Missing authorization headers with Apache

I want Apache to pass authorization headers to PHP by default. So I am using Apache/2.4.29 (Ubuntu) with mod_php, which allows "Apache authentication headers to be passed through by default".

Here are the Apache modules installed.

core mod_so mod_watchdog http_core mod_log_config mod_logio mod_version mod_unixd mod_access_compat mod_alias mod_auth_basic mod_authn_core mod_authn_file mod_authz_core mod_authz_host mod_authz_user mod_autoindex mod_deflate mod_dir mod_env mod_filter mod_headers mod_mime prefork mod_negotiation mod_php7 mod_proxy mod_proxy_ajp mod_proxy_balancer mod_proxy_connect mod_proxy_html mod_proxy_http mod_proxy_wstunnel mod_reqtimeout mod_rewrite mod_setenvif mod_slotmem_shm mod_socache_shmcb mod_ssl mod_status mod_xml2enc

Here is my VirtualHost configuration.

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                ServerAdmin webmaster@localhost
                ServerName piwal-elgg.com
                DocumentRoot /xxxx/xxxx/xxxx/WEB/piwal

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on
                SSLCertificateFile      /xxx/xxx/certs/ssl-cert-snakeoil.pem
                SSLCertificateKeyFile   /xxx/xxx/private/ssl-cert-snakeoil.key

                <Directory /xxx/xxx/xxx/WEB/piwal>
                        Options Indexes FollowSymLinks
                        AllowOverride All
                        Require all granted
                </Directory>
        </VirtualHost>
</IfModule>

I have read a lot of documents on this topic and some of them ask me to add additional rules in the .htaccess file.

Some of those rules are the following.

1- .htaccess

RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]

2- .htaccess

RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

3- .htaccess or apache virtual host

SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

4- .htaccess or apache virtual host

SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0

5- .htaccess

RewriteEngine on
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]

None of the above settings work: "Apache authentication headers are not passed through by default".

But when I add RequestHeader set Authorization "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==" to my VirtualHost configuration, the header is processed correctly by the server.

Could someone help me with this issue?

Here is the output of my $_SERVER superglobal array.

Array
(
    [REDIRECT_SCRIPT_URL] => /webdav/virtual/
    [REDIRECT_SCRIPT_URI] => https://xxxx-xxxx.com/webdav/virtual/
    [REDIRECT_HTTP_AUTHORIZATION] => 
    [REDIRECT_HTTPS] => on
    [REDIRECT_SSL_TLS_SNI] => xxxx-xxxx.com
    [REDIRECT_STATUS] => 200
    [SCRIPT_URL] => /webdav/virtual/
    [SCRIPT_URI] => https://xxxx-xxxx.com/webdav/virtual/
    [HTTP_AUTHORIZATION] => 
    [HTTPS] => on
    [SSL_TLS_SNI] => xxxx-xxxx.com
    [HTTP_HOST] => xxxx-xxxx.com
    [HTTP_USER_AGENT] => Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:86.0) Gecko/20100101 Firefox/86.0
    [HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    [HTTP_ACCEPT_LANGUAGE] => en-US,en;q=0.5
    [HTTP_ACCEPT_ENCODING] => gzip, deflate, br
    [HTTP_CONNECTION] => keep-alive
    [HTTP_COOKIE] => Elgg=or2a18jbqubrnkqk38mhhvguc5
    [HTTP_UPGRADE_INSECURE_REQUESTS] => 1
    [PATH] => /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
    [SERVER_SIGNATURE] => Apache/2.4.29 (Ubuntu) Server at xxxx-xxxx.com Port 443
    [SERVER_SOFTWARE] => Apache/2.4.29 (Ubuntu)
    [SERVER_NAME] => xxxx-xxxx.com
    [SERVER_ADDR] => 127.0.1.1
    [SERVER_PORT] => 443
    [REMOTE_ADDR] => 127.0.0.1
    [DOCUMENT_ROOT] => /xxxx/xxxx/xxxx/WEB/xxx-3-3-1
    [REQUEST_SCHEME] => https
    [CONTEXT_PREFIX] => 
    [CONTEXT_DOCUMENT_ROOT] => /xxxx/xxxx/xxxx/WEB/xxx-3-3-1
    [SERVER_ADMIN] => webmaster@localhost
    [SCRIPT_FILENAME] => /xxxx/xxxx/xxxx/WEB/xxx-3-3-1/index.php
    [REMOTE_PORT] => 41500
    [REDIRECT_URL] => /webdav/virtual/
    [GATEWAY_INTERFACE] => CGI/1.1
    [SERVER_PROTOCOL] => HTTP/1.1
    [REQUEST_METHOD] => GET
    [QUERY_STRING] => 
    [REQUEST_URI] => /webdav/virtual/
    [SCRIPT_NAME] => /index.php
    [PHP_SELF] => /index.php
    [REQUEST_TIME_FLOAT] => 1616958400.0139
    [REQUEST_TIME] => 1616958400
    [PHP_AUTH_USER] => 
    [PHP_AUTH_PW] => 
)
rheman daddy asked Dec 20 '25 08:12



1 Answer

Try setting CGIPassAuth On (Apache 2.4.13+) in either the <Directory> container (inside your vHost) or in .htaccess.

CGIPassAuth allows scripts access to HTTP authorization headers such as Authorization, which is required for scripts that implement HTTP Basic authentication. Normally these HTTP headers are hidden from scripts. This is to disallow scripts from seeing user ids and passwords used to access the server when HTTP Basic authentication is enabled in the web server. This directive should be used when scripts are allowed to implement HTTP Basic authentication.

Source: https://httpd.apache.org/docs/2.4/mod/core.html#cgipassauth


Note that if you are setting an environment variable HTTP_AUTHORIZATION in .htaccess then you may need to check for REDIRECT_HTTP_AUTHORIZATION (note the REDIRECT_ prefix) in your PHP script if mod_rewrite is being used to rewrite the request, since any env vars that are set on the first pass are renamed in subsequent passes: REDIRECT_REDIRECT_HTTP_AUTHORIZATION etc. etc.


Aside: All 5 methods you've used to explicitly set the HTTP_AUTHORIZATION env var are really "the same" - you would not expect one method to work and another not. The only slight exception to that is #4. With the SetEnvIf, it is more reliable to explicitly capture the group and use the $1 backreference (as you are doing in #3) instead of using the $0 backreference that "should" contain the full match. In some cases, the $0 backreference is not set when the regex argument does not "look like"[1] a regex (although I would not expect that to be an issue here).

[1] By "look like", I mean where the regex contains no special meta characters and contains only latin characters, eg. helloworld - which "looks like" an ordinary string. In cases like this Apache/SetEnvIf appears to do a simple substring comparison and no regex backreferences are captured.

MrWhite answered Dec 22 '25 20:12
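The following is an added example, not code from the question or the answer above. It shows the script side of what the answer describes: once Apache hands the header to PHP (via CGIPassAuth On in the <Directory> block, or via the SetEnvIf / RewriteRule workaround), a script must look for HTTP_AUTHORIZATION and then for the REDIRECT_-prefixed copies that mod_rewrite creates on each internal redirect, and it must treat the value as a credential: parse it strictly and verify it with a constant-time password check. The $_SERVER array and the user table are constructed inline for the example; the function names, the user "Aladdin" and the realm "piwal" are assumptions of this example.

```php
<?php
// Added example (not from the original question or answer). Reads the
// Authorization header that Apache hands to PHP once CGIPassAuth On is set
// (or once HTTP_AUTHORIZATION is set via SetEnvIf / RewriteRule), walks the
// REDIRECT_ prefixes that mod_rewrite adds on each internal redirect, and
// then validates HTTP Basic credentials with a constant-time comparison.

declare(strict_types=1);

/**
 * Return the raw Authorization header value from a $_SERVER-like array, or
 * null if none is present. Checks the standard key first, then the
 * REDIRECT_-prefixed copies (REDIRECT_HTTP_AUTHORIZATION,
 * REDIRECT_REDIRECT_HTTP_AUTHORIZATION, ...) up to $maxRedirects deep.
 */
function findAuthorizationHeader(array $server, int $maxRedirects = 5): ?string
{
    $key = 'HTTP_AUTHORIZATION';
    for ($i = 0; $i <= $maxRedirects; $i++) {
        if (isset($server[$key]) && $server[$key] !== '') {
            return $server[$key];
        }
        $key = 'REDIRECT_' . $key;
    }
    return null;
}

/**
 * Parse an HTTP Basic credential. Returns [user, password] or null when the
 * scheme is not Basic, the base64 is invalid, or the colon separator is missing.
 */
function parseBasicCredentials(string $header): ?array
{
    if (!preg_match('/^\s*Basic\s+([A-Za-z0-9+\/=]+)\s*$/i', $header, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true); // strict mode rejects stray bytes
    if ($decoded === false) {
        return null;
    }
    $pos = strpos($decoded, ':');
    if ($pos === false) {
        return null;
    }
    return [substr($decoded, 0, $pos), substr($decoded, $pos + 1)];
}

/**
 * A hash computed once and reused for unknown usernames, so that a missing
 * user costs the same verification time as a wrong password.
 */
function dummyHash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash('dummy', PASSWORD_DEFAULT);
    }
    return $hash;
}

/**
 * Check credentials against a user => password_hash() map. Returns the
 * authenticated username, or null if the request is not authenticated.
 */
function authenticate(array $server, array $users): ?string
{
    $header = findAuthorizationHeader($server);
    if ($header === null) {
        return null;
    }
    $creds = parseBasicCredentials($header);
    if ($creds === null) {
        return null;
    }
    [$user, $password] = $creds;
    $hash = $users[$user] ?? dummyHash();
    if (!password_verify($password, $hash)) {
        return null;
    }
    // The dummy hash must never authenticate anyone.
    return isset($users[$user]) ? $user : null;
}

// Constructed sample: what $_SERVER looks like after one mod_rewrite pass when
// only the SetEnvIf / RewriteRule workaround is in place (the header survives
// only under the REDIRECT_ prefix), plus a hypothetical user table.
$users = ['Aladdin' => password_hash('open sesame', PASSWORD_DEFAULT)];
$sampleServer = [
    'REDIRECT_HTTP_AUTHORIZATION' => 'Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==',
    'HTTP_AUTHORIZATION'          => '',
    'REQUEST_URI'                 => '/webdav/virtual/',
];

$who = authenticate($sampleServer, $users);
if ($who === null) {
    header('WWW-Authenticate: Basic realm="piwal"');
    http_response_code(401);
    echo "Unauthorized\n";
} else {
    echo "Authenticated as {$who}\n";
}
```

Run with `php example.php`; the constructed array authenticates as "Aladdin" because the base64 in the sample decodes to "Aladdin:open sesame". Removing the REDIRECT_ entry, or setting CGIPassAuth On so Apache populates HTTP_AUTHORIZATION directly, exercises the other branch of findAuthorizationHeader. Because the header carries a reusable password, keep CGIPassAuth scoped to the <Directory> that actually needs it rather than enabling it server-wide.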



