Set authorization header as env variable

[bryce]

Hi all!

I have an application (LibreNMS) that I am unable to change. It is currently running under apache. It runs under fast CGI which I have managed to set up. Unfortunately, I still get a 403 error when trying to access the application. The only part of the apache config that I have not yet managed to add to OpenLiteSpeed is:

SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1

It appears to me that this basically sets an environment variable with the contents of the authorization header. Maybe it's not required but I can't seem to find any other reason that I would get a 403 but I am happy to explore other possibilities. For completeness, here is the full apache virtual host. Our working site is here and the OpenLiteSpeed test is here.

<IfModule mod_ssl.c>
<VirtualHost *:443>
  DocumentRoot /opt/librenms/html/
  ServerName  librenms.example.com

  AllowEncodedSlashes NoDecode
  <Directory "/opt/librenms/html/">
    Require all granted
    AllowOverride All
    Options FollowSymLinks MultiViews
  </Directory>

  <IfModule setenvif_module>
    SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
  </IfModule>

  <FilesMatch ".+\.php$">
    SetHandler "proxy:unix:/run/php-fpm-librenms.sock|fcgi://localhost"
  </FilesMatch>

  SSLCertificateFile /etc/letsencrypt/live/librenms.evix.org/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/librenms.evix.org/privkey.pem
  Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

I am really enjoying OpenLiteSpeed so far so I hope that I can get this working so that I can switch off apache. Let me know if there is any more information that I can provide. I have searched quite a bit for this but not quite found the answer. I know that setting ENV variables is supported but it doesn't seem to allow setting it from a header like in this case. Some other posts have also suggested that it might be possible to use the rewrite engine but I don't think it can set ENV variables.

 

[bryce]

I'll add as a note that I have tried running the PHP directly without the unix socket and it just complains about curl not being available even though PHP is compiled with curl support. I'm not sure what that is all about. I am not a PHP person in the slightest so I don't know what fpm or fcgi is. If I can't figure this out (or the admins never approve my post haha) then I guess I can set Apache to a different firewalled port and use openlitespeed as a reverse proxy. I don't really want to do that but librenms wasn't the thing that I was trying to improve the speed on anyway, I was looking at my main site.

 

[bryce]

I'm actually less sure that the problem is the authorization variable now. I think that the issue is just doing the forwarding properly. Because I saw this in the log recently "MIME type [application/x-httpd-php] for suffix '.php' does not allow serving as static file, access denied!"

But why would that happen for a fastcgi application handler? Isn't an application not supposed to be static?

 

[bryce]

So I think that I finally figured it out but I can't delete this post.

I still never got the unix socket thing to work but I managed to get a version of PHP working with openlitespeed such that it will actually load the application. I also found out that there was a .htaccess file in the application that I had missed so I made a context for / and copied in the rewrite rules there which seems to have made this work.

 

[bryce]

Hmm, there appear to still be some issues. Like it will work fine for a while then suddenly it will take 5 minutes to load. No idea what's going on there but it should be good enough for now.