Following this - https://www.ibm.com/support/pages/configuring-cors-websphere-application-server - I am trying to configure Apache for multiple origin domains and it isn't working. I have the following:
<IfModule setenvif_module>
SetEnvIfNoCase Origin "https?://(dev.mydomain.com|qa.mydomain.com|mydomain.com|myotherdomain.com|www.myotherdomain.com)(:\d+)?$" ACAO=$0
SetEnvIfNoCase REQUEST_METHOD OPTIONS skipwas=1
</IfModule>
<IfModule headers_module>
Header onsuccess unset Access-Control-Allow-origin env=ACAO
Header always set Access-Control-Allow-Origin "%{ACAO}e" env=ACAO
Header always append Vary "Origin"
</IfModule>
This results in a no ACAO header present in the logs when I open up the Chrome console and attempt to fetch from any of the present domains. Just wondering what I'm doing wrong?
Related
This question already has answers here:
Set Apache headers conditionally
(2 answers)
Closed 4 years ago.
I'm new in Apache server configuration, now I try to enable CORS.
With follow setting in httpd.conf, CORS can work properly.
<VirtualHost *:80>
DocumentRoot /var/www/html/
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]
Header always set Access-Control-Allow-Origin "http://example.com"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header always set Access-Control-Allow-Headers: "Content-Type"
</VirtualHost>
But current server always set Access-Control-Allow-xxx header to all coming request (Both Pre-flight OPTIONS request and actual request).
I only want to add Access-Control-Allow-xxx header for Pre-light request from setting origin (http://example.com), have any way to config for it?
I've read this question, and setenvif manual, but I can't find any option that I can extract Origin info from the request.
I will be grateful for any help you can provide.
As SetEnvIf document, attribute in SetEnvIf attribute regex [!]env-variable syntax, can be An HTTP request header field (see RFC2616 for more information about these); for example: Host, User-Agent, Referer, and Accept-Language.
So I can resolve with below config.
<VirtualHost *:80>
DocumentRoot /var/www/html/
SetEnvIf Origin "^http://fiddle.jshell.net$" ORIGIN_COND
Header always set Access-Control-Allow-Origin "http://example.com" env=ORIGIN_COND
...
</VirtualHost>
Thanks #CRroe and #arco444 make me clearly.
Having issues setting up a generic Allow Origin for any subdomain in my .htaccess file. The following works for a singular subdomain:
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin http://subdomain.website.com
</IfModule>
But what I am looking for is something similar to this:
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin {ANY SUBDOMAIN}.website.com
</IfModule>
I have tried using a simple *.website.com wildcard, but that does not seem to work. Do you have to specify exactly what is coming in?
If you're looking to do it for whatever subdomain was being requested, try the following:
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin %{HTTP_HOST}
</IfModule>
If you need something more advanced, use mod_rewrite to set an environment variable and then refer to it using %{variable_name}e
I am trying to add an Access-Control-Origin header in .htaccess for all URIs ending with .json. I cannot use <FilesMatch> as my paths are rewritten by mod_rewrite. (Or if I can it doesn't work.)
I found on Stack that it should be possible to do it with an env variable:
<IfModule mod_headers.c>
SetEnvIf Request_URI "\.json$" IS_JSON=TRUE
# ".json$" yields the same result
Header set Access-Control-Allow-Origin "*" env=IS_JSON
# "Header add" yields the same result
</IfModule>
But it does never add the header.
I tried using a snipper from another stack answer to check if the env variable is there using:
RewriteCond %{REQUEST_URI} !echo.php
RewriteRule .* echo.php?uri=%{REQUEST_URI}&json=%{ENV:IS_JSON} [L]
And it really was true.
When I remove the condition and leave it as:
Header set Access-Control-Allow-Origin "*"
the header is added, so the mod is loaded, but I would like to limit it for ".json$" only.
What am I doing wrong?
Instead of Header you probably meant to use RequestHeader to send custom headers to your code
SetEnvIf Request_URI \.json$ IS_JSON
RequestHeader set Access-Control-Allow-Origin "*" env=IS_JSON
Our assets are in a sub domain and in order to overrun security features of our platform so we can add a Json query we have to add the following htaccess code
<FilesMatch "\.(ttf|otf|eot|woff)$">
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
</FilesMatch>
Header add Access-Control-Allow-Origin "*"
However the last line "Header add Access-Control-Allow-Origin "*"" creates an internal server error on my local machine, which is odd because we do not get the same error on our prod environment. We are using Apache 2.2.22 php 5.4.3.
Any help is appreciated thanks.
Is it possible you do not have mod_headers enabled?
Secondly I think you may want to put the IfModule block outside the FilesMatch block. Like so
# Allow access from all domains for web fonts
<IfModule mod_headers.c>
<FilesMatch "\.(eot|font.css|otf|ttc|ttf|woff)$">
Header set Access-Control-Allow-Origin "*"
</FilesMatch>
</IfModule>
Code taken directly from https://github.com/h5bp/html5-boilerplate/blob/master/.htaccess#L45
I made my own cache-control rule in httpd.conf. ANd need to apply different rules on each different sub directories.
I made no-cache for .do extension for default(httpd.conf).
# use .htaccess files for overriding,
AccessFileName .htaccess
...
<ifModule mod_headers.c>
<LocationMatch "\.(do)$">
Header append Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
</LocationMatch>
</ifModule>
And need to cache for some directories(.htaccess).
example URL : XXX.com/en/product.do
So I made a .htaccess on <webRoot>/en.
<ifModule mod_headers.c>
<LocationMatch "\.(do)$">
Header set Cache-Control "max-age=216000, public, must-revalidate"
</LocationMatch>
</ifModule>
Am I going wrong? Is there other way to rule different on different directories?
Nothing like <locationMatch> can be used in .htaccess; it will generate a runtime error.
Also, usually *.do is proxied, in which case no filesystem directory would ever be read for .htaccess.
I suggest putting the second stanza first, and adding ^/en/ to the front.