Concatenate environment variable in Apache RequestHeader - apache

Background: I am trying to set an Authorization header from my Apache VirtualHost config when a JWT is sent as a query parameter.
I am really close to getting this to work, but I have run into one final issue. The header must be in the form of:
Authorization: Bearer token
Here is the relevant config I have so far:
RewriteCond %{QUERY_STRING} jwt=(.*)
RewriteRule ^(.*)$ - [env=JWT:%1]
RequestHeader setifempty Authorization "Bearer %{JWT}e"
It ALMOST works, however, the header is set like so:
Authorization: ('Bearer ' 'token')
How can I make it so that the value of the header is concatenated into a single string without the parentheses and separate strings?
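A tightened version of the capture above, as an added example that is not part of the original question and does not address the parenthesized output. It anchors the parameter name, accepts only a three-segment base64url token, and logs requests without the query string so the token stays out of the access log. The log path and the `noquery` format name are assumptions.

```apache
# Added example for VirtualHost context (requires mod_rewrite, mod_headers,
# mod_log_config). Names marked "assumed" are not from the original post.

RewriteEngine On

# The original pattern jwt=(.*) is unanchored and greedy: it also matches
# a parameter such as "xjwt=", and it captures everything after the "=",
# including any following "&other=params".
#
# This pattern requires "jwt" to be a whole parameter name and the value to
# be exactly three dot-separated base64url segments, ending at "&" or at
# the end of the query string. Anything else sets no variable at all.
RewriteCond %{QUERY_STRING} (?:^|&)jwt=([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)(?:&|$)
RewriteRule ^ - [E=JWT:%1]

# Same header directive as in the question, but only evaluated when the
# JWT variable was actually set by the rule above.
RequestHeader setifempty Authorization "Bearer %{JWT}e" env=JWT

# A token in the URL is written to the access log by the default formats,
# which log the full request line (%r). Log method, path (%U carries no
# query string) and protocol separately instead.
# "noquery" and the log path are assumed names.
LogFormat "%h %l %u %t \"%m %U %H\" %>s %b" noquery
CustomLog logs/access_log noquery
```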

Related

Apache httpd mod_headers disobedience

I have a client sending basic authentication credentials in a header named "Basic authentication", instead of the correct "Authorization". I can't fix the client, so I'm trying to work around the problem on the server.
This works and sets the "X-Authorization" header to whatever value was sent by the client in the "Basic authentication" header:
SetEnvIf ^Basic.authentication$ ^(.*)$ fixauth=$1
RequestHeader set X-Authorization %{fixauth}e env=fixauth
This sets the environment variable fixauth, but then RequestHeader does nothing:
SetEnvIf ^Basic.authentication$ ^(.*)$ fixauth=$1
RequestHeader set Authorization %{fixauth}e env=fixauth
Using "RequestHeader add" makes no difference. It looks as if mod_headers is refusing to touch the Authorization header, but there is nothing about it in the documentation and nothing that I could find in the source code.
What exactly is the problem? Why does setting X-Authorization work, but setting Authorization does not?

Using mod_rewrite to extract request headers before authentication

I need to rewrite a URL to copy an authentication token from the URL into a header (because a new client can't use headers), and remove the (large) token from the URL.
<Location /foo/>
RewriteEngine On
RewriteRule ^(.*)/(authtoken)/([^/]*)(.*)$ $1$4 [E=HAS_auth:$3,L]
RequestHeader set AUTHTOKEN %{HAS_auth}e env=HAS_auth
SetHandler perl-script
PerlAccessHandler AuthHandler
</Location>
So a request of the form "/foo/boo/moo/authtoken/baaaaaa/bar" is rewritten as "/foo/boo/moo/bar" and a request header "AUTHTOKEN: baaaaaa" added to the request.
The URI is being rewritten, and the test env var is being set, but the access handler (mod_perl) does not see the AUTHTOKEN header, or even ENV{HAS_auth} although the rewrite is working (I logged it).
Is it possible to actually rewrite and set headers before the authentication (access) handler, and if so, how?

Using Mod_Rewrite to edit a cookie conditionally

My cookie value JSESSIONID is of the form id.bunchofstuff
My cookie value name_of_msfcookie is of the form bunchofstuff2
If the MSF cookie exists, I want to change my JSESSIONID to id.bunchofstuff2.
But how? Here is my attempt:
RewriteEngine On
# checks for existence of value (value can be any character or series of characters) in cookie
RewriteCond %{HTTP_COOKIE} name_of_msfcookie=(.*)
RewriteRule ^(.*) - [CO=JSESSIONID:JSESSIONID[7].name_of_msfcookie:.place.com]
It doesn't work - I think JSESSIONID[7].name_of_msfcookie is invalid syntax )-=. I can't think of any valid syntax to do it.
That syntax works fine for me and the cookie that gets set looks correct. This is what I see when I send a request to apache with those rules with a name_of_msfcookie=something cookie:
Set-Cookie: JSESSIONID=JSESSIONID[7].name_of_msfcookie; path=/; domain=.place.com
Vary: Cookie
Not sure if that's what you are trying to do though. Note that the [CO] flag sends the cookie to the browser.

Apache mod_cache: Vary cache based on cookie values

Currently, I am using mod_cache to cache the page details of a web application.
I have the cache Vary based on User-Agent and Accept-Language, since there are different payloads for those situations.
Vary: User-Agent, Accept-Language
We have plans to have region-specific information on each page, but this is where we are trying to determine our caching strategy.
We have a cookie that persists to indicate the region we geolocated for, but obviously the cache does not vary based on this cookie.
Is it possible to vary based on the value of certain cookies or headers in general? (Note I say certain cookies, as we wouldn't want the session identifier to collide with this) - something like a regex match to this:
location=(.+?);
That is possible using Apache. It can parse the cookie value and pass it to a custom header; then you need to Vary by this header:
# Set languageC cookie value to environment variable "siteLanguage"
RewriteCond %{HTTP_COOKIE} ^.*lunetics_locale.*$ [NC]
RewriteCond %{HTTP_COOKIE} (?:^|;\s*)lunetics_locale=([^;]*) [NC]
RewriteRule ^(.*)$ - [env=siteLanguage:%1]
# If no languageC cookie present. Set "siteLanguage" environment variable to "en"
RewriteCond %{HTTP_COOKIE} !^.*lunetics_locale.*$ [NC]
RewriteRule ^(.*)$ - [env=siteLanguage:en]
# Set environment variable "siteLanguage" value to custom header "SiteLanguage"
RequestHeader set X-Language "%{siteLanguage}e" env=siteLanguage
and add Vary X-Language to your response headers.
I'm not sure this is the best way; I have a related question and problems with this: Is it possible to vary page caches (to have cache versions) with the same url and different cookie value (language)?

mod_rewrite help to change Content-disposition based on URI

I have a directory of mp3 files and want to be able to serve them inline or give the user an option to download, based on the request URI.
/media/file1.mp3 -- in this case, I just want to serve the file and let the browser play it.
/media/download/file1.mp3 -- in this case, I want to make it easy for a user to download the file instead.
I have been able to accomplish this with mod_rewrite and php (using the header() and readfile() functions) but I would rather do it all with mod_rewrite, mod_headers etc. if possible.
IfDefine will check variables set on start-up of Apache so that won't work. A valid config would be:
SetEnvIf Request_URI ^/media/download/ force-download
Header set Content-Disposition attachment env=force-download
Also changing the Content-Type is not necessary to force a download.
With mod_rewrite you can only change some specific header fields, and the Content-Disposition header field is not one of them. You could only change the Content-Type header field:
RewriteRule ^media/[^/]+\.mp3$ - [L,T=audio/mpeg]
RewriteRule ^media/download/[^/]+$ - [L,T=application/octet-stream]
And if you want to use a mod_headers+mod_setenvif solution:
SetEnvIf Request_URI ^/media/download/ force-download
<IfDefine force-download>
Header set Content-Disposition attachment
Header set Content-Type application/octet-stream
</IfDefine>
If you want to base the rule on parameters in the URI, here is the logic / syntax (adapt RewriteCond):
RewriteCond %{QUERY_STRING} ^dl=1$
RewriteRule ^ - [L,E=FORCEDOWNLOAD:1]
Header set Content-Disposition attachment env=FORCEDOWNLOAD
Here, we force download if the only parameter is "dl=1"