I try to add a custom header on my request, but I'm not sure if it's possible with Apache2.4.
I would like to add to my headers the remote port used by the client.
If I check my logformat, I can get the remote port with this syntax :
%{remote}p
But if I try something like :
Header add x-remote-port %{remote}p
My configtest give me this error :
Unrecognized header format %p
I would like to know if it's possible to get a dynamic variable like remote port to add it on my headers for each requests ?
Log format syntax are differents, so here we go for the header module syntax :
Header add X-remote-port "%{REMOTE_PORT}e"
REMOTE_PORT varirable works only on 2.4.26 and later
https://httpd.apache.org/docs/2.4/expr.html
Related
I need to forward messages from a log file to another IP - let's say 127.0.0.1 514. How do I achieve this?
I used this example from the docs of rsyslog:
module(load="imfile" PollingInterval="10") #needs to be done just once
# File 2
input(type="imfile"
File="/path/to/file2"
Tag="tag2")
As well as providing it with the following rule:
*.* #127.0.0.1:514
But this ended up sending all of the system's logs including journald.
So how do I correctly use ruleset, input blocks and *.* #127.0.0.1:514 to send logs from file /path/to/file2 to 127.0.0.1:514?
Thanks
When specifying the input, also say which ruleset to apply. Input outside the ruleset will not be processed by the ruleset.
module(load="imfile")
input(type="imfile" File="/path/to/file2" Tag="tag2" ruleset="remote")
ruleset(name="remote"){
action(type="omfwd" target="127.0.0.1" port="514" protocol="udp")
# or use legacy syntax:
# *.* #127.0.0.1:514
}
I want to have a conditional header based on a header I want to get from the upstream.
For some reason it always gets translated to default.
Configuration:
upstream service decides if a header called x-no-iframe-protection should exist.
main nginx:
map $http_x_no_iframe_protection $x_frame_options {
yes "";
default "SAMEORIGIN";
}
server {
...
add_header X-Frame-Options $x_frame_options;
...
}
No matter what I try - I get both headers:
$ curl -v myhost
...
< x-no-iframe-protection: yes
< x-frame-options: SAMEORIGIN
...
Just to clarify - I use the x-no-iframe-protection just as a trick to remove x-frame-options in specific cases. I'm OK with it staying (although it is not needed once parsed by nginx)
Anyways - how can I make it get caught in order to replace the header value?
An HTTP transaction contains request headers and response headers. From the context of your question you are setting the value of a response header based on the value of another response header (which was received from upstream).
Nginx stores request headers in variables with names beginning with $http_ and response headers in variables with names beginning with $sent_.
In addition, response headers received from upstream may also be stored in variables with names beginning with $upstream_http_.
In your configuration you use the variable $http_x_no_iframe_protection, whereas you should be using either $sent_x_no_iframe_protection or perhaps $upstream_http_x_no_iframe_protection.
All of the Nginx variables are documented here.
try using $upstream_x_no_iframe_protection to access upstream response header.
I want to use an iframe in my localhost web server (wamp).
This iframe loads a form from a remote web server.
I have access to the remote web server, it uses apache2 (https://help.ubuntu.com/lts/serverguide/httpd.html), and i modify its security.conf file and i load the module 'headers'.
I modify security.conf by this line (the ip is the ip of my local computer):
Header append X-Frame-Options "ALLOW-FROM http://localhost, http://172.18.48.120, 172.18.48.120"
But when i test the changes, always says the same:
Refused to display 'http://externalURL.net/form.php' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
Any idea? Where's the problem?
Just for completeness:
Here are the lines to add to your apache2/conf-available/security.conf file to make your iframed content available in browsers supporting either or both X-Frame-Options and Content-Security-Policy header options (as stated on this survey site)
Header set X-Frame-Options: "ALLOW_FROM https://www.example.com"
Header set Content-Security-Policy: "frame-ancestors
https://www.example.com"
Make sure that header module is enabled
a2enmod headers
restart apache
service apache2 restart
That's it !
Finally i solved it, the solution is:
Load module headers in apache2.
Modify file security.conf, you have to append this line:
Header set X-Frame-Options 'ALLOW-FROM http://externalURL.net'
(it's a valid option if you use a local web server, e.g. wamp:
Header set X-Frame-Options 'ALLOW-FROM http://localhost')
Reload service apache2.
If you want to test it, don't use Google Chrome, it ignores x-frame-options directive and it always says the same message:
Refused to display 'http://externalURL.net/form.php' in a frame because it set 'X-Frame-Options' to 'sameorigin'.
It's ok with Firefox.
I want to remove Nginx from http response header. I can Hide my Nginx version but I want to hide Nginx too.
Thanks
Use the ngx_headers_more module - see http://wiki.nginx.org/NginxHttpHeadersMoreModule.
It allows you to configure any arbitrary headers you'd like - both request and response headers. Once you've installed it (and thus recompiled your version of Nginx), use the following configuration:
more_set_headers 'Server: my-server';
Alternatively, if you don't want a Server header at all, then clear it using:
more_clear_headers 'Server';
Whenever a URL that has %2F which is the hex code for / is posted to my JBOSS Server, I get an error:
HTTP 400 Bad Request error message.
Here is the URL:
http://localhost:8080/application/**abc%2Fhi**?msg=hello"
If I remove the %2F from the URL the link works fine.
This %2F has to be part of the URL and cannot be a request parameter.
Finally figured out the cause of this (both for JBoss and Apache). Both applications intentionally reject URIs with an encoded slash (%2F for / and %5C for \) to prevent possible security vulnerabilities.
Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0450
http://securitytracker.com/id/1018110 (Look at section 4. Solution)
And here are the instructions they provide for enabling this behavior in JBoss:
Note: In response to CVE-2007-0450, JBoss AS considers encoded slashes and backslashes in URLs invalid and its usage will result in HTTP 400 error. It is possible to allow encoded slashes and backslashes by following the steps outlined below, however doing so will expose you to CVE-2007-0450 related attacks:
a) If you use the /var/lib/jbossas/bin/run.sh setup, please edit /etc/jbossas/run.conf and append
- -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
- -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true to the string assigned to JAVA_OPTS
b) If you use the init script setup to run multiple JBoss AS services and you wish to allow encoding by default on all services, please edit /etc/jbossas/jbossas.conf and add the line JAVA_OPTS="${JAVA_OPTS}
- -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
- -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true"
c) If you use the init script setup to run multiple JBoss AS services and want to allow encoding of slashes and backslashes for a particular service, please edit /etc/sysconfig/${NAME} (where NAME is the name of your service) and add the line JAVA_OPTS="${JAVA_OPTS}
- -Dorg.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
- -Dorg.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true"
For Apache, it's as simple as setting "AllowEncodedSlashes NoDecode" somewhere in your apache conf or vhost conf (doesn't work in an .htaccess, however).
Apache link: http://httpd.apache.org/docs/current/mod/core.html#allowencodedslashes