How to make the Apache 2.4 to accept Web Agent Header Variables with Underscore Characters

Document ID : KB000019094
Last Modified Date : 14/02/2018
Show Technical Document Details

Question :

Apache 2.4 does not accept by default the default any header name which contents an underscore, the Web Agent headers are not transmitted by the Web Server. How can I solve this problem ?

Answer :

Apache 2.4 has a work around to accept headers having underscores :

See section "Passing broken headers to CGI scripts" from the following page :

http://httpd.apache.org/docs/current/env.html

Additional information :

SSO ACO Parameter "LegacyVariables" - For Apache 2.4.x web servers, set the LegacyVariables parameter to No to see the default headers such as SMUSER, SMUSERDN.

https://docops.ca.com/ca-single-sign-on-12-52-sp1/en/configuring/web-agent-configuration/web-application-protection/default-http-headers-used-by-the-product

 

http://httpd.apache.org/docs/current/env.html  (extract)

Passing broken headers to CGI scripts

Starting with version 2.4, Apache is more strict about how HTTP headers are converted to environment variables in mod_cgi and other modules: Previously any invalid characters in header names were simply translated to underscores. This allowed for some potential cross-site-scripting attacks via header injection (see Unusual Web Bugs, slide 19/20).

If you have to support a client which sends broken headers and which can't be fixed, a simple workaround involving mod_setenvif and mod_headers allows you to still accept these headers:

# # The following works around a client sending a broken Accept_Encoding# header.#SetEnvIfNoCase^Accept.Encoding$^(.*)$ fix_accept_encoding=$1
RequestHeader set Accept-Encoding%{fix_accept_encoding}e env=fix_accept_encoding

Changing protocol behavior with misbehaving clients

Earlier versions recommended that the following lines be included in httpd.conf to deal with known client problems. Since the affected clients are no longer seen in the wild, this configuration is likely no-longer necessary.

## The following directives modify normal HTTP response behavior.# The first directive disables keepalive for Netscape 2.x and browsers that# spoof it. There are known problems with these browser implementations.# The second directive is for Microsoft Internet Explorer 4.0b2# which has a broken HTTP/1.1 implementation and does not properly# support keepalive when it is used on 301 or 302 (redirect) responses.#BrowserMatch"Mozilla/2" nokeepalive
BrowserMatch"MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0## The following directive disables HTTP/1.1 responses to browsers which# are in violation of the HTTP/1.0 spec by not being able to understand a# basic 1.1 response.#BrowserMatch"RealPlayer 4\.0" force-response-1.0BrowserMatch"Java/1\.0" force-response-1.0BrowserMatch"JDK/1\.0" force-response-1.0