ApacheConfigGenerator rewrite pub to viewfile does not work

Hi All,

ApacheConfigGenerator rewrite pub to viewfile does not work

My system:

• Linux version 4.15.0-124-generic (buildd@lgw01-amd64-027) (gcc version 7.5.0 (Ubuntu 7.5.0-3ubuntu1~18.04))
• Foswiki 2.1.6
• Apache 2.4

When I select the following on the Foswiki::Support::ApacheConfigGenerator

Apply Foswiki access controls to attachments by redirecting access to the viewfile script? Check to control attachment access

The config generator creates:

#
#  Protect attachments by rewriting to the "viewfile" script
#

#  Permit some safe exceptions to avoid viewfile overhead
#  Any gif/jpg/ico in /pub, and any files in /pub/System or any WebPreferences:
#  pass through unmodified
RewriteCond  %{REQUEST_URI} ^/+foswiki/pub/[^/]+\.(gif|jpe?g|ico)$  [NC,OR]
RewriteCond  %{REQUEST_URI} ^/+foswiki/pub/System/(.*)$  [OR]
RewriteCond  %{REQUEST_URI} ^/+foswiki/pub/([^/]+/)+WebPreferences/([^/]+)$
RewriteRule  ^/+foswiki/pub/.* - [L,PT]

# Optional - do not rewrite /pub/images if ImageGalleryPlugin is installed - path is incompatible with viewfile
#RewriteRule ^/+foswiki/+pub/+images/+.*$ - [L,PT]

# If it makes it here, rewrite as viewfile
RewriteRule ^/+foswiki/+pub/+(.*)$  /foswiki/bin/viewfile/$1 [L,PT]

It did not get the desired result. The pub URLs were not rewritten.

Tracing rewrite, I find the 3 RewriteCond are checked and then the pub/Sandbox/Topic/Attachment.txt url is passed through.

After reading the Apache Rewrite documentation I believe that is the correct behaviour since the L flag:

RewriteRule  ^/+foswiki/pub/.* - [L,PT]

stops all further rewriting. See; RewriteRule

With that understanding I changed the configuration to:

#
#  Protect attachments by rewriting to the "viewfile" script
#

#  Permit some safe exceptions to avoid viewfile overhead
#  Any gif/jpg/ico in /pub, and any files in /pub/System or any WebPreferences:
#  pass through unmodified
RewriteCond  %{REQUEST_URI} !^/+foswiki/pub/[^/]+\.(gif|jpe?g|ico)$  [NC,OR]   <<< Add ! Negate the match
RewriteCond  %{REQUEST_URI} !^/+foswiki/pub/System/(.*)$  [OR]                 <<< Add ! Negate the match
RewriteCond  %{REQUEST_URI} !^/+foswiki/pub/([^/]+/)+WebPreferences/([^/]+)$   <<< Add ! Negate the match
#RewriteRule  ^/+foswiki/pub/.* - [L,PT]                                       <<< Add # Removed

# Optional - do not rewrite /pub/images if ImageGalleryPlugin is installed - path is incompatible with viewfile
#RewriteRule ^/+foswiki/+pub/+images/+.*$ - [L,PT]

# If it makes it here, rewrite as viewfile
RewriteRule ^/+foswiki/+pub/+(.*)$  /foswiki/bin/viewfile/$1 [L,PT]

Which I read as:

• Do NOT rewrite the URLs matching the RewriteCond
• Rewrite all other /foswiki/pub references as /foswiki/bin/viewfile references.

Two questions:

1. does my change break anything?
2. is there a bug in the current ApacheConfigGenerator?

Thanks for your help

-- BramVanOosterhout - 07 Dec 2021

I am not an apache guy, still some remarks:

• ImageGalleryPlugin is not storing thumbnails in /pub/images/ anymore
• ImageGalleryPlugin as well as ImagePlugins create thumbnails called /pub/web/topic/igp_hexcode.png
• For performance reasons it might be a good idea to prevent igp_... thumbnails from running through viewfile
• Not sure if excluding any gifs, jpegs and icos from ACL checking is a good thing. These are not a safe exception
• In general it is better to replace viewfile with xsendfile. See XSendFileContrib for more infos.

-- MichaelDaum - 06 Oct 2022

Commenting is disabled while not logged in