Symantec Access Management


Tech Tip : CA Single Sign-On : How to make the Apache 2.4 to accept Web Agent Header Variables with Underscore Characters

  • 1.  Tech Tip : CA Single Sign-On : How to make the Apache 2.4 to accept Web Agent Header Variables with Underscore Characters

    Broadcom Employee
    Posted Oct 07, 2016 05:18 AM

    Question :

     

    Apache 2.4 does not accept by default any header name which contains an underscore, so the Web Agent headers are not transmitted by the Web Server. How can I solve this problem?

     

    Answer :

     

    Apache 2.4 has a workaround to accept headers having underscores:

     

    See section "Passing broken headers to CGI scripts" from the following page:

     

    http://httpd.apache.org/docs/current/env.html

     

    Additional information:

     

    SSO ACO Parameter "LegacyVariables" - For Apache 2.4.x web servers, set the LegacyVariables parameter to No to see the default headers such as SMUSER, SMUSERDN.

     

    https://docops.ca.com/ca-single-sign-on-12-52-sp1/en/configuring/web-agent-configuration/web-application-protection/default-http-headers-used-by-the-product

     

    http://httpd.apache.org/docs/current/env.html (extract)

    Passing broken headers to CGI scripts

     

    Starting with version 2.4, Apache is more strict about how HTTP headers are converted to environment variables in mod_cgi and other modules: Previously any invalid characters in header names were simply translated to underscores. This allowed for some potential cross-site-scripting attacks via header injection (see Unusual Web Bugs, slide 19/20).

     

    If you have to support a client which sends broken headers and which can't be fixed, a simple workaround involving mod_setenvif and mod_headers allows you to still accept these headers:

     

    #
    # The following works around a client sending a broken Accept_Encoding
    # header.
    #
    SetEnvIfNoCase ^Accept.Encoding$ ^(.*)$ fix_accept_encoding=$1
    RequestHeader set Accept-Encoding %{fix_accept_encoding}e env=fix_accept_encoding

     

    Changing protocol behavior with misbehaving clients

     

    Earlier versions recommended that the following lines be included in httpd.conf to deal with known client problems. Since the affected clients are no longer seen in the wild, this configuration is likely no longer necessary.

     

    #
    # The following directives modify normal HTTP response behavior.
    # The first directive disables keepalive for Netscape 2.x and browsers that
    # spoof it. There are known problems with these browser implementations.
    # The second directive is for Microsoft Internet Explorer 4.0b2
    # which has a broken HTTP/1.1 implementation and does not properly
    # support keepalive when it is used on 301 or 302 (redirect) responses.
    #
    BrowserMatch "Mozilla/2" nokeepalive
    BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0

    #
    # The following directive disables HTTP/1.1 responses to browsers which
    # are in violation of the HTTP/1.0 spec by not being able to understand a
    # basic 1.1 response.
    #
    BrowserMatch "RealPlayer 4\.0" force-response-1.0
    BrowserMatch "Java/1\.0" force-response-1.0
    BrowserMatch "JDK/1\.0" force-response-1.0

     


    KB : TEC606939



  • 2.  RE: Tech Tip : CA Single Sign-On : How to make the Apache 2.4 to accept Web Agent Header Variables with Underscore Characters

    Posted Jan 24, 2020 08:14 AM
    When testing according to the Apache documentation "Passing broken headers to CGI scripts", the provided variable was still empty. Anyway, the following single-line directive does the trick:

    Webagent trace log:
    [Setting custom HTTP header variable: 'HTTP_SM_TEST=samplevalue']

    httpd.conf:
    RequestHeader set SM-TEST "expr=%{req:SM_TEST}"

    /cgi-bin/headers.cgi:
    SERVER_SOFTWARE: Apache/2.4.38 (Unix)
    HTTP_SM_TEST: samplevalue