Apache 剥离“授权”标头
[英]Apache strips down "Authorization" header
问题描述
I'm having a little issue with my Apache 2.2.15 Server.
我的 Apache 2.2.15 服务器有一个小问题。 I'm running a Django app on top of it with mod_wsgi.我正在使用 mod_wsgi 在它上面运行一个 Django 应用程序。 I activated WSGIPassAuthorization On , which made the Basic auth working well.我激活了WSGIPassAuthorization On ,这使得基本身份验证运行良好。 But I recently implemented OAuth2.0 to secure my API (Implicit Grant), and I think Apache won't let it pass since it is of the form "Authorization: Bearer token".但是我最近实现了 OAuth2.0 来保护我的 API(隐式授权),我认为 Apache 不会让它通过,因为它是“授权:不记名令牌”的形式。 The "Bearer" is the issue I guess, though I don't know how to avoid that. “承载”是我猜的问题,尽管我不知道如何避免。
I tried :我试过 :
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
In the httpd.conf, .htaccess (after setting AllowOverride All ), and in my vhost.在 httpd.conf、.htaccess(设置AllowOverride All )和我的虚拟主机中。 Nothing to do, doesn't work.无事可做,行不通。 I've crawled the Internet all day long, and didn't find anything but those two solutions.我已经在互联网上爬了一天,除了这两个解决方案之外没有找到任何东西。
Thank you in advance !先感谢您 !
EDIT:编辑:
OS : RedHatEL6.4
Apache : 2.2.15
Django: 1.6.6 w/ django-oauth-toolkit
Python: 2.7.8
3 个解决方案
解决方案1
27 已采纳 2014-10-28 10:43:15
I solved my problem, which finally was totally unrelated to my Apache configuration. 我解决了我的问题,最终与我的Apache配置完全无关。 So if you found this topic looking for an answer to the same problem, one of the solutions below should fix it : 因此,如果您发现此主题寻找同一问题的答案,则下面的解决方案之一应该解决它:
Config WSGI : 配置WSGI:
WSGIPAssAuthorization On
Config .htaccess : 配置.htaccess:
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]
You can put both of those into your httpd/conf.d/project.conf file ! 您可以将这两个文件放入httpd / conf.d / project.conf文件中!
解决方案2
7 2015-11-19 16:36:57
Several modules will strip the Authorization header to try to enhance security by preventing scripts from seeing usernames, passwords, etc... unless the developer explicitly enables this. 几个模块将剥离Authorization标头,试图通过阻止脚本查看用户名,密码等来增强安全性......除非开发人员明确启用此功能。 Many of these modules will allow this header if you simply add the following line to .htaccess: CGIPassAuth on (source: Apache docs and StackOverflow ) 如果您只是CGIPassAuth on添加到.htaccess中,其中许多模块将允许此标头: CGIPassAuth on (source: Apache docs and StackOverflow )
解决方案3
0 2021-11-17 10:57:20
To solve this problem, I just add WSGIPassAuthorization On to /etc/apache2/sites-available/mySite.conf file, as follows:为了解决这个问题,我只是WSGIPassAuthorization On /etc/apache2/sites-available/mySite.conf文件中添加了WSGIPassAuthorization On ,如下:
...
</Files>
</Directory>
WSGIPassAuthorization On
WSGIScriptAlias / /home/X/wsgi.py
WSGIDaemonProcess sepanta_dev python-path=/home/X python-home=/home/X/venv
...
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.