I have my REST Framework APIs up and running on an AWS EC2 instance. I have set up Apache and added an SSL certificate. I'm using my own custom token authentication.

  1. Passing `Authorization` as header - On doing a POST request from both Postman and React, the header is not received in `request.headers("Authorization")` and `request.META["HTTP_AUTHORIZATION"]`.

  2. Passing `Authorization2` or `x-api-key` as header -

  • Works fine from Postman
  • On React, the browser throws the error `Access to fetch at 'https://www.myapi.live/api/project/add/8/' from origin 'http://localhost:3000' has been blocked by CORS policy: Request header field authorization2 is not allowed by Access-Control-Allow-Headers in preflight response.`

I have already tried including the Access-control-origin header in React and setting django-cors-headers at the backend. But it doesn't help.

  3. Passing `Authorization` as header but exposing runserver at `0.0.0.0:8000` instead of the Apache HTTPS URL -

  • Works in Postman
  • Works in React too

Here's my `000-default.conf` in both sites-enabled and sites-available:

```apache
<VirtualHost *:80>
    ServerName www.myapi.live
    ServerAdmin webmaster@localhost
    DocumentRoot /home/ubuntu/django/project
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    Alias /static /home/ubuntu/django/project/static
    <Directory /home/ubuntu/django/project/static>
        Require all granted
    </Directory>
    <Directory /home/ubuntu/django/project/project>
        <Files wsgi.py>
            Require all granted
        </Files>
    </Directory>
    WSGIDaemonProcess project python-path=/home/ubuntu/django/project python-home=/home/ubuntu/django/myenv
    WSGIProcessGroup project
    WSGIScriptAlias / /home/ubuntu/django/project/project/wsgi.py
    WSGIPassAuthorization On
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.myapi.live
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization},L]
</VirtualHost>
```

  • This question could use more structure and some trimming (e.g. the value of the token is not relevant). It is very hard to follow right now. Are you trying to say that when you expose the app directly on 8000 things work right from react, but when you go through apache you don't get the authorization header? – Andrew Nov 20 '20 at 19:47
  • [Apparently](https://stackoverflow.com/q/17018586/2395796) you need to configure Apache to not strip the `Authorization` header. – Kevin Christopher Henry Nov 21 '20 at 03:38
  • Thanks for correcting @AndrewBacker. I trimmed the question now. Yes, exposing on 8000 makes it work from react, but from apache it doesn't work from react. ( neither from postman too ). Apache is somehow stripping the Authorization header. – Aman Bhatnagar Nov 21 '20 at 06:14
  • @AndrewBacker That's why I shifted to custom header and tried Authorization2..that works in apache. But from postman only. From react it still doesn't and throws the cors preflight request error in browser console.. – Aman Bhatnagar Nov 21 '20 at 06:16
  • @KevinChristopherHenry I agree.. If somehow I stop apache from stripping the Authorization header, it's sorted.. I shared my `000-default.conf` file can you suggest any changes? – Aman Bhatnagar Nov 21 '20 at 06:19

1 Answer

So I added `WSGIPassAuthorization On` to my apache.conf file which resides in the parent directory just outside of sites-enabled. Doing these changes made it work like a charm and Apache no longer strips the `Authorization` header.

Just in case this can be of help to someone else in future! Thanks!

  • Can you edit the question and precisely tell what should be the content of the apache.conf file? I am having the same issue – Animesh Kumar Apr 08 '21 at 08:15
  • I meant can you show the apache.conf file in your answer. – Animesh Kumar Apr 08 '21 at 08:31
  • Check out this answer https://stackoverflow.com/a/9781171/12661847 and this https://www.digitalocean.com/community/questions/how-to-configure-apache-server-with-django-for-deployment-on-virtual-machine – Animesh Kumar Apr 08 '21 at 08:47
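
The CORS error quoted in the question comes from the browser's preflight check, which Postman never performs. As an added example (not code from the question or the answer), this Python sketch models a simplified version of that check from the Fetch specification, so a server's `Access-Control-Allow-Headers` value can be tested against the headers a client sends. The function names, the sample request and the allow-list strings are constructed for illustration.

```python
# Added example: simplified model of the browser's CORS preflight header check.
# It ignores the Fetch spec's value-length and byte restrictions on safelisted headers.

SAFELISTED = {"accept", "accept-language", "content-language"}
SIMPLE_CONTENT_TYPES = {
    "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
}

def headers_needing_approval(request_headers):
    """Lowercase header names the browser puts in Access-Control-Request-Headers."""
    needed = []
    for name, value in request_headers.items():
        lname = name.lower()
        if lname in SAFELISTED:
            continue
        # Content-Type is only safelisted for the three "simple" media types.
        if lname == "content-type":
            media_type = value.split(";")[0].strip().lower()
            if media_type in SIMPLE_CONTENT_TYPES:
                continue
        needed.append(lname)
    return sorted(needed)

def blocked_headers(request_headers, allow_headers_value, with_credentials=False):
    """Headers the preflight response does not allow; an empty list means the request proceeds."""
    allowed = {h.strip().lower() for h in allow_headers_value.split(",") if h.strip()}
    # With credentials, "*" is treated as a literal header name, not a wildcard.
    wildcard = "*" in allowed and not with_credentials
    blocked = []
    for name in headers_needing_approval(request_headers):
        if name in allowed:
            continue
        # The wildcard never covers Authorization; it must be listed by name.
        if wildcard and name != "authorization":
            continue
        blocked.append(name)
    return blocked

# Constructed sample: the custom header from the question plus a JSON body.
SAMPLE_REQUEST = {"Authorization2": "Token <placeholder>", "Content-Type": "application/json"}

if __name__ == "__main__":
    # An allow-list that names Authorization but not the custom header.
    print(blocked_headers(SAMPLE_REQUEST, "accept, authorization, content-type"))
    # The same list with the custom header added.
    print(blocked_headers(SAMPLE_REQUEST, "accept, authorization, authorization2, content-type"))
```

In django-cors-headers the allow-list is controlled by the `CORS_ALLOW_HEADERS` setting, so a custom header such as `Authorization2` has to be added there before a browser will send it cross-origin.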