This question about Installation of Foswiki: Answered
RewriteRule Directive is forbidden
I have been trying without success to configure Foswiki on my Ubuntu webserver. It has been installed as a subdomain virtual server and is working except that skins are not being applied at all. I have checked permissions, path/URL settings and they all seem fine. I used the ApacheConfigurator with Rewrite URLs selected.
This was addressed in the ApacheConfigGenerator. FollowSymLinks can now be requested. Do we still need a task for this?
-- GeorgeClark - 27 Jun 2009
My Apache error log reports, e.g.:
FollowSymLinks or SymLinksIfOwnerMatch is off which implies that RewriteRule directive is forbidden:
/var/www/foswiki/pub/System/DocumentGraphics/searchtopic.gif, referer: http://admin.mywebsite/bin/view/System/WebHome
Here is the virtual server.conf
# Autogenerated httpd.conf file for Foswiki.
# Generated at http://foswiki.org/Support/ApacheConfigGenerator?dir=/var/www/foswiki;allowconf=;requireconf=admin;loginmanager=None;phpinstalled=PHP4;errordocument=UserRegistration;foswikiversion=1.0.0;shorterurls=enabled;vhost=admin.mysite.com;pathurl=admin.mysite.com;engine=CGI;apver=2;fastcgimodule=fastcgi
# For Foswiki version 1.0.0
<VirtualHost >
ServerAdmin webmaster@admin.mysite.com
DocumentRoot /var/www/foswiki
ServerName admin.mysite.com
ServerAlias www.mysite.com
# The Alias defines a url that points to the root of the Foswiki installation.
# The first parameter will be part of the URL to your installation e.g.
# http://my.co.uk/foswiki/bin/view/...
# The second parameter must point to the physical path on your disc.
ScriptAlias admin.mysite.com/bin "/var/www/foswiki/bin"
# The following Alias is used to access files in the pub directory (attachments etc)
# It must come after the ScriptAlias.
Alias admin.mysite.com/pub "/var/www/foswiki/pub"
# short urls
Alias admin.mysite.com "/var/www/foswiki/bin/view"
RewriteEngine on
RewriteRule ^admin.mysite.com/+bin/+view/+(.) admin.mysite.com/$1 [L,NE,R]
RewriteRule ^admin.mysite.com/+bin/+view$ admin.mysite.com/ [L,NE,R]
# Block access to typical spam related attachments
# Except the Foswiki directory which is read only and does have attached html files.
SetEnvIf Request_URI "admin.mysite.com/pub/.*\.[hH][tT][mM][lL]?$" blockAccess
SetEnvIf Request_URI "admin.mysite.com/pub/System/.*\.[hH][tT][mM][lL]?$" !blockAccess
# This enables access to the documents in the Foswiki root directory
<Directory "/var/www/foswiki">
Order Allow,Deny
Allow from all
Deny from env=blockAccess
</Directory>
# This specifies the options on the Foswiki scripts directory. The ExecCGI
# and SetHandler tell apache that it contains scripts. "Allow from all"
# lets any IP address access this URL.
<Directory "/var/www/foswiki/bin">
AllowOverride None
Order Allow,Deny
Allow from all
Deny from env=blockAccess
Options ExecCGI FollowSymLinks
SetHandler cgi-script
# Password file for Foswiki users
AuthUserFile /var/www/foswiki/data/.htpasswd
AuthName 'Enter your WikiName: (First name and last name, no space, no dots, capitalized, e.g. JohnSmith). Cancel to register if you do not have one.'
AuthType Basic
# File to return on access control error (e.g. wrong password)
ErrorDocument 401 admin.mysite.com/bin/view/System/UserRegistration
# Limit access to configure to specific IP addresses and or users.
# Make sure configure is not open to the general public.
# It exposes system details that can help attackers.
<FilesMatch "^(configure)$">
SetHandler cgi-script
Require user admin
</FilesMatch>
</Directory>
# This sets the options on the pub directory, which contains attachments and
# other files like CSS stylesheets and icons. AllowOverride None stops a
# user installing a .htaccess file that overrides these options.
# Note that files in pub are not protected by Foswiki Access Controls,
# so if you want to control access to files attached to topics you need to
# block access to the specific directories same way as the ApacheConfigGenerator
# blocks access to the pub directory of the Trash web
<Directory "/var/www/foswiki/pub">
Options None
AllowOverride None
Order Allow,Deny
Allow from all
Deny from env=blockAccess
ErrorDocument 404 admin.mysite.com/bin/viewfile
# Disable execution of PHP scripts
php_admin_flag engine off
# This line will redefine the mime type for the most common types of scripts
AddType text/plain .shtml .php .php3 .phtml .phtm .pl .py .cgi
#
#add an Expires header that is sufficiently in the future that the browser does not even ask if its uptodate
# reducing the load on the server significantly
#IF you can, you should enable this - it will improve your Foswiki experience, even if you set it to under one day.
# you may need to enable expires_module in your main apache config
#LoadModule expires_module libexec/httpd/mod_expires.so
#AddModule mod_expires.c
#<ifmodule mod_expires.c>
# <filesmatch "\.(jpg|gif|png|css|js)$">
# ExpiresActive on
# ExpiresDefault "access plus 11 days"
# </filesmatch>
#</ifmodule>
#
</Directory>
# Spammers are known to attach their stuff and then move it to trash where it remains unnoticed.
# We prevent viewing any attachments directly from pub
<Directory "/var/www/foswiki/pub/Trash">
deny from all
</Directory>
# Security note: All other directories should be set so
# that they are not visible as URLs, so we set them as deny from all.
<Directory "/var/www/foswiki/data">
deny from all
</Directory>
<Directory "/var/www/foswiki/templates">
deny from all
</Directory>
<Directory "/var/www/foswiki/lib">
deny from all
</Directory>
<Directory "/var/www/foswiki/locale">
deny from all
</Directory>
<Directory "/var/www/foswiki/tools">
deny from all
</Directory>
<Directory "/var/www/foswiki/working">
deny from all
</Directory>
# We set an environment variable called blockAccess.
# Setting a BrowserMatchNoCase to ^$ is important. It prevents Foswiki from
# including its own topics as URLs and also prevents other Foswikis from
# doing the same. This is important to prevent the most obvious
# Denial of Service attacks.
#
# You can expand this by adding more BrowserMatchNoCase statements to
# block evil browser agents trying the impossible task of mirroring a Foswiki
#
# Example:
# BrowserMatchNoCase ^SiteSucker blockAccess
# BrowserMatchNoCase ^$ blockAccess
BrowserMatchNoCase ^Accoona blockAccess
BrowserMatchNoCase ^ActiveAgent blockAccess
BrowserMatchNoCase ^Attache blockAccess
BrowserMatchNoCase BecomeBot blockAccess
BrowserMatchNoCase ^bot blockAccess
BrowserMatchNoCase Charlotte/ blockAccess
BrowserMatchNoCase ^ConveraCrawler blockAccess
BrowserMatchNoCase ^CrownPeak-HttpAgent blockAccess
BrowserMatchNoCase ^EmailCollector blockAccess
BrowserMatchNoCase ^EmailSiphon blockAccess
BrowserMatchNoCase ^e-SocietyRobot blockAccess
BrowserMatchNoCase ^Exabot blockAccess
BrowserMatchNoCase ^FAST blockAccess
BrowserMatchNoCase ^FDM blockAccess
BrowserMatchNoCase ^GetRight/6.0a blockAccess
BrowserMatchNoCase ^GetWebPics blockAccess
BrowserMatchNoCase ^Gigabot blockAccess
BrowserMatchNoCase ^gonzo1 blockAccess
BrowserMatchNoCase ^Google\sSpider blockAccess
BrowserMatchNoCase ^ichiro blockAccess
BrowserMatchNoCase ^ie_crawler blockAccess
BrowserMatchNoCase ^iGetter blockAccess
BrowserMatchNoCase ^IRLbot blockAccess
BrowserMatchNoCase Jakarta blockAccess
BrowserMatchNoCase ^Java blockAccess
BrowserMatchNoCase ^KrakSpider blockAccess
BrowserMatchNoCase ^larbin blockAccess
BrowserMatchNoCase ^LeechGet blockAccess
BrowserMatchNoCase ^LinkWalker blockAccess
BrowserMatchNoCase ^Lsearch blockAccess
BrowserMatchNoCase ^Microsoft blockAccess
BrowserMatchNoCase ^MJ12bot blockAccess
BrowserMatchNoCase MSIECrawler blockAccess
BrowserMatchNoCase ^MSRBOT blockAccess
BrowserMatchNoCase ^noxtrumbot blockAccess
BrowserMatchNoCase ^NutchCVS blockAccess
BrowserMatchNoCase ^RealDownload blockAccess
BrowserMatchNoCase ^Rome blockAccess
BrowserMatchNoCase ^Roverbot blockAccess
BrowserMatchNoCase ^schibstedsokbot blockAccess
BrowserMatchNoCase ^Seekbot blockAccess
BrowserMatchNoCase ^SiteSnagger blockAccess
BrowserMatchNoCase ^SiteSucker blockAccess
BrowserMatchNoCase ^Snapbot blockAccess
BrowserMatchNoCase ^sogou blockAccess
BrowserMatchNoCase ^SpiderKU blockAccess
BrowserMatchNoCase ^SpiderMan blockAccess
BrowserMatchNoCase ^Squid blockAccess
BrowserMatchNoCase ^Teleport blockAccess
BrowserMatchNoCase ^User-Agent\: blockAccess
BrowserMatchNoCase VoilaBot blockAccess
BrowserMatchNoCase ^voyager blockAccess
BrowserMatchNoCase ^w3search blockAccess
BrowserMatchNoCase ^Web\sDownloader blockAccess
BrowserMatchNoCase ^WebCopier blockAccess
BrowserMatchNoCase ^WebDevil blockAccess
BrowserMatchNoCase ^WebSec blockAccess
BrowserMatchNoCase ^WebVac blockAccess
BrowserMatchNoCase ^Webwhacker blockAccess
BrowserMatchNoCase ^Webzip blockAccess
BrowserMatchNoCase ^Wells blockAccess
BrowserMatchNoCase ^WhoWhere blockAccess
BrowserMatchNoCase www\.netforex\.org blockAccess
BrowserMatchNoCase ^WX_mail blockAccess
BrowserMatchNoCase ^yacybot blockAccess
BrowserMatchNoCase ^ZIBB blockAccess
BrowserMatchNoCase ^$ blockAccess
-- ChrisEllis - 03 Mar 2009
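An added check (not part of the thread or of Foswiki's tooling) that ties the error-log line above to the configuration: it lists `<Directory>` blocks whose explicit `Options` line enables neither `FollowSymLinks` nor `SymLinksIfOwnerMatch`, and blocks where `AllowOverride` is anything but `None`, the setting the generated comments rely on to keep `.htaccess` files in `pub` from taking effect. The sample config and the names `parse_directories` and `audit` are constructed for this example; inherited and `+`/`-` merged options are not resolved.

```python
import re

# Constructed sample: two <Directory> blocks shaped like those in the posted config.
SAMPLE_CONF = '''
<Directory "/var/www/foswiki/bin">
    AllowOverride None
    Options ExecCGI FollowSymLinks
</Directory>
<Directory "/var/www/foswiki/pub">
    Options None
    AllowOverride None
</Directory>
'''

SYMLINK_OPTS = {"followsymlinks", "symlinksifownermatch"}

def parse_directories(conf):
    """Map each <Directory> path to its explicit Options / AllowOverride values."""
    blocks, current = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if m:
            current = blocks.setdefault(m.group(1).strip(), {"options": None, "allowoverride": None})
        elif line.lower().startswith("</directory>"):
            current = None
        elif current is not None:
            parts = line.split()
            if parts[0].lower() in ("options", "allowoverride"):
                current[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return blocks

def audit(conf):
    """Return (path, finding) pairs for the two conditions described in the lead-in."""
    findings = []
    for path, d in parse_directories(conf).items():
        opts = d["options"]
        # Condition named in the error log: neither symlink option is switched on.
        if opts is not None and not SYMLINK_OPTS & {o.lstrip("+") for o in opts if not o.startswith("-")}:
            findings.append((path, "no-symlink-option"))
        # An absent AllowOverride is not judged: its default differs between Apache versions.
        if d["allowoverride"] not in (None, ["none"]):
            findings.append((path, "htaccess-allowed"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```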
Heya Chris - you could crib off the foswiki debian package sources (including the Apache cfg) -
http://svn.foswiki.org/trunk/core/tools/pkg/debian/
or of course, just use them -
http://fosiki.com/Foswiki_debian/
-- SvenDowideit - 21 Mar 2009
OK - I finally found the solution to the problem. I am surprised that no-one else has come up against this problem.
Unless I am mistaken the ApacheConfigGenerator has generated a configuration for the /var/www/foswiki/pub (where the Skins reside) with Options None.
Obviously, it needs to be:
<Directory "/var/www/foswiki/pub">
Options FollowSymLinks SymLinksIfOwnerMatch
AllowOverride All
order allow,deny
allow from all
deny from env=blockAccess
ErrorDocument 404 /bin/viewfile
# Disable execution of PHP scripts
php_admin_flag engine off
# This line will redefine the mime type for the most common types of scripts
AddType text/plain .shtml .php .php3 .phtml .phtm .pl .py .cgi
#
#add an Expires header that is sufficiently in the future that the browser does not even ask if its uptodate
# reducing the load on the server significantly
#IF you can, you should enable this - it _will_ improve your Foswiki experience, even if you set it to under one day.
# you may need to enable expires_module in your main apache config
#LoadModule expires_module libexec/httpd/mod_expires.so
#AddModule mod_expires.c
#<ifmodule mod_expires.c>
# <filesmatch "\.(jpg|gif|png|css|js)$">
# ExpiresActive on
# ExpiresDefault "access plus 11 days"
# </filesmatch>
#</ifmodule>
#
</Directory>
# Spammers are known to attach