Bug 1282481 - AliasMatch in manual.conf yields 403 Forbidden for httpd24-httpd-manual.noarch
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Software Collections
Classification: Red Hat
Component: httpd24
Version: httpd24
Hardware: x86_64
OS: Linux
unspecified
low
Target Milestone: alpha
: 2.1
Assignee: Jan Kaluža
QA Contact: Martin Frodl
Reported: 2015-11-16 14:49 UTC by Tomas Hajek
Modified: 2016-05-31 10:16 UTC

Fixed In Version: httpd24-httpd-2.4.18-3.el6 httpd24-httpd-2.4.18-3.el7
Doc Type: Bug Fix
Last Closed: 2016-05-31 10:16:58 UTC

Links
System: Red Hat Product Errata
ID: RHBA-2016:1154
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: httpd24 bug fix and enhancement update
Last Updated: 2016-05-31 13:48:49 UTC

Description Tomas Hajek 2015-11-16 14:49:25 UTC
Description of problem:
After installing the httpd24-httpd-manual.noarch package, the configuration file provided yields a 403 Forbidden when trying to access http://localhost/manual/ or http://<servername>/manual/

When installing the package httpd24-httpd-manual.noarch the following file is provided:
/opt/rh/httpd24/root/etc/httpd/conf.d/manual.conf
Which contains the following:
#
# This configuration file allows the manual to be accessed at 
# http://localhost/manual/
#
AliasMatch ^/manual(?:/(?:de|en|fr|ja|ko|ru))?(/.*)?$ "/usr/share/httpd/manual$1"

<Directory "/opt/rh/httpd24/root/usr/share/httpd/manual">
    Options Indexes
    AllowOverride None
    Require all granted
</Directory>

The AliasMatch path does not refer to the path (/usr/share/httpd/manual$1) where the documentation is installed (/opt/rh/httpd24/root/usr/share/httpd/manual) for the SCL version of httpd24; however, the Directory directive appears to be correct.

Note also that the comment specifies that the configuration file allows for access from http://localhost/manual/ but it is not restricted to localhost and if the AliasMatch line was correct it would present the manual path to all hosts and not just localhost.

Version-Release number of selected component (if applicable):
httpd24-httpd-manual-2.4.12-4.el6.2.noarch

How reproducible:
I've reproduced on multiple systems and the results are consistent as would be expected as the configuration file appears to be incorrect.

Steps to Reproduce:
1. sudo yum install httpd24-httpd-manual.noarch
2. sudo /etc/init.d/httpd24-httpd restart
3. Go to http://localhost/manual/

Actual results:
Receive a 403 Forbidden page

Expected results:
Presented with the index for the Apache 2.4 documentation


Additional info:
This testing and installation was performed on Red Hat Enterprise Linux Server release 6.7 (Santiago)

If I change the AliasMatch line to the following then it works:
AliasMatch ^/manual(?:/(?:de|en|fr|ja|ko|ru))?(/.*)?$ "/opt/rh/httpd24/root/usr/share/httpd/manual$1"

However, I do have some concerns that there is no restriction on presenting the ^/manual/ pages to only localhost.
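
Added example (not part of the original report and not Red Hat's code): a small Python check for the mismatch described above, listing Alias/AliasMatch targets in a conf file that fall under no <Directory> section of the same file. The function names and the single-file scope are assumptions; the sample text is constructed from the manual.conf quoted in the report.

```python
import re

# Constructed sample: the manual.conf quoted in the report. The AliasMatch
# target lacks the /opt/rh/httpd24/root prefix used by the <Directory> section.
SHIPPED = r'''
AliasMatch ^/manual(?:/(?:de|en|fr|ja|ko|ru))?(/.*)?$ "/usr/share/httpd/manual$1"
<Directory "/opt/rh/httpd24/root/usr/share/httpd/manual">
    Options Indexes
    AllowOverride None
    Require all granted
</Directory>
'''
# Same file with the reporter's corrected AliasMatch target substituted in.
FIXED = SHIPPED.replace('"/usr/share', '"/opt/rh/httpd24/root/usr/share')

# Directive name, URL pattern, filesystem target (optionally quoted).
ALIAS_RE = re.compile(r'^\s*(Alias|AliasMatch)\s+(\S+)\s+"?([^"\s]+)"?\s*$',
                      re.I | re.M)
# Path of each <Directory ...> section (DirectoryMatch is not handled).
DIR_RE = re.compile(r'^\s*<Directory\s+"?([^">]+?)"?\s*>', re.I | re.M)


def static_prefix(target):
    """Filesystem path up to the first $N backreference, no trailing slash."""
    return re.split(r'\$\d', target, maxsplit=1)[0].rstrip('/')


def uncovered_aliases(conf_text):
    """Return (directive, target) pairs whose target is under no <Directory>."""
    dirs = [d.rstrip('/') for d in DIR_RE.findall(conf_text)]
    findings = []
    for directive, _url, target in ALIAS_RE.findall(conf_text):
        path = static_prefix(target)
        covered = any(path == d or path.startswith(d + '/') for d in dirs)
        if not covered:
            findings.append((directive, target))
    return findings


if __name__ == '__main__':
    for name, text in (('shipped', SHIPPED), ('fixed', FIXED)):
        print(name, uncovered_aliases(text))
```

This check does not cover the reporter's second concern: in httpd 2.4, limiting a section to requests from the local host is done with `Require local` in place of `Require all granted`.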

Comment 5 errata-xmlrpc 2016-05-31 10:16:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1154

