
I'm having a little issue with my Apache 2.2.15 server. I'm running a Django app on top of it with mod_wsgi. I activated WSGIPassAuthorization On, which made Basic auth work well. But I recently implemented OAuth 2.0 to secure my API (Implicit Grant), and I think Apache won't let it pass since it is of the form "Authorization: Bearer token". The "Bearer" is the issue, I guess, though I don't know how to avoid that.

I tried:

RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]

In httpd.conf, in .htaccess (after setting AllowOverride All), and in my vhost. Nothing doing, it doesn't work. I've crawled the Internet all day long and didn't find anything but those two solutions.

Thank you in advance!

EDIT:

OS: Red Hat EL 6.4
Apache: 2.2.15
Django: 1.6.6 w/ django-oauth-toolkit
Python: 2.7.8
Martin Latrille
  • I believe [THIS](http://stackoverflow.com/a/13387616/2634075) is what you are looking for? I know this is the same code as you have used, but how sure are you that Apache is reading either **a) your .htaccess file** *or* **b) the httpd.conf file**? Also, please try **restarting Apache completely**. One thing I noticed with some Python programs is the requirement for having mod_proxy enabled, which will give you another layer of complexity. – JustSteveKing Oct 24 '14 at 13:56
  • I'm not sure about the .htaccess, though I'm almost sure it is reading the httpd.conf (modifications in this file influence the server's behaviour). Is there any particular place in the file I should put those lines, though? Thank you for your answer btw, and I just checked, mod_proxy is activated. I restarted with `apachectl restart` and `apachectl stop; apachectl start`; it didn't solve the issue :/. – Martin Latrille Oct 24 '14 at 14:04
  • OK, to start with, what you need to run is `service httpd restart` to restart Apache properly on a RH/CentOS server. This could be causing you issues. **ALSO**, I would not make these changes at all to httpd.conf, as this is the main configuration file for Apache, **NOT** the configuration file for your website. You want to edit things in `/etc/httpd/conf.d/yourSite.conf`, so I would suggest looking there and undoing any changes you did to the default Apache configuration. – JustSteveKing Oct 24 '14 at 14:10
  • If you want to read a simple tutorial on configuring Apache on a RH server, see [HERE](thedevshed.co.uk/posts/basic-security-for-apache-and-php-on-centos) – JustSteveKing Oct 24 '14 at 14:11
  • My vhost is in conf.d/mysite.conf ;)! Just tried `service httpd restart`; it didn't solve the issue, but it's good to know for the future. I will take care to modify only mysite.conf from now on, and thank you for the help and the link to the tutorial! – Martin Latrille Oct 24 '14 at 14:12
  • Then *why* are you editing things in `httpd.conf`!? This is the Apache configuration! Make changes to your site config and leave Apache as default as possible, apart from any security edits you may choose. – JustSteveKing Oct 24 '14 at 14:14
  • Because I was getting desperate and tried everything I could, just in case, haha. Won't do it anymore, Sir, I promise. – Martin Latrille Oct 24 '14 at 14:19
  • Haha, please read the tutorial link I showed you; it will give a good insight into what you should do with your config files and what **not** to do with them :P Add these edits into your site config file and restart Apache with `service httpd restart`. – JustSteveKing Oct 24 '14 at 14:21

I solved my problem, which in the end was totally unrelated to my Apache configuration. So if you found this topic looking for an answer to the same problem, one of the solutions below should fix it:

Config WSGI:

WSGIPassAuthorization On

Config .htaccess:

RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]

You can put both of those into your httpd/conf.d/project.conf file!

Martin Latrille
  • I also needed to add `SetEnvIf Authorization .+ HTTP_AUTHORIZATION=$0` to `.htaccess` – simo Aug 03 '16 at 07:21
  • @Simo This helped me a lot. – Volt Aug 11 '17 at 04:17
  • @simo @Volt: the `RewriteRule` and the `SetEnvIf` directives actually do the same thing (set the environment variable `HTTP_AUTHORIZATION` to the contents of the `Authorization` header), so only one of the two should be necessary. – piit79 Aug 31 '17 at 07:27
  • I've tried the "WSGIPassAuthorization On" and "RewriteEngine" lines above. The "Authorization" header started to appear but was empty. So I dropped all these lines and added just the one line recommended by @simo; it started to work as expected! Thanks. – ARA1307 Dec 05 '17 at 06:46
  • Added just "WSGIPassAuthorization On" to the Apache config and it's working now. Thanks! – Dave Dec 06 '17 at 22:51
  • I came across this and have tried all three items. `WSGIPassAuthorization On` doesn't work as we don't have the module/version required. The `RewriteEngine` and `SetEnvIf` lines did the same thing, but in our case Android shows correctly but iOS shows an empty Authorization value. – kendavidson Jun 26 '19 at 19:03
  • Thanks!! Works like a charm. Was stuck on this for a day. – RiderHood Nov 24 '20 at 13:20
  • https://www.digitalocean.com/community/questions/how-to-configure-apache-server-with-django-for-deployment-on-virtual-machine if someone needs a more detailed view of this – Animesh Kumar Apr 08 '21 at 09:43
  • I would recommend using `RewriteCond %{HTTP:Authorization} ^(.+)` instead of `... ^(.*)` to avoid matching if the header is not present. – mh8020 Jun 30 '21 at 20:03
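A diagnostic WSGI application, added here as an example and not code from the question or any of the answers above: point WSGIScriptAlias at it in place of the Django app and it reports whether HTTP_AUTHORIZATION reached the application and whether it carries a Bearer credential, without echoing the token itself. An empty or scheme-only value (the `^(.*)` case mh8020 mentions, and the empty header ARA1307 and kendavidson saw) is reported as absent. The function names and JSON field names are my own.

```python
"""Diagnostic WSGI app (added example, not from the answers above).

Deploy it via WSGIScriptAlias in place of the Django app to check whether
Apache/mod_wsgi is passing the Authorization header through. It never
echoes the credential itself, only whether one arrived and its scheme.
"""
import json
from wsgiref.simple_server import make_server


def parse_authorization(environ):
    """Return (scheme, credential) from HTTP_AUTHORIZATION, or (None, None).

    mod_wsgi only populates HTTP_AUTHORIZATION when WSGIPassAuthorization On
    (or an equivalent SetEnvIf / RewriteRule) is in effect. A rewrite
    condition of ^(.*) also matches an absent header and sets the variable to
    "", so an empty or scheme-only value is reported as "not present".
    """
    raw = environ.get("HTTP_AUTHORIZATION", "").strip()
    if not raw:
        return None, None
    scheme, _, credential = raw.partition(" ")
    credential = credential.strip()
    if not credential:
        return None, None
    return scheme.lower(), credential


def bearer_token(environ):
    """The OAuth 2.0 bearer token, or None if a different/no scheme was sent."""
    scheme, credential = parse_authorization(environ)
    return credential if scheme == "bearer" else None


def application(environ, start_response):
    scheme, _ = parse_authorization(environ)
    report = {
        "header_variable_present": "HTTP_AUTHORIZATION" in environ,
        "scheme": scheme,                     # "bearer", "basic", ... or None
        "bearer_token_present": bearer_token(environ) is not None,
    }
    body = json.dumps(report).encode("utf-8")
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    # Local check without Apache: curl -H 'Authorization: Bearer x' localhost:8000
    make_server("127.0.0.1", 8000, application).serve_forever()
```

If `header_variable_present` is false behind Apache, the header is being dropped before mod_wsgi; if it is true with an empty scheme, a rewrite or SetEnvIf rule is setting the variable without content.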

Several modules strip the Authorization header to try to enhance security by preventing scripts from seeing usernames, passwords, etc., unless the developer explicitly enables this. Many of these modules will allow this header if you simply add the following line to .htaccess: `CGIPassAuth on` (source: Apache docs and Stack Overflow)

BeetleJuice


To solve this problem, I just added WSGIPassAuthorization On to the /etc/apache2/sites-available/mySite.conf file, as follows:

...
        </Files>
</Directory>

WSGIPassAuthorization On

WSGIScriptAlias / /home/X/wsgi.py
WSGIDaemonProcess sepanta_dev python-path=/home/X python-home=/home/X/venv
...
Mohammad Nazari