We have a Java servlet-based application (very old code base), which is served with Tomcat 8 with Apache httpd 2.4.43 and mod_proxy. The application has some static assets (CSS, JS, images) bundled with the Java web application.
I am trying to modify the cookie header for these assets by adding an Apache rule, but it seems this may not be working because the files are not at the Apache level?
<FilesMatch ".(js|css)$">
Header edit Set-Cookie (.*) "$1;HttpOnly;Secure;SameSite=Strict"
</FilesMatch>
I tried adding the rule without the FilesMatch condition and it worked, but that's not what I need. Any thoughts on how to get this done at the Apache level? Here is an excerpt from the httpd conf:
<VirtualHost *:443>
DocumentRoot "/apps/httpd/htdocs1"
ServerName www.mydomain.com
ServerAlias mydomain.com
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/version$
RewriteRule ^/.*$ /version.html [R=301,L]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=302,L]
<Proxy balancer://${HOSTNAME}-http-cluster>
Header add Set-Cookie "MYAPP_SESSION=jacplus.%{BALANCER_WORKER_ROUTE}e;path=/;"
BalancerMember http://myhost-002:31080 min=1 max=1000 loadfactor=1 retry=1 timeout=240 route=myhost-002
BalancerMember http://myhost-003:31080 min=1 max=1000 loadfactor=1 retry=1 timeout=240 route=myhost-003
</Proxy>
ProxyPass / balancer://${HOSTNAME}-http-cluster/ stickysession=MYAPP_SESSION lbmethod=byrequests
ProxyPassReverse / balancer://${HOSTNAME}-http-cluster/ stickysession=MYAPP_SESSION
<Location /balancer-manager>
SetHandler balancer-manager
Order deny,allow
Deny from all
Allow from 10.25.0.0/16
</Location>
...
</VirtualHost>
From the Apache documentation of mod_headers:
Conditionally send MyHeader on the response if and only if header MyRequestHeader is present on the request. This is useful for constructing headers in response to some client stimulus. Note that this example requires the services of the mod_setenvif module.
SetEnvIf MyRequestHeader myvalue HAVE_MyRequestHeader
Header set MyHeader "%D %t mytext" env=HAVE_MyRequestHeader
From the documentation of rewrite flags:
With the [E], or [env] flag, you can set the value of an environment variable. Note that some environment variables may be set after the rule is run, thus unsetting what you have set. See the Environment Variables document for more details on how Environment variables work.
Combining both, you may modify the header conditionally when the path matches a js or css file:
RewriteRule ^.*\.(js|css)$ - [E=SET_COOKIE:true]
Header edit Set-Cookie (.*) "$1;HttpOnly;Secure;SameSite=Strict" env=SET_COOKIE
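A check for the result of the rule above, as an added example that is not part of the original answer: it reads response header lines (as `curl -sI` prints them) for a `.js`/`.css` URL and reports each `Set-Cookie` that lacks `HttpOnly`, `Secure` or `SameSite=Strict`, or carries one of them twice. The sample responses are constructed; the `JSESSIONID` cookie, the paths and the function names are assumptions.

```python
import re

# Attributes the Header edit rule is expected to append (None = flag without value).
REQUIRED = {"httponly": None, "secure": None, "samesite": "strict"}
ASSET_RE = re.compile(r"\.(js|css)$")  # same pattern as the RewriteRule above

def parse_set_cookie(value):
    """Split one Set-Cookie value into (cookie name, [(attribute, value), ...])."""
    parts = [p.strip() for p in value.split(";") if p.strip()]  # tolerates ';;'
    name = parts[0].split("=", 1)[0]
    attrs = []
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs.append((key.strip().lower(), val.strip().lower()))
    return name, attrs

def audit_response(path, raw_headers):
    """Return (cookie, problem) findings for a .js/.css response, else []."""
    if not ASSET_RE.search(path.split("?", 1)[0]):
        return []  # the rule is only expected to fire for static assets
    findings = []
    for line in raw_headers.splitlines():
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        keys = [k for k, _ in attrs]
        for attr, want in REQUIRED.items():
            if attr not in keys:
                findings.append((name, "missing " + attr))
            elif keys.count(attr) > 1:
                # backend already set the flag and the edit appended it again
                findings.append((name, "duplicate " + attr))
            elif want is not None and dict(attrs)[attr] != want:
                findings.append((name, attr + " is not " + want))
    return findings

# Constructed sample responses, modelled on the cookie set in the <Proxy> block.
UNPATCHED = ("HTTP/1.1 200 OK\r\nContent-Type: text/css\r\n"
             "Set-Cookie: MYAPP_SESSION=jacplus.myhost-002;path=/;\r\n")
PATCHED = ("HTTP/1.1 200 OK\r\nContent-Type: text/css\r\n"
           "Set-Cookie: MYAPP_SESSION=jacplus.myhost-002;path=/;;HttpOnly;Secure;SameSite=Strict\r\n")
DOUBLED = ("HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n"
           "Set-Cookie: JSESSIONID=abc123; Path=/; HttpOnly;HttpOnly;Secure;SameSite=Strict\r\n")

if __name__ == "__main__":
    for label, hdrs in (("unpatched", UNPATCHED), ("patched", PATCHED), ("doubled", DOUBLED)):
        print(label, audit_response("/static/app.css", hdrs))
```

A "duplicate" finding means the backend already set that attribute and the `Header edit` pattern should be narrowed so it does not append it a second time.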