'Prevent Apache for opening files with similar name to url

My .htaccess:

RewriteEngine On

RewriteBase /

RewriteCond %{REQUESTFILENAME} !-f
RewriteCond %{REQUESTFILENAME} !-d

RewriteRule ^login/generic_oauth$ auth0-callback.php [L]
RewriteRule ^(.*)$ index.php?page=$1 [L]

My vhost file:

<VirtualHost *:443>
    DocumentRoot /home/blabla/www/frontend/
    ServerName some-domain.net
    ServerAlias www.some-domain.net
    SSLEngine on
    SSLCertificateFile /etc/apache2/crt/cert.pem
    SSLCertificateKeyFile /etc/apache2/crt/key.pem
    <Directory />
              Options -Indexes +FollowSymLinks -MultiViews
              AllowOverride All
              Require all granted
     </Directory>
     <Directory /home/blabla/www/>
              Options -Indexes +FollowSymLinks -MultiViews
              AllowOverride All
              Require all granted
     </Directory>
</VirtualHost>

The problem is when I try to access https://www.some-domain.net/login/generic_oauth Apache is loading login.php (which exists). Problem disappears when I rename the file to loggin.php for example.

apachemod-rewrite


Solution 1:[1]

The problem is when I try to access https://www.some-domain.net/login/generic_oauth Apache is loading login.php (which exists). Problem disappears when I rename the file to loggin.php for example.

This problem is symptomatic of having MultiViews enabled. Although, you appear to be disabling MultiViews in the server config, except that you are not targeting the DocumentRoot with your <Directory> containers...

 DocumentRoot /home/blabla/www/frontend/
 :
 <Directory />
          Options -Indexes +FollowSymLinks -MultiViews
          AllowOverride All
          Require all granted
 </Directory>
 <Directory /home/blabla/www/>
          Options -Indexes +FollowSymLinks -MultiViews
          AllowOverride All
          Require all granted
 </Directory>

You should not be setting AllowOveride All and Require all granted in the <Directory /> container, ie. the entire drive! You should be disabling access instead and this should already be defined outside of the <VirtualHost> container, in the main server config.

You are then granting access to /home/blabla/www/, but this is the directory above the DocumentRoot?! Do you have another .htaccess in this parent directory? Do you have another <Directory> container that matches the DocumentRoot?

So, your config should look more like this:

<Directory />
    Options SymLinksIfOwnerMatch 
    AllowOverride None
    Require all denied
</Directory>

<VirtualHost *:443>
    ServerName some-domain.net
    ServerAlias www.some-domain.net

    SSLEngine on
    SSLCertificateFile /etc/apache2/crt/cert.pem
    SSLCertificateKeyFile /etc/apache2/crt/key.pem

    DocumentRoot /home/blabla/www/frontend/

    <Directory /home/blabla/www/frontend>
        Options +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

As with any changes to the server config, you need to restart Apache.

If this does not resolve the issue then you need to look for any other places in the config that could be enabling MultiViews. And if all else fails, explicitly disable MultiViews in the .htaccess file itself:

Options -MultiViews

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1

Related Questions