Using mod_rewrite to extract request headers before authentication - apache

I need to rewrite a URL to copy an authentication token from the URL into a header (because a new client can't use headers), and remove the (large) token from the URL.
<Location /foo/>
RewriteEngine On
RewriteRule ^(.*)/(authtoken)/([^/]*)(.*)$ $1$4 [E=HAS_auth:$3,L]
RequestHeader set AUTHTOKEN %{HAS_auth}e env=HAS_auth
SetHandler perl-script
PerlAccessHandler AuthHandler
</Location>
So a request of the form "/foo/boo/moo/authtoken/baaaaaa/bar" is rewritten as "/foo/boo/moo/bar" and a request header "AUTHTOKEN: baaaaaa" added to the request.
The URI is being rewritten, and the test env var is being set, but the access handler (mod_perl) does not see the AUTHTOKEN header, or even ENV{HAS_auth} although the rewrite is working (I logged it).
Is it possible to actually rewrite and set headers before the authentication (access) handler, and if so, how?

Related

Concatenate environment variable in Apache RequestHeader

Background: I am trying to set an Authorization header from my Apache VirtualHost config when a JWT is sent as a query parameter.
I am really close to getting this to work, but I have run into one final issue. The header must be in the form of:
Authorization: Bearer token
Here is the relevant config I have so far:
RewriteCond %{QUERY_STRING} jwt=(.*)
RewriteRule ^(.*)$ - [env=JWT:%1]
RequestHeader setifempty Authorization "Bearer %{JWT}e"
It ALMOST works, however, the header is set like so:
Authorization: ('Bearer ' 'token')
How can I make it so that the value of the header is concatenated into a single string without the parentheses and separate strings?

Apache Server: Redirection via http headers

I am trying to force the browser to use https even when the user enters an http URL. The idea is to use http response headers from the server. I am able to implement redirection using redirect (in site.conf) & Rewrite (which is disliked universally) but want to test out this method too.
Now I have tried adding the following to my /etc/apache/sites-enabled/mysite.conf but despite the browser receiving the header response the user is not redirected to https (default apache page is shown):
Header set Location https://www.example.com/
Header set X-Forwarded-Proto: https
Header set Strict-Transport-Security "max-age=180; includeSubdomains"
Do I have to change anything else in the apache configuration to achieve this? (all modules are correctly loaded)
The Location header is only used for redirect responses (with a HTTP response code of 3XX) or Created responses (with a HTTP response code of 201):
https://www.rfc-editor.org/rfc/rfc7231#section-7.1.2
Just setting the header on a random page will not make the browser redirect.
When you use apache Redirect and Rewrite rules they set the response header AND add the location header. I really don't know why you'd want to do this manually.
And rewrite is not "universally disliked". It is just overused when redirect would be simpler and more efficient in a lot of cases. If you need something more complicated then Rewrite is the right tool to use.
Finally, you should not send the Strict-Transport-Security header on an HTTP response (and the browser will rightly ignore it if you do) but only on HTTPS responses.
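The two points of this answer written out as Apache configuration. This is an added illustration, not part of the original answer; the virtual host layout, hostname and certificate paths are placeholders, and the `max-age` value is the one from the question.

```apache
# Added example; hostname and certificate paths are placeholders.

# Before (from the question): these only attach headers to an ordinary
# 200 response, so the browser shows the page and never follows Location.
#   Header set Location https://www.example.com/
#   Header set Strict-Transport-Security "max-age=180; includeSubdomains"

# Port 80: return a real 3xx response. mod_alias sets the status code
# and the Location header together. No HSTS header here, because
# browsers ignore it on plain HTTP.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

# Port 443: the only place the HSTS header belongs.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /path/to/placeholder-cert.pem
    SSLCertificateKeyFile /path/to/placeholder-key.pem

    # "always" also attaches the header to error responses.
    Header always set Strict-Transport-Security "max-age=180; includeSubDomains"
</VirtualHost>
```

A quick check is to request the plain-HTTP URL with `curl -sI` and confirm a 301 status with a `Location` header, then request the HTTPS URL and confirm `Strict-Transport-Security` appears only there.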

Apache httpd mod_headers disobedience

I have a client sending basic authentication credentials in a header named "Basic authentication", instead of the correct "Authorization". I can't fix the client, so I'm trying to work around the problem on the server.
This works and sets the "X-Authorization" header to whatever value was sent by the client in the "Basic authentication" header:
SetEnvIf ^Basic.authentication$ ^(.*)$ fixauth=$1
RequestHeader set X-Authorization %{fixauth}e env=fixauth
This sets the environment variable fixauth, but then RequestHeader does nothing:
SetEnvIf ^Basic.authentication$ ^(.*)$ fixauth=$1
RequestHeader set Authorization %{fixauth}e env=fixauth
Using "RequestHeader add" makes no difference. It looks as if mod_headers would be refusing to touch the Authorization header, but there is nothing about it in the documentation and nothing that I could find in the source code.
What exactly is the problem? Why does setting X-Authorization work, but setting Authorization does not?

how to have apache always return code 200 with data instead of 304?

I would like to have Apache HTTPD return response code 200 with the data of the resource requested via a GET instead of returning response code 304 with no data. Anyone have an idea how to do that?
Thanks in advance
Remove the header: add the following to the httpd.conf file
<FilesMatch "\.(filetype1|filetype2)$">
RequestHeader unset If-Modified-Since
RequestHeader unset If-None-Match
</FilesMatch>
Add the following directive to your apache config file
RequestHeader unset If-Modified-Since
This will ignore the If-Modified-Since header sent from the client, so you will not get a 304 Not Modified response.
Don't send it any cache-related headers (If-Modified-Since, If-None-Match and friends) when making the request. This informs the server that the client doesn't cache, and makes it always return data.
I'm not sure I fully understand your question. I assume you want to provide a normal HTTP answer if the client uses a correct URL, and a default page (with status 200) when the client uses a non-existing URL.
If this is the case, it can be achieved like that:
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^.*+ /dummy.html
The first line is a condition that the URL doesn't match an existing file on the web server. If that condition holds, the second line is executed, which serves a dummy page to the client.

How to append cookie value to end of response Location header with Apache?

I have a page that issues an HTTP redirect. I need to append the current session id (jsessionid) to the end of the HTTP redirect to pass this id as a GET parameter in the redirect.
Can mod_headers' Header append directive pick up a cookie value via SetEnvIf?
Should a rewrite rather be involved? But mod_rewrite just rewrites the request not the response, yes?
How would you solve this from an Apache perspective without touching back-end code?
Update: the Apache-JVM is handled by either mod_jk OR via IBM HTTP Server connection to WebSphere.
To my knowledge, with Apache HTTPd you do it like this:
SetEnvIf Cookie "mycookie=([^;]+)" MYCOOKIE=$1
SetEnvIf Cookie "mycookie=([^;]+)" HAVE_MYCOOKIE=1
Header add Set-Cookie "mycookie=%{MYCOOKIE}e; expires=0" env=HAVE_MYCOOKIE
You can also add additional cookie attributes like path and domain if you want.