Apache DirectorySlash Off - Site breaks

apache .htaccess http-status-code-403
gearsdigital picture gearsdigital · Jul 15, 2010 · Viewed 13.8k times · Source

If i set DirectorySlash Off in my .htaccess file and call the directory without the trailing slash i get an 403-Forbidden from my server. If i call it with slash everything works fine.

Could anyone explain why? Here are my fully anonymized .htaccess:

# GLOBAL CONFIG
Options +FollowSymlinks
DirectorySlash Off
AddDefaultCharset utf-8
php_value post_max_size 256M
php_value upload_max_filesize 256M

# BEGIN WordPress
RewriteEngine On
RewriteBase /folder/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /folder/index.php [L]
# END WordPress

# REMOVE WWW
RewriteCond %{HTTP_HOST} ^([^.]+)\.domain\.com$ [NC]
RewriteRule ^(.*)$ http://domain.com$1 [R=301,L]

Answer

Tim Stone picture Tim Stone · Jul 17, 2010

As you know per the documentation, when DirectorySlash is set to Off, requests to /folder do not have DirectoryIndex evaluated. This means that the request will not be automatically mapped to /folder/index.php.

mod_dir performs this check in the "fixup" phase of the request processing. mod_rewrite, which is responsible for your RewriteRule definitions, also performs its processing in this phase when you specify the rules in a .htaccess file.

However, it was programmed with an awareness of modules like mod_dir, and includes a check to make sure that the current directory was requested with a trailing slash. If not, it declines to handle the request, since doing so might lead to undefined behaviour.

The request then moves on to the content-generation phase, which, since the request was not mapped to a real file, is handled by mod_autoindex. Given that Indexes are disabled on your host by default, mod_autoindex returns 403 Forbidden which is what you see.

Note that since DirectoryIndex is not evaluated, even if mod_rewrite were to process the request, it would still fail, because no auto-resolution to index.php would occur, and your rule

RewriteRule . /folder/index.php [L]

wouldn't match, because the . requires a match on something (but the request would be blank).

Enabling DirectorySlash prevents this scenario by correcting the prevented actions in all of the previously mentioned scenarios except the last note, which is taken care of by the fact that DirectoryIndex maps the request to index.php anyway.

Related questions

Custom Error 403 Page PHP

I created a .htaccess inside a directory in which I don't want the files to be directly accessed. It works and fires the default 403 page (Access forbidden!) of the Apache server. How can I create a custom 403 page? Thanks!

Read More
Problem redirecting 403 Forbidden to 404 Not Found

The pertinent part of my .htaccess looks like this: Options -Indexes <FilesMatch include> Order allow,deny Deny from all </FilesMatch> RedirectMatch 404 ^/include(/.*)$ And it's generating the following responses: /include 403 /include/ 404 /include/config.inc 403 I can tell …

Read More
htaccess 403 Forbidden error was encountered while trying to use an ErrorDocument

I want to have a custom 403 page in my project. So I added these codes in a .htaccess file: Order deny,allow Deny from all Allow from 192.168.1.0/24 ErrorDocument 403 /403.htm But when the project runs from an out of rang IP, …

Read More