Feb 29 16:27:48.521608 2016] [http:trace4] [pid 18816] http_filters.c(835): [client 192.168.122.236:42816] Content-Length: 14 [Mon Feb 29 16:27:48.521615 2016] [http:trace4] [pid 18816] http_filters.c(835): [client 192.168.122.236:42816] Connection: close [Mon Feb 29 16:27:48.521622 2016] [http:trace4] [pid 18816] http_filters.c(835): [client 192.168.122.236:42816] Content-Type: text/plain [Mon Feb 29 16:27:48.521662 2016] [core:trace6] [pid 18816] core_filters.c(525): [client 192.168.122.236:42816] core_output_filter: flushing because of FLUSH bucket [Mon Feb 29 16:27:48.521934 2016] [core:trace6] [pid 18816] core_filters.c(525): [client 192.168.122.236:42816] core_output_filter: flushing because of FLUSH bucket Since we're having a difficult time duplicating the secondary issues, I am closing this bug. Thanks for your help Eric |