
Apache "destroying" Authorization header

After a lot of research, and trial and error, I've become desperate.

I'm working with JwtAuthentication. My client is sending the Authorization header just fine. A couple of weeks ago I wasn't having any problems, but all of a sudden, my PHP scripts (hence the JwtAuthentication middleware) cannot "see" the Authorization header, nor the "SetEnv/SetEnvIf" variables I declare in the .htaccess file.

I asked for the active modules on the server (I'm paying for hosting), to see if the correct ones are enabled, and they sent me this:

  • core_module (static)
  • so_module (static)
  • http_module (static)
  • mpm_worker_module (shared)
  • cgid_module (shared)
  • access_compat_module (shared)
  • actions_module (shared)
  • alias_module (shared)
  • auth_basic_module (shared)
  • authn_core_module (shared)
  • authn_file_module (shared)
  • authz_core_module (shared)
  • authz_groupfile_module (shared)
  • authz_host_module (shared)
  • authz_user_module (shared)
  • autoindex_module (shared)
  • deflate_module (shared)
  • dir_module (shared)
  • expires_module (shared)
  • filter_module (shared)
  • headers_module (shared)
  • include_module (shared)
  • log_config_module (shared)
  • logio_module (shared)
  • mime_module (shared)
  • negotiation_module (shared)
  • proxy_module (shared)
  • proxy_fcgi_module (shared)
  • proxy_http_module (shared)
  • rewrite_module (shared)
  • setenvif_module (shared)
  • slotmem_shm_module (shared)
  • socache_dbm_module (shared)
  • socache_shmcb_module (shared)
  • status_module (shared)
  • suexec_module (shared)
  • unique_id_module (shared)
  • unixd_module (shared)
  • userdir_module (shared)
  • ssl_module (shared)
  • bwlimited_module (shared)
  • security2_module (shared)
  • suphp_module (shared)
  • hostinglimits_module (shared)

From what I've been reading, all the necessary modules to rewrite the .htaccess file and to use the Authorization header are active, even those needed to declare environment variables with SetEnvIf (like I said, I don't know why I can't use them either).

And the server configuration is as follows:

  • cPanel Version 58.0 (build 34)
  • Apache Version 2.4.23
  • PHP Version 5.4.45
  • MySQL Version 5.6.33
  • Architecture x86_64
  • Operating System linux

I've already tried:

  • Adding CGIPassAuth on to .htaccess
  • Modifying the RewriteCond like this:

    RewriteCond %{HTTP:Authorization} ^(.*)
    RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]

  • SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

  • WSGIPassAuthorization On in .htaccess files causes a 500 error (I don't know why)
  • CGIPassAuth on on .htaccess makes no change.

And... nothing has worked. I asked the hosting guys about changes to Apache, but they told me nothing has changed.

And the environment variables... Why are they not working?

I know there are other questions about it, but unfortunately the solutions they give don't fix my problem.

Is it Apache? Is it PHP?

Here they say it could be a firewall problem, but if it were that, the environment variables should work, shouldn't they? And it's not only when I want to set the Authorization header to a variable; any environment variable I set through SetEnv or SetEnvIf can't be seen in my PHP scripts.

What could be the problem?

Alex asked Nov 08 '16 18:11


2 Answers

If you are using PHP-FPM and vhosts, you should add this to your vhosts file:

    ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/local.mysite/htdocs/$1
    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
    SetEnvIf Content-Type "(.*)" HTTP_CONTENT_TYPE=$1
    SetEnvIf Accept "(.*)" HTTP_ACCEPT=$1

Enes Yurtlu answered Nov 08 '22 23:11


I started experiencing the same symptom after accidentally switching my MAMP PHP settings from Module to CGI.

From what I've read, Module is preferable for a number of reasons.

Check the equivalent setting on your server and change it if necessary.

aednichols answered Nov 08 '22 23:11
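
A diagnostic for the situation both answers describe, added here as an example and not taken from the thread or from any JWT library: it reports which PHP handler is serving the request and where, if anywhere, the Authorization value arrives. The function names `find_authorization` and `redact` are hypothetical, and the sample arrays are constructed so the script also runs from the command line.

```php
<?php
// Added example: find the Authorization header wherever Apache/PHP put it.

function find_authorization(array $server, array $headers = array())
{
    // HTTP_AUTHORIZATION: header passed through, or set by SetEnvIf / [E=...].
    // REDIRECT_HTTP_AUTHORIZATION: same variable after an internal redirect,
    // which makes Apache prefix environment variables with REDIRECT_.
    foreach (array('HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION') as $key) {
        if (!empty($server[$key])) {
            return array('source' => $key, 'value' => $server[$key]);
        }
    }
    // Raw request headers; header names are case-insensitive.
    foreach ($headers as $name => $value) {
        if (strcasecmp($name, 'Authorization') === 0 && $value !== '') {
            return array('source' => 'request headers', 'value' => $value);
        }
    }
    return null;
}

function redact($value)
{
    // Show only the scheme and the credential length, never the token itself.
    $parts = explode(' ', $value, 2);
    return $parts[0] . ' <' . (isset($parts[1]) ? strlen($parts[1]) : 0) . ' chars>';
}

function describe($hit)
{
    return $hit ? $hit['source'] . ' = ' . redact($hit['value']) : 'not found';
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs (not real server data or real tokens).
    $samples = array(
        'passed through' => array('HTTP_AUTHORIZATION' => 'Bearer aaa.bbb.ccc'),
        'after rewrite'  => array('REDIRECT_HTTP_AUTHORIZATION' => 'Bearer aaa.bbb.ccc'),
        'stripped'       => array('HTTP_ACCEPT' => '*/*'),
    );
    foreach ($samples as $label => $server) {
        echo $label, ': ', describe(find_authorization($server)), "\n";
    }
} else {
    $raw = function_exists('apache_request_headers') ? apache_request_headers() : array();
    header('Content-Type: text/plain');
    echo 'SAPI: ', PHP_SAPI, "\n"; // module vs CGI/FastCGI handler
    echo 'Authorization: ', describe(find_authorization($_SERVER, $raw ?: array())), "\n";
}
```

Request the script with a test Authorization header after each .htaccess or vhost change, and delete it from the server once the cause is found.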