Custom HTTP Header Fields Separated

My company sells a LAMP-based application (where P = Perl, not PHP), deployed as a device. The client is trying to integrate their SiteMinder SSO with our application, so that our device is behind a proxy server using the SiteMinder Apache plugin, which acts as a gatekeeper. For our application to authenticate a user through SSO, we expect to see HTTP requests that include an SSO cookie (in this case SMSESSION) and a custom HTTP header variable containing the username.

However, when our Apache server receives HTTP requests from the SSO proxy, all the custom HTTP headers seem to have been removed, although the cookie is present. I used the following Perl code to write the headers to a log file:

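    use CGI;

    my $q = CGI->new;
    ...
    # http() with no argument lists the HTTP_* names; map each one to its value
    my %headers = map { $_ => $q->http($_) } $q->http();
    my $headerDump = "Got the following headers:\n";
    for my $header ( keys %headers ) {
        $headerDump .= "$header: $headers{$header}\n";
    }
    # kLogApacheError is the application's own logging helper
    kLogApacheError("info", $headerDump);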

... and this is the result I get (slightly edited for privacy):

    [Wed Mar 16 23:47:31 UTC 2011] [info] Got the following headers:
    HTTP_COOKIE: s_vi=[CS]v1|26AE2FFD851D091F-4000012E400035C5[CE]; s_nr=1297899843493; [snip]
    HTTP_ACCEPT_LANGUAGE: en-US,en;q=0.8
    HTTP_ACCEPT_ENCODING: gzip,deflate,sdch
    HTTP_CONNECTION: keep-alive
    HTTP_ACCEPT: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    HTTP_ACCEPT_CHARSET: ISO-8859-1,utf-8;q=0.7,*;q=0.3
    HTTP_USER_AGENT: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
    HTTP_HOST: [redacted].com

IOW, the HTTP client headers I expect are missing. When we redirect traffic from a proxy server to another Apache server (i.e. not our device), all 20+ user headers are displayed as expected. This suggests that our Apache server strips the headers.

We have never encountered such a problem in other deployments, even with this particular SSO solution. I understand that this looks like another question on this site ("Server removes custom HTTP header fields"), but the suggestions there (for example, that the problem is caused by mod_security running) do not apply.

Is there any other reason our server can remove HTTP headers? Or maybe something else is happening?

Thanks for any help!

Matt

+4
3 answers

Did you sniff the raw HTTP traffic between the proxy server and your Apache instance? If the required headers are missing there, the problem is on the proxy side.

+4

I finally figured it out, and it was pretty obscure ...

Using HttpFox, it really looked like the request was being redirected to the device rather than forwarded. In the case of redirects, cookies were saved, but there were no HTTP request headers. However, the SSO proxy rules were "forwards," so we were completely at a dead end as to why redirects were appearing.

We knew that our application logic redirects to /signin/ if the user has not yet been authenticated, but we expected that it would still be passed through the proxy. However, we did not understand that there was an SSO option for SiteMinder, enableredirectrewrite, which by default would handle "any redirects initiated by target servers [by passing them] back to the requesting user." Once we set this flag to yes and redirectrewritablehostnames to everything, everything works like magic.

(For reference, see the version of the SiteMinder manual here: http://www.scribd.com/doc/48749285/h002921e).

+2
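
A diagnostic for the situation described in this answer, as an added example that is not part of the original answer: it classifies a request by whether it arrived from the proxy's address or directly from the browser, which is what separates a forwarded request from a redirect the proxy did not rewrite. The proxy address 192.0.2.10 and the header name HTTP_SSO_USER are placeholders, since the post gives neither, and the sample environments are constructed.

```perl
#!/usr/bin/perl
# Added diagnostic example; not code from the original post.
use strict;
use warnings;

# Assumptions (placeholders, not taken from the post):
my $PROXY_ADDR  = '192.0.2.10';      # address the SSO proxy connects from
my $USER_HEADER = 'HTTP_SSO_USER';   # CGI name of the custom username header

# Classify one request from its CGI environment (a hash ref shaped like %ENV).
sub classify_request {
    my ($env) = @_;
    my $from_proxy = ( $env->{REMOTE_ADDR} // '' ) eq $PROXY_ADDR;
    my $has_cookie = ( $env->{HTTP_COOKIE} // '' ) =~ /(?:^|;\s*)SMSESSION=/;
    my $has_user   = length( $env->{$USER_HEADER} // '' ) > 0;

    if ($from_proxy) {
        return $has_user
            ? 'forwarded by proxy, username header present'
            : 'forwarded by proxy, username header missing: check proxy rules';
    }
    # Not from the proxy: the browser reached this server directly.
    return 'direct request carrying a username header: do not trust it'
        if $has_user;
    return 'direct request with SSO cookie only: browser followed a redirect '
         . 'that the proxy passed back instead of rewriting'
        if $has_cookie;
    return 'direct request, no SSO session';
}

# Constructed sample environments, one per outcome worth distinguishing.
my @samples = (
    { REMOTE_ADDR => '192.0.2.10',   HTTP_COOKIE => 'SMSESSION=abc',
      HTTP_SSO_USER => 'jdoe' },
    { REMOTE_ADDR => '192.0.2.10',   HTTP_COOKIE => 'SMSESSION=abc' },
    { REMOTE_ADDR => '198.51.100.7', HTTP_COOKIE => 's_nr=1; SMSESSION=abc' },
    { REMOTE_ADDR => '198.51.100.7', HTTP_SSO_USER => 'jdoe' },
    { REMOTE_ADDR => '198.51.100.7' },
);

for my $env (@samples) {
    printf "%-14s %s\n", $env->{REMOTE_ADDR}, classify_request($env);
}
```

In a CGI handler the same function can be called as `classify_request(\%ENV)` and its result written next to the header dump.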

I recently had a problem where I couldn’t get any custom HTTP headers passed to my PHP script. It appears that Apache 2, running PHP 7 with FCGID, will not allow or remove or disable all custom HTTP headers.

Here is my fix: http://kiteplans.info/2017/06/13/solved-apache-2-php-7-fcgid-not-allowing-removing-stripping-custom-http-headers/

+1

Source: https://habr.com/ru/post/1344155/

