mod_rewrite: add a header if it doesn't already exist - apache

I am attempting to add CORS handling using apache and mod_rewrite. The apache instance is front-ending multiple tomcat applications using mod_jk. Some of these applications have their own logic for adding CORS headers Access-Control-Allow-Origin, Access-Control-Max-Age, etc.
For the applications that didn't take care of the CORS logic, I would like to manage it on apache using mod rewrite.
Does anyone know if its possible to add a header to an HTTP response using mod_rewrite only if the header doesn't already exist? The browser reports an error if the CORS origin header is written twice.

mod_rewrite is to rewrite url's, not to set headers. What you want to use is mod_headers (documentation).
I don't know if mod_rewrite runs before mod_headers, but I would suggest to set environment variables using SetEnvIf instead (documentation).
You can do something like this:
SetEnvIf Request_URI "^/my/app/(.*)/?$" ADDHEADERS=1
Header set Access-Control-Max-Age 123456 env=ADDHEADERS

Related

HTTPS - Cookie "HttpOnly" and "secure "

My website is running under HTTPS protocol and I use only 1 cookie (PHPSESSID). My server is Apache 2.2.22. I noticed that my cookie doesn't have the "HttpOnly" and "Secure" headers, then I tried to set it via my .htaccess :
Header set Set-Cookie HttpOnly;Secure
By the way, the .htaccess works perfectly (url rewriting, deflate, expire headers, Etags etc...). But now... my website generates 4 cookies and PHPSESSID seems not to be secure :
Am i missing something ?
.htaccess is the wrong way to go about this.
PHP has session configuration options for this, you can either set them in your PHP configuration in the usual way (php.ini, ini_set, …), or via a dedicated function call.
session.cookie_httponly and session.cookie_secure are the relevant options here.
See http://php.net/manual/en/session.configuration.php and http://php.net/manual/en/function.session-set-cookie-params.php for additional details.

Get mod_proxy to pass a custom header to backend

I have a Python backend that is being reverse proxied by Apache/mod_proxy using fcgi (httpd 2.4 on rhel7).
I have a client that sets a custom header in the request, however mod_proxy does not appear to be sending that header on to the backend.
I know something similar exists for the host as ProxyPreserveHost - I would like to know how to do something similar for a custom header.
Can I do that with mod_proxy, or will I need to fall back on to mod_rewrite in some way?
TIA
It seems this line preserves the Header for reasons I don't quite understand:
SetEnvIf HTTP_MY_HEADER "(.*)" MY_HEADER=$0
The reason I don't understand this is that I am setting an Env var here, not a header -- are Env vars automatically turned into headers?
I though I might have to do this also, but was unnecessary:
RequestHeader set HTTP_MY_HEADER "${MY_HEADER}e"
I suppose this is an answer as "it works", although I would love to know why...

problems using mod_headers with php-fpm/mod_fastcgi

I'm trying to add HSTS headers to every response, across my app.
My first thought was to use mod_headers — I placed this directive in an .htaccess file at the documentroot:
Header set Strict-Transport-Security "max-age=7776000"
This works fine on my local setup using Apache 2.2 and mod_php. All resources respond with the appropriate HSTS header.
My deployment environment uses Apache 2.2 and mod_fastcgi and the above technique works for any resource except php files.
Another SO question had a similar problem, where incoming requests (?) had headers stripped — but I'm concerned about modifying headers of response leaving the server.
How can I add response headers to php resources in the context of an .htaccess file?
According to the docs for mod_headers you probably need to set the optional conditional flag for the header directive.
So in this case, it would become
Header always set Strict-Transport-Security "max-age=7776000"

Can you use mod_rewrite to remove user-agent

Our application has a filter that uses the user-agent of incoming requests to redirect to our mobile site if appropriate. We have recently added a page to our web app that should be referenced by all types. We will be adding whitelist functionality to the filter in the longer term but in the short term we would like a simple way to stop the filter from triggering.
If we can remove or overwrite the user-agent from the request we will achieve our short-term aim, but this needs to be done in such a way so to avoid redeploying. Something like a mod_rewrite rule would be ideal.
Can mod_rewrite, or something similar, do the job? It would need to be a standard apache module so we don't have to do more than add a line or two of config.
Adendum:
Looks like we can use the following combination (or something similar)
SetEnvIf REQUEST_URI "special/uri/path" delete_user_agent
RequestHeader unset User-Agent env=delete_user_agent
No, you cannot do it with mod_rewrite: it can use User-Agent header in conditions, but cannot change it. What you need perhaps is mod_headers.
This module provides directives to control and modify HTTP request and
response headers. Headers can be merged, replaced or removed.
The directive would probably look like this:
RequestHeader unset User-Agent
(You may need to use early here to process this header before mod_rewrite will).

How to append cookie value to end of response Location header with Apache?

I have a page that issues an HTTP redirect. I need to append the current session id (jsessionid) to the end of the HTTP redirect to pass this id as a GET parameter in the redirect.
Can mod_header's Header append directive pick up a cookie value via SetEnvIf?
Should a rewrite rather be involved? But mod_rewrite just rewrites the request not the response, yes?
How would you solve this from an Apache perspective without touching back-end code?
Update: the Apache-JVM is handled by either mod_jk OR via IBM HTTP Server connection to WebSphere.
As to my knowledge, with Apache HTTPd you do it like this:
SetEnvIf Cookie "mycookie=([^;]+)" MYCOOKIE=$1
SetEnvIf Cookie "mycookie=([^;]+)" HAVE_MYCOOKIE=1
Header add Set-Cookie "mycookie=%{MYCOOKIE}e; expires=0" env=HAVE_MYCOOKIE
You can also add additional cookie attributes like path and domain if you want.