apache not allow authorization header ?
-
Dear,
I am trying to make a request with an Authorization header.
ex) Authorization: Bearer YWxhZGRpbjpvcGVuc2VzYW1l
My LAMP runs as an API server.
I tried to put
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
in .htaccess
but it did not solve it. Maybe Apache does not allow the Authorization header?
Would you please help?
Regards,
-
I did a quick test by adding
LogLevel trace8
to the apache config. Then, make a curl request:
curl -H 'Authorization: Bearer YWxhZGRpbjpvcGVuc2VzYW1l' https://lamp.cloudron.space
I see that the header is coming through:
[Wed Nov 10 18:06:53.830120 2021] [http:trace4] [pid 28] http_request.c(436): [client 98.45.211.194:38584] Headers received from client:
[Wed Nov 10 18:06:53.830131 2021] [http:trace4] [pid 28] http_request.c(439): [client 98.45.211.194:38584] Host: lamp.cloudron.space
[Wed Nov 10 18:06:53.830141 2021] [http:trace4] [pid 28] http_request.c(439): [client 98.45.211.194:38584] X-Forwarded-For: 98.45.211.194
[Wed Nov 10 18:06:53.830151 2021] [http:trace4] [pid 28] http_request.c(439): [client 98.45.211.194:38584] X-Forwarded-Host: lamp.cloudron.space
[Wed Nov 10 18:06:53.830161 2021] [http:trace4] [pid 28] http_request.c(439): [client 98.45.211.194:38584] X-Forwarded-Port: 443
[Wed Nov 10 18:06:53.830171 2021] [http:trace4] [pid 28] http_request.c(439): [client 98.45.211.194:38584] X-Forwarded-Proto: https
[Wed Nov 10 18:06:53.830180 2021] [http:trace4] [pid 28] http_request.c(439): [client 98.45.211.194:38584] X-Forwarded-Ssl: on
[Wed Nov 10 18:06:53.830190 2021] [http:trace4] [pid 28] http_request.c(439): [client 98.45.211.194:38584] Connection: close
[Wed Nov 10 18:06:53.830219 2021] [http:trace4] [pid 28] http_request.c(439): [client 98.45.211.194:38584] user-agent: curl/7.68.0
[Wed Nov 10 18:06:53.830231 2021] [http:trace4] [pid 28] http_request.c(439): [client 98.45.211.194:38584] accept: */*
[Wed Nov 10 18:06:53.830242 2021] [http:trace4] [pid 28] http_request.c(439): [client 98.45.211.194:38584] authorization: Bearer YWxhZGRpbjpvcGVuc2VzYW1l
Maybe some apache/php configuration?
-
As a next step, changing the LogFormat makes it print:
LogFormat "%{X-Forwarded-For}i %{Authorization}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
I see in the logs:
98.45.211.194 Bearer YWxhZGRpbjpvcGVuc2VzYW1l - - [10/Nov/2021:18:11:24 +0000] "GET / HTTP/1.1" 401 52 "-" "curl/7.68.0"
-
... and the header mysteriously disappears when it hits PHP.
<?php print_r($_SERVER); ?>
Output does not have Authorization header.
-
@freetommy mm, I assumed what you tried didn't work. It works for me.
I put the below in /app/data/.htaccess (placing this in /app/data/apache/app.conf inside VirtualHost also works):
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
Restart the app. Then, I see the header passed on to PHP:
[HTTP_AUTHORIZATION] => Bearer YWxhZGRpbjpvcGVuc2VzYW1l
For future reference, this also worked (in apache config):
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
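
An added example, not part of the thread and not Cloudron's code: a PHP helper for the API side that reads the value the SetEnvIf or RewriteRule lines above hand over and fails closed when the header was dropped on the way. The function names are hypothetical, and the REDIRECT_HTTP_AUTHORIZATION fallback assumes the request went through an internal redirect.

```php
<?php
// Added example, not from the thread; function names are hypothetical.

/** Raw Authorization value as Apache handed it to PHP, or null if it was dropped. */
function authorization_header(array $server, ?array $headers = null): ?string
{
    // HTTP_AUTHORIZATION is the variable the SetEnvIf / RewriteRule lines set.
    // Apache prefixes environment variables with REDIRECT_ after an internal redirect.
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (isset($server[$key]) && is_string($server[$key]) && $server[$key] !== '') {
            return $server[$key];
        }
    }
    // Fallback for SAPIs where PHP can read the request headers itself.
    if ($headers === null) {
        $headers = function_exists('getallheaders') ? (getallheaders() ?: []) : [];
    }
    foreach ($headers as $name => $value) {
        if (strcasecmp((string) $name, 'Authorization') === 0) {
            return (string) $value;
        }
    }
    return null;
}

/** Token from "Bearer <token>"; null for a missing header, another scheme or a bad shape. */
function bearer_token(?string $header): ?string
{
    // Token characters follow the b64token grammar of RFC 6750.
    if ($header === null
        || preg_match('/^Bearer +([A-Za-z0-9\-._~+\/]+=*)$/D', $header, $m) !== 1) {
        return null;
    }
    return $m[1];
}

// Constructed inputs shaped like the thread's print_r($_SERVER) output.
$cases = [
    'header passed on'        => ['HTTP_AUTHORIZATION' => 'Bearer YWxhZGRpbjpvcGVuc2VzYW1l'],
    'seen after a redirect'   => ['REDIRECT_HTTP_AUTHORIZATION' => 'Bearer YWxhZGRpbjpvcGVuc2VzYW1l'],
    'header dropped'          => ['REQUEST_METHOD' => 'GET'],
    'not a bearer credential' => ['HTTP_AUTHORIZATION' => 'Basic YWxhZGRpbjpvcGVuc2VzYW1l'],
];
foreach ($cases as $label => $server) {
    $token = bearer_token(authorization_header($server, []));
    printf("%-24s %s\n", $label, $token === null ? 'no token: answer 401' : 'token found');
}
```

The sample loop reports only whether a token was found instead of echoing it; the debugging LogFormat with %{Authorization}i shown earlier in the thread writes the bearer token into the access log, so it is worth reverting once the header is confirmed to arrive.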