from http://httpd.apache.org/docs/current/mod/mod_headers.html
"Conditionally send MyHeader on the response if and only if header MyRequestHeader is present on the request. This is useful for constructing headers in response to some client stimulus. Note that this example requires the services of the mod_setenvif module."
SetEnvIf MyRequestHeader myvalue ENV_SET
Header set MyHeader "%D %t mytext" env=ENV_SET
but then from Apache SetEnvIf trouble and from my testing trying to set an environment var by checking the Authorization header, the ENV_SET won't be set at all
SetEnvIf only sets the env variable ENV_SET for the following
* Remote_Host
* Remote_Addr
* Server_Addr
* Request_Method
* Request_Protocol
* Request_URI
Is the documentation wrong or am I misunderstanding something ?
Using: Apache/2.2.15 (Win32) mod_fastcgi/2.4.6 mod_jk/1.2.30
Format is:
SetEnvIf <headername> <regex> <environment variable name and optionally a value>
This worked for me:
SetEnvIf ACTUAL_CLIENT_IP "^172\.111\.0\.27" dontlog
where ACTUAL_CLIENT_IP is the name of the HTTP header which stores the actual client IP (as opposed to the Remote_Addr field which gets overwritten with our proxy server's IP).
Related
my react app on production mode (https://www.cli-domain.com) -> main domain, it's using laravel API server (https://admin.cli-domain.com) -> subdomain created by apache virtual host, both domain are running on same server,
whenever i'm trying to send request from react app to API, it showing CORS error.
i'm using axios for api request, i set headers fields Access-Control-Allow-Origin * on my client side,
on my laravel API i used fruitcake/cors package to handle middleware via allow cross origin requests, as well i tried with htaccess Header allow cross origin snippets, and i use laravel Cors.php file to allow cross origin method,
everything ended up with failure result,
still i can't able to send a successful request to my laravel API,
please assist me achieve this is possible
Here i attach .htaccess method for reference
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Credentials "true"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header always set Access-Control-Max-Age "1000"
Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
and then another try with fruitcake / cors package reference code
protected $middleware = [
...
\Fruitcake\Cors\HandleCors::class, # this line
];
Cors.php
<?php
return [
/*
|--------------------------------------------------------------------------
| Laravel CORS Options
|--------------------------------------------------------------------------
|
| The allowed_methods and allowed_headers options are case-insensitive.
|
| You don't need to provide both allowed_origins and allowed_origins_patterns.
| If one of the strings passed matches, it is considered a valid origin.
|
| If ['*'] is provided to allowed_methods, allowed_origins or allowed_headers
| all methods / origins / headers are allowed.
|
*/
/*
* You can enable CORS for 1 or multiple paths.
* Example: ['api/*']
*/
'paths' => ['api/v1/tasker/profileupload', '*'],
/*
* Matches the request method. `['*']` allows all methods.
*/
'allowed_methods' => ['POST', 'GET', 'DELETE', 'PUT', '*'],
/*
* Matches the request origin. `['*']` allows all origins. Wildcards can be used, eg `*.mydomain.com`
*/
'allowed_origins' => ['https://www.doain-cus.com'],
/*
* Patterns that can be used with `preg_match` to match the origin.
*/
'allowed_origins_patterns' => ['Google/'],
/*
* Sets the Access-Control-Allow-Headers response header. `['*']` allows all headers.
*/
'allowed_headers' => ['X-Custom-Header', 'Upgrade-Insecure-Requests', '*'],
/*
* Sets the Access-Control-Expose-Headers response header with these headers.
*/
'exposed_headers' => [],
/*
* Sets the Access-Control-Max-Age response header when > 0.
*/
'max_age' => 0,
/*
* Sets the Access-Control-Allow-Credentials header.
*/
'supports_credentials' => false,
];
If you use the HandleCors middleware you shouldn't set the headers in your .htaccess (it will end up with CORS error because headers can't be setted twice), your cors.php config file is enough.
So you can remove these lines from your .htaccess:
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
You also don't have to set it from the client side, it is a server side configuration.
The netty4-http component is setting an invalid "host" HTTP header when no port is defined in the uri for requests.
netty4-http sets the header in DefaultNettyHttpBinding.toNettyRequest where URI is used to parse the uri string but URI give -1 if no port is defined.
For example the host header could be set to "hostname:-1" which is not accepted of some proxy servers that check the validity of the host header.
For example Apache proxy will return a http error 400(Bad request).
Also see ch. "14.23 Host" https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html for definition.
See https://www.rfc-editor.org/rfc/rfc7230#section-5.4
// This is how it's done in DefaultNettyHttpBinding.toNettyRequest
URI u = new URI(uri);
String hostHeader = u.getHost() + (u.getPort() == 80 ? "" : ":" + u.getPort());
request.headers().set(HttpHeaderNames.HOST.toString(), hostHeader);
LOG.trace("Host: {}", hostHeader);
As a workaround I'm using a custom NettyHttpBinding class but it had been nice to get a fix for it.
I am not getting the SoapHeader tags in the Soap message in the cxf service invoked. My current code is as below:
I have defined a cxf:cxfEndpoint for the service:
<cxf:cxfEndpoint id="testService" address="${testserviceurl}"
serviceClass="com.test.service.class" wsdlURL="test.wsdl"
endpointName="ns:test" serviceName="ns:TestService"
xmlns:ns="target.name.space.of.the.service">
<cxf:properties>
<entry key="dataFormat" value="PAYLOAD" />
</cxf:properties>
</cxf:cxfEndpoint>
And then before invoking my cxf endpoint, I have set the SoapHeader as:
CxfPayload<SoapHeader> payload = exchange.getIn().getBody(
CxfPayload.class);
List<SoapHeader> headers = payload.getHeaders();
SoapHeader header = new SoapHeader(new QName("HeaderName"), "Test");
headers.add(header);
I have also tried the approach:
List<SoapHeader> soapHeaders = CastUtils.cast((List<?>) exchange
.getIn().getHeader(Header.HEADER_LIST));
if (soapHeaders == null) {
// we just create a new soap headers in case the header is null
soapHeaders = new ArrayList<SoapHeader>();
}
SoapHeader header = new SoapHeader(new QName("HeaderName"),
"Test");
header.setDirection(Direction.DIRECTION_OUT);
soapHeaders.add(header);
Can anyone please help on what is wrong with this?
When you make any synchronous request through cxf client. It uses jdk's Http connection client to communicate over http.
As per this jira defect jdk does't allow to set header.
If you want to set headers you can do it by setting VM parameter
sun.net.http.allowRestrictedHeaders=true
If you use cxf in async mode it uses apache's HttpAsyncClient. This allows you to set the request headers.
Hope this helps.
I am developing a webapp with static files on one server and api on another. The front end is developed using angular and backend using laravel.
For CSRF-TOKEN fetching during the first load, within angular run block I have this code
if(!$cookies.get('XSRF-TOKEN')){
$http.get(API+'/csrf_token').success(function(d){
$cookies.put('XSRF-TOKEN',d.XSRF_TOKEN);
//$cookies.put('laravel-session',d.LARAVEL_ID);
//$http.defaults.headers.common.X-CSRF-TOKEN = 'Basic YmVlcDpib29w';
//$http.defaults.headers.post['X-CSRF-TOKEN']=$cookies.get('XSRF-TOKEN');
$http.defaults.headers.post['X-CSRF-TOKEN']=d.XSRF_TOKEN;
});
The other way I have tried to get the same was using this way.
Also set $httpProvider.defaults.withCredentials = true; so that cookies be sent along with requests.
The route /csrf_token setup as
Route::get("/csrf_token", function(){
//return \Response::json("asd",200)->withCookie(cookie("XSRF-TOKEN",csrf_token()));
return csrf_token(); //\Crypt::encrypt(csrf_token())
});
All the ajax POST requests throw TokenMismatchException in VerifyCsrfToken.php line 67:.
Next I have sent the csrf_token parameter as _token attached with the post parameters, still the same problem.
Tried all the above, returning encrypted token from /csrf_token, but still same problem.
Repeated all the steps clearing the config:cache and composer dumpautoload in api server, but still same problem.
Reviewed config file ,some values -
'driver' => env('SESSION_DRIVER', 'file'),
'encrypt' => false,
'files' => storage_path('framework/sessions'),
'secure' => false,
(These values seem to be okay)
Next reviewed Virtual config file for CORS configuration (inside directory tag)
Header set Access-Control-Allow-Origin "www.mydomain.com" #real domain not posted
Header set Access-Control-Allow-Credentials 'true'
Header always set Access-Control-Max-Age "2000"
Header set Access-Control-Allow-Headers 'X-CSRF-TOKEN'
Header always set Access-Control-Allow-Headers "X-Requested-With, Content-Type, Origin, Authorization, Accept, Client-Security-Token, Accept-Encoding"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Options Indexes FollowSymLinks Includes ExecCGI
AllowOverride All
Require local
Wasted hours googling.(frustrated). Need help.
NB: I couldn't find any more tutorial/answers similar to token mismatch problem netiher on stackoverflow nor on any other website that I havn't tried. Thanks.
I have two AppEngine modules, a default module running Python and "java" module running Java. I'm accessing the Java module from the default module using urlfetch. According to the AppEngine docs (cloud.google.com/appengine/docs/java/appidentity), I can verify in the Java module that the request originates from a module in the same app by checking the X-Appengine-Inbound-Appid header.
However, this header is not being set (in a production deployment). I use urlfetch in the Python module as follows:
hostname = modules.get_hostname(module="java")
hostname = hostname.replace('.', '-dot-', 2)
url = "http://%s/%s" % (hostname, "_ah/api/...")
result = urlfetch.fetch(url=url, follow_redirects=False, method=urlfetch.GET)
Note that I'm using the notation:
<version>-dot-<module>-dot-<app>.appspot.com
rather than the notation:
<version>.<module>.<app>.appspot.com
which for some reason results in a 404 response.
In the Java module I'm running a servlet filter which looks at all the request headers as follows:
Enumeration<String> headerNames = httpRequest.getHeaderNames();
while (headerNames.hasMoreElements()) {
String headerName = headerNames.nextElement();
String headerValue = httpRequest.getHeader(headerName);
mLog.info("Header: " + headerName + " = " + headerValue);
}
AppEngine does set some headers, e.g. X-AppEngine-Country. But the X-Appengine-Inbound-Appid header is not set.
Why am I'm not seeing the documented behaviour? Any suggestions would be much appreciated.
Have a look at what I've been answered on Google groups, which led to an issue opened on the public issue tracker.
As suggested in the answer I received you can follow, for any update, the issue over there.