[plug] mod_rewrite: Out of chickens! (OT)

Trevor Phillips T.Phillips at murdoch.edu.au
Wed Jan 29 09:58:36 WST 2003 

On Wednesday 29 January 2003 08:36, James Devenish wrote:
>
> 	"Options FollowSymLinks or SymLinksIfOwnerMatch is off which implies
> 	that RewriteRule directive is forbidden"
> Trevor, are you saying that this is an error message that is given by
> Apache? And what version of Apache are you running? Apache 1 or 2?
> A recent Apache 1? Why leads you to suspect anything to do with the
> FollowSymLinks and SymLinksIfOwnerMatch options?

That is a cut-n-paste error from the error log, minus the IP and date, and 
that it's an error. The result of going to a CGI is a 403 Forbidden, the 
above error message explaining why it is forbidden.

It's apache 1.3.26, Debian Woody package - this is NOT a dinky server. This is 
a production (well, intranet development mostly - but our Prod/public server 
uses the same config) server.

Why do I suspect the FollowSymLinks and SymLinksIfOwnerMatch options? Because 
that's what it says in the error log? And the error makes sense?

> > I understand what it's doing: Because the scope of the rewrite engine
> > also covers the cgi-bin dir, it's balking at accessing anything in
> > cgi-bin, because for that dir I have neither Options FollowSymLinks
> > nor SymLinksIfOwnerMatch - which is a sensible thing to have for a
> > cgi-bin.
>
> Right...those generic terms like "it", "balk" aren't helping.
> Are you saying:
>
>  - when you have the RewriteRule active, Apache returns 403 (forbidden)
>    when you attempt to access URLs in /cgi-bin/...

Yes. That's what I'm saying. That's what the error says too. Forbidden due to 
neither FollowSymLinks nor SymLinksIfOwnerMatch being defined, as such making 
mod_rewrite not trust security.

> We could attempt to recreate your situation but would have to do
> this by guesswork since I haven't seen the context within your
> Apache configuration. How are you designating the cgi-bin directory
> as a script directory? The only thing that comes to mind is whether
> you are SURE you want the rewrite rules to be inside a Directory
> block? The rewriting is about URLs, not files, after all.

Right, I've done some more testing. Ignore the fact that it's a CGI dir - it 
has nothing to do with that. As a simple test, do something like this in your 
config:

<Directory /docroot>
  Options FollowSymLinks Includes

  RewriteEngine on
  RewriteBase /
</Directory>

<Directory /docroot/test>
  AllowOverride None
  Options None
</Directory>

With no rules at all, just with turning the Engine on, everything in 
/docroot/test is "Forbidden", due to the aforementioned error message. 

Putting "RewriteEngine off" in the /docroot/test dir does NOT work.

Yes, I could probably do this by turning on the redirect rules over a tighter 
scope. I *want* to do this. But as I said, I haven't got it to work yet. I 
guess I'll just have to try reading the manual & debugging again...

I'd rather NOT use <Location> blocks, because we have other devices which 
remap URIs, and I really want to keep this redirection file-based, not 
URI-based.

-- 
. Trevor Phillips             -           http://jurai.murdoch.edu.au/ . 
: Web Technical Administrator     -          T.Phillips at murdoch.edu.au : 
| IT Services                        -              Murdoch University | 
 >--------------------------------------------------------------------<
| On nights such as this, evil deeds are done. And good deeds, of     /
| course. But mostly evil, on the whole.                             /
 \      -- (Terry Pratchett, Wyrd Sisters)                          /

More information about the plug mailing list