I am working on a system that needs to send Bearer token keys (JWT) for all URLs from an app our company is developing, the problem occurs when there is an attachment that needs to be downloaded, when clicking the link it fires the browser on the mobile device.
As you know this will not allow the headers to be set, so am working on a solution to add the header if it is emtpy.
Now I can get the env variable populated from the query string.
But I need a way to set the requestheader early along with the env= value, is this possible?
This is what I have:
RewriteCond %{QUERY_STRING} (?:^|&)token=([^&]+)
RewriteRule (.*) - [E=JW_TOKEN:%1]
RequestHeader setIfEmpty Authorization "Bearer %{JW_TOKEN}e" "env=JW_TOKEN"
What I need to do is something like:
RewriteCond %{QUERY_STRING} (?:^|&)token=([^&]+)
RewriteRule (.*) - [E=JW_TOKEN:%1]
RequestHeader setIfEmpty Authorization "Bearer %{JW_TOKEN}e" "env=JW_TOKEN early"
But this does not work.
I had a similar issue with HSTS. The most elegant way to conditionally set the header is (as described here: https://stackoverflow.com/a/24145033/3433306):
Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
But this cannot be combined with the early flag. However, we can set the header early and remove it later, if the environment variable is not set as required.
Header set Strict-Transport-Security "max-age=31536000" early
Header unset Strict-Transport-Security env=!HTTPS
In your case, this would make something like the following (not tested):
RewriteCond %{QUERY_STRING} (?:^|&)token=([^&]+)
RewriteRule (.*) - [E=JW_TOKEN:%1]
RequestHeader setIfEmpty Authorization "Bearer %{JW_TOKEN}e" "early"
RequestHeader unset Authorization "env=!JW_TOKEN"
Related
I've an apache 2.4 on a redhat server and I create an http-header in the httpd.conf with this directive:
RewriteEngine on
RewriteCond %{REMOTE_USER} (.*)
RewriteRule .* - [E=X_REMOTE_USER:%1]
RequestHeader set SM_USER %{X_REMOTE_USER}e
the SM_USER header is correctly created but is with domain (utente#domain.com).
I would like to remove the #domain.com using a sort of substring (even creating another header). which syntax I should to use?
thanks
I've found the solution using the regular expression:
RequestHeader set SM_USER %{X_REMOTE_USER}e
RequestHeader edit SM_USER (?=#)(\S+)
I am trying to add an Access-Control-Origin header in .htaccess for all URIs ending with .json. I cannot use <FilesMatch> as my paths are rewritten by mod_rewrite. (Or if I can it doesn't work.)
I found on Stack that it should be possible to do it with an env variable:
<IfModule mod_headers.c>
SetEnvIf Request_URI "\.json$" IS_JSON=TRUE
# ".json$" yields the same result
Header set Access-Control-Allow-Origin "*" env=IS_JSON
# "Header add" yields the same result
</IfModule>
But it does never add the header.
I tried using a snipper from another stack answer to check if the env variable is there using:
RewriteCond %{REQUEST_URI} !echo.php
RewriteRule .* echo.php?uri=%{REQUEST_URI}&json=%{ENV:IS_JSON} [L]
And it really was true.
When I remove the condition and leave it as:
Header set Access-Control-Allow-Origin "*"
the header is added, so the mod is loaded, but I would like to limit it for ".json$" only.
What am I doing wrong?
Instead of Header you probably meant to use RequestHeader to send custom headers to your code
SetEnvIf Request_URI \.json$ IS_JSON
RequestHeader set Access-Control-Allow-Origin "*" env=IS_JSON
The following RewriteRule in my htaccess file isn't getting the request header set.
Header set Access-Control-Allow-Origin "*"
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} ^(.*)&someUser=(.*)$
RewriteRule ^(.*)SDM$ http://some.domain.com/SDM/Publish.aspx [E=SOME:%2,R,L]
RequestHeader set Some-User: "%{SOME}e"
I don't think the SOME environment variable has anything to do with it because I tried a generic header value as well and it wasn't set either. I did make sure that mod-headers is installed. I am looking for the header in my chrome developer tools. Is it possible that it won't show up there?
Env variables won't be set while doing external redirect, you must do internal rewrite for setting env variables like this:
Header set Access-Control-Allow-Origin "*"
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (^|&)someUser=([^&]+) [NC]
RewriteRule ^(.*)SDM$ /SDM/Publish.aspx [E=SOME:%2,L]
RequestHeader set Some-User "%{SOME}e"
How do you access the query string from SetEnvIf? Somethig like:
SetEnvIf Query_String "p=path/to/file$" got_path
UPDATE:
In htaccess, I have:
SetEnvIf Request_URI !/folder/page1\.html$ NO_COOKIE
Header unset Cookie env=NO_COOKIE
RewriteRule (.*) /h.php?ref=$1 [L]
Basically, I ask h.php to take control of all user requests. And I use SetEnvIf to allow cookies only for /folder/page1.html.
However, it seems like Request_URI is always set to "h.php" and never to " /folder/page1.html" (maybe because of the redirection). For that reason I added ref=$1 to try to recognize which url it is being redirected from. Therefore I need to read the query string from SetEnvIf.
I hope I am making some sense.
You don't need to add a query string for this.
You can use:
# always start with NO_COOKIE=1
RewriteRule ^ - [E=NO_COOKIE:1]
# unset NO_COOKIE when URI is /folder/page1.html
RewriteCond %{THE_REQUEST} /folder/page1\.html
RewriteRule ^ - [E=!NO_COOKIE]
Header set NoCookie %{NO_COOKIE}e
RequestHeader set NoCookie %{NO_COOKIE}e
I'm redoing an entire website and the browser is using the cached index.html of pages that are at the same URL.
This is the entire content of the .htaccess file in one of the problem directories:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /products/
# Remove 'index.html' from the URL for old links that include it.
RewriteCond %{THE_REQUEST} ^.*\index\.html?\ HTTP/
RewriteRule ^(.*)index\.html?$ "/products/$1" [R=301,L]
# Use index.php for all requests.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^ /products/index.php [L]
</IfModule>
# An atempt to tell the browser not to use a cached .html file.
ExpiresActive on
ExpiresByType text/html "access plus 0 seconds"
<FilesMatch "\.(html)$">
Header set Cache-Control "private, must-revalidate"
</FilesMatch>
I've tried multiple things here, but nothing is working. This is all I see in the headers:
Request URL:http://www.example.com/products/
Request Method:GET
Status Code:200 OK (from cache)
There are no Request Headers or Response Headers.
I'm thinking I can maybe try a RewriteRule to add something like ?28032012 to the end of something, but I don't know how to even attempt that.
I've read that appending ?version=<%=version%> to problematic file names is a good method of cache busting. You may also try as an easier solution the http header "cache-control: max-age = 600" so that anything on the page that is 10 minutes or older is pulled from the server.
You can just append /? to the end of your URL.
Example:
www.google.com/?
The solution I ended up using for this was to redirect all www requests to non www requests. So basically, this approach prevented any browsers from using any cached resources because the www version of the site no longer exists.
This is worked for me.
<IfModule mod_headers.c>
Header set Cache-Control "no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires 0
</IfModule>
Reference: https://wp-mix.com/disable-caching-htaccess/