Apache DirectorySlash Off - Site Breakdown

Question

Apache DirectorySlash Off - Site Breakdown

If I set DirectorySlash Off to my .htaccess file and call the directory without a trailing slash, I get 403-Forbidden from my server. If I call him a slash, everything will be fine.

Can anyone explain why? Here is my completely anonymous .htaccess :

 # GLOBAL CONFIG Options +FollowSymlinks DirectorySlash Off AddDefaultCharset utf-8 php_value post_max_size 256M php_value upload_max_filesize 256M # BEGIN WordPress RewriteEngine On RewriteBase /folder/ RewriteRule ^index\.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /folder/index.php [L] # END WordPress # REMOVE WWW RewriteCond %{HTTP_HOST} ^([^.]+)\.domain\.com$ [NC] RewriteRule ^(.*)$ http://domain.com$1 [R=301,L]

+6

http-status-code-403 apache .htaccess

gearsdigital Jul 15 '10 at 18:51

source share

3 answers

With Apache 2.4, you can enable overwriting .htaccess files by setting RewriteOptions AllowNoSlash .

  Changes with Apache 2.3.16 ... *) mod_rewrite: Add the AllowNoSlash RewriteOption, which makes it possible for RewriteRules to be placed in .htaccess files that match the directory with no trailing slash. PR 48304. [Matthew Byng-Maddick <matthew byng-maddick bbc.co.uk>] ...

See Apache Documentation for mod_rewrite

+8

Tom Feb 23 '12 at 8:47

source share

I think because when you turn off DirectorySlash, it will turn off URL auto-correction and try to show a list of directories, but, fortunately, you probably disabled it somewhere (or in file permissions), so it sends 403-Forbidden . I think when you turn it on, it works fine. From what I understand from the docs, it's not very good to use DirectorySlash for security. http://httpd.apache.org/docs/2.1/mod/mod_dir.html

+2

laurent Jul 15 '10 at 19:15

source share

Tim stone · Accepted Answer · 2010-07-17T21:59:54+0000

As you know in the documentation, when DirectorySlash set to Off , /folder requests do not have DirectoryIndex . This means that the request will not automatically display on /folder/index.php .

mod_dir performs this check in the “fix” phase of request processing. mod_rewrite , which is responsible for your RewriteRule definitions, also does its processing at this point when you specify the rules in the .htaccess file.

However, it was programmed for modules of type mod_dir and includes a check to ensure that the current directory is requested with a trailing slash. If not, it refuses to process the request, as this may lead to undefined behavior.

Then the request proceeds to the content creation phase, which, since the request was not attached to a real file, is processed by mod_autoindex . Given that Indexes disabled on your host by default, mod_autoindex returns 403 Forbidden , what you see.

Note that since DirectoryIndex not evaluated, even if mod_rewrite should have handled the request, it will still fail because there will not be automatic permission for index.php , and your rule

 RewriteRule . /folder/index.php [L]

will not match because . requires a match for something (but the request will be empty).

Enabling DirectorySlash prevents this scenario by correcting the prevented actions in all of the above scenarios, with the exception of the last note, which takes care of the fact that DirectoryIndex still displays a request for index.php .

Apache DirectorySlash Off - Site Breakdown

More articles: