[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 199
  • Last Modified:

Apache rewrite rule troubles

I have the following in DocumentRoot/.htaccess:
RewriteEngine On
RewriteCond %{HTTPS} !^on
RewriteRule .* https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

Open in new window

The idea is that if the user supplies "http" instead of "https" it will rewrite to "https", thus forcing all requests to secure. That works fine for all files in and subordinate to DocumentRoot, even with subordinate .htaccess files, except I have on sub-directory that has its own .htaccess file that appears to be canceling out the upper directory .htaccess:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^favicon\.ico$ skins/larry/images/favicon.ico

# security rules:
# - deny access to files not containing a dot or starting with a dot
#   in all locations except installer directory
RewriteRule ^(?!installer)(\.?[^\.]+)$ - [F]
# - deny access to some locations
RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F]
# - deny access to some documentation files
RewriteRule /?(README\.md|composer\.json-dist|composer\.json|package\.xml)$ - [F]
</IfModule>

Open in new window

For pages in this directory, if the user specifies https, fine, but if the user specified http, it does not get converted to https. I think something in this sub-folder's .htaccess rewrite rule is canceling out the superior rule, but I can't figure out what.
0
jmarkfoley
Asked:
jmarkfoley
1 Solution
 
Steve BinkCommented:
The upper-level .htaccess file will always be processed first, so the lower-level file should not even come into play.  There may be some other part of your configuration that is interfering with this.  What actually happens when you browse to that directory without SSL?

Also, try enabling your rewrite log to see what is actually being processed.  Post a single failed attempt here, and we can help analyze it.
0
 
Lucas BishopClick TrackerCommented:
Add this to your .htaccess in the sub-directory:

RewriteOptions Inherit

Open in new window


This will cause the sub-directory rules to be evaluated, then the parent directory rules on the second pass.
0
 
jmarkfoleyAuthor Commented:
Steve Bink:
The upper-level .htaccess file will always be processed first, so the lower-level file should not even come into play.
One would think so.
Post a single failed attempt here, and we can help analyze it.
I did the trace and the rewrite:trace messages did not appear to have the upper level .htaccess. However ...

Lucas Bishop: Yes, that did work! And the rewrite:trace shows it doing so. Thanks.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now