I use VirtualMin/Webmin (https://www.virtualmin.com/) for my hosting server. There must have been an update, but I am honestly still not sure what exactly happened, but since last few days all of a sudden I noticed index.php and other mod_rewrite pages get downloaded by browser instead of executing.
I am using mod_rewrite in htaccess, and many URLs are being rewritten. I did not write these but these came predefined by the makers of the forum software (phpBB). The weird thing is pages such as search.php, or advertise.php, or even faq.php all get rewritten and work fine. However, some pages using /viewforum.php such as /2-demerit-points/ get executed however the same script rewritten to /6-demerit-points/ gets downloaded by browser.
I have tried updating Apache to version Apache/2.4.58 and have tried all PHP versions from PHP 7.1, 7.2, 7.3, 7.4, and 8.0 but same issue persists.
Server Info:
CentOS Linux 7.9.2009
Virtualmin version 7.9.0 Pro
PHP-FPM 7.3.33 Server
PHP-FPM 7.0.27 Server
PHP-FPM 7.4.33 Server
PHP-FPM 8.0.30 Server
Apache 2.4.58
I have tried all the AddTypes and Handlers for PHP in main httpd.conf:
<FilesMatch \.php$>
SetHandler application/x-httpd-php
</FilesMatch>
<IfModule dir_module>
DirectoryIndex index.html index.php
</IfModule>
The website is: https://www.ontariohighwaytrafficact.com/
As you may see https://www.ontariohighwaytrafficact.com/index.php gets downloaded.
However, https://www.ontariohighwaytrafficact.com/index.php? or https://www.ontariohighwaytrafficact.com/? works.
/etc/httpd/conf/httpd.conf:
ServerName ontariohighwaytrafficact.com
ServerAlias www.ontariohighwaytrafficact.com
ServerAlias webmail.ontariohighwaytrafficact.com
ServerAlias admin.ontariohighwaytrafficact.com
ServerAlias autoconfig.ontariohighwaytrafficact.com
ServerAlias autodiscover.ontariohighwaytrafficact.com
DocumentRoot /home/ontariohighwaytrafficact/public_html
ErrorLog /var/log/virtualmin/ontariohighwaytrafficact.com_error_log
CustomLog /var/log/virtualmin/ontariohighwaytrafficact.com_access_log combined
ScriptAlias /cgi-bin/ /home/ontariohighwaytrafficact/cgi-bin/
ScriptAlias /awstats/ /home/ontariohighwaytrafficact/cgi-bin/
ScriptAlias /AutoDiscover/AutoDiscover.xml /home/ontariohighwaytrafficact/cgi-bin/autoconfig.cgi
ScriptAlias /Autodiscover/Autodiscover.xml /home/ontariohighwaytrafficact/cgi-bin/autoconfig.cgi
ScriptAlias /autodiscover/autodiscover.xml /home/ontariohighwaytrafficact/cgi-bin/autoconfig.cgi
DirectoryIndex index.php index.html index.htm index.php index.php4 index.php5
Protocols h2 h2c http/1.1
ProtocolsHonorOrder Off
H2EarlyHints on
<Location />
H2PushResource /assets/javascript/core.js
H2PushResource /styles/prosilver/theme/stylesheet.css
H2PushResource /styles/prosilver/theme/foundation/css/foundation.min.css
H2PushResource /ext/vse/scrollpage/styles/all/theme/scrollpage.css
</Location>
<Directory /home/ontariohighwaytrafficact/public_html>
Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch,FollowSymLinks
Require all granted
</Directory>
<Directory /home/ontariohighwaytrafficact/cgi-bin>
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch,FollowSymLinks
Require all granted
</Directory>
RewriteEngine on
RewriteCond %{HTTP_HOST} =webmail.ontariohighwaytrafficact.com
RewriteRule ^(.*) https://ontariohighwaytrafficact.com:20000/ [R]
RewriteCond %{HTTP_HOST} =admin.ontariohighwaytrafficact.com
RewriteRule ^(.*) https://ontariohighwaytrafficact.com:10000/ [R]
SSLEngine on
SSLCertificateFile /home/ontariohighwaytrafficact/ssl.cert
SSLCertificateKeyFile /home/ontariohighwaytrafficact/ssl.key
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
<Files awstats.pl>
AuthName "ontariohighwaytrafficact.com statistics"
AuthType Basic
AuthUserFile /home/ontariohighwaytrafficact/.awstats-htpasswd
require valid-user
</Files>
SSLCACertificateFile /home/ontariohighwaytrafficact/ssl.ca
Redirect /mail/config-v1.1.xml /cgi-bin/autoconfig.cgi
Redirect /.well-known/autoconfig/mail/config-v1.1.xml /cgi-bin/autoconfig.cgi
<FilesMatch \.php$>
SetHandler proxy:unix:/run/php-fpm/153206603119132.sock|fcgi://127.0.0.1
</FilesMatch>`
.htaccess:
DirectoryIndex index.php index.html index.htm
<IfModule mime_module>
AddHandler application/x-httpd-php .php .php7 .html .phtml
</IfModule>
<IfModule mod_rewrite.c>
# You may need to un-comment the following lines
# Options +FollowSymlinks
# To make sure that rewritten dir or file (/|.html) will not load dir.php in case it exist
# Options -MultiViews
# REMEBER YOU ONLY NEED TO STARD MOD REWRITE ONCE
Options -Indexes -MultiViews +FollowSymLinks
RewriteEngine On
# Uncomment the statement below if you want to make use of
# HTTP authentication and it does not already work.
# This could be required if you are for example using PHP via Apache CGI.
# RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
# REWRITE BASE
RewriteBase /
# force https
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
RewriteCond %{SERVER_PORT}s ^(443(s)|[0-9]+s)$
RewriteRule ^.*$ - [env=HttpFullProto:http%2://]
RewriteCond %{HTTP_HOST} !^www\.ontariohighwaytrafficact\.com$ [NC]
RewriteRule ^(.*)$ %{ENV:HttpFullProto}www.ontariohighwaytrafficact.com/$1 [B,QSA,L,R=301]
# rewrite index.php to /
RewriteRule ^index\.php$ / [B,R=301,L]
# DO NOT GO FURTHER IF THE REQUESTED FILE / DIR DOES EXISTS
RewriteCond %{REQUEST_FILENAME} -f [OR]
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule . - [L]
# FORUM INDEX REWRITERULE WOULD STAND HERE IF USED. "forum" REQUIRES TO BE SET AS FORUM INDEX
# RewriteRule ^forum\.html$ /index.php [QSA,L,NC]
# FORUM ALL MODES
RewriteRule ^(forum|[a-z0-9_-]*-f)([0-9]+)/?(page([0-9]+)\.html)?$ /viewforum.php?f=$2&start=$4 [B,QSA,L,NC]
# TOPIC WITH VIRTUAL FOLDER ALL MODES
RewriteRule ^(forum|[a-z0-9_-]*-f)([0-9]+)/(topic|[a-z0-9_-]*-t)([0-9]+)(-([0-9]+))?\.html$ /viewtopic.php?f=$2&t=$4&start=$6 [B,QSA,L,NC]
# TOPIC WITHOUT FORUM ID & DELIM ALL MODES
RewriteRule ^([a-z0-9_-]*)/?(topic|[a-z0-9_-]*-t)([0-9]+)(-([0-9]+))?\.html$ /viewtopic.php?forum_uri=$1&t=$3&start=$5 [B,QSA,L,NC]
# PROFILES THROUGH USERNAME
RewriteRule ^member/([^/]+)/?$ /memberlist.php?mode=viewprofile&un=$1 [B,QSA,L,NC]
# USER MESSAGES THROUGH USERNAME
RewriteRule ^member/([^/]+)/(topics|posts)/?(page([0-9]+)\.html)?$ /search.php?author=$1&sr=$2&start=$4 [B,QSA,L,NC]
# GROUPS ALL MODES
RewriteRule ^(group|[a-z0-9_-]*-g)([0-9]+)(-([0-9]+))?\.html$ /memberlist.php?mode=group&g=$2&start=$4 [B,QSA,L,NC]
# POSTS
RewriteRule ^post([0-9]+)\.html$ /viewtopic.php?p=$1 [B,QSA,L,NC]
# ACTIVE TOPICS
RewriteRule ^active-topics(-([0-9]+))?\.html$ /search.php?search_id=active_topics&start=$2&sr=topics [B,QSA,L,NC]
# UNANSWERED TOPICS
RewriteRule ^unanswered(-([0-9]+))?\.html$ /search.php?search_id=unanswered&start=$2&sr=topics [B,QSA,L,NC]
# NEW POSTS
RewriteRule ^newposts(-([0-9]+))?\.html$ /search.php?search_id=newposts&start=$2&sr=topics [B,QSA,L,NC]
# UNREAD POSTS
RewriteRule ^unreadposts(-([0-9]+))?\.html$ /search.php?search_id=unreadposts&start=$2 [B,QSA,L,NC]
# THE TEAM
RewriteRule ^the-team\.html$ /memberlist.php?mode=team [B,QSA,L,NC]
# HERE IS A GOOD PLACE TO ADD OTHER PHPBB RELATED REWRITERULES
# FORUM WITHOUT ID & DELIM ALL MODES
# THESE LINES MUST BE LOCATED AT THE END OF YOUR HTACCESS TO WORK PROPERLY
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([a-z0-9_-]+)/?(page([0-9]+)\.html)?$ /viewforum.php?forum_uri=$1&start=$3 [B,QSA,L,NC]
# FIX RELATIVE PATHS : FILES
RewriteRule ^(style\.php|ucp\.php|mcp\.php|faq\.php|posting\.php|download/file\.php|report\.php|adm/index\.php|cron\.php)$ /$1 [B,QSA,L,NC,R=301]
# FIX RELATIVE PATHS : IMAGES
RewriteRule ^(styles/.*|images/.*|assets/.*|ext/.*)$ /$1 [B,QSA,L,NC,R=301]
#
# The following 3 lines will rewrite URLs passed through the front controller
# to not require app.php in the actual URL. In other words, a controller is
# by default accessed at /app.php/my/controller, but can also be accessed at
# /my/controller
#
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME} !-l
RewriteRule ^(.*)$ /app.php [QSA,L]
</IfModule>
# With Apache 2.4 the "Order, Deny" syntax has been deprecated and moved from
# module mod_authz_host to a new module called mod_access_compat (which may be
# disabled) and a new "Require" syntax has been introduced to mod_authz_host.
# We could just conditionally provide both versions, but unfortunately Apache
# does not explicitly tell us its version if the module mod_version is not
# available. In this case, we check for the availability of module
# mod_authz_core (which should be on 2.4 or higher only) as a best guess.
<IfModule mod_version.c>
<IfVersion < 2.4>
<Files "config.php">
Order Allow,Deny
Deny from All
</Files>
<Files "common.php">
Order Allow,Deny
Deny from All
</Files>
</IfVersion>
<IfVersion >= 2.4>
<Files "config.php">
Require all denied
</Files>
<Files "common.php">
Require all denied
</Files>
</IfVersion>
</IfModule>
<IfModule !mod_version.c>
<IfModule !mod_authz_core.c>
<Files "config.php">
Order Allow,Deny
Deny from All
</Files>
<Files "common.php">
Order Allow,Deny
Deny from All
</Files>
</IfModule>
<IfModule mod_authz_core.c>
<Files "config.php">
Require all denied
</Files>
<Files "common.php">
Require all denied
</Files>
</IfModule>
</IfModule>
I tried updating to latest Apache version
I have tried all PHP versions from 7.1 - 8.0
I have tried all AddType and AddHandlers for PHP
I have checked to make sure all folder and file permissions are correct