Apache-2.2 Set-Cookie on logic from a response header - apache

I need to set a cookie based on a response header (as opposed to a request header). The response header is set by a SOAP call to a backend, and is out of Apache's control.
I've looked into SetEnvIf, but it states that it investigates request headers only. mod_rewrite's {HTTP:parm} construct also seems to apply to request headers only.
Request comes in
Response header is generated by the backend
Apache inspects the response header FooBar
Apache adds Set-Cookie if the response header FooBar value matches "string"
Any ideas out there?

It looks like this can be done with mod_headers, but unfortunately only with Apache 2.4, since expressions were only added in 2.4. You would do something like:
Header set Set-Cookie "cookie-contents-here" "expr=%{resp:Content-Type} =~ m|application/pdf|"
If you can't upgrade to 2.4, you might consider putting Varnish Cache in front of your Apache install. It's a powerful HTTP processor and can easily handle modifying the response for you. You could also implement caching with it and increase the performance of your site, but it can just be used as a pass-through HTTP processor if you don't want to do that. Perhaps there's a simpler solution but that would work.
Another option could be to put a layer in between Apache and your back-end, such as a PHP script, that handles passing the call to the back-end and modifying the headers on the way back out. Probably not great for performance though; upgrading Apache or implementing Varnish Cache would be better.
If you're using a separate back-end out of Apache's control, then you might take Apache out of the loop completely and go straight from Varnish Cache to your back-end.
Hope the ideas help.
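The 2.4 approach from this answer applied to the FooBar header from the question, as an added example that is not part of the original answer. It assumes Apache 2.4 with mod_headers and mod_proxy loaded; the backend URL, the cookie name `foo` and the matched value `string` are placeholders.

```apache
# Added example, not from the original answer. Assumes Apache 2.4 with
# mod_headers and mod_proxy; backend URL, cookie name and value are placeholders.
<Location "/soap/">
    ProxyPass        "http://backend.internal:8080/soap/"
    ProxyPassReverse "http://backend.internal:8080/soap/"

    # mod_headers evaluates this late, after the proxied response has arrived,
    # so %{resp:FooBar} sees the header the backend sent (a request header
    # would be %{req:FooBar}). 'add' rather than 'set': 'set' would overwrite
    # any Set-Cookie the backend itself emitted.
    Header add Set-Cookie "foo=1; Path=/; Secure; HttpOnly; SameSite=Lax" \
        "expr=%{resp:FooBar} == 'string'"

    # Keep the backend's internal signalling header off the wire. This must
    # come after the directive above, which still needs to read it.
    Header unset FooBar
</Location>
```

Plain `Header` acts on 2xx responses only; if the backend may answer the SOAP call with a redirect or an error that also has to carry the cookie, use `Header always add`. Check the result with `curl -si https://host/soap/...` and look for both the backend's Set-Cookie lines and the added `foo=1` line.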

Related

Confusion on the 'Access-Control-Allow-Origin' header with apache

Let's say I have my website named SiteA.com running on an Apache web server. I have defined the following in my httpd.conf file:
Header set Access-Control-Allow-Origin "CustomBank.com"
Questions:
Does this mean only CustomBank.com can access my site (SiteA.com) directly, or does it mean only my site (SiteA.com) can access the CustomBank.com domain directly? I am confused whether this setting is for inbound or outbound.
In reality I don't have any CORS requirement for my site, so I didn't implement the setting mentioned above; yet the one below shows up in my response header.
Access-Control-Allow-Origin: *
The penetration testing team said this setting is overly permissive. Do I just need to remove it? If not, what should I do?
It means JavaScript loaded from CustomBank.com can make requests to your site (the site whose configuration has changed) via XMLHttpRequest in the background.
Since XMLHttpRequest will send a user's existing session cookie with your site, malicious scripts could do all kinds of nefarious/misleading things on behalf of your user. That's why * is not normally a suitable fix.
The restrictions also apply to other, more esoteric script-like invocations, which you can read about in the specs.
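What replacing the wildcard looks like in Apache configuration, as an added example that is not from the original answer. It assumes mod_headers and mod_setenvif are loaded; the allowed origins `app.example.com` and `admin.example.com` are placeholders.

```apache
# Added example, not from the original answer. Assumes mod_headers and
# mod_setenvif are loaded; the allowed origins are placeholders.

# Overly permissive: scripts on any site may read responses from this server.
# Header set Access-Control-Allow-Origin "*"

# If nothing legitimately calls this site cross-origin, strip the header the
# application or another config adds. 'always' covers error responses too.
# Header unset        Access-Control-Allow-Origin
# Header always unset Access-Control-Allow-Origin

# Otherwise echo the Origin back only when it is on an explicit allowlist.
# The regex is anchored and SetEnvIf is case-sensitive, so neither
# "https://app.example.com.evil.net" nor "http://app.example.com" matches.
SetEnvIf Origin "^https://(app|admin)\.example\.com$" CORS_ORIGIN=$0
Header set Access-Control-Allow-Origin "%{CORS_ORIGIN}e" env=CORS_ORIGIN

# Only if cookie-bearing cross-origin calls are actually required; never
# combine this with an Origin that is reflected without the allowlist above.
Header set Access-Control-Allow-Credentials "true" env=CORS_ORIGIN

# Caches must key on Origin, or one origin's ACAO value is replayed to another.
Header merge Vary "Origin"
```

`$0` in the SetEnvIf value is the whole matched Origin, so the header echoes exactly what the allowlist accepted. Test with `curl -si -H "Origin: https://app.example.com" https://SiteA.com/` (expect the echoed origin) and with an origin that is not listed (expect no Access-Control-Allow-Origin at all).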

Is there any way to get the original Host header value?

This article says:
With these added headers, Cloudflare passes on all HTTP headers as is from the client to the origin.
However, there doesn't appear to be a standard way to get the Host from the original request.
Is there a way to do this, either via standard options or enterprise option?

Rewrite Apache session cookie to append 'expires' attribute

I'm using Apache as a reverse proxy with forms authentication.
Using SessionMaxAge I can set the cookie to expire after 24 hours.
This renders the 'max-age' attribute into the cookie.
Unfortunately Internet Explorer only accepts the 'expires' attribute.
Is there a way to, for example, rewrite the cookie before sending it to the client?
Thanks in advance.
Kind regards,
Kevin
Yes, it is possible to edit both request and response headers using the Header directive in mod_headers.
The best approach would probably be to use Header edit Set-Cookie ^(.*)$ $1;Expires..... However, mod_headers can't produce the actual Expires string itself (it doesn't know how to produce that date format), so you will have to put that inside the original cookie or another header, then grab it from there and put it into the Header directive. It's quite complicated, but it is possible.
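One way to do what this answer describes, as an added example that is not the answer's own configuration. It assumes Apache 2.4.7 or later (for the `note` action of `Header`), a backend that sends the expiry as an HTTP-date in an extra response header, here called `X-Session-Expires` (a placeholder), and a session cookie named `session` (also a placeholder).

```apache
# Added example, not from the original answer. Assumes Apache 2.4.7+ with
# mod_headers; X-Session-Expires and the cookie name "session" are placeholders.

# 1. Copy the backend-supplied HTTP-date into a note, because the format
#    specifiers usable in a replacement string can read notes (%{...}n) and
#    environment variables (%{...}e) but not response headers.
Header note X-Session-Expires session_expires

# 2. Append Expires to the session cookie only. The negative lookahead skips a
#    cookie that already carries an Expires attribute, so the rule is safe to
#    apply twice, and the expr condition skips the edit entirely when the
#    backend sent no date (which would otherwise produce a malformed Expires).
Header edit Set-Cookie "(?i)^(session=(?:(?!;\s*expires=).)*)$" \
    "$1; Expires=%{session_expires}n" "expr=-n %{resp:X-Session-Expires}"

# 3. Keep the helper header internal.
Header unset X-Session-Expires
```

The three directives must stay in this order: `note` has to run before `edit` consumes the note, and `unset` has to run after `edit`, whose condition still reads the header. Since `Max-Age` remains in the cookie, browsers that understand it keep preferring it over `Expires`, so the two dates should agree; the backend that computes the date is the right place to enforce that.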

Set and check STS Header is present

I have (hopefully) set Apache to issue an STS header for all HTTPS traffic as described in How to set HSTS header from .htaccess only on HTTPS
I was hoping to be able to verify that this was working by looking at the response header in chrome dev tools but there doesn't seem to be anything in there related to it:
Is there a way to check that this is functioning correctly? Any help much appreciated.
You can check this is working correctly by looking for the strict-transport-security header in the response headers (in the dev tools where you have taken your screenshot).
If you try the same request you've made with the dev tools with https://accounts.google.com/, for example, you should see an entry like this:
strict-transport-security:max-age=10893354; includeSubDomains
You were already on the right track, but there's probably something wrong with the way you've configured your server.
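A configuration that produces the header this answer says to look for, as an added example that is not from the original answer. It assumes Apache 2.4 with mod_headers and mod_ssl; `www.example.com` is a placeholder.

```apache
# Added example, not from the original answer. Assumes Apache 2.4 with
# mod_headers and mod_ssl; www.example.com is a placeholder.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    # 'always' puts the header on redirects and error pages too; a plain
    # 'Header set' only touches 2xx responses, which is a common reason the
    # header appears to be missing when the page you inspect was a 301/302.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
</VirtualHost>

<VirtualHost *:80>
    ServerName www.example.com
    # Browsers ignore HSTS received over plain HTTP, so do not send it here;
    # just move the client to HTTPS, where the header above takes effect.
    Redirect permanent "/" "https://www.example.com/"
</VirtualHost>
```

When a single .htaccess has to serve both ports, the equivalent is `Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS`, since mod_ssl sets the `HTTPS` environment variable on TLS connections. To verify outside the browser, `curl -sI https://www.example.com/ | grep -i strict-transport-security` should print the header, and the same against `http://` should print nothing.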

Restful Webservices Caching Data

Want to know where exactly data will be cached in Restful Webservices? Please avoid saying browsers cache Restful webservices data.
REST is based on HTTP.
In HTTP you do not know if your data is cached somewhere. It may be in the browser or in any node in between the client and the server.
However your REST-Server may add the Cache-Control HTTP header to its response, e.g. Cache-Control: No-Cache to mark the response as not to cache.
There is no guarantee that this will not be ignored by a proxy or whatever.
Your client can also request to not cache data. In jQuery you just add cache: no to the AJAX request and it will do the trick.
If jQuery is not available you will have to use the If-Modified-Since header (http://www.w3.org/Protocols/HTTP/HTRQ_Headers.html#if-modified-since).
Probably this post cleared my doubt.
http://www.openlogic.com/wazi/bid/283625/Caching-web-service-results-can-enhance-Apache-application-performance.
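Setting the Cache-Control header the answer mentions from the Apache side, as an added example that is not from the original answer. It assumes mod_headers is loaded and that the REST resources live under `/api/` with a public subset under `/api/public/` (both placeholders).

```apache
# Added example, not from the original answer. Assumes mod_headers; the
# /api/ and /api/public/ paths are placeholders.
<Location "/api/">
    # Responses carrying per-user data: forbid storage anywhere (browser,
    # proxy, CDN). 'no-store' is stronger than 'no-cache', which only forces
    # revalidation and still lets an intermediary keep a copy on disk.
    Header always set Cache-Control "no-store, max-age=0"
    # Older HTTP/1.0 intermediaries look at Pragma instead of Cache-Control.
    Header always set Pragma "no-cache"
</Location>

# The more specific section is merged after the one above, so its 'set'
# wins: public, user-independent resources may be cached briefly but must be
# revalidated with If-Modified-Since / If-None-Match once stale.
<Location "/api/public/">
    Header always set Cache-Control "public, max-age=300, must-revalidate"
</Location>
```

`curl -sI https://host/api/me` and `curl -sI https://host/api/public/rates` should show the two different Cache-Control lines. As the answer notes, a misbehaving proxy can still ignore these; the header is the server's instruction, not a guarantee.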