I am using a service that sends headers in All Caps and with underscores. Following the answers in this question I have added the following lines of code to my .htacces file.
SetEnvIfNoCase ^HTTP.X.KOPOKOPO.SIGNATURE$ ^(.*)$ fix_http_x_kopokopo_signature=$1
RequestHeader set HTTP-X-KOPOKOPO-SIGNATURE %{fix_http_x_kopokopo_signature}e env=fix_http_x_kopokopo_signature
Here is the problem, when I check my $_SERVER superglobal variable for the header HTTP_X_KOPOKOPO_SIGNATURE it is not present and instead I find fix_http_x_kopokopo_signature without any value.
I am on apache 2.4.51 and laravel 8.
Related
I'm currently working on Shopify app, one of their main requirement is to add an iframe-protection. here is more info
Currently, to resolve this I need the CSP to set should be in this format :
Content-Security-Policy: frame-ancestors https://shopify-dev.myshopify.com https://admin.shopify.com;
The https://shopify-dev.myshopify.com in above code should be the merchant/ requester domain.
What I tried?
I created .htaccess file with following, it's not adding the dynamic url.
<IfModule mod_rewrite.c>
RewriteEngine On
Header set Content-Security-Policy "frame-ancestors '%{HTTP_HOST}' 'https://admin.shopify.com';"
</IfModule>
This is what I'm getting in console:
Apache
On Apache, you would need to do it like this instead:
### Apache ###
Header set Content-Security-Policy "frame-ancestors https://%{HTTP_HOST}e https://admin.shopify.com;"
Note the e after %{HTTP_HOST}e (specific syntax for mod_headers). I've also removed the single quotes (not present in the Spotify example) and included the https:// protocol.
The <IfModule> and RewriteEngine On directives are irrelevant here.
Reference:
https://httpd.apache.org/docs/current/mod/mod_headers.html#header
UPDATE:
LiteSpeed
However, if you are using LiteSpeed (as opposed to Apache) you will instead need to first explicitly assign the Host header to an environment variable and use this in the Header directive instead. (Apache is able to access server variables directly using this syntax, but not LiteSpeed.)
For example:
### LiteSpeed ###
# Assign the "Host" header to an env var "HOSTNAME"
SetEnvIf Host "(.*)" HOSTNAME=$1
# Use "HOSTNAME" (env var) instead in the Header directive
Header set X-Content-Security-Policy "frame-ancestors https://%{HOSTNAME}e https://admin.shopify.com;"
Attempting to use the syntax %{HTTP_HOST} (as you originally had) on Apache would have resulted in a 500 Internal Server Error (with the error "Unrecognized header format %" being reported in the error logs). However, on LiteSpeed this just outputs the literal string {HTTP_HOST} and no error.
I am using apache 2.2. I have to set header for home page url only. e.g If url is https://www.example.com then I need to set header for this URL only. Could you please help me on this?
I have tried below things but no luck.
If condition used but not working for this version.
RewriteCond %{REQUEST_URI} /
Header set ABC "abc"
Here, Header is setting for all URLs in the application
In a project a had to run CA Webagent Siteminder which sends me legacy headers with underscores. Since Apache 2.4 underscores are deprecated and dropped silently.
I need a workaround via mod_headers which converts all underscores _ to dashes - in the request-header.
Before
legacy_header_one
legacy_header_two
legacy_header_three
After
legacy-header-one
legacy-header-two
legacy-header-three
You have two options here:
Apache Bypass
#
# The following works around a client sending a broken Accept_Encoding
# header.
#
SetEnvIfNoCase ^Accept.Encoding$ ^(.*)$ fix_accept_encoding=$1
RequestHeader set Accept-Encoding %{fix_accept_encoding}e env=fix_accept_encoding
Siteminder Bypass
#its not explicitly stated but im assuming this should be in your WebAgent.conf file
LegacyVariables="NO"
EDIT:
I know this doesn't directly answer your question of converting from _ to - but it is an answer to help mitigate the Apache 2.4 vs. CA Siteminder header issue.
In your virtualhost config:
SetEnvIfNoCase ^OAM.REMOTE.USER$ ^(.*)$ fix_accept_encoding=$1
RequestHeader set OAM-REMOTE-USER %{fix_accept_encoding}e env=fix_accept_encoding
If you are using mod_wsgi for Django or Flask, you will need to add:
WSGIPassAuthorization On
I am attempting to add CORS handling using apache and mod_rewrite. The apache instance is front-ending multiple tomcat applications using mod_jk. Some of these applications have their own logic for adding CORS headers Access-Control-Allow-Origin, Access-Control-Max-Age, etc.
For the applications that didn't take care of the CORS logic, I would like to manage it on apache using mod rewrite.
Does anyone know if its possible to add a header to an HTTP response using mod_rewrite only if the header doesn't already exist? The browser reports an error if the CORS origin header is written twice.
mod_rewrite is to rewrite url's, not to set headers. What you want to use is mod_headers (documentation).
I don't know if mod_rewrite runs before mod_headers, but I would suggest to set environment variables using SetEnvIf instead (documentation).
You can do something like this:
SetEnvIf Request_URI "^/my/app/(.*)/?$" ADDHEADERS=1
Header set Access-Control-Max-Age 123456 env=ADDHEADERS
I want to process a request header using a custom rewrite map.
Therefore I want to have the content of the header in an environment variable.
I have not found a way to do that with mod_headers and/or mod_rewrite.
Any help is appriciated.
Mod_rewrite example for the request header "X-Forwarded-For":
RewriteRule .* - [E=X-Forwarded-For:%{HTTP:X-Forwarded-For}]