Mailing List Archive

Question about RequestHeader and Apache's use of Environment Variables
Good day, all. I'm a brand new member of this list and I joined
primarily so I could post this message. I've looked all over the web
(via Goggle), all through the Apache 2.0 docs, as well as the archives
of this mailing list and the O'Reilly Apache books, and I've come to
the unfortunate conclusion that what I want to do simply can't be done
with Apache 2.0 (I'm currently running 2.0.48, but I don't see any
chances in the the release notes for 2.0.50).

So, with that background, here's my set-up and my problem:

I'm running Apache 2.0.48, under Mac OS X. I've got multiple domains,
mapped to a single IP address, and I'm using NamedVirtualHost to handle
it all. The primary reason for this set-up is because I wish to use
Apache as the gateway/proxy for an embedded web server running on a
different port. I was able to find, at the Zope.org site, a great
write-up on using ProxyPass and ProxyPassReverse with <VirtualHost>
settings, so getting that part working was pretty easy.

No, on to my problem: My embedded web server (UserLand Frontier, for
those that might care), has a need to know the IP address of the client
and the name of the host, both of which are very easy to obtain from
the HTTP request headers. However, I also need to be able to access the
REMOTE_PORT of the client, in order to make an authentication call back
to the client machine. I found mod_headers and the RequestHeader
directive, and found the syntax for including an environment variable.
But, much to my surprise, I find that not only will RequestHeader not
include the value of any environment variables, including things like
HTTP_USER_AGENT, but that Apache doesn't even makethe environment
variables available for modules to use. Access appears to be module
specific (i.e. mod_cgi and mod_rewrite (as of 2.0.49) can both access
REMOTE_PORT), rather than system wide.

I guess my question, now that I've spent all this time explaining what
I've learned, is what are the chances that mod_headers will be modified
to allow access to, and thus inclusion of, environment variable values
for things like passing those values along to proxy requests? It would
appear to me that RemoteHeader is tailor made to provide this
functionality if it could simply gain access to the values. Is there
some design reason, or perhaps a security reason that I'm not
understanding, that would prevent this?

Thanks for any insight/assistance, and for reading this far. ;->

-Brian
----
Brian V. Hughes
Associate Director for Web Operations
Computing Technical Services
Dartmouth College
http://www.dartmouth.edu/~tech/


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Question about RequestHeader and Apache's use of Environment Variables [ In reply to ]
On Thu, 1 Jul 2004 12:51:58 -0400, Brian V Hughes <brianvh@dartmouth.edu> wrote:
> No, on to my problem: My embedded web server (UserLand Frontier, for
> those that might care), has a need to know the IP address of the client
> and the name of the host, both of which are very easy to obtain from
> the HTTP request headers. However, I also need to be able to access the
> REMOTE_PORT of the client, in order to make an authentication call back
> to the client machine. I found mod_headers and the RequestHeader
> directive, and found the syntax for including an environment variable.
> But, much to my surprise, I find that not only will RequestHeader not
> include the value of any environment variables, including things like
> HTTP_USER_AGENT, but that Apache doesn't even makethe environment
> variables available for modules to use. Access appears to be module
> specific (i.e. mod_cgi and mod_rewrite (as of 2.0.49) can both access
> REMOTE_PORT), rather than system wide.

First, the ability to use %e in RequestHeader is a very recent feature
addition. It is not documented in 2.0, and I haven't checked the
code, so it may only be available in the dev version (2.1).

Second, most of the things we think of as CGI env variables only
really become env variables when a CGI script or SSI page is called.
Modules like mod_rewrite access this information directly from
internal apache structures not from env variables. But if mod_rewrite
can access it, you can convert it to an env variable, using something
like

RewriteCond %{REMOTE_PORT} (.*)
RewriteRule .* - [E=R_P:%1]

RequestHeader add R-P %{R_P}e

But, as I said, I don't think this will work in any 2.0 version.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Question about RequestHeader and Apache's use of Environment Variables [ In reply to ]
On Thursday, July 1, 2004, at 02:28 PM, Joshua Slive wrote:
> RewriteCond %{REMOTE_PORT} (.*)
> RewriteRule .* - [E=R_P:%1]

Ahh! I hadn't seen that. Guess I needed to read mod_rewrite a little
deeper. :)

> RequestHeader add R-P %{R_P}e
>
> But, as I said, I don't think this will work in any 2.0 version.

I understand. I had a feeling what I wanted to do wasn't currently
possible. Any chance of seeing this feature move from the dev side to
the production side in the not-too-distant future? I've got a whole
host of applications that really, really, need to have access to the
client's incoming REMOTE_PORT post proxy hand-off.

Another thing I'm looking to do is make use of PKI-style certs for
user-level authentication into my Frontier-based web applications.
There are some specific mod_SSL directives that we use to request the
client cert, which upon verification stores the cert's values as bunch
of server-based environment variables (most start with "SSL_CLIENT_"
and "SSL_SERVER_").

If ReqestHeader will soon work with environment variables, and
mod_rewrite can set conditions based on SSL environment values (?), it
would seem like I'd be able to perform the same kind of proxy
pass-through I'm trying to do with REMOTE_PORT...

-Brian


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Question about RequestHeader and Apache's use of Environment Variables [ In reply to ]
* Joshua Slive <jslive@gmail.com> wrote:

> First, the ability to use %e in RequestHeader is a very recent feature
> addition. It is not documented in 2.0, and I haven't checked the
> code, so it may only be available in the dev version (2.1).

It's available in 2.0 as well. Same code, just another header table.
(note to self: docs update ;-)

> Second, most of the things we think of as CGI env variables only
> really become env variables when a CGI script or SSI page is called.
> Modules like mod_rewrite access this information directly from
> internal apache structures not from env variables. But if mod_rewrite
> can access it, you can convert it to an env variable, using something
> like
>
> RewriteCond %{REMOTE_PORT} (.*)
> RewriteRule .* - [E=R_P:%1]
>
> RequestHeader add R-P %{R_P}e
>
> But, as I said, I don't think this will work in any 2.0 version.

Fortunately the access to REMOTE_PORT was added to mod_rewrite recently, so
it should just work that way since 2.0.49.

nd
--
"Solides und umfangreiches Buch"
-- aus einer Rezension

<http://pub.perlig.de/books.html#apache2>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Question about RequestHeader and Apache's use of Environment Variables [ In reply to ]
On Jul 1, 2004, at 04:21 PM, André Malo wrote:
> * Joshua Slive <jslive@gmail.com> wrote:
>
>> First, the ability to use %e in RequestHeader is a very recent feature
>> addition. It is not documented in 2.0, and I haven't checked the
>> code, so it may only be available in the dev version (2.1).
>
> It's available in 2.0 as well. Same code, just another header table.
> (note to self: docs update ;-)

Hi, Andre. Thanks for your response on this thread. One question: Are
you sure that RequestHeader can actually make use of %e to set the
value of a header? I think Joshua might be right... see below.

>> RewriteCond %{REMOTE_PORT} (.*)
>> RewriteRule .* - [E=R_P:%1]
>>
>> RequestHeader add R-P %{R_P}e
>>
>> But, as I said, I don't think this will work in any 2.0 version.
>
> Fortunately the access to REMOTE_PORT was added to mod_rewrite
> recently, so
> it should just work that way since 2.0.49.

I'm now running 2.0.50. When I add the Rewrite statements in my
<VirtualHost> settings, I do see a new environment variable being set
with the value that I back-referenced from the Cond statement. That
part works really well.

However, when I try to access that variable's value with the
RequestHeader statement, using % {}e, all I get is "(null)" for the
value of the new header. This is exactly what I was getting under
2.0.48. It's like RequestHeader knows about environment variables, but
refuses to actually look up their values.

Is there some way to verify whether or not RequestHeader can see and
use Environment Variables?

-Brian


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Question about RequestHeader and Apache's use of Environment Variables [ In reply to ]
* Brian V Hughes <brianvh@Dartmouth.EDU> wrote:

> However, when I try to access that variable's value with the
> RequestHeader statement, using % {}e, all I get is "(null)" for the
> value of the new header. This is exactly what I was getting under
> 2.0.48. It's like RequestHeader knows about environment variables, but
> refuses to actually look up their values.

Hmm. I'm using it myself here with 2.0.50 - successfully.

> Is there some way to verify whether or not RequestHeader can see and
> use Environment Variables?

Not easy...
But the accompanying code is quite simple.

Can you post the relevant part of the configuration? (or send me the whole
config privately).

nd
--
"Umfassendes Werk (auch fuer Umsteiger vom Apache 1.3)"
-- aus einer Rezension

<http://pub.perlig.de/books.html#apache2>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Question about RequestHeader and Apache's use of Environment Variables [ In reply to ]
On Jul 10, 2004, at 12:57 PM, André Malo wrote:
> * Brian V Hughes <brianvh@Dartmouth.EDU> wrote:
>
>> Is there some way to verify whether or not RequestHeader can see and
>> use Environment Variables?
>
> Not easy...
> But the accompanying code is quite simple.

It turns out that André was right. The code to make what I needed work
was quite simple. The hitch I ran into was setting up my <VirtualHost>
settings to use ProxyPass as the means to to the fronting (i.e. the
reverse proxy). Trying to combine ProxyPass and ProxyPassReverese with
several Rewrite calls and the RequestHeader call just wouldn't work.
Apache seems to prefer to call the ProxyPass before it calls the
Rewrite's.

So, here's what I had, that didn't work:

<VirtualHost *:80>
ServerName blah.dartmouth.edu
ServerAdmin webmaster@dartmouth.edu

RewriteEngine on
RewriteCond %{ENV:REMOTE_ADDR} (.*)
RewriteRule .* - [E=R_P:%1]

RequestHeader add R-P %{R_P}e

ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

Turns out that even though the Rewrite calls happen "above" the
ProxyPass call, that doesn't mean Apache will execute it that way. The
mod_proxy calls just seem to take precedence over the mod_rewrite
calls. Fortunately, there's more than one way to code a reverse proxy
in Apache...

Here is the working <VirtualHost> set-up:

<VirtualHost *:80>
ServerName blah.dartmouth.edu
ServerAdmin webmaster@dartmouth.edu

RewriteEngine on
RewriteCond %{REMOTE_PORT} (.*)
RewriteRule .* - [E=R_P:%1]
RequestHeader add X-Remote-Port %{R_P}e
RewriteRule ^/(.*)?(.*)$ http://127.0.0.1:8080/$1?$2 [P,L]
RewriteRule ^/(.*)$ http://127.0.0.1:8080/$1 [P]

</VirtualHost>

Going with a pure Rewrite set-up, both for getting the Environment
Variable and handling the proxy calls, was the thing that did it. In
this set-up, Apache does execute the statements in their top-to-bottom
order.

The next stage will be to see what happens when the incoming request is
to port 443, and I need to both process the HTTPS call and proxy the
actual request to an HTTP call into my server running on port 8080.
That's a little way's away for me, as I don't currently need to work
with SSL, but I'm sure I'll be back looking for additional assistance.
;->

Thanks to André and Joshua for their help, and thanks to the list for
everyone's overall patience. I've definitely learned a lot more than I
was expecting.

-Brian


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org