Patrick-Dussault

Tech Tip : CA Single Sign-On : How to make Apache 2.4 accept Web Agent Header Variables with Underscore Characters

Discussion created by Patrick-Dussault Employee on Oct 7, 2016

Question :

 

By default, Apache 2.4 does not pass any request header whose name contains an underscore on to CGI scripts and the other modules that build the CGI-style environment, so the Web Agent headers, whose legacy names contain underscores, are not transmitted by the web server to the application. How can I solve this problem?

 

Answer :

 

Apache 2.4 has a workaround for accepting headers whose names contain underscores: mod_setenvif captures the value of the underscored header and mod_headers re-sets it under a hyphenated name, which Apache 2.4 will export (Apache converts hyphens to underscores when it builds the HTTP_* environment variable, so the variable name the application sees is unchanged).

See the section "Passing broken headers to CGI scripts" on the following page:

http://httpd.apache.org/docs/current/env.html

Keep in mind that Apache 2.4 drops such headers deliberately (see the extract further down). A header name that is re-admitted this way is accepted from any client as well, so the application must not trust its value unless the Web Agent overwrites whatever the client sent. With LogLevel raised to trace1 for the core, Apache logs each header it refuses to export, which is a quick way to confirm that this is the cause of a missing variable.

 

Additional information :

 

SSO ACO parameter "LegacyVariables": for Apache 2.4.x web servers, set the LegacyVariables parameter to No so that the Web Agent sends the default header names, which contain no underscores (for example SMUSER and SMUSERDN), instead of the legacy underscored names. This solves the problem without relaxing Apache's header handling and is the preferred option where the application can be pointed at the non-legacy variable names.

 

https://docops.ca.com/ca-single-sign-on-12-52-sp1/en/configuring/web-agent-configuration/web-application-protection/default-http-headers-used-by-the-product

 

http://httpd.apache.org/docs/current/env.html (extract)

Passing broken headers to CGI scripts

 

Starting with version 2.4, Apache is more strict about how HTTP headers are converted to environment variables in mod_cgi and other modules: Previously any invalid characters in header names were simply translated to underscores. This allowed for some potential cross-site-scripting attacks via header injection (see Unusual Web Bugs, slide 19/20).

 

If you have to support a client which sends broken headers and which can't be fixed, a simple workaround involving mod_setenvif and mod_headers allows you to still accept these headers:

 

#
# The following works around a client sending a broken Accept_Encoding
# header.
#
# SetEnvIf matches the header *name* against the first regex (the '.'
# also matches the underscore) and the header *value* against the second,
# storing the captured value in an environment variable.
SetEnvIfNoCase ^Accept.Encoding$ ^(.*)$ fix_accept_encoding=$1
# RequestHeader then (re)writes the properly hyphenated header from that
# variable, but only when the variable was actually set.
RequestHeader set Accept-Encoding %{fix_accept_encoding}e env=fix_accept_encoding
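To make the mechanism behind this section (and the question at the top of the tip) concrete, here is an added Python model, not code from the Apache documentation or from CA: it reproduces the header-name to environment-variable translation that Apache's util_script.c performs, in both the pre-2.4 form (invalid characters become underscores) and the 2.4 form (a header containing anything other than ASCII letters, digits and hyphens is not exported at all), and then models the SetEnvIf/RequestHeader workaround above. The request headers are constructed for the example; SM_USER is used as a stand-in for a legacy underscored agent header, and the "last match wins" rule in the workaround model is an assumption about how repeated matches interact.

```python
import re
import string

ASCII_ALNUM = set(string.ascii_letters + string.digits)


def http2env(header_name, strict):
    """Translate a request header name to its CGI variable name as Apache's
    http2env() does.

    strict=False models httpd 2.2: every non-alphanumeric character becomes
    '_', so 'SM_USER' and 'SM-User' both turn into HTTP_SM_USER (a collision
    a client can exploit).
    strict=True models httpd 2.4: a name with anything other than ASCII
    letters, digits and '-' is not exported at all (returns None).
    """
    out = []
    for c in header_name:
        if c in ASCII_ALNUM:
            out.append(c.upper())
        elif c == "-":
            out.append("_")
        elif strict:
            return None
        else:
            out.append("_")
    return "HTTP_" + "".join(out)


def cgi_environment(headers, strict):
    """Build the HTTP_* part of a CGI environment from (name, value) pairs.

    Returns (env, dropped): env maps each variable name to the list of header
    values that landed on it (two entries means two spellings collided);
    dropped lists the names strict mode refused to export. Authorization and
    Proxy-Authorization are never exported, as in httpd; the Content-Type and
    Content-Length special cases are omitted here.
    """
    env, dropped = {}, []
    for name, value in headers:
        if name.lower() in ("authorization", "proxy-authorization"):
            continue
        var = http2env(name, strict)
        if var is None:
            dropped.append(name)
        else:
            env.setdefault(var, []).append(value)
    return env, dropped


def apply_setenvif_fix(headers, name_pattern, canonical_name):
    """Model the mod_setenvif + mod_headers workaround from the Apache docs:
    every header whose name matches name_pattern (case-insensitively) sets the
    environment variable (assumption: a later match overwrites an earlier one),
    and 'RequestHeader set' then writes canonical_name from it. The original,
    underscored header stays in the request, exactly as in httpd.
    """
    rx = re.compile(name_pattern, re.IGNORECASE)
    captured = None
    for name, value in headers:
        if rx.match(name):
            captured = value
    if captured is None:
        return list(headers)
    fixed = [(n, v) for n, v in headers if n.lower() != canonical_name.lower()]
    fixed.append((canonical_name, captured))
    return fixed


# Constructed request: a legitimate hyphenated header, a client-supplied
# underscored look-alike, the broken client header from the docs, and an
# underscored agent-style header the application expects to find.
REQUEST_HEADERS = [
    ("Host", "app.example.com"),
    ("X-Forwarded-For", "203.0.113.7"),
    ("X_Forwarded_For", "10.0.0.1"),        # look-alike injected by the client
    ("Accept_Encoding", "gzip"),            # broken header from the docs example
    ("SM_USER", "alice"),                   # legacy underscored agent header
    ("Authorization", "Basic Zm9vOmJhcg=="),
]


def demo():
    """Return (2.2 env, 2.4 env, 2.4 dropped names, 2.4 env after the fix)."""
    legacy_env, _ = cgi_environment(REQUEST_HEADERS, strict=False)
    strict_env, dropped = cgi_environment(REQUEST_HEADERS, strict=True)
    fixed = apply_setenvif_fix(REQUEST_HEADERS, r"^Accept.Encoding$", "Accept-Encoding")
    fixed_env, _ = cgi_environment(fixed, strict=True)
    return legacy_env, strict_env, dropped, fixed_env


if __name__ == "__main__":
    for label, item in zip(("2.2 env", "2.4 env", "2.4 dropped", "2.4 env + fix"), demo()):
        print(f"{label}: {item}")
```

Running it shows the two sides of the trade-off: under the 2.2 rules HTTP_X_FORWARDED_FOR receives both the real header and the client's underscored look-alike, under 2.4 the look-alike is simply dropped, and the same strictness is what removes SM_USER. The workaround makes HTTP_ACCEPT_ENCODING appear again because the re-set header is hyphenated, which is also why an application reading HTTP_SM_USER would work if a trusted component re-set the header as SM-User, and why a client can target that same variable unless the agent overwrites it.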

 

Changing protocol behavior with misbehaving clients

 

Earlier versions recommended that the following lines be included in httpd.conf to deal with known client problems. Since the affected clients are no longer seen in the wild, this configuration is likely no longer necessary.

 

#
# The following directives modify normal HTTP response behavior.
# The first directive disables keepalive for Netscape 2.x and browsers that
# spoof it. There are known problems with these browser implementations.
# The second directive is for Microsoft Internet Explorer 4.0b2
# which has a broken HTTP/1.1 implementation and does not properly
# support keepalive when it is used on 301 or 302 (redirect) responses.
#
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0

#
# The following directive disables HTTP/1.1 responses to browsers which
# are in violation of the HTTP/1.0 spec by not being able to understand a
# basic 1.1 response.
#
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0

 


KB : TEC606939
