Need to allow encoded slashes on Apache
I kept coming across this post for another issue. Let me just explain real quick.
I had the same style URL and was also trying to proxy it.
Example: Proxy requests from /example/
to another server.
/example/http:%2F%2Fwww.someurl.com/
Issue 1: Apache believes that's an invalid url
Solution: AllowEncodedSlashes On
in httpd.conf
Issue 2: Apache decodes the encoded slashes
Solution: AllowEncodedSlashes NoDecode
in httpd.conf (Requires Apache 2.3.12+)
Issue 3: mod_proxy attempts to re-encode (double encode) the URL changing %2F
to %252F
(eg. /example/http:%252F%252Fwww.someurl.com/
)
Solution: In httpd.conf
use the ProxyPass
keyword nocanon
to pass the raw URL thru the proxy.
ProxyPass http://anotherserver:8080/example/ nocanon
httpd.conf file:
AllowEncodedSlashes NoDecode<Location /example/> ProxyPass http://anotherserver:8080/example/ nocanon</Location>
Reference:
This issue is not related to Apache Bug 35256. Rather, it is related to Bug 46830. The AllowEncodedSlashes
setting is not inherited by virtual hosts, and virtual hosts are used in many default Apache configurations, such as the one in Ubuntu. The workaround is to add the AllowEncodedSlashes
setting inside a <VirtualHost>
container (/etc/apache2/sites-available/default
in Ubuntu).
Bug 35256: %2F
will be decoded in PATH_INFO (Documentation to AllowEncodedSlashes
says no decoding will be done)
Bug 46830: If AllowEncodedSlashes On
is set in the global context, it is not inherited by virtual hosts. You must explicitly set AllowEncodedSlashes On
in every <VirtalHost>
container.
The documentation for how the different configuration sections are merged says:
Sections inside
<VirtualHost>
sections are applied after the corresponding sections outside the virtual host definition. This allows virtual hosts to override the main server configuration.
I wasted a great many hours on this problem too. I'm a bit late to the party, but it seems there's a solution now.
As per this thread, there is (was) a bug in Apache such that if you have AllowEncodedSlashes On
, it prevents the 404, but it mistakenly decodes the slashes, which is incorrect according to the RFC.
This comment offers a solution, namely to use:
AllowEncodedSlashes NoDecode