i would suggest using a proxy request which you can implement by modifying your RewriteRule and using the [P] flag.
https://httpd.apache.org/docs/current/rewrite/flags.html#flag_p

btw the [QSA] flag is unnecessary unless you are using a query string in the target of the RewriteRule.

Doesn't one of the Moderators help people with rewrite rules here?
[webmasterworld.com...]

As a marketer who often uses appended parameters to track Source / Medium, I'd say always include QSA.

The /public_html/ directory is the web readable root.
Use symlinks if you want another folder, at that level, to serve.
Upstream in the folder hierarchy, for security reasons, the files should not be web readable.

[edited by: phranque at 11:23 pm (utc) on Sep 12, 2019]
[edit reason] see charter [/edit]

A symlink isn't a bad idea at all! I'd forgotten about [P], but wouldn't that be pretty slow? If so then a symlink might be the better option. I haven't done that in awhile... I guess it's a simple matter of:

# Via SSH
cd /home/example/public_html
ln -s /home/example/ww2.example.com ww2

# .htaccess
RewriteEngine on

RewriteCond %{HTTP_HOST} example\.com [NC]
RewriteCond %{REQUEST_URI} !^/(foo/bar|images|cgi-bin)
RewriteRule ^(.*)$ ww2/foo/bar/$1 [QSA,L]

For whatever reason, the server created the subdomain before the /public_html/. I'm not sure why... I don't know if it's an Apache thing, or maybe a WHM/cPanel thing?

As for QSA, I use occasional appended params, too, so have always used it in a "why not?" kind of way. Does it make it any slower or anything? If so then now would be a good time to work on alternatives.

As a marketer who often uses appended parameters to track Source / Medium, I'd say always include QSA.

since you probably haven't accessed the document i referenced above, i'll quote another section as explanation:

When the replacement URI contains a query string, the default behavior of RewriteRule is to discard the existing query string, and replace it with the newly generated one. Using the [QSA] flag causes the query strings to be combined.

Consider the following rule:

RewriteRule "/pages/(.+)" "/page.php?page=$1" [QSA]

With the [QSA] flag, a request for /pages/123?one=two will be mapped to /page.php?page=123&one=two. Without the [QSA] flag, that same request will be mapped to /page.php?page=123 - that is, the existing query string will be discarded.

(source: https://httpd.apache.org/docs/current/rewrite/flags.html#flag_qsa )

therefore it is clearly unnecessary unless the "Target" of the RewriteRule contains a query string.

A symlink isn't a bad idea at all!

i would recommend against that solution!
a secure apache server would prevent apache from following symlinks using this configuration directive:

Options -FollowSymLinks

Is

Options +SymLinksIfOwnerMatch 

any better?

Note from the description of the SymLinksIfOwnerMatch option:

This option should not be considered a security restriction, since symlink testing is subject to race conditions that make it circumventable.

source: https://httpd.apache.org/docs/2.4/mod/core.html#options

a secure apache server would prevent apache from following symlinks using this configuration directive:

Options -FollowSymLinks

ignore this brain f@rt.
SymLinks are required for RewriteEngine On to work.

A symlink isn't a bad idea at all!

i would recommend against that solution!

i still don't think it's a secure practice to create a symlink to a folder outside the public_html directory.

Just have to ask the question: Why have anything outside the public folder? Willing to be convinced if there is a valid reason to do that!

In my particular case, I'm the only one with root or SSH access to the server, so I don't think that there's much of a risk with symlinks. I remember using them several years back when I had multiple accounts (of my own) that I wanted to share directories, but that stopped working a few updates ago and I never could figure out why :-(

I also see that there's a default symlink of /www/ to /public_html/, so turning off symlinks by default might break a lot of programs.

@tangor, when I set up a subdomain in WHM/cPanel it automatically created it outside of public_html. Other than that, the only time I would usually set up something outside of public_html is when I use text files that I want to be accessed by programs but not by the general public.

But now I would like to change it to show them what's at:

ww2.example.com/foo/bar

I don't believe you can do it in htaccess. Rewriting simply doesn’t go above the document root.

:: quick detour to docs [httpd.apache.org] to make sure they haven't changed anything, as I'm still new to 2.4 ::

Note that the PT flag is implied in per-directory contexts such as <Directory> sections or in .htaccess files.

(And I'm pretty sure you can't do anything involving mod_proxy [P] in htaccess, so scratch that.)

But if you're rewriting to a php file, you can put almost any kind of filepath in there, so long as you end up in a space you control.

you got the QSA thing all twisted up

please explain.

(And I'm pretty sure you can't do anything involving mod_proxy [P] in htaccess, so scratch that.)

the [P] flag uses the RewriteRule directive, which is valid in the following contexts:
- server config
- virtual host
- directory
- .htaccess

:: detour for extensive experimentation on test site ::

OK, you can use the [P] flag in htaccess--at least on some servers in some circumstances. If you repeat the experiment I made--simply rewriting requests for http://example.first/somepage to http://example.second/someotherpage--the results are more horrific than you can imagine, since what you get is the content of the page at example.second using the styles from example.first. (Just like a rewrite, except it involves a different site.) If you're proxying only to serve images, this will obviously not be a problem, but it's a useful demonstration of what's happening.

The two caveats I can see:
#1 since this is being done in htaccess, meaning that you can't write any <Proxy> rules, the [P] target can only be a site that is reachable by name via its own DNS, which in turn means you have to make extra sure that images.example.com doesn't get indexed in its own right. (This would also seem to mean that you can proxy into other people's sites, which is scary. My experimenting happened to involve two sites living in the same userspace on the same server; don't know if that makes a difference.)
#2 if the target site is https, you need some extra preparation. When using the [P] flag with my test site (https) as the target, I get this pair of errors:

[Sat Sep 14 09:55:45.816499 2019] [ssl:error] [pid 18133] [remote 2607:f298:5:105b::blahblah] AH01961: SSL Proxy requested for example.com:443 but not enabled [Hint: SSLProxyEngine]
[Sat Sep 14 09:55:45.816580 2019] [proxy:error] [pid 18133] AH00961: HTTPS: failed to enable ssl support for [2607:f298:5:105b::blahblah]:443 (example.com)

In logs the request comes through with a 500 error--what I call a low-grade 500, since it still permits my custom 500 page to be displayed. (A lethal syntax error would give you only a generic server error, since no content from the site can be retrieved.) This in turn leads to SSLProxyEngine [httpd.apache.org] which, again, can only be set up in config.

please explain.

I already did, you ignored me then. The gave me suggested reading via your passive aggressive "since you probably haven't accessed the document i referenced above, i'll quote another section as explanation:"

Please re-read your answer:

With the [QSA] flag, a request for /pages/123?one=two will be mapped to /page.php?page=123&one=two. Without the [QSA] flag, that same request will be mapped to /page.php?page=123 - that is, the existing query string will be discarded.

If the incoming one=two is tracking info, without QSA, it will be discarded.

If the incoming one=two is tracking info, without QSA, it will be discarded.

It will only be discarded if the target URL contains a query of its own, which by default replaces the former query. That includes targets with the null query, a final ? with nothing after it (equivalent to QSD flag, at a savings of three bytes, but really more about personal coding style). In the proposed RewriteRule that started this thread

RewriteRule ^(.*)$ foo/bar/$1 [QSA,L]

the target contains no new query, so it is not necessary to say anything about it. It will not do any harm, it just isn't needed.

For clarification, are you guys saying that [QSA] is only needed if I have hard-coded a query string in to the RewriteRule? Like:

RewriteRule ^(.*)$ foo/bar/$1?one=two [QSA,L]

@lucy24, that's excellent information about the [P] flag, I really appreciate all that you did there! I've only used [P] several years ago when moving to a new server and setting the old server to proxy the new one (for internet providers that hadn't seen the new IP yet). I didn't realize it would grab the styles from the origin, or the issues with SSL. I'm going to move to a new server again in a few weeks, so that's great information to have!

are you guys saying that [QSA] is only needed if I have hard-coded a query string in to the RewriteRule?

this is correct

Please re-read your answer:

With the [QSA] flag, a request for /pages/123?one=two will be mapped to /page.php?page=123&one=two. Without the [QSA] flag, that same request will be mapped to /page.php?page=123 - that is, the existing query string will be discarded.

If the incoming one=two is tracking info, without QSA, it will be discarded.

that does not apply to the OP's problem statement which included these directives (with no query string in the Target of the RewriteRule):

RewriteRule ^(.*)$ foo/bar/$1 [QSA,L]

...

RewriteRule ^(.*)$ ../ww2.example.com/foo/bar/$1 [QSA,L]

To continue the discussion related to the QSA flag, 2 messages were cut out to new thread by not2easy. New thread at: apache/4964289.htm [webmasterworld.com]

[edited by: not2easy at 10:04 pm (utc) on Sep 15, 2019]