h5bp / server-configs-apache

Apache HTTP server boilerplate configs
MIT License

Add note about `RewriteOptions Inherit` #337

Open jamieburchell opened 1 year ago

jamieburchell commented 1 year ago

If you use the h5bp Apache config in a server configuration, and add a virtual host and a directory block with custom rewrite rules, none of the h5bp rewrite rules will work. This is because the new rewrite rules overwrite existing ones by default.

Do you think it's worth mentioning this anywhere?

E.g.

Let's say you have this (taken from h5bp) in your main config file:

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
    RewriteCond %{SCRIPT_FILENAME} -d [OR]
    RewriteCond %{SCRIPT_FILENAME} -f
    RewriteRule "(^|/)\." - [F]
</IfModule>

You then create a virtual host configuration:

<VirtualHost *:80>
    ServerName example.com
    # ...
    <Directory /var/www/httpdocs/>
        RewriteEngine On
        # Without inheritance of rewrite rules, none of the h5bp rules take effect :(
        RewriteCond %{REQUEST_FILENAME} !-f
        RewriteCond %{REQUEST_FILENAME} !-d
        RewriteRule . /index.php [L]
    </Directory>
</VirtualHost>

For blocking access to hidden files I prefer to use `Require all denied` with a `LocationMatch`, but this is just an example.

It strikes me that it's not immediately obvious that the rules from h5bp have no effect in certain situations. At least, it wasn't to me.

Ref: https://httpd.apache.org/docs/current/mod/mod_rewrite.html#rewriteoptions

LeoColomb commented 1 year ago

Thanks for opening this issue @jamieburchell. What about adding the following directive to the H5BP rewrite block?

RewriteOptions InheritDown

jamieburchell commented 1 year ago

My concern would be that it has the potential to break existing configurations since it then becomes necessary to explicitly ignore inheritance where it would have been the default behaviour.

LeoColomb commented 1 year ago

Indeed, you are right. Then yes, a commented-out directive with a line or two of docs would make sense in virtual host config templates. 👍
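
An added example, not part of the thread and not h5bp project code: a small Python audit that flags `<VirtualHost>`/`<Directory>` sections which define their own `RewriteRule` without `RewriteOptions Inherit` or `InheritBefore` and without an enclosing `InheritDown`, which is the situation described in this issue. The sample config is constructed, the function name and the set of audited containers are assumptions, and counting `InheritDown` in any enclosing scope as covering a section is a simplification.

```python
import re

# Constructed sample, modelled on the configuration quoted in the issue.
SAMPLE_CONF = r"""<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule "(^|/)\." - [F]
</IfModule>
<VirtualHost *:80>
    <Directory /var/www/httpdocs/>
        RewriteEngine On
        RewriteRule . /index.php [L]
    </Directory>
    <Directory /var/www/legacy/>
        RewriteEngine On
        RewriteOptions InheritBefore
        RewriteRule . /index.php [L]
    </Directory>
</VirtualHost>
"""
SCOPED = {"virtualhost", "directory", "directorymatch"}  # assumption: containers audited

def find_non_inheriting_sections(conf):
    """Return (line, header) of sections with their own RewriteRule and no inheritance."""
    root = {"head": "main server", "line": 0, "parent": None, "opts": set(), "rules": False}
    scopes, stack = [root], [root]
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        opened = re.match(r"<(\w+)\b[^>]*>$", line)
        closed = re.match(r"</(\w+)>$", line)
        if opened and opened.group(1).lower() in SCOPED:
            scopes.append({"head": line, "line": no, "parent": stack[-1],
                           "opts": set(), "rules": False})
            stack.append(scopes[-1])
        elif closed and closed.group(1).lower() in SCOPED and len(stack) > 1:
            stack.pop()
        elif re.match(r"RewriteRule\s", line, re.I):
            stack[-1]["rules"] = True
        elif re.match(r"RewriteOptions\s", line, re.I):
            stack[-1]["opts"].update(opt.lower() for opt in line.split()[1:])
    findings = []
    for s in scopes[1:]:
        pushed, p = False, s["parent"]
        while p:  # simplification: InheritDown in any enclosing scope counts
            pushed = pushed or bool(p["opts"] & {"inheritdown", "inheritdownbefore"})
            p = p["parent"]
        inherits = bool(s["opts"] & {"inherit", "inheritbefore"}) or (
            pushed and "ignoreinherit" not in s["opts"])
        if s["rules"] and not inherits:
            findings.append((s["line"], s["head"]))
    return findings
```

On the sample, only the `/var/www/httpdocs/` section is reported; a flagged section is one to review by hand, since rules that are not inherited include any access-blocking rules defined higher up.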