It seems that mod_headers directives Header and RequestHeade have the same functionality. It also seems that the only diference is that Header can read header information sent by PHP, while RequestHeader can not. is that right?
The documentation for Header says:
This directive can replace, merge or remove HTTP response headers. The
header is modified just after the content handler and output filters
are run, allowing outgoing headers to be modified.
The documentarion for RequestHeader says:
This directive can replace, merge, change or remove HTTP request
headers. The header is modified just before the content handler is
run, allowing incoming headers to be modified.
It's not right. The difference is request headers vs. response headers.
Related
We are getting a http header secure_user from the client.We want to read it in httpd.conf
and set it as a cookie
Header edit Set-Cookie <<http header secure_user obtained in client>>
I tried following https://serverfault.com/questions/520477/set-header-in-apache-if-it-doesnt-already-exist but it doesn't help me reading specific http header
I'm testing my HTTP/2 parser and currently I'm having trouble testing push promise with continuation. I'm using Apache as the HTTP/2 server. I managed to push a resource using either Location's Header add link or H2PushResource. But when I tried to check push promise with continuation I couldn't modify the headers sent in the pushed request.
I wanted to add a few long headers for the pushed request but the commands I found didn't affect the pushed request:
RequestHeader modifies the request headers before the content is handled - This means that the header is modified inside Apache's HTTP parser, it doesn't affect the sent pushed request
Header modifies the response headers sent from the server - This command adds a header to the response, not the request
Edit:
I noticed that the user-agent header is also sent in the pushed request, so I sent a really long user-agent header in my request but then I got a 431 response (Request header field too large).
Any other idea?
Edit 2:
Here are my HTTP/2 configuration lines:
<Location /push.html>
H2PushResource add "/push.png"
</Location>
Header set MyRespHeader "Testing response"
RequestHeader add MyReqHeader "Testing request"
When I receive a response from Apache I get the header myrespheader but the pushed request doesn't send the header myreqheader or myrespheader
My Scenario
I want to add a cookie to the existing cookies sent by the user in the request header.
What I tried
So I decided to use RequestHeader directive
RequestHeader append Cookie "foo=bar"
The only problem is that RequestHeader appends the new value per definition with a comma (,) not with a semicolon (;). So my new cookies is "merged" with the old one in a strange way (probably because of the missing semicolon).
Or
RequestHeader append Cookie " foo=bar"
The request header is appended to any existing header of the same
name. When a new value is merged onto an existing header it is
separated from the existing header with a comma. This is the HTTP
standard way of giving a header multiple values. Apache Documentation
My question
Am I missing something or is RequestHeader not the right directive?
Environment: Apache/2.4.20, PHP/5.5.35, Ubuntu
It seem that using append for cookies does not work as expected.
After analysing what I actually needed, decided that setting a new RequestHeader was enough.
I think you should use the add method instead of append, also its not called Cookie, its Set-Cookie, Cookie, is just the name you see in the browser.
Header add Set-Cookie "mycookie=value; path=/; expires=Thu, 13 Dec 2018 13:31:00 -0000; HttpOnly"
Using apache mod_proxy 2.5 I'm trying to merge or replace an existing access-control-allow-origin header with mod_headers in a proxypass location.
the answer returned from proxied backend already includes a access-control-allow-origin header which I'd like to merge or replace
Header always merge Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "OPTIONS, GET"
Header always set Access-Control-Max-Age "1000"
Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token, x-smp-appcid"
This results in a header duplicate which raises an error in all browser cause this header can only occur once.
same is for Header always set although this should replace the existing header.
I also tried to use if module to first check for the headers occurence and only set if unset. but it's somehow hard to look into response headers.
any help is appreciated
I got through the same problem by setting the Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers only when its a preflight request
The second request ( POST, DELETE, PUT etc ) which is handled by the proxied backend ( which already sends the required headers ) is not a preflight request and hence the headers would not be set again by the Apache rules.
To check for preflight request, you could check whether the request contains:
REQUEST_METHOD == OPTIONS
Access-Control-Request-Method !-= ""
Origin != ""
Hope this helps.
Notwithstanding the wisdom of doing such a thing, is it possible to have Apache override the User-Agent to a static string regardless of what the client sends over in the request?
You can manipulate incoming request headers using the RequestHeader directive:
“This directive can replace, merge, change or remove HTTP request headers. The header is modified just before the content handler is run, allowing incoming headers to be modified.”