We help IT Professionals succeed at work.

Apache always generates 302 Found when a page doesn't exist

Medium Priority
5,945 Views
Last Modified: 2012-05-12
I can't figure out why Apache always generates a 302 Found status even though it is (correctly) going to an error page.

It's causing me to fail PCI compliance scans because they are testing to see if I have badevilscript.php on my server, so they check www.mydomain.com/badevilscript.php and it returns "302 Found" even though the file doesn't exist.

What could cause this?
Comment
Watch Question

Jayachandran PalanisamyTechnical Consultant - Linux
CERTIFIED EXPERT

Commented:
I have never seen a status code 302 referred to as error code 302. It is a server status code indicating that a redirect is taking place. It is not technically an error code. The word "Found" is being returned by the Apache server. Some configurations use "302 Found" while others use "302 Moved Temporarily".

It might be due to redirect problem on your website.
If you do have a redirect problem.

1) Do you have a redirect set up in the .htaccess file? If so, post the code here so that we can look at it.

2) If you do not have a redirect set up, are you using a domain forwarding feature at your domain registrar to point the domain to your web site? They are redirects that can sometimes screw up the status codes.

You can check your website status here.
http://www.metachecker.net/Analise.aspx
http://web-sniffer.net/

Good luck...

Regards,
Jay

Author

Commented:
I never called it an "error code".  You know who did?  Some person on another website... you know, the website you copy/pasted this text from.

If you're going to steal other people's work at least take the time to make sure it makes sense in the context of the original question.  I thought the first paragraph was obnoxious when I saw it on the other website and doubly so when it was directed at my post where I never even referenced "error code 302".

Also, if you're going to include links that you took from another post on another website, at least make sure they both work.

To answer the questions for someone who does care to help:
1. There is not even an .htaccess file on the sites in question.
2. Domain forwarding is not being used.
Jayachandran PalanisamyTechnical Consultant - Linux
CERTIFIED EXPERT

Commented:
Sorry jeff_zucker,  one of my friend searched and pasted the above reply under my Login. Just now I have seen that.


Author

Commented:
No problem.  Thanks for following up.

Anyone out there know the answer to this?
Most Valuable Expert 2011
Author of the Year 2014

Commented:
Have a look at the first sentence of this article:
http://en.wikipedia.org/wiki/HTTP_302

There is some good discussion here:
http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html

In my installation I have a 404 handler and a .htaccess that points to it with this statement.  
ErrorDocument 404 /404handler.php

In certain circumstances my 404 handler may redirect the client to the home page with header("Location /");

What is your domain name?
Top Expert 2006

Commented:
Your apache configuration has a redirect (possibly to error pages?)

http://httpd.apache.org/docs/1.3/misc/howto.html#redirect

You do not need to specify a redirect to a standard error page. Apache will handle them by itself. Have a look through your apache2.conf/httpd.con (and any inc files) for mechanisms mentioned in this URL given above and correct. (probably a mod_alias, or redirect issue?)

HTH:)

Tony McCreathTechnical SEO Consultant

Commented:
I've seen several cases where 404 errors are incorrectly handled and cause 302s or 301 to a 200 page.

What type of server do you have?
What language is your website written in?
Are you using a CMS?

I think ASPX (Microsoft) based websites used to have this problem.

Author

Commented:
Ok, so if I'm understanding this right, my problem is most likely with these lines in my httpd.conf:
ErrorDocument 403 http://www.<mydomain>.com/404.shtml
ErrorDocument 404 http://www.<mydomain>.com/404.shtml

The reason they are written this way is because for PCI Compliance I need 403 and 404 errors to produce the exact same output.  For more information, go here: http://www.experts-exchange.com/Software/Server_Software/Web_Servers/Apache/Q_27259009.html

Maybe there is something else I should be doing to make 403 and 404 responses look the same, yet not look like 302's?

Also, here are the answers to the questions above:
- Don't want to include my domain name for privacy reasons
- Using LAMP
- No CMS.

Any help would be greatly appreciated.

Commented:
Maybe you have an application written in PHP that use Rewrite Rules to control the flow.
I.E. If the app was written in Zend or Symfony or Cake, they use a redirect (302 status code) to show the erro message.

Check your Virtual Host definition to see if you have something like

RewriteRule ....

Cause, even if you try to get an url like http://www.domain.com/some/stuff it will be rewritten to  http://www.domain.com/index.php?controller=some&view=stuff that always is a valid path for Apache, but can be invalid for the application
Tony McCreathTechnical SEO Consultant

Commented:
As @NoiS said, it looks like you have something else intercepting 404s and dealing with them.

What URL doe the 302 Redirect take you to? This may give you a clue as to what it is doing it.

A correct 404 page does not do a redirect. You will still be on the page requested and your 404.shtml page should be displayed.

Is it displaying the content of your 404.shtml page?

Author

Commented:
I don't think there's any php redirect going on.  I'm the only one who writes php (or anything for that matter) on the server and I don't use Zend or any of those products.

Whether I go to a page that is forbidden (mydomain.com/~root) or a page that does not exist (mydomain.com/~randomstringofcharacters), I get the following:

1. Requesting: http://mydomain.com/~root 
GET /~root HTTP/1.1
Connection: Keep-Alive
Keep-Alive: 300
Accept:*/*
Host: mydomain.com
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 6.0)

Server Response:
HTTP/1.1 302 Found Date: Tue, 15 Nov 2011 20:09:29 GMT Server: Apache Location: http://www.mydomain.com/404.shtml Connection: close Content-Type: text/html; charset=iso-8859-1


Note: I do want forbidden and not found to generate the same error message, just not a 302.
Tony McCreathTechnical SEO Consultant
Commented:
Just as a test, if you remove the ErrorDocument statements does it still do the redirect?
Ok, I figured it out.  As I noted before, my httpd.conf had my ErrorRedirect set up like this:
ErrorDocument 403 http://www.<mydomain>.com/404.shtml
ErrorDocument 404 http://www.<mydomain>.com/404.shtml

They should have been set up like this:
ErrorDocument 403 /<internalpathtofile>/404.shtml
ErrorDocument 404 /<internalpathtofile>/404.shtml

As soon as I changed the path, it stopped returning the 302.  

Author

Commented:
Although I ended up solving this on my own, Tiggerito helped get me there, so awarding some points to him/her.
Tony McCreathTechnical SEO Consultant

Commented:
Good discovery, so absolute URLs cause it to think it needs to 302 redirect instead of rewrite.

Cheers for the points