Alex Alex - 1 year ago 240
Apache Configuration Question

Apache "destroying" Authorization header

After a lot of research, and trial and error, I've become desperate.

I'm working with JwtAuthentication. My client is sending the Authorization header just fine. A couple of weeks ago I wasn't having any problems, but all of a sudden, my PHP scripts (hence the JwtAuthentication middleware) cannot "see" the Authorization header or the "SetEnv/SetEnvIf" variables I declare in the .htaccess file.

I asked for the active modules in the server (I'm paying for hosting), to see if the correct ones are enabled, and they sent me this:

  • core_module (static)
  • so_module (static)
  • http_module (static)
  • mpm_worker_module (shared)
  • cgid_module (shared)
  • access_compat_module (shared)
  • actions_module (shared)
  • alias_module (shared)
  • auth_basic_module (shared)
  • authn_core_module (shared)
  • authn_file_module (shared)
  • authz_core_module (shared)
  • authz_groupfile_module (shared)
  • authz_host_module (shared)
  • authz_user_module (shared)
  • autoindex_module (shared)
  • deflate_module (shared)
  • dir_module (shared)
  • expires_module (shared)
  • filter_module (shared)
  • headers_module (shared)
  • include_module (shared)
  • log_config_module (shared)
  • logio_module (shared)
  • mime_module (shared)
  • negotiation_module (shared)
  • proxy_module (shared)
  • proxy_fcgi_module (shared)
  • proxy_http_module (shared)
  • rewrite_module (shared)
  • setenvif_module (shared)
  • slotmem_shm_module (shared)
  • socache_dbm_module (shared)
  • socache_shmcb_module (shared)
  • status_module (shared)
  • suexec_module (shared)
  • unique_id_module (shared)
  • unixd_module (shared)
  • userdir_module (shared)
  • ssl_module (shared)
  • bwlimited_module (shared)
  • security2_module (shared)
  • suphp_module (shared)
  • hostinglimits_module (shared)

From what I've been reading, all the necessary modules to rewrite the .htaccess file and to use the Authorization header are active, even those needed to declare environment variables with SetEnvIf (like I said, I don't know why I can't use them either).

And the server configuration is as follows:

  • cPanel Version 58.0 (build 34)
  • Apache Version 2.4.23
  • PHP Version 5.4.45
  • MySQL Version 5.6.33
  • Architecture x86_64
  • Operating System linux

I've already tried:

  • Adding
    CGIPassAuth on
    to .htaccess

  • Modify the RewriteCond like this:

    RewriteCond %{HTTP:Authorization} ^(.*)

    RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]

  • SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

  • WSGIPAssAuthorization On
    on .htaccess files causes a 500 error (I don't know why)

  • CGIPassAuth on
    on .htaccess makes no change.

And... nothing has worked. I asked the hosting guys about changes on Apache, but they told me nothing has changed.

And the environment variables... Why are they not working?

I know there are other questions about it, but unfortunately the solutions they give don't fix my problem.

Is it Apache?
Is it PHP?

Here they say it could be a firewall problem, but if it was that, the environment should work, shouldn't it? And it's not only when I want to set the Authorization header to a variable; any environment variable I set through
can't be seen in my PHP scripts.

What could be the problem?

Answer Source

I started experiencing the same symptom after accidentally switching my MAMP PHP settings from Module to CGI.

From what I've read, Module is preferable for a number of reasons.

Check the equivalent setting on your server and change it if necessary.
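
A way to check which case applies, as an added example that is not part of the original question or answer: a small PHP page that reports the SAPI serving the request and where, if anywhere, the Authorization header and a test environment variable reach PHP. The function names and the variable `TEST_VAR` are hypothetical; the script assumes PHP 5.4 or later and that you declare `TEST_VAR` yourself in .htaccess.

```php
<?php
// Added diagnostic example, not code from the original post.
// Request it with an Authorization header and read the plain-text report.

// Look for the header in the places it can surface under Apache.
function find_authorization(array $server, array $headers)
{
    // mod_rewrite [E=...] variables gain a REDIRECT_ prefix after an
    // internal redirect, so check the prefixed keys as well.
    $keys = ['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION',
             'REDIRECT_REDIRECT_HTTP_AUTHORIZATION'];
    foreach ($keys as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            return ['source' => '$_SERVER[' . $key . ']', 'value' => $server[$key]];
        }
    }
    // Header names are case-insensitive.
    foreach ($headers as $name => $value) {
        if (strcasecmp($name, 'Authorization') === 0 && $value !== '') {
            return ['source' => 'getallheaders()', 'value' => $value];
        }
    }
    return null;
}

// Report the scheme and length only, never the credential itself.
function redact($value)
{
    $parts = explode(' ', $value, 2);
    return $parts[0] . ' <redacted, ' . strlen($value) . ' bytes>';
}

// getallheaders() is not available under every SAPI and may return false.
$headers = function_exists('getallheaders') ? getallheaders() : [];
$found = find_authorization($_SERVER, $headers ? $headers : []);
$auth = $found ? redact($found['value']) . ' via ' . $found['source']
               : 'not visible to PHP';

// TEST_VAR is a hypothetical variable you set in .htaccess for this check.
$envSeen = isset($_SERVER['TEST_VAR']) || isset($_SERVER['REDIRECT_TEST_VAR'])
        || getenv('TEST_VAR') !== false;

header('Content-Type: text/plain');
// "apache2handler" means PHP runs as an Apache module; "cgi-fcgi" means CGI/FastCGI.
echo 'SAPI: ', php_sapi_name(), "\n";
echo 'Authorization: ', $auth, "\n";
echo 'TEST_VAR: ', $envSeen ? 'visible' : 'not visible', "\n";
```

Delete the script from the server once you have the answer, since it discloses how the host runs PHP.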