# Apache / HTTP_AUTHORIZATION to CGI Script



## hruodr (Apr 20, 2018)

How to make Apache2 to pass AUTHORIZATION header to CGI Scripts?


----------



## hruodr (Apr 20, 2018)

I just added in the configuration file:

`SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1`

below `ServerAdmin` directive in the configuration file. Now it passes the header.

No idea why this works and what this directive means. Also no idea if this is danger. I got the idea with googling and reading superficially what people write.  I have no desire nor time to study apache web server for doing trivial things.


----------



## hruodr (Mar 2, 2020)

Here is other solution to the same problem:



			Apache patch to defer auth to CGI scripts
		


But I do not get the headers REMOTE_USER and AUTH_TYPE.


----------



## obsigna (Mar 2, 2020)

It is a debatable security flaw to pass authorization credentials by environment variables, and the Apache developers decided not to pass these. That said, this affects not the HTTP headers REMOTE_USER and AUTH_TYPE. In my CGI and FCGI executables, I am able to access these with the C library function getenv(3) without doing anything special. I always use Digest authentication, and the HTTP Authorization header is indeed not passed.

The SetEnvIf directive, which you already found, does exactly this. It reads Apache’s private HTTP Authorization header IF it is present and SETs the ENVironment variable HTTP_AUTHORIZATION to the whole "(.*)" content of it. I consider this the correct way to get hands on the authorization credentials in (F)CGI’s.

Usually, we need the full HTTP Authorization header only for reimplementing the authentication scheme by ourselves in the CGI. I did it for implementing algorithm="SHA512", however, this was a completely useless effort, because even 5 years after the respective RFC was published, no browser that I am aware of does support this - see: https://tools.ietf.org/html/rfc7616.

Example of the Digest HTTP Authorization header - do you really need this?

```
Digest username="test",
realm="Test",
nonce="9a5x+e+gCPD=cb584e44c43ed6bd0bc2d9c7e242837d",
uri="/test/",
response="d1fc8eaf36937be0c3ba8cfe0a2c1bfe",
algorithm="MD5",
cnonce="9dba9637e8635a4d912075cd6ea55530",
nc=00000001,
qop="auth"
```


----------



## hruodr (Mar 2, 2020)

obsigna said:


> That said, this affects not the HTTP headers REMOTE_USER and AUTH_TYPE. In my CGI and FCGI executables, I am able to access these with the C library function getenv(3) without doing anything special.



It seems one gets them only when one use the authentication offered by apache, but not when one does not use it and reimplement it with a CGI script.

BTW, compiling is not necessary for getting HTTP_AUTHORIZATION:



			core - Apache HTTP Server Version 2.4


----------

