jeff_zucker

Apache always generates 302 Found when a page doesn't exist

I can't figure out why Apache always generates a 302 Found status even though it is (correctly) going to an error page.

It's causing me to fail PCI compliance scans because they are testing to see if I have badevilscript.php on my server, so they check www.mydomain.com/badevilscript.php and it returns "302 Found" even though the file doesn't exist.

What could cause this?
Jayachandran Palanisamy

I have never seen a status code 302 referred to as error code 302. It is a server status code indicating that a redirect is taking place. It is not technically an error code. The word "Found" is being returned by the Apache server. Some configurations use "302 Found" while others use "302 Moved Temporarily".

It might be due to a redirect problem on your website.
If you do have a redirect problem:

1) Do you have a redirect set up in the .htaccess file? If so, post the code here so that we can look at it.

2) If you do not have a redirect set up, are you using a domain forwarding feature at your domain registrar to point the domain to your web site? They are redirects that can sometimes screw up the status codes.

You can check your website status here.
http://www.metachecker.net/Analise.aspx
http://web-sniffer.net/

Good luck...

Regards,
Jay
jeff_zucker

ASKER

I never called it an "error code".  You know who did?  Some person on another website... you know, the website you copy/pasted this text from.

If you're going to steal other people's work at least take the time to make sure it makes sense in the context of the original question.  I thought the first paragraph was obnoxious when I saw it on the other website and doubly so when it was directed at my post where I never even referenced "error code 302".

Also, if you're going to include links that you took from another post on another website, at least make sure they both work.

To answer the questions for someone who does care to help:
1. There is not even an .htaccess file on the sites in question.
2. Domain forwarding is not being used.

Sorry jeff_zucker, one of my friends searched and pasted the above reply under my login. Just now I have seen that.


No problem.  Thanks for following up.

Anyone out there know the answer to this?
Have a look at the first sentence of this article:
http://en.wikipedia.org/wiki/HTTP_302

There is some good discussion here:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

In my installation I have a 404 handler and a .htaccess that points to it with this statement.  
ErrorDocument 404 /404handler.php

In certain circumstances my 404 handler may redirect the client to the home page with header("Location: /");

What is your domain name?
Your apache configuration has a redirect (possibly to error pages?)

http://httpd.apache.org/docs/1.3/misc/howto.html#redirect

You do not need to specify a redirect to a standard error page. Apache will handle them by itself. Have a look through your apache2.conf/httpd.conf (and any inc files) for mechanisms mentioned in the URL given above and correct them. (Probably a mod_alias or redirect issue?)

HTH:)

I've seen several cases where 404 errors are incorrectly handled and cause 302s or 301 to a 200 page.

What type of server do you have?
What language is your website written in?
Are you using a CMS?

I think ASPX (Microsoft) based websites used to have this problem.
Ok, so if I'm understanding this right, my problem is most likely with these lines in my httpd.conf:
ErrorDocument 403 http://www.<mydomain>.com/404.shtml
ErrorDocument 404 http://www.<mydomain>.com/404.shtml

The reason they are written this way is because for PCI Compliance I need 403 and 404 errors to produce the exact same output.  For more information, go here: https://www.experts-exchange.com/questions/27259009/Apache-Error-Documents.html

Maybe there is something else I should be doing to make 403 and 404 responses look the same, yet not look like 302's?

Also, here are the answers to the questions above:
- Don't want to include my domain name for privacy reasons
- Using LAMP
- No CMS.

Any help would be greatly appreciated.

Maybe you have an application written in PHP that uses Rewrite Rules to control the flow.
I.e., if the app was written in Zend or Symfony or Cake, they use a redirect (302 status code) to show the error message.

Check your Virtual Host definition to see if you have something like

RewriteRule ....

Because even if you try to get a URL like http://www.domain.com/some/stuff, it will be rewritten to http://www.domain.com/index.php?controller=some&view=stuff, which is always a valid path for Apache but can be invalid for the application.
As @NoiS said, it looks like you have something else intercepting 404s and dealing with them.

What URL does the 302 Redirect take you to? This may give you a clue as to what is doing it.

A correct 404 page does not do a redirect. You will still be on the page requested and your 404.shtml page should be displayed.

Is it displaying the content of your 404.shtml page?
I don't think there's any php redirect going on.  I'm the only one who writes php (or anything for that matter) on the server and I don't use Zend or any of those products.

Whether I go to a page that is forbidden (mydomain.com/~root) or a page that does not exist (mydomain.com/~randomstringofcharacters), I get the following:

1. Requesting: http://mydomain.com/~root 
GET /~root HTTP/1.1
Connection: Keep-Alive
Keep-Alive: 300
Accept:*/*
Host: mydomain.com
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)

Server Response:
HTTP/1.1 302 Found
Date: Tue, 15 Nov 2011 20:09:29 GMT
Server: Apache
Location: http://www.mydomain.com/404.shtml
Connection: close
Content-Type: text/html; charset=iso-8859-1


Note: I do want forbidden and not found to generate the same error message, just not a 302.
SOLUTION
Tony McCreath
This solution is only available to members.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Although I ended up solving this on my own, Tiggerito helped get me there, so awarding some points to him/her.
Good discovery, so absolute URLs cause it to think it needs to 302 redirect instead of rewrite.

Cheers for the points
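
An added example, not part of the thread: a small Python check that scans httpd.conf text for ErrorDocument directives whose target is a full URL, which Apache answers with a redirect to the client instead of serving the document under the original 403/404 status. It also checks the asker's stated requirement that 403 and 404 use the same document. The sample configuration, example.com and the function names are constructed for illustration.

```python
import re
import shlex
from urllib.parse import urlsplit

# Constructed sample modelled on the httpd.conf lines quoted in the thread
# (example.com is a placeholder domain).
SAMPLE_CONF = '''\
# error handling
ErrorDocument 403 http://www.example.com/404.shtml
ErrorDocument 404 http://www.example.com/404.shtml
errordocument 500 "/errors/500.html"
ErrorDocument 401 "Authentication required"
'''

# A target starting with a scheme (http://, https://, ...) is a remote URL.
REMOTE = re.compile(r'^[a-z][a-z0-9+.-]*://', re.I)

def parse_error_documents(conf_text):
    """Return {status_code: target} for each ErrorDocument directive."""
    docs = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        try:
            parts = shlex.split(line)      # honours "quoted targets"
        except ValueError:                 # unbalanced quote: not our directive
            continue
        if (len(parts) >= 3 and parts[0].lower() == 'errordocument'
                and parts[1].isdigit()):
            docs[int(parts[1])] = ' '.join(parts[2:])
    return docs

def local_equivalent(target):
    """Path part of a full URL; only valid if the URL is on this same server."""
    return urlsplit(target).path or '/'

def audit(conf_text):
    """List (status, issue, target) tuples for risky ErrorDocument settings."""
    docs = parse_error_documents(conf_text)
    findings = [(code, 'remote-url', target)
                for code, target in sorted(docs.items())
                if REMOTE.match(target)]
    if docs.get(403) != docs.get(404):     # asker wants identical 403/404 output
        findings.append((403, 'differs-from-404', docs.get(403)))
    return findings

if __name__ == '__main__':
    for code, issue, target in audit(SAMPLE_CONF):
        print(code, issue, target, '->', local_equivalent(target))
```

Pointing both directives at the same local path (for example `/404.shtml`) clears both findings.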