Notwithstanding the wisdom of doing such a thing, is it possible to have Apache override the User-Agent to a static string regardless of what the client sends over in the request?
You can manipulate incoming request headers using the RequestHeader directive:
“This directive can replace, merge, change or remove HTTP request headers. The header is modified just before the content handler is run, allowing incoming headers to be modified.”
Related
I'm testing my HTTP/2 parser and currently I'm having trouble testing push promise with continuation. I'm using Apache as the HTTP/2 server. I managed to push a resource using either Location's Header add link or H2PushResource. But when I tried to check push promise with continuation I couldn't modify the headers sent in the pushed request.
I wanted to add a few long headers for the pushed request but the commands I found didn't affect the pushed request:
RequestHeader modifies the request headers before the content is handled - This means that the header is modified inside Apache's HTTP parser, it doesn't affect the sent pushed request
Header modifies the response headers sent from the server - This command adds a header to the response, not the request
Edit:
I noticed that the user-agent header is also sent in the pushed request, so I sent a really long user-agent header in my request but then I got a 431 response (Request header field too large).
Any other idea?
Edit 2:
Here are my HTTP/2 configuration lines:
<Location /push.html>
H2PushResource add "/push.png"
</Location>
Header set MyRespHeader "Testing response"
RequestHeader add MyReqHeader "Testing request"
When I receive a response from Apache I get the header myrespheader but the pushed request doesn't send the header myreqheader or myrespheader
I am trying to force browser to use https even when the user enters http URL. The idea is to use http response headers from the server. I am able to implement redirection using redirect (in site.conf) & Rewrite (which is disliked universally) but want to test out this method too.
Now I have tried adding the the following to my /etc/apache/sites-enabled/mysite.conf but despite the browser receiving the header response the user is not redirected to https (default apache page is shown):
Header set Location https://www.example.com/
Header set X-Forwarded-Proto: https
Header set Strict-Transport-Security "max-age=180; includeSubdomains"
Do I have to change anything else in the apache configuration to achieve this? (all modules are correctly loaded)
The Location header is only used for redirect responses (with a HTTP response code of 3XX) or Created responses (with a HTTP response code of 201):
https://www.rfc-editor.org/rfc/rfc7231#section-7.1.2
Just setting the header on a random page will not make the browser redirect.
When you use apache Redirect and Rewrite rules they set the response header AND add the location header. I really don't know why you'd want to do this manually.
And rewrite is not "universally disliked". It just overused when redirect would be simpler and more efficient in a lot of cases. If you need something more complicated then Rewrite is the right tool to use.
Finally you should not sent the Strict-Transport-Security header on a HTTP response (and the browser will rightly ignore it you do) but only on a HTTPS responses.
It seems that mod_headers directives Header and RequestHeade have the same functionality. It also seems that the only diference is that Header can read header information sent by PHP, while RequestHeader can not. is that right?
The documentation for Header says:
This directive can replace, merge or remove HTTP response headers. The
header is modified just after the content handler and output filters
are run, allowing outgoing headers to be modified.
The documentarion for RequestHeader says:
This directive can replace, merge, change or remove HTTP request
headers. The header is modified just before the content handler is
run, allowing incoming headers to be modified.
It's not right. The difference is request headers vs. response headers.
I have a page that issues an HTTP redirect. I need to append the current session id (jsessionid) to the end of the HTTP redirect to pass this id as a GET parameter in the redirect.
Can mod_header's Header append directive pick up a cookie value via SetEnvIf?
Should a rewrite rather be involved? But mod_rewrite just rewrites the request not the response, yes?
How would you solve this from an Apache perspective without touching back-end code?
Update: the Apache-JVM is handled by either mod_jk OR via IBM HTTP Server connection to WebSphere.
As to my knowledge, with Apache HTTPd you do it like this:
SetEnvIf Cookie "mycookie=([^;]+)" MYCOOKIE=$1
SetEnvIf Cookie "mycookie=([^;]+)" HAVE_MYCOOKIE=1
Header add Set-Cookie "mycookie=%{MYCOOKIE}e; expires=0" env=HAVE_MYCOOKIE
You can also add additional cookie attributes like path and domain if you want.
I need to remove a cookie from the HTTP request that gets to the server. Doing it on the client (that writes this cookie) or on the server (that reads it) is not an option. I have Apache 2.0 that proxies requests between client and the server, so I was hoping to remove the cookie right there in Apache using mod_rewrite.
My question is, is there a way to remove a certain cookie from the HTTP request using mod_rewrite?
If not possible to remove just one cookie then as a last resort to remove all cookies from the request?
I am open to other suggestions of how to accomplish this if mod_rewrite is not the right tool for this task.
Apache mod_rewrite allows manipulation of URLs but not of HTTP headers, however 'mod_headers' will let you do that.
So, you could use:
RequestHeader unset Cookie
This will strip all cookies from the request. I'm not sure if its possible to remove just a particular cookie using this technique.
Alternatively, you can stop cookies being passed back to the client using:
Header unset Set-Cookie
if that's more appropriate.
With Apache > 2.2.4, you could have used :
RequestHeader edit Cookie "^(.*?)ANY_COOKIE=.*?;(.*)$" $1$2
You can manage specific cookies using following statements in apache reverse proxy configurations:
To remove any specific cookie you can use:'Header add Set-Cookie "ANY_COOKIE='';expires='SOME_DATE_IN_PAST'; Max-Age=0; Path=COOKIE_PATH"'
By specifying past date, you tell the browser that the cookie has expired and browser will discard the cookie.
To add any cookie you can use:'Header add Set-Cookie "ANY_COOKIE='ANY_VALUE';expires='SOME_FUTURE_DATE'; Path=COOKIE_PATH"'
Be sure that you specify the some future date. If you do not specify any date, the cookie will be treated as session cookie.
Try using the following to remove specific cookie from request:
'RequestHeader add Cookie "ANY_COOKIE='';expires='SOME_PAST_DATE'; Path=COOKIE_PATH"'
I use this to unset all cookies (good to serve static content)
Header unset Cookie
Header unset Set-Cookie