
Apache docker image strips Authorization header
Closed, Resolved, Public

Description

When sending a request with an Authorization header (e.g. making a request with an OAuth bearer token), the header gets stripped by Apache and does not reach the PHP process. This can be checked by inspecting $_SERVER, which does not contain said header.

I verified that adding the following two lines to the existing Apache site conf solves the problem (related Stack Overflow answer):

RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule .* - [e=HTTP_AUTHORIZATION:%1]

I tried this in both mwcli (dev/stretch-apache2:2.0.0) and MediaWiki-Docker (dev/buster-apache2:1.0.0-s1).
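
Added example, not part of the original report or of the MediaWiki code base: a PHP check for the symptom described above, reporting where (if anywhere) the Authorization header is visible to PHP without printing the credential. The function names and the sample arrays are hypothetical and constructed for illustration.

```php
<?php
// Added diagnostic example; not code from the task or from MediaWiki.
// Reports where the Authorization header is visible to PHP, never its value.

/**
 * @param array $server  Normally $_SERVER.
 * @param array $headers Raw request headers, e.g. from apache_request_headers().
 * @return array{source: ?string, scheme: ?string, length: int}
 */
function locateAuthorizationHeader(array $server, array $headers = []): array
{
    // REDIRECT_HTTP_AUTHORIZATION appears when the variable was set by a
    // rewrite rule and Apache performed an internal redirect afterwards.
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            return describeCredential("\$_SERVER['$key']", (string)$server[$key]);
        }
    }
    // Header names are case-insensitive, so compare in lower case.
    foreach ($headers as $name => $value) {
        if (strtolower((string)$name) === 'authorization' && $value !== '') {
            return describeCredential('apache_request_headers()', (string)$value);
        }
    }
    return ['source' => null, 'scheme' => null, 'length' => 0];
}

function describeCredential(string $source, string $value): array
{
    // Keep only the scheme (e.g. "Bearer") and the length; never log the token.
    $scheme = strtok(trim($value), ' ');
    return ['source' => $source, 'scheme' => $scheme, 'length' => strlen($value)];
}

// Constructed sample inputs: header stripped vs. header passed through.
$stripped = ['REQUEST_METHOD' => 'GET'];
$passed   = ['REQUEST_METHOD' => 'GET', 'HTTP_AUTHORIZATION' => 'Bearer example-token'];

var_dump(locateAuthorizationHeader($stripped)); // source is NULL
var_dump(locateAuthorizationHeader($passed));   // source is $_SERVER['HTTP_AUTHORIZATION']

// On a live request (assumption: served through Apache):
// $h = function_exists('apache_request_headers') ? apache_request_headers() : [];
// echo json_encode(locateAuthorizationHeader($_SERVER, $h ?: []));
```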

Event Timeline

Mentioned in SAL (#wikimedia-releng) [2022-04-12T21:37:09Z] <brennen> Updating dev-images docker-pkg files on primary contint for apache & elasticsearch changes (T304290, T305143)

This comment was removed by Addshore.

Change 821786 had a related patch set uploaded (by Krinkle; author: Jforrester):

[mediawiki/core@master] MediaWiki-Docker: Upgrade buster-apache2 image to latest

https://gerrit.wikimedia.org/r/821786

Change 821786 merged by jenkins-bot:

[mediawiki/core@master] MediaWiki-Docker: Upgrade buster-apache2 image to latest

https://gerrit.wikimedia.org/r/821786