
I have a webserver (Linux, Ubuntu 16.04) running Apache. I use it to host some ASP.NET applications with Mono, developed using the ServiceStack framework. Here is my vhost configuration:

<VirtualHost *:443>
    ServerName myhost

    ServerAdmin me@myhost
    DocumentRoot /var/www/

    ErrorLog ${APACHE_LOG_DIR}/myhost-error.log
    CustomLog ${APACHE_LOG_DIR}/myhost-access.log combined

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/myhost/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/myhost/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/myhost/fullchain.pem

    Header always set Strict-Transport-Security "max-age=15768000"

    <Directory /var/www>
       AllowOverride None
       deny from all
    </Directory>

    # Configure the myservice backend and frontend

    <Directory /var/www/myservice/backend>
       AllowOverride None
       Order allow,deny
       allow from all
    </Directory>

    Alias /myservice "/var/www/myservice/frontend"
    Alias /csc "/var/www/myservice/frontend"
    <Directory /var/www/myservice/frontend>
       AllowOverride None
       Order allow,deny
       allow from all
    </Directory>

    MonoMaxActiveRequests 150 
    MonoMaxWaitingRequests 150 
    MonoSetEnv MONO_THREADS_PER_CPU=100

    MonoServerPath "/usr/bin/mod-mono-server4"
    MonoServerPath backend "/usr/bin/mod-mono-server4"
    MonoApplications backend "/myservice/backend:/var/www/myservice/backend"
    KeepAliveTimeout 5
    Alias /myservice/backend "/var/www/myservice/backend"

    <Location /myservice/backend>
       Allow from all
       Order allow,deny
       MonoSetServerAlias backend
       SetHandler mono
    </Location>
    <Directory /var/www/myservice/backend>
       AllowOverride None
       Order allow,deny
       allow from all
    </Directory>

    # Configure the test sites for the myservice

    <Directory /var/www/test/myservice/backend>
       AllowOverride None
       Order allow,deny
       allow from all
    </Directory>

    Alias /test/myservice "/var/www/test/myservice/frontend"
    Alias /test/csc "/var/www/test/myservice/frontend"
    <Directory /var/www/test/myservice/frontend>
       AllowOverride None
       Order allow,deny
       allow from all
    </Directory>

    MonoServerPath test_backend "/usr/bin/mod-mono-server4"
    MonoApplications test_backend "/test/myservice/backend:/var/www/test/myservice/backend"

    <Location /test/myservice/backend>
       Allow from all
       Order allow,deny
       MonoSetServerAlias test_backend
       SetHandler mono
    </Location>


    # Configure WebDav access

    Alias /webdav "/var/www/webdav"
    <Location /webdav>
       Options Indexes
       DAV On
       AuthType Basic
       AuthName "webdav"
       AuthUserFile /etc/apache2/webdav.password
       Require valid-user
       Order allow,deny
       allow from all
    </Location>
</VirtualHost>

This works, more or less, but it still causes some errors in the Apache logs:

==> /var/log/apache2/myhost-error.log <==
[Tue Jun 13 09:00:27.874100 2017] [access_compat:error] [pid 62595:tid 140403123173120] [client 1.2.3.4:53342] AH01797: client denied by server configuration: /var/www/items, referer: https://myhost/csc/

==> /var/log/apache2/myhost-access.log <==
1.2.3.4 - - [13/Jun/2017:09:00:27 +0200] "GET /myservice/backend/items/42 HTTP/1.1" 200 578 "https://myhost/csc/" "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; SD; rv:11.0) like Gecko"

So, the client tries to access a valid route in the backend (/myservice/backend/items/42) via the frontend (myhost/csc) and gets a correct result from the service, but for some reason Apache tries to access that item directly from the htdocs directory (/var/www/items) first. Does somebody see where this error is coming from?

mat

1 Answer


So looking through for bits of configuration which might match your request, I see the following which might match the /myservice/backend/items/42 path:

Alias /myservice "/var/www/myservice/frontend"
Alias /myservice/backend "/var/www/myservice/backend"
<Location /myservice/backend>

All of that seems pretty conflicting and confusing. Figuring out which takes effect comes down to a more careful reading of the processing rules than you'd hope to need. Clean up!

I urge you to try and arrange things such that:

  • it's not necessary to know whether an Alias directive or a Location directive takes effect first.
  • The most specific Alias directive comes first in your file. The latter one presumably has no effect.
  • Alias directives are mostly for mapping requests to areas outside the document root. Within the document root, I'd use mod_rewrite. Consider making it a client side redirect in order that you don't have multiple URLs pointing to the same content.
  • Read the notes about using location blocks for access control, and make sure you aren't doing that. I'm not familiar with Mono, but I imagine it shouldn't be using paths inside your document root?
  • Should your webdav stuff use a <Directory> block rather than a <Location>?

After the URL path gets mapped to a directory, you don't want to have multiple definitions for <Directory /var/www/myservice/backend>. They look equivalent at present, but could diverge over time and create confusion.

I'm not sure what happened with your request, but are you sure that those two log lines match? You've got an error on the one hand, and a 200 status on the other. Consider using curl rather than a browser, so you can avoid firing sub-requests.

I suspect that by the time you've tidied up your configuration, one way or another, your problem will have gone away. Maybe you will have understood it along the way, or maybe it'll just disappear, or maybe it wasn't even there to start with (e.g. was a product of confused log entries from different requests). If not those things, could that error have come from your mono application?

mc0e
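The two cleanup points from the answer above (most specific Alias first, no repeated <Directory> blocks) can be checked mechanically. The following is an added example, not part of the original question or answer; it relies on mod_alias using the first matching Alias in file order within one context, and the names `lint_vhost`, `covers` and `SAMPLE_VHOST` are hypothetical.

```python
import re

# Constructed sample: the Alias and <Directory> lines from the question's vhost.
SAMPLE_VHOST = '''
<Directory /var/www/myservice/backend>
</Directory>
Alias /myservice "/var/www/myservice/frontend"
Alias /csc "/var/www/myservice/frontend"
Alias /myservice/backend "/var/www/myservice/backend"
<Directory /var/www/myservice/backend>
</Directory>
Alias /test/myservice "/var/www/test/myservice/frontend"
'''

ALIAS_RE = re.compile(r'^\s*Alias\s+"?([^"\s]+)"?\s+"?([^"\s]+)"?', re.I)
DIR_RE = re.compile(r'^\s*<Directory\s+"?([^">\s]+)"?\s*>', re.I)

def covers(prefix, path):
    """True if an Alias for prefix also matches path (whole path segments)."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")

def lint_vhost(text):
    """Return (shadowed_aliases, duplicate_directories) for one context."""
    aliases, dirs, shadowed, dupes = [], {}, [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ALIAS_RE.match(line)
        if m:
            url = m.group(1)
            # mod_alias takes the first matching Alias in file order, so an
            # earlier, shorter prefix wins over this more specific one.
            for earlier_url, earlier_line in aliases:
                if covers(earlier_url, url):
                    shadowed.append((url, lineno, earlier_url, earlier_line))
                    break
            aliases.append((url, lineno))
            continue
        m = DIR_RE.match(line)
        if m:
            path = m.group(1).rstrip("/")
            if path in dirs:
                dupes.append((path, dirs[path], lineno))
            else:
                dirs[path] = lineno
    return shadowed, dupes

if __name__ == "__main__":
    for finding in lint_vhost(SAMPLE_VHOST):
        print(finding)
```

Each shadowed entry is (alias, line, earlier alias, earlier line); each duplicate entry is (directory, first line, repeated line).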