Redirect Loop htaccess on MacOS Server

I’ve been working on installing Passbolt on a MacOS server and it’s been going well. However, I just created my admin user per the tutorials and on the part to access the link provided, it fails with an infinite redirect loop. When trying to view just the index page, I get the same redirect loop.

I’ve verified mod_rewrite is on and working, and all other prerequisites are met.

Here’s my mod_rewrite log:

[Wed Nov 15 12:17:59.964770 2017] [rewrite:trace3] [pid 53274] mod_rewrite.c(480): [client 127.0.0.1:56333] 127.0.0.1 - - [/sid#7fb69d827120][rid#7fb69e060ea0/initial] [perdir /Library/Server/Web/Data/Sites/passbolt/] strip per-dir prefix: /Library/Server/Web/Data/Sites/passbolt/ →
[Wed Nov 15 12:17:59.964799 2017] [rewrite:trace3] [pid 53274] mod_rewrite.c(480): [client 127.0.0.1:56333] 127.0.0.1 - - [sid#7fb69d827120][rid#7fb69e060ea0/initial] [perdir /Library/Server/Web/Data/Sites/passbolt/] applying pattern ‘^$’ to uri ‘’
[Wed Nov 15 12:17:59.964819 2017] [rewrite:trace2] [pid 53274] mod_rewrite.c(480): [client 127.0.0.1:56333] 127.0.0.1 - - [/sid#7fb69d827120][rid#7fb69e060ea0/initial] [perdir /Library/Server/Web/Data/Sites/passbolt/] rewrite ‘’ → ‘app/webroot/’
[Wed Nov 15 12:17:59.964836 2017] [rewrite:trace3] [pid 53274] mod_rewrite.c(480): [client 127.0.0.1:56333] 127.0.0.1 - - [/sid#7fb69d827120][rid#7fb69e060ea0/initial] [perdir /Library/Server/Web/Data/Sites/passbolt/] add per-dir prefix: app/webroot/ → /Library/Server/Web/Data/Sites/passbolt/app/webroot/
[Wed Nov 15 12:17:59.964855 2017] [rewrite:trace2] [pid 53274] mod_rewrite.c(480): [client 127.0.0.1:56333] 127.0.0.1 - - [/sid#7fb69d827120][rid#7fb69e060ea0/initial] [perdir /Library/Server/Web/Data/Sites/passbolt/] strip document_root prefix: /Library/Server/Web/Data/Sites/passbolt/app/webroot/ → /app/webroot/
[Wed Nov 15 12:17:59.964871 2017] [rewrite:trace1] [pid 53274] mod_rewrite.c(480): [client 127.0.0.1:56333] 127.0.0.1 - - [/sid#7fb69d827120][rid#7fb69e060ea0/initial] [perdir /Library/Server/Web/Data/Sites/passbolt/] internal redirect with /app/webroot/ [INTERNAL REDIRECT]
[Wed Nov 15 12:17:59.965049 2017] [rewrite:trace3] [pid 53274] mod_rewrite.c(480): [client 127.0.0.1:56333] 127.0.0.1 - - [/sid#7fb69d827120][rid#7fb69e04e7d8/initial/redir#1] [perdir /Library/Server/Web/Data/Sites/passbolt/app/webroot/] strip per-dir prefix: /Library/Server/Web/Data/Sites/passbolt/app/webroot/ →
[Wed Nov 15 12:17:59.965076 2017] [rewrite:trace3] [pid 53274] mod_rewrite.c(480): [client 127.0.0.1:56333] 127.0.0.1 - - [sid#7fb69d827120][rid#7fb69e04e7d8/initial/redir#1] [perdir /Library/Server/Web/Data/Sites/passbolt/app/webroot/] applying pattern ‘^’ to uri ‘’
[Wed Nov 15 12:17:59.965102 2017] [rewrite:trace1] [pid 53274] mod_rewrite.c(480): [client 127.0.0.1:56333] 127.0.0.1 - - [/sid#7fb69d827120][rid#7fb69e04e7d8/initial/redir#1] [perdir /Library/Server/Web/Data/Sites/passbolt/app/webroot/] pass through /Library/Server/Web/Data/Sites/passbolt/app/webroot/
[Wed Nov 15 12:17:59.965171 2017] [rewrite:trace3] [pid 53274] mod_rewrite.c(480): [client 127.0.0.1:56333] 127.0.0.1 - - [/sid#7fb69d827120][rid#7fb69e064ea0/subreq] [perdir /Library/Server/Web/Data/Sites/passbolt/app/webroot/] strip per-dir prefix: /Library/Server/Web/Data/Sites/passbolt/app/webroot/index.html → index.html
[Wed Nov 15 12:17:59.965191 2017] [rewrite:trace3] [pid 53274] mod_rewrite.c(480): [client 127.0.0.1:56333] 127.0.0.1 - - [/sid#7fb69d827120][rid#7fb69e064ea0/subreq] [perdir /Library/Server/Web/Data/Sites/passbolt/app/webroot/] applying pattern ‘^’ to uri ‘index.html’
[Wed Nov 15 12:17:59.965214 2017] [rewrite:trace2] [pid 53274] mod_rewrite.c(480): [client 127.0.0.1:56333] 127.0.0.1 - - [/sid#7fb69d827120][rid#7fb69e064ea0/subreq] [perdir /Library/Server/Web/Data/Sites/passbolt/app/webroot/] rewrite ‘index.html’ → ‘index.php’
[Wed Nov 15 12:17:59.965231 2017] [rewrite:trace3] [pid 53274] mod_rewrite.c(480): [client 127.0.0.1:56333] 127.0.0.1 - - [sid#7fb69d827120][rid#7fb69e064ea0/subreq] [perdir /Library/Server/Web/Data/Sites/passbolt/app/webroot/] add per-dir prefix: index.php → /Library/Server/Web/Data/Sites/passbolt/app/webroot/index.php
[Wed Nov 15 12:17:59.965248 2017] [rewrite:trace2] [pid 53274] mod_rewrite.c(480): [client 127.0.0.1:56333] 127.0.0.1 - - [/sid#7fb69d827120][rid#7fb69e064ea0/subreq] [perdir /Library/Server/Web/Data/Sites/passbolt/app/webroot/] strip document_root prefix: /Library/Server/Web/Data/Sites/passbolt/app/webroot/index.php → /app/webroot/index.php
[Wed Nov 15 12:17:59.965265 2017] [rewrite:trace1] [pid 53274] mod_rewrite.c(480): [client 127.0.0.1:56333] 127.0.0.1 - - [/sid#7fb69d827120][rid#7fb69e064ea0/subreq] [perdir /Library/Server/Web/Data/Sites/passbolt/app/webroot/] internal redirect with /app/webroot/index.php [INTERNAL REDIRECT]
[Wed Nov 15 12:17:59.965310 2017] [rewrite:trace3] [pid 53274] mod_rewrite.c(480): [client 127.0.0.1:56333] 127.0.0.1 - - [sid#7fb69d827120][rid#7fb69e062ea0/subreq] [perdir /Library/Server/Web/Data/Sites/passbolt/app/webroot/] strip per-dir prefix: /Library/Server/Web/Data/Sites/passbolt/app/webroot/index.php → index.php
[Wed Nov 15 12:17:59.965331 2017] [rewrite:trace3] [pid 53274] mod_rewrite.c(480): [client 127.0.0.1:56333] 127.0.0.1 - - [/sid#7fb69d827120][rid#7fb69e062ea0/subreq] [perdir /Library/Server/Web/Data/Sites/passbolt/app/webroot/] applying pattern ‘^’ to uri ‘index.php’
[Wed Nov 15 12:17:59.965358 2017] [rewrite:trace1] [pid 53274] mod_rewrite.c(480): [client 127.0.0.1:56333] 127.0.0.1 - - [/sid#7fb69d827120][rid#7fb69e062ea0/subreq] [perdir /Library/Server/Web/Data/Sites/passbolt/app/webroot/] pass through /Library/Server/Web/Data/Sites/passbolt/app/webroot/index.php

Healthcheck shell

Environment

[PASS] PHP version 7.1.7
[PASS] PCRE compiled with unicode support
[PASS] The temporary directory and its content are writable
[PASS] The public image directory and its content are writable

Config files

[PASS] The core config file is present
[PASS] The database config file is present
[PASS] The email config file is present
[PASS] The application config file is present

Core config

[PASS] Debug mode is off.
[PASS] Cache is working.
[PASS] Unique value set for security.salt
[PASS] Unique value set for security.cipherSeed
[PASS] Full base url is set to https://passbolt.monigle.com/
[PASS] App.fullBaseUrl validation OK.
[FAIL] Could not reach the /healthcheck/status with the url specified in App.fullBaseUrl
[HELP] Check that the domain name is correct in app/Config/core.php
[HELP] Check the network settings

SSL Certificate

[FAIL] SSL peer certificate does not validate
[FAIL] Hostname does not match when validating certificates.
[WARN] Using a self-signed certificate

Database

[PASS] Configured to use a supported database backend
[PASS] The application is able to connect to the database
[PASS] Not using a prefix for database tables
[PASS] 20 tables found
[PASS] Some default content is present
[PASS] The database schema up to date.

GPG Configuration

[PASS] PHP GPG Module is installed and loaded
[PASS] The server gpg key is not the default one
[PASS] The environment variable GNUPGHOME is set to /Users/macadmin/.gnupg
[PASS] The directory /Users/macadmin/.gnupg containing the keyring is writable by the user the webserver is running as.
[PASS] The public key file is defined in app/config.php and readable.
[PASS] The private key file is defined in app/config.php and readable.
[PASS] The server key fingerprint matches the one defined in app/config.php.
[PASS] The server key defined in the app/Config.php is in the keyring.
[PASS] There is a valid email id defined for the server key.
[PASS] The public key can be used to encrypt and sign a message.
[PASS] The private key can be used to decrypt a message.

Application configuration

[PASS] Using latest passbolt version (1.6.5)
[PASS] Passbolt is configured to force SSL use
[PASS] App.fullBaseUrl is set to HTTPS
[PASS] Selenium API endpoints are disabled.
[PASS] Search engine robots are told not to index content.
[PASS] Registration is closed, only administrators can add users.
[PASS] Serving the compiled version of the javascript app
[PASS] All email notifications will be sent.

Development Tools (optional)

[PASS] Phpunit is installed
[PASS] Phpunit version is 3.7.38

3 error(s) found. Hang in there!

I’ve tried the setup from scratch a few times and still get the redirect loop. My error_log is clear of anything except the rewrite logging and the passbolt error log doesn’t exist, so I assume it never got to error out.

I’ve run htaccess tests and by visiting the domain I have set (passbolt.monigle.url) in the test, it eventually gives an output url of passbolt.monigle.url/index.php after stripping everything else from the url away.

But my browser never shows this url in the bar, gives me the 301 error and that’s it. Could it be the passthrough line that is causing it to fail?

I’ve put a phpinfo.php file in the app directory and as long as the .htaccess file exists in that directory, I get the 301 as expected, but as soon as I remove it and access the phpinfo, it works fine.

So it’s definitely something with the url rewriting.

Using:

Apache 2.4.7
PHP 7.1.8
Mysql 5.7.2

Thanks for your help

Checklist
I have read intro post: About the Installation Issues category
I have read the tutorials, help and searched for similar issues
I provide relevant information about my server (component names and versions, etc.)
I provide a copy of my logs and healthcheck
I describe the steps I have taken to trouble shoot the problem
I describe the steps on how to reproduce the issue
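
An added example, not part of the original post: a small Python parser for mod_rewrite trace lines like the ones above. It tells an internal rewrite loop apart from a chain that ends in "pass through" or in a redirect sent to the client. The helper names and the sample lines are constructed for illustration (shortened ids and paths), and the input is assumed to cover a single client request.

```python
import re

# Forum rendering turns ' into curly quotes and -> into an arrow; undo that first.
_NORMALIZE = str.maketrans({"\u2018": "'", "\u2019": "'", "\u2192": "->"})

# Request id, request kind (initial, initial/redir#N, subreq), optional perdir, message.
LINE_RE = re.compile(
    r"\[rewrite:trace\d\].*?\[rid#(?P<rid>[0-9a-f]+)/(?P<kind>[^\]]+)\]\s*"
    r"(?:\[perdir (?P<perdir>[^\]]*)\]\s*)?(?P<msg>.*)$"
)

# Messages that change or finish the request; everything else is detail.
ACTIONS = [
    ("rewrite", re.compile(r"rewrite '(?P<src>.*)' -> '(?P<target>.*)'$")),
    ("internal_redirect",
     re.compile(r"internal redirect with (?P<target>\S+) \[INTERNAL REDIRECT\]$")),
    ("external_redirect",
     re.compile(r"redirect to (?P<target>\S+) \[REDIRECT/\d+\]$")),
    ("pass_through", re.compile(r"pass through (?P<target>\S+)$")),
]


def parse_events(text):
    """Return (rid, kind, action, target) tuples in log order."""
    events = []
    for line in text.translate(_NORMALIZE).splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        msg = m.group("msg").strip()
        for action, rx in ACTIONS:
            hit = rx.match(msg)
            if hit:
                events.append((m.group("rid"), m.group("kind"),
                               action, hit.group("target")))
                break
    return events


def classify(events):
    """Classify the trace of ONE client request (assumption of this example)."""
    if any(action == "external_redirect" for _, _, action, _ in events):
        return "external-redirect"   # the rewrite rules sent a 3xx to the client
    targets = [t for _, _, action, t in events if action == "internal_redirect"]
    if len(targets) != len(set(targets)):
        return "internal-loop"       # same internal target reached twice
    if any(action == "pass_through" for _, _, action, _ in events):
        return "terminates"          # the rules handed the request on unchanged
    return "incomplete"


def _line(rid, kind, perdir, msg, level=2):
    # Builds one constructed log line in the raw error_log layout.
    return (f"[Wed Nov 15 12:17:59.000000 2017] [rewrite:trace{level}] [pid 1] "
            f"mod_rewrite.c(480): [client 127.0.0.1:50000] 127.0.0.1 - - "
            f"[localhost/sid#aa][rid#{rid}/{kind}] [perdir {perdir}] {msg}")


# Constructed sample modelled on the trace in the post.
SAMPLE_PASS = "\n".join([
    _line("e060", "initial", "/site/", "rewrite '' -> 'app/webroot/'"),
    _line("e060", "initial", "/site/",
          "internal redirect with /app/webroot/ [INTERNAL REDIRECT]", 1),
    _line("e064", "subreq", "/site/app/webroot/",
          "rewrite 'index.html' -> 'index.php'"),
    _line("e064", "subreq", "/site/app/webroot/",
          "internal redirect with /app/webroot/index.php [INTERNAL REDIRECT]", 1),
    _line("e062", "subreq", "/site/app/webroot/",
          "pass through /site/app/webroot/index.php", 1),
])

# Constructed sample: two rules that keep swapping a.html and b.html.
SAMPLE_LOOP = "\n".join([
    _line("a001", "initial", "/site/", "rewrite 'a.html' -> 'b.html'"),
    _line("a001", "initial", "/site/",
          "internal redirect with /b.html [INTERNAL REDIRECT]", 1),
    _line("a002", "initial/redir#1", "/site/", "rewrite 'b.html' -> 'a.html'"),
    _line("a002", "initial/redir#1", "/site/",
          "internal redirect with /a.html [INTERNAL REDIRECT]", 1),
    _line("a003", "initial/redir#2", "/site/", "rewrite 'a.html' -> 'b.html'"),
    _line("a003", "initial/redir#2", "/site/",
          "internal redirect with /b.html [INTERNAL REDIRECT]", 1),
])

# Constructed sample: a rule with the R flag answering the client with a 301.
SAMPLE_EXTERNAL = _line("b001", "initial", "/site/",
                        "redirect to https://example.test/ [REDIRECT/301]", 1)

# Constructed line with the curly quotes and arrow a forum paste produces.
SAMPLE_MANGLED = _line("e064", "subreq", "/site/app/webroot/",
                       "rewrite \u2018index.html\u2019 \u2192 \u2018index.php\u2019")

if __name__ == "__main__":
    for name in ("SAMPLE_PASS", "SAMPLE_LOOP", "SAMPLE_EXTERNAL"):
        print(name, classify(parse_events(globals()[name])))
```

A "terminates" result means the rewrite rules in that trace neither looped nor sent a redirect themselves.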

Can you share your apache / virtualhost config?

Here’s my httpd.conf

#
# macOS Server
#
# When macOS Server is installed and set up (promoted), this file is copied
# to /Library/Server/Web/Config/apache2/httpd_server_app.conf. Both macOS
# and macOS Server use the same httpd executable, but macOS uses the config
# file in /etc/apache2.httpd.conf while macOS Server's Websites service uses
# this config file.
#
# The <IfDefine WEBSERVICE_ON> blocks segregate directives that only apply when
# Websites Service (as opposed to certain other Server services that need Apache)
# is on. The launchd plist sets appropriate Define parameters.
# Custom virtual hosts are only activated when Websites Service is on.

# Parameterized to pick up env vars (set by launchd.plist) for
# SERVER_INSTALL_PATH_PREFIX

# See <URL:http://httpd.apache.org/docs/2.4> for detailed information.
# In particular, see 
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.  
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "logs/access_log"
# with ServerRoot set to "/usr/local/apache2" will be interpreted by the
# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log" 
# will be interpreted as '/logs/access_log'.

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path.  If you point
# ServerRoot at a non-local disk, be sure to specify a local disk on the
# Mutex directive, if file-based mutexes are used.  If you wish to share the
# same ServerRoot for multiple httpd daemons, you will need to change at
# least PidFile.
#
ServerRoot "/usr"

#
# Mutex: Allows you to set the mutex mechanism and mutex file directory
# for individual mutexes, or change the global defaults
#
# Uncomment and change the directory if mutexes are file-based and the default
# mutex file directory is not on a local disk or is not appropriate for some
# other reason.
#
# Mutex default:/private/var/run

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to 
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80

#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
LoadModule authn_file_module libexec/apache2/mod_authn_file.so
#LoadModule authn_dbm_module libexec/apache2/mod_authn_dbm.so
#LoadModule authn_anon_module libexec/apache2/mod_authn_anon.so
#LoadModule authn_dbd_module libexec/apache2/mod_authn_dbd.so
#LoadModule authn_socache_module libexec/apache2/mod_authn_socache.so
LoadModule authn_core_module libexec/apache2/mod_authn_core.so
LoadModule authz_host_module libexec/apache2/mod_authz_host.so
LoadModule authz_groupfile_module libexec/apache2/mod_authz_groupfile.so
LoadModule authz_user_module libexec/apache2/mod_authz_user.so
#LoadModule authz_dbm_module libexec/apache2/mod_authz_dbm.so
#LoadModule authz_owner_module libexec/apache2/mod_authz_owner.so
#LoadModule authz_dbd_module libexec/apache2/mod_authz_dbd.so
LoadModule authz_core_module libexec/apache2/mod_authz_core.so
LoadModule access_compat_module libexec/apache2/mod_access_compat.so
#LoadModule auth_basic_module libexec/apache2/mod_auth_basic.so
#LoadModule auth_form_module libexec/apache2/mod_auth_form.so
#LoadModule auth_digest_module libexec/apache2/mod_auth_digest.so
#LoadModule allowmethods_module libexec/apache2/mod_allowmethods.so
#LoadModule file_cache_module libexec/apache2/mod_file_cache.so
LoadModule cache_module libexec/apache2/mod_cache.so
LoadModule cache_disk_module libexec/apache2/mod_cache_disk.so
#LoadModule cache_socache_module libexec/apache2/mod_cache_socache.so
LoadModule socache_shmcb_module libexec/apache2/mod_socache_shmcb.so
LoadModule socache_dbm_module libexec/apache2/mod_socache_dbm.so
LoadModule socache_memcache_module libexec/apache2/mod_socache_memcache.so
#LoadModule watchdog_module libexec/apache2/mod_watchdog.so
#LoadModule macro_module libexec/apache2/mod_macro.so
#LoadModule dbd_module libexec/apache2/mod_dbd.so
LoadModule dumpio_module libexec/apache2/mod_dumpio.so
#LoadModule echo_module libexec/apache2/mod_echo.so
#LoadModule buffer_module libexec/apache2/mod_buffer.so
#LoadModule data_module libexec/apache2/mod_data.so
#LoadModule ratelimit_module libexec/apache2/mod_ratelimit.so
LoadModule reqtimeout_module libexec/apache2/mod_reqtimeout.so
#LoadModule ext_filter_module libexec/apache2/mod_ext_filter.so
#LoadModule request_module libexec/apache2/mod_request.so
#LoadModule include_module libexec/apache2/mod_include.so
LoadModule filter_module libexec/apache2/mod_filter.so
#LoadModule reflector_module libexec/apache2/mod_reflector.so
LoadModule substitute_module libexec/apache2/mod_substitute.so
#LoadModule sed_module libexec/apache2/mod_sed.so
#LoadModule charset_lite_module libexec/apache2/mod_charset_lite.so
LoadModule deflate_module libexec/apache2/mod_deflate.so
#LoadModule xml2enc_module libexec/apache2/mod_xml2enc.so
#LoadModule proxy_html_module libexec/apache2/mod_proxy_html.so
LoadModule mime_module libexec/apache2/mod_mime.so
LoadModule log_config_module libexec/apache2/mod_log_config.so
#LoadModule log_debug_module libexec/apache2/mod_log_debug.so
LoadModule log_forensic_module libexec/apache2/mod_log_forensic.so
LoadModule logio_module libexec/apache2/mod_logio.so
LoadModule env_module libexec/apache2/mod_env.so
LoadModule mime_magic_module libexec/apache2/mod_mime_magic.so
LoadModule expires_module libexec/apache2/mod_expires.so
LoadModule headers_module libexec/apache2/mod_headers.so
LoadModule usertrack_module libexec/apache2/mod_usertrack.so
#LoadModule unique_id_module libexec/apache2/mod_unique_id.so
LoadModule setenvif_module libexec/apache2/mod_setenvif.so
LoadModule version_module libexec/apache2/mod_version.so
LoadModule remoteip_module libexec/apache2/mod_remoteip.so
LoadModule proxy_module libexec/apache2/mod_proxy.so
LoadModule proxy_connect_module libexec/apache2/mod_proxy_connect.so
#LoadModule proxy_ftp_module libexec/apache2/mod_proxy_ftp.so
LoadModule proxy_http_module libexec/apache2/mod_proxy_http.so
LoadModule proxy_fcgi_module libexec/apache2/mod_proxy_fcgi.so
LoadModule proxy_scgi_module libexec/apache2/mod_proxy_scgi.so
#LoadModule proxy_fdpass_module libexec/apache2/mod_proxy_fdpass.so
LoadModule proxy_wstunnel_module libexec/apache2/mod_proxy_wstunnel.so
LoadModule proxy_ajp_module libexec/apache2/mod_proxy_ajp.so
LoadModule proxy_balancer_module libexec/apache2/mod_proxy_balancer.so
LoadModule proxy_express_module libexec/apache2/mod_proxy_express.so
#LoadModule session_module libexec/apache2/mod_session.so
#LoadModule session_cookie_module libexec/apache2/mod_session_cookie.so
#LoadModule session_dbd_module libexec/apache2/mod_session_dbd.so
LoadModule slotmem_shm_module libexec/apache2/mod_slotmem_shm.so
#LoadModule slotmem_plain_module libexec/apache2/mod_slotmem_plain.so
# Do not enable both ssl_module and secure_transport_module
LoadModule ssl_module libexec/apache2/mod_ssl.so
#LoadModule dialup_module libexec/apache2/mod_dialup.so
LoadModule lbmethod_byrequests_module libexec/apache2/mod_lbmethod_byrequests.so
#LoadModule lbmethod_bytraffic_module libexec/apache2/mod_lbmethod_bytraffic.so
#LoadModule lbmethod_bybusyness_module libexec/apache2/mod_lbmethod_bybusyness.so
#LoadModule lbmethod_heartbeat_module libexec/apache2/mod_lbmethod_heartbeat.so
LoadModule unixd_module libexec/apache2/mod_unixd.so
#LoadModule heartbeat_module libexec/apache2/mod_heartbeat.so
#LoadModule heartmonitor_module libexec/apache2/mod_heartmonitor.so
LoadModule dav_module libexec/apache2/mod_dav.so
LoadModule status_module libexec/apache2/mod_status.so
LoadModule autoindex_module libexec/apache2/mod_autoindex.so
LoadModule asis_module libexec/apache2/mod_asis.so
LoadModule info_module libexec/apache2/mod_info.so
LoadModule cgi_module libexec/apache2/mod_cgi.so
LoadModule dav_fs_module libexec/apache2/mod_dav_fs.so
LoadModule dav_lock_module libexec/apache2/mod_dav_lock.so
LoadModule vhost_alias_module libexec/apache2/mod_vhost_alias.so
LoadModule negotiation_module libexec/apache2/mod_negotiation.so
LoadModule dir_module libexec/apache2/mod_dir.so
LoadModule actions_module libexec/apache2/mod_actions.so
LoadModule speling_module libexec/apache2/mod_speling.so
#LoadModule userdir_module libexec/apache2/mod_userdir.so
LoadModule alias_module libexec/apache2/mod_alias.so
LoadModule rewrite_module libexec/apache2/mod_rewrite.so
LoadModule php7_module libexec/apache2/libphp7.so

#Apple-specific client modules
LoadModule hfs_apple_module libexec/apache2/mod_hfs_apple.so

#Server-specific modules
# SERVER_INSTALL_PATH_PREFIX should be set as Environment variable in launchd.plist
#LoadModule apple_userdir_module ${SERVER_INSTALL_PATH_PREFIX}/usr/libexec/apache2/mod_userdir_apple.so
LoadModule bonjour_module ${SERVER_INSTALL_PATH_PREFIX}/usr/libexec/apache2/mod_bonjour.so
LoadModule auth_digest_apple_module ${SERVER_INSTALL_PATH_PREFIX}/usr/libexec/apache2/mod_auth_digest_apple.so
LoadModule apple_auth_module ${SERVER_INSTALL_PATH_PREFIX}/usr/libexec/apache2/mod_auth_apple.so
#LoadModule spnego_auth_module ${SERVER_INSTALL_PATH_PREFIX}/usr/libexec/apache2/mod_spnego_apple.so
#LoadModule apple_digest_module ${SERVER_INSTALL_PATH_PREFIX}/usr/libexec/apache2/mod_digest_apple.so
#LoadModule wsgi_module ${SERVER_INSTALL_PATH_PREFIX}/usr/libexec/apache2/mod_wsgi.so
LoadModule xsendfile_module ${SERVER_INSTALL_PATH_PREFIX}/usr/libexec/apache2/mod_xsendfile.so
#LoadModule secure_transport_module ${SERVER_INSTALL_PATH_PREFIX}/usr/libexec/apache2/mod_secure_transport.so

# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.  
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User _www
Group _www

# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition.  These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#

#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed.  This address appears on some server-generated pages, such
# as error documents.  e.g. admin@your-domain.com
#
ServerAdmin you@example.com

#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80

DocumentRoot /var/empty

<IfModule mod_auth_digest_apple.c>
    BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
</IfModule>
<IfModule mod_headers.c>
    Header add MS-Author-Via "DAV"
    RequestHeader set X_FORWARDED_PROTO 'https' env=https
    RequestHeader set X_FORWARDED_PROTO 'http' env=!https
    RequestHeader unset Proxy early
</IfModule>
<Directory ${SERVER_INSTALL_PATH_PREFIX}/usr/share/web/customerror>
	AllowOverride None
	Options MultiViews FollowSymlinks
	Require all granted
	Header Set Cache-Control no-cache
</Directory>
Alias /customerror ${SERVER_INSTALL_PATH_PREFIX}/usr/share/web/customerror

#
# The following lines prevent .htaccess and .htpasswd files from being 
# viewed by Web clients. 
#
<FilesMatch "^\.([Hh][Tt]|[Dd][Ss]_[Ss])">
    Require all denied
</FilesMatch>

#
# Apple specific filesystem protection.
#
<Files "rsrc">
    Require all denied
</Files>
<DirectoryMatch ".*\.\.namedfork">
    Require all denied
</DirectoryMatch>

#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog "/private/var/log/apache2/error_log"

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

<IfModule log_config_module>
    #
    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    #
    # Note the use of %a, managed by mod_remoteip for correct IP address with macOS Server 5.x,
    # where port 80/443 websites are behind the service proxy, and websites using other ports are not.
    # (Note that %a does not pick up HostNameLookups which is not recommended anyway.)
    #
    LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%v %a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combinedvhost
    LogFormat "%a %l %u %t \"%r\" %>s %b" common
    LogFormat "%v %a %l %u %t \"%r\" %>s %b" commonvhost
    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
      LogFormat "%v %a %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinediovhost
    </IfModule>

    #
    # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a <VirtualHost>
    # container, they will be logged here.  Contrariwise, if you *do*
    # define per-<VirtualHost> access logfiles, transactions will be
    # logged therein and *not* in this file.
    #
    CustomLog "/var/log/apache2/access_log" common

    #
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    #
    #CustomLog "/private/var/log/apache2/access_log" combined
</IfModule>

<IfModule alias_module>
    #
    # Redirect: Allows you to tell clients about documents that used to 
    # exist in your server's namespace, but do not anymore. The client 
    # will make a new request for the document at its new location.
    # Example:
    # Redirect permanent /foo http://www.example.com/bar

    #
    # Alias: Maps web paths into filesystem paths and is used to
    # access content that does not live under the DocumentRoot.
    # Example:
    # Alias /webpath /full/filesystem/path
    #
    # If you include a trailing / on /webpath then the server will
    # require it to be present in the URL.  You will also likely
    # need to provide a <Directory> section to allow access to
    # the filesystem path.

    #
    # ScriptAlias: This controls which directories contain server scripts. 
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the target directory are treated as applications and
    # run by the server when requested rather than as documents sent to the
    # client.  The same rules about trailing "/" apply to ScriptAlias
    # directives as to Alias.
    #
    ScriptAliasMatch ^/cgi-bin/((?!(?i:webobjects)).*$) "/Library/Server/Web/Data/CGI-Executables/$1"
</IfModule>

#
# "/Library/WebServer/CGI-Executables" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/Library/Server/Web/Data/CGI-Executables">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule mime_module>
    #
    # TypesConfig points to the file containing the list of mappings from
    # filename extension to MIME-type.
    #
    TypesConfig /private/etc/apache2/mime.types

    #
    # AddType allows you to add to or override the MIME configuration
    # file specified in TypesConfig for specific file types.
    #
    #AddType application/x-gzip .tgz
    #
    # AddEncoding allows you to have certain browsers uncompress
    # information on the fly. Note: Not all browsers support this.
    #
    #AddEncoding x-compress .Z
    #AddEncoding x-gzip .gz .tgz
    #
    # If the AddEncoding directives above are commented-out, then you
    # probably should define those extensions to indicate media types:
    #
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz

    #
    # AddHandler allows you to map certain file extensions to "handlers":
    # actions unrelated to filetype. These can be either built into the server
    # or added with the Action directive (see below)
    #
    # To use CGI scripts outside of ScriptAliased directories:
    # (You will also need to add "ExecCGI" to the "Options" directive.)
    #
    AddHandler cgi-script .cgi .pl .rb .py

    # For type maps (negotiated resources):
    #AddHandler type-map var

    #
    # Filters allow you to process content before it is sent to the client.
    #
    # To parse .shtml files for server-side includes (SSI):
    # (You will also need to add "Includes" to the "Options" directive.)
    #
    <IfModule mod_include.c>
        AddType text/html .shtml
        AddOutputFilter INCLUDES .shtml
    </IfModule>
</IfModule>

#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type.  The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
#MIMEMagicFile /private/etc/apache2/magic

#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#

#
# EnableMMAP and EnableSendfile: On systems that support it, 
# memory-mapping or the sendfile syscall is used to deliver
# files.  This usually improves server performance, but must
# be turned off when serving from networked-mounted 
# filesystems or if support for these functions is otherwise
# broken on your system.
#
#EnableMMAP off
#EnableSendfile off

TraceEnable off

# Supplemental configuration
#
# The configuration files in the /private/etc/apache2/extra/ directory can be 
# included to add extra features or to modify the default configuration of 
# the server, or you may simply copy their contents here and change as 
# necessary.

# Server-pool management (MPM prefork specific)
StartServers 1
MinSpareServers 1
MaxSpareServers 1
ListenBackLog 512
MaxConnectionsPerChild 100000
MaxRequestWorkers 256
ServerLimit 256

# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300

# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On

# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 15

# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100

# UseCanonicalName: Determines how Apache constructs self-referencing
# URLs and the SERVER_NAME and SERVER_PORT variables.
# When set "Off", Apache will use the Hostname and Port supplied
# by the client.  When set "On", Apache will use the value of the
# ServerName directive.
#
UseCanonicalName Off

#
# AccessFileName: The name of the file to look for in each directory
# for additional configuration directives.  See also the AllowOverride
# directive.
#
AccessFileName .htaccess

# ServerTokens
# This directive configures what you return as the Server HTTP response
# Header. The default is 'Full' which sends information about the OS-Type
# and compiled in modules.
# Set to one of:  Full | OS | Minor | Minimal | Major | Prod
# where Full conveys the most information, and Prod the least.
#
ServerTokens Prod

# Optionally add a line containing the server version and virtual host
# name to server-generated pages (internal error documents, FTP directory
# listings, mod_status and mod_info output etc., but not CGI generated
# documents or custom error documents).
# Set to "EMail" to also include a mailto: link to the ServerAdmin.
# Set to one of:  On | Off | EMail
#
ServerSignature On

# HostnameLookups: Log the names of clients or just their IP addresses
# e.g., www.apache.org (on) or 204.62.129.132 (off).
# The default is off because it'd be overall better for the net if people
# had to knowingly turn this feature on, since enabling it means that
# each client request will result in AT LEAST one lookup request to the
# nameserver.
#
HostnameLookups Off

# PidFile: The file in which the server should record its process
# identification number when it starts.
PidFile /var/run/server-httpd.pid

Mutex default mpm-accept

# Language settings
Include /private/etc/apache2/extra/httpd-languages.conf

# Multi-language error messages
#Include /private/etc/apache2/extra/httpd-multilang-errordoc.conf

# Fancy directory listings
#Include /private/etc/apache2/extra/httpd-autoindex.conf

# User home directories
#Include /private/etc/apache2/extra/httpd-userdir.conf

# Real-time info on requests and configuration
#Include /private/etc/apache2/extra/httpd-info.conf

# Virtual hosts
#Include /private/etc/apache2/extra/httpd-vhosts.conf

# Local access to the Apache HTTP Server Manual
#Include /private/etc/apache2/extra/httpd-manual.conf

# Distributed authoring and versioning (WebDAV)
#Include /private/etc/apache2/extra/httpd-dav.conf

# Certain generated config files, such as migrated forward proxy configs from SnowLeopard
IncludeOptional /Library/Server/Web/Config/apache2/other/*.conf

# Secure (SSL/TLS) connections
<IfModule mod_ssl.c>
    SSLProtocol -all +TLSv1.2
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    SSLPassPhraseDialog exec:/Library/Server/Web/Config/apache2/getsslpassphrase
    SSLSessionCache shmcb:/var/run/ssl_scache(512000)
    SSLSessionCacheTimeout 300
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    AddType application/x-x509-ca-cert crt
    AddType application/x-pkcs7-crl crl
</IfModule>

<IfModule mod_secure_transport.c>
    MSTProtocolRange TLSv1.2 TLSv1.2
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    MSTUseSessionCache on
    AddType application/x-x509-ca-cert crt
    AddType application/x-pkcs7-crl crl
</IfModule>

<IfModule php7_module>
    AddType application/x-httpd-php .php
    AddType application/x-httpd-php-source .phps
    <IfModule dir_module>
        DirectoryIndex index.html index.php
    </IfModule>
</IfModule>

<IfModule remoteip_module>
   RemoteIPHeader X-Forwarded-For
</IfModule>

RewriteEngine On
LogLevel alert rewrite:trace3

<IfDefine WEBSERVICE_ON>
    Include /Library/Server/Web/Config/apache2/sites/*.conf
</IfDefine>
<IfDefine !WEBSERVICE_ON>
    Include /Library/Server/Web/Config/apache2/sites/virtual_host_global.conf
    Include /Library/Server/Web/Config/apache2/sites/0000_127.0.0.1_34580_.conf
    Include /Library/Server/Web/Config/apache2/sites/0000_127.0.0.1_34543_.conf
</IfDefine>

and here’s the vhost

<VirtualHost 127.0.0.1:34543>
	ServerName https://passbolt.monigle.com:443
	ServerAdmin admin@example.com
	DocumentRoot "/Library/Server/Web/Data/Sites/passbolt.monigle.com"
	DirectoryIndex index.html index.php default.html
	CustomLog /var/log/apache2/access_log combinedvhost
	ErrorLog /var/log/apache2/error_log
	<IfModule mod_ssl.c>
		SSLEngine Off
		SSLCipherSuite "HIGH:MEDIUM:!MD5:!RC4:!3DES"
		SSLProtocol -all +TLSv1.2
		SSLProxyEngine Off
		SSLCertificateFile "/etc/certificates/mamacdc1.monigle.com.F76062C1C1E48FB5D468AA78E5EE6BC5DDEA7E0A.cert.pem"
		SSLCertificateKeyFile "/etc/certificates/mamacdc1.monigle.com.F76062C1C1E48FB5D468AA78E5EE6BC5DDEA7E0A.key.pem"
		SSLCertificateChainFile "/etc/certificates/mamacdc1.monigle.com.F76062C1C1E48FB5D468AA78E5EE6BC5DDEA7E0A.chain.pem"
		SSLProxyProtocol -all +TLSv1.2
		SSLProxyCheckPeerCN off
		SSLProxyCheckPeerName off
	</IfModule>
	<IfModule mod_secure_transport.c>
		MSTEngine Off
		MSTCipherSuite HIGH, MEDIUM
		MSTProtocolRange TLSv1.2 TLSv1.2
		MSTProxyEngine On
		MSTIdentity SHA-256:b8b51082676a004921d2c578137bbdd526be2395932c1c0e97c56b9f8bf1eca2:"mamacdc1.monigle.com"
		MSTProxyProtocolRange TLSv1.2 TLSv1.2
	</IfModule>
	<Directory "/Library/Server/Web/Data/Sites/passbolt.monigle.com">
		Options All -Indexes +ExecCGI +Includes +MultiViews
		AllowOverride All
		<IfModule mod_dav.c>
			DAV Off
		</IfModule>
		<IfDefine !WEBSERVICE_ON>
			Require all denied
			ErrorDocument 403 /customerror/websitesoff403.html
		</IfDefine>
	</Directory>
</VirtualHost>

Hello @daedalusprospect,

If it can help you, here is an example of a working Apache config from this Medium post:

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerAdmin webmaster@localhost
    ServerName passbolt.dev

    DocumentRoot /var/www/passbolt

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/apache.key
 
    <Directory /var/www/passbolt>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    <FilesMatch "\.(php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>

    BrowserMatch "MSIE [2-6]" \
      nokeepalive ssl-unclean-shutdown \
      downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

</VirtualHost>
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

What I can see here, without a clear understanding of your setup (and I’m not a sysop), is:

  • The ServerName config shouldn’t contain any protocol or port; it should be only relative to your domain.
  • The port 34543 is relative to a specific setup, or there is a glitch here and it should be 443?

Cheers,

Unfortunately, using Mac OS X Server’s Webserver, rather than just a normal apache2 installed on the Mac, requires special config files since things are run a little differently. That’s why my httpd.conf is so different compared to a normal one.

The 34543 is not actually the port number; it’s an identifier used by the MacOS X Server for each host, and it uses it to do its own magic when bringing the server online. Even though it lists it as 34543, the host responds on the 443 port. My server has multiple domains all pointing to it and they all use the same ports, so this is just OS X’s way of differentiating between the two and serving the correct data. The servername with the port 443 in it is part of this process. (When creating the hosts in the server manager, it creates the vhosts files with the servername as you see and the weird “port” identifier.)

To add more info:
I tested a very basic htaccess file on my server and it works just fine in the passbolt directory. It just seems like the .htaccess files that come with passbolt are having issues. Possibly one of the lines in the app/webroot htaccess is causing the issue. I’m not an expert on htaccess files and actions so can’t troubleshoot much.

The basic htaccess file I tested was in an empty directory with a test.php file. It correctly redirected my browser to test.php

RewriteEngine On
RewriteRule ^.*$ test.php

Indeed, it explains why it is so different.

Looking at the CakePHP documentation, they mention Mac OSX as follows:

On Mac OSX, another solution is to use the tool virtualhostx to make a Virtual Host to point to your folder.
see : URL Rewriting - 2.x

It makes me think that it should work almost out of the box (“On Mac OSX, another solution”). Maybe we are missing something in your configuration. I can see the FollowSymLinks option and other conf everywhere except in your conf. Maybe it is worth testing the following:

<Directory "/Library/Server/Web/Data/Sites/passbolt.monigle.com">
    Options All -Indexes +ExecCGI +Includes +MultiViews +FollowSymLinks
    AllowOverride All
    Require all granted
    ....
</Directory>

That is an interesting use case, I’ll give it a try next week on my machine.
Cheers
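
With `LogLevel alert rewrite:trace3` enabled as in the posted httpd.conf, the rewrite trace can be scanned for the loop mechanically. The following is an added example, not code from any poster or from Passbolt: `find_redirect_loops`, the sample log lines, the grouping by pid and client, and the `/initial/redir#N` request stage are assumptions, and the default `limit` of 10 mirrors Apache's `LimitInternalRecursion` default.

```python
import re
from collections import defaultdict

# Constructed sample in mod_rewrite trace format (not the poster's log).
_T = ("[Wed Nov 15 12:00:00.000000 2017] [rewrite:trace{lvl}] [pid 101] "
      "mod_rewrite.c(480): [client 127.0.0.1:{port}] 127.0.0.1 - - "
      "[example.test/sid#aa][rid#{rid}/{stage}] [perdir /srv/site/] {msg}")
_REDIR = "internal redirect with {} [INTERNAL REDIRECT]"
SAMPLE_LOG = "\n".join([
    _T.format(lvl=3, port=50001, rid="b0", stage="initial",
              msg="applying pattern '^$' to uri ''"),
    _T.format(lvl=1, port=50001, rid="b0", stage="initial",
              msg=_REDIR.format("/app/webroot/")),
    _T.format(lvl=1, port=50001, rid="b1", stage="initial/redir#1",
              msg=_REDIR.format("/app/webroot/index.php")),
    _T.format(lvl=1, port=50001, rid="b2", stage="initial/redir#2",
              msg=_REDIR.format("/app/webroot/index.php")),
    _T.format(lvl=1, port=50002, rid="c0", stage="initial",
              msg=_REDIR.format("/test.php")),
])

LINE = re.compile(
    r"\[pid (?P<pid>\d+)\].*?\[client (?P<client>[^\]]+)\].*?"
    r"\[rid#[0-9a-f]+/(?P<stage>[^\]]+)\].*?"
    r"internal redirect with (?P<target>\S+) \[INTERNAL REDIRECT\]")

def find_redirect_loops(log_text, limit=10):
    """Report request chains that repeat a target or reach `limit` redirects."""
    conns = defaultdict(list)            # (pid, client) -> list of chains
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue                     # pattern/condition trace lines
        chains = conns[(m["pid"], m["client"])]
        # A line without redir#N is the first redirect of a new request.
        if "redir#" not in m["stage"] or not chains:
            chains.append([])
        chains[-1].append(m["target"])
    reports = []
    for (_pid, client), chains in conns.items():
        for targets in chains:
            repeated = sorted({t for t in targets if targets.count(t) > 1})
            if repeated or len(targets) >= limit:
                reports.append({"client": client, "targets": targets,
                                "repeated": repeated})
    return reports

if __name__ == "__main__":
    for r in find_redirect_loops(SAMPLE_LOG):
        print(r["client"], "loops via", " -> ".join(r["targets"]))
```

The repeated target names the URI whose rewrite feeds back into itself, which points at the directory whose .htaccess is the one to inspect.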
