Hi,

I believe I figured this out (finally I hope :)).

The real solution to this problem is not putting rewrite rule for proxy to php-fpm in <Directory> but to do the following:

    RewriteCond %{REQUEST_URI} -U
    RewriteRule (.*\.php)$ fcgi://IP:PORT/$1 [P,L]

Outside of the <Directory> tags and inside of the <VirtualHost> tags.

I tested this, and all of the scenarios I can think of work (access control, rewrite rules etc).

Thank you.

Sergei.

On 10 July 2014 14:24, Sergei Franco <sergei.franco@xxxxxxxxx> wrote:
> Hi,
>
> It appears that the problem is not solved.
> Here is a scenario where it fails:
>
> having .htaccess with RewriteEngine On (or any RewriteRule) will
> "disable" RewriteRules defined inside of the <Directory> in the site
> conf.
>
> How to replicate:
>
> Have a basic <Directory /var/www/site> with any simple rewrite rule, I
> used 'RewriteRule . - [F]' as example.
> Without rewrite related stuff inside of the .htaccess file the
> response is 403 (as expected)
> Now, inside of the directory (or subdirectory), place an .htaccess
> file, with simple Rewrite Engine On, it completely ignores the rewrite
> rules defined in <Directory>.
>
> I cannot explain this behaviour at all.
>
> Thank you.
>
>
> Sergei.
>
>
> On 9 July 2014 22:35, Edgar Pettijohn <edgar@xxxxxxxxxxxxxxxxxxx> wrote:
>> I'm glad you found it.
>>
>> On 07/08/2014 11:17 PM, Sergei Franco wrote:
>>> Hi Edgar,
>>>
>>> I found that I was wrong about .htaccess not working inside of <Directory> tag:
>>>
>>> RewriteMap and standard rewrite lookup of the user dirs goes here
>>>
>>> <Directory /PATH_TO_WWW/*>
>>> Standard directory conf goes here
>>>
>>> RewriteRule ^(.*\.php)$ fcgi://IP_OF_THE_FPM:FPM_PORT/$1 [P,L]
>>>
>>> </Directory>
>>>
>>> Basically the secret (for me at least) I needed to put rewrite rule
>>> that proxies through inside directory tags that are for common
>>> directory of the users with *.
>>>
>>> so if I have users in /var/www/$username , the directory tag should
>>> look like this: <Directory /var/www/*>
>>>
>>> TL;DR: use proxy rewrite rule inside of directory tags for the common
>>> users directory.
>>>
>>>
>>> Thank you very much,
>>>
>>> Sergei.
>>>
>>> On 9 July 2014 13:35, Sergei Franco <sergei.franco@xxxxxxxxx> wrote:
>>>> Hi,
>>>>
>>>> Here is (redacted) portion of virtual section I use (I replaced real
>>>> IP address with [IP]):
>>>>
>>>> RewriteMap vhost dbm=db:/[somepath]/vhost.db
>>>> RewriteMap port-fpm dbm=db:/[somepath]/fpmports.db
>>>>
>>>> RewriteCond ${lowercase:%{SERVER_NAME}} ^(.+)$
>>>> RewriteRule ^.*$ - [E=WEBSITE:%1]
>>>>
>>>> RewriteCond ${vhost:%{env:WEBSITE}} ^(/.*)$
>>>> RewriteRule ^.*$ - [E=WEBDIR:%1]
>>>>
>>>> RewriteCond ${port-fpm:%{env:WEBSITE}} ^(.+)$
>>>> RewriteRule ^.*$ - [E=PORTFPM:%1]
>>>>
>>>> RewriteCond %{env:WEBDIR} ^(/.*)$
>>>> RewriteRule ^/(.*)$ %1/htdocs/$1
>>>>
>>>> RewriteRule ^/(.*\.php)$ fcgi://REDACTEDIP:%{env:PORTFPM}/$1 [P,L]
>>>>
>>>> rest is pretty standard.
>>>>
>>>> The above rules are there to dynamically assign port and vhost
>>>> directory... This all works really well (where we have nodes behind LVS
>>>> which listen to different port per user). The only thing does not work
>>>> is htaccess being ignored due to apache not considering local requests
>>>> that are rewritten to mod_proxy_fcgi.
>>>>
>>>> Regarding the logs,
>>>>
>>>> Here is the debug (I assume this is picked up from <Directory> definition):
>>>> [Wed Jul 09 13:10:30.072748 2014] [authz_core:debug] [pid 2195]
>>>> mod_authz_core.c(802): [client REDACTEDIP:31561] AH01626:
>>>> authorization result of <RequireAny>: granted, referer:
>>>> http://test.REDACTED/wordpress/wp-login.php?loggedout=true
>>>>
>>>> More rewrite debug:
>>>>
>>>> Here is the result of the 'php' file (expected 403 but got pass through):
>>>> [Wed Jul 09 13:15:30.561226 2014] [rewrite:trace2] [pid 3030]
>>>> mod_rewrite.c(468): [client REDACTEDIP:23497] REDACTEDIP - -
>>>> [test.REDACTED/sid#7f70347d8f30][rid#7f702f4090a0/initial] rewrite
>>>> '/wordpress/wp-login.php' ->
>>>> 'fcgi://REDACTEDIP:PORT/REDACTEDPATH/test.REDACTED/htdocs/wordpress/wp-login.php'
>>>>
>>>> And here is the result of the non-php file (expected 403, got 403):
>>>> [Wed Jul 09 13:15:30.709276 2014] [rewrite:trace2] [pid 3030]
>>>> mod_rewrite.c(468): [client REDACTEDIP:23497] REDACTEDIP - -
>>>> [test.REDACTED/sid#7f70347d8f30][rid#7f70347ad0a0/initial] [perdir
>>>> /REDACTEDPATH/test.REDACTED/htdocs/wordpress/] forcing responsecode
>>>> 403 for /REDACTEDPATH/test.REDACTED/htdocs/wordpress/wp-includes/css/dashicons.min.css,
>>>> referer: http://testREDACTED./wordpress/wp-login.php?loggedout=true
>>>>
>>>>
>>>> Thank you very much.
>>>>
>>>> Sergei.
>>>>
>>>>
>>>> On 9 July 2014 12:36, Edgar Pettijohn <edgar@xxxxxxxxxxxxxxxxxxx> wrote:
>>>>> On 07/08/2014 06:00 PM, Sergei Franco wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I am using apache 2.4.7 with mod_proxy_fcgi for purpose of passing
>>>>>> through php to php-fpm (this will be used for shared hosting
>>>>>> environment).
>>>>>> The htaccess works fine for non php files, but once it hit rewrite
>>>>>> rule that proxies through the php requests, the htaccess is ignored.
>>>>>>
>>>>>> I know why it is happening.
>>>>>>
>>>>>> The question how do I force apache to treat the request to php file as
>>>>>> a request to local file, and then proxy it through?
>>>>>>
>>>>>> I have spent substantial time in researching on this problem, and
>>>>>> following "answers" were given as solution:
>>>>>>
>>>>>> 1) "use apache configuration instead of .htaccess" it is valid
>>>>>> solution, but not for shared hosting environment (I am not going to
>>>>>> give access to apache configuration to shared hosting customers ;)).
>>>>>> 2) "don't use .htaccess, as it has performance/security/other issues",
>>>>>> well how else would shared hosting customers control access/url
>>>>>> rewriting on their site? Besides if the .htaccess was not a
>>>>>> requirement I would simply use nginx.
>>>>>> 3) "put rewrite rule for proxy inside of <directory>" - this is
>>>>>> incorrect, and it does not work.
>>>>>>
>>>>>>
>>>>>> This behaviour appears to be not a bug but a "feature" as per
>>>>>> https://issues.apache.org/bugzilla/show_bug.cgi?id=54887
>>>>>>
>>>>>>
>>>>>> Thank you very much.
>>>>>>
>>>>>>
>>>>>> Sergei.
>>>>>>
>>>>>> ---------------------------------------------------------------------
>>>>>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>>>>>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>>>>>>
>>>>> Your httpd.conf and logs would be helpful.
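
Added example, not part of the original thread and not Apache project code: a small Python check that walks a site configuration and classifies every RewriteRule that proxies to fcgi://, following what the thread reports (a vhost-level rule without `RewriteCond %{REQUEST_URI} -U` passes PHP requests through past .htaccess, and a rule inside <Directory> stops applying once .htaccess enables mod_rewrite). The function name, verdict labels and sample configuration are assumptions made for this illustration.

```python
import re

# Constructed sample vhost, modelled on the rules quoted in this thread
# (IP:PORT is the thread's own placeholder).
SAMPLE_CONF = r"""
<VirtualHost *:80>
    RewriteEngine On
    RewriteRule ^/(.*\.php)$ fcgi://IP:PORT/$1 [P,L]
    <Directory /var/www/*>
        RewriteRule ^(.*\.php)$ fcgi://IP:PORT/$1 [P,L]
    </Directory>
    RewriteCond %{REQUEST_URI} -U
    RewriteRule (.*\.php)$ fcgi://IP:PORT/$1 [P,L]
</VirtualHost>
"""

def audit_fcgi_proxy_rules(conf_text):
    """Return (line_no, context, verdict) for every RewriteRule proxying to fcgi://.

    Hypothetical helper; verdict labels are this example's own, not Apache terms.
    Assumes one directive per line and no quoted arguments containing spaces.
    """
    findings, sections, conds = [], [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].startswith("</"):          # closing section tag
            if sections:
                sections.pop()
            conds = []
        elif parts[0].startswith("<"):         # opening section tag
            sections.append(parts[0].lstrip("<").rstrip(">").lower())
            conds = []
        elif parts[0].lower() == "rewritecond":
            conds.append(parts[1:])            # applies to the next RewriteRule only
        elif parts[0].lower() == "rewriterule" and len(parts) >= 3:
            flags = parts[3].strip("[]").upper().split(",") if len(parts) > 3 else []
            if parts[2].lower().startswith("fcgi://") and ("P" in flags or "PROXY" in flags):
                in_dir = any(s.startswith("directory") for s in sections)
                has_u = any(c[:2] == ["%{REQUEST_URI}", "-U"] for c in conds)
                # Per the thread: <Directory> rules are dropped when .htaccess has its own rewrite config.
                verdict = "perdir-overridable" if in_dir else ("guarded" if has_u else "unguarded")
                ctx = "directory" if in_dir else ("vhost" if "virtualhost" in sections else "server")
                findings.append((no, ctx, verdict))
            conds = []
    return findings

if __name__ == "__main__":
    for finding in audit_fcgi_proxy_rules(SAMPLE_CONF):
        print(finding)
```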