Set multiple headers conditionally with rewrite rules [apache httpd.conf]

Question

I've been trying to set headers conditionally with few RewriteCond. Doesn't quite seem to work.

<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteLog "/tmp/rewrite.log"
  RewriteLogLevel 9

  RewriteCond %{HTTP_REFERER} "/id\:no\:"
  RewriteCond %{REQUEST_URI} "/live-stream/"

  RewriteRule ^.*$ - [ENV=stream:true]
  Header unset X-Frame-Options env=stream
  Header set Content-Security-Policy "frame-ancestors ‘self’ *.google.com:443 *.mydomain.com:443 mydomain2.com:443;” env=stream
</IfModule>

Both the conditions match, but the rewrite rule does not seem to show the results, when curled. It is taking the common settings set for other uri's.

Update1: I have got the unset string header to work.

<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteLog "/tmp/rewrite.log"
  RewriteLogLevel 9

  RewriteCond %{HTTP_REFERER} "/id\:no\:"
  RewriteCond %{REQUEST_URI} "/live-stream/"
  RewriteRule ^ - [ENV=stream1:true]

  RewriteCond %{HTTP_REFERER} "/id\:no\:"
  RewriteCond %{REQUEST_URI} "/live-stream/"
  RewriteRule ^ - [ENV=stream2:true]

  Header set Content-Security-Policy "frame-ancestors ‘self’ *.google.com:443 *.mydomain.com:443 mydomain2.com:443;” env=stream2
</IfModule>

I have managed to unset the header by using the Env variable at rewrite rule and negated at the level where it was setting it.

The only thing that doesn't work now is the Content-Security-Policy changes.

This is the output I get: $ curl -H 'Referer: https://www.example.net/buy/id:no:1234567' 'www.example.net/applications/buy/live-stream/list/en-us/ind‌ex.html' -sS -o /dev/null -D -

HTTP/1.1 200 OK
Date: Tue, 19 Dec 2017 00:31:14 GMT
Content-Security-Policy: frame-ancestors 'self' *.google.com:443 *.mydomain.com:443 mydomain2.com:443;” env=stream2

You're not really using _curly_ single and double quotes in the actual code, right? — CBroe, Dec 17 '17 at 19:34
Need more details here. What is purpose of `HTTP_REFERER` condition? What is the URL shown in browser when you click `/live-stream` URI and what it shows in browser URL afterwards? — anubhava, Dec 18 '17 at 08:49
Example for `HTTP_REFERER` would be _www.mydomain.com/buy/id:no:1234567_ and for `REQUEST_URI` would be _www.mydomain.com/applications/buy/live-stream/list/en-us/index.html_ — Kamal Chanda, Dec 18 '17 at 16:23
Where is this .htaccess located? Are there more rules there? — anubhava, Dec 18 '17 at 22:24
This is under the custom directory path. Yes, there are other rules which work in the normal requests. — Kamal Chanda, Dec 19 '17 at 00:12
`RewriteLog` and `RewriteLogLevel` are not even allowed in .htaccess so I suspect your .htaccess is not even read. — anubhava, Dec 19 '17 at 07:27
Well, I can see the logs. Which states both the conditions are matched and set the ENV variable to 1. — Kamal Chanda, Dec 19 '17 at 17:44

anubhava · Answer 1 · 2018-01-04T21:50:06.017

1

Try this code as this works for me:

RewriteCond %{HTTP_REFERER} "/id:no:" [NC]
RewriteCond %{REQUEST_URI} "/live-stream/" [NC]
RewriteRule ^ - [E=stream1:1,E=stream2:1]

Header set Content-Security-Policy "frame-ancestors ‘self’ *.google.com:443 *.mydomain.com:443 mydomain2.com:443;" env=stream2

Make sure you don't get any 404 while running your curl command.

Try with this curl command:

curl -IkL -H 'Referer: http://localhost/buy/id:no:1234567' 'localhost/applications/buy/live-stream/list/en-us/index.html'

edited Jan 04 '18 at 21:50

answered Dec 19 '17 at 22:15

anubhava

761,203
64
569
643

Thanks, I've did it the same way. Since there was already a header with Content-Security-Policy, I had to negate that and set the other one to be used. Please check the solution I have posted. – Kamal Chanda Dec 19 '17 at 23:00
Apache Version is 2.2 – Kamal Chanda Dec 21 '17 at 00:13

score 0 · Answer 2 · answered Dec 19 '17 at 22:58

0

I have managed to put the changes in by

<IfModule mod_rewrite.c>
 RewriteEngine on
 RewriteLog "/tmp/rewrite.log"
 RewriteLogLevel 9

 RewriteCond %{HTTP_REFERER} "/id\:no\:"
 RewriteCond %{REQUEST_URI} "/live-stream/"
 RewriteRule ^ - [ENV=stream1:true]

 RewriteCond %{HTTP_REFERER} "/id\:no\:"
 RewriteCond %{REQUEST_URI} "/live-stream/"
 RewriteRule ^ - [ENV=stream2:true]
</IfModule>

I have added the header conditions with the others which were previously existing for the normal requests.

Header set X-Frame-Options "SAMEORIGIN" env=!stream1
Header set Content-Security-Policy "frame-ancestors *.mydomain.com:443;" env=!stream2
Header set Content-Security-Policy "frame-ancestors ‘self’ *.google.com:443 *.mydomain.com:443 mydomain2.com:443;” env=stream2

answered Dec 19 '17 at 22:58

Kamal Chanda

163
2
12

Why stream1 and stream2 variables being set for same conditions? – anubhava Dec 20 '17 at 03:19
I've added both the conditions since I have two headers. – Kamal Chanda Dec 21 '17 at 00:12
You can set both env variables in same `RewriteRule` – anubhava Dec 21 '17 at 08:54
@anubhava How do I add both the ENV variables to the same `RewriteRule` – Kamal Chanda Jan 04 '18 at 00:27
You can do: `RewriteRule ^ - [E=stream1:1,E=stream2:1]` – anubhava Jan 04 '18 at 09:12

Set multiple headers conditionally with rewrite rules [apache httpd.conf]

2 Answers2