advaithm Posted May 17, 2023
Username: advaithm
Server: Johnny
Main Domain: amsdc.helioho.st
---
The Authorization header is not getting forwarded to my Flask WSGI app.

Steps to reproduce:

Follow these steps to create a Flask app. Note: username is now domain name. Replace the code in myapp.py with the following:

from flask import Flask, request

app = Flask(__name__)


@app.route("/head/test/", methods=["GET"])
def head_version():
    # Echo back every request header the WSGI app actually received
    return str(request.headers)


if __name__ == "__main__":
    app.run()

Execute the following request in curl. This will test HTTP Basic Auth:

$ curl.exe -u test:password -H "Another: header" -i https://<domain>.helioho.st/flask/head/test/
HTTP/1.1 200 OK
Server: nginx
Date: <THE DATE>
Content-Type: text/html; charset=utf-8
Content-Length: 176
Connection: keep-alive
X-Powered-By: PleskLin

Host: <username>.helioho.st
X-Real-Ip: <YOUR IP>
X-Accel-Internal: /internal-nginx-static-location
Connection: close
User-Agent: curl/8.0.1
Accept: */*
Another: header

Note that the Another header passed through, but there is no Authorization: Basic header.

The same example can be repeated with Authorization: Bearer for JWTs:

$ curl.exe -H "Another: header" -H "Authorization: Bearer 1234" -i https://<DOMAIN>.helioho.st/flask/head/test/
HTTP/1.1 200 OK
Server: nginx
Date: <TIME>
Content-Type: text/html; charset=utf-8
Content-Length: 176
Connection: keep-alive
X-Powered-By: PleskLin

Host: <DOMAIN>.helioho.st
X-Real-Ip: <YOUR IP>
X-Accel-Internal: /internal-nginx-static-location
Connection: close
User-Agent: curl/8.0.1
Accept: */*
Another: header

The same result occurs, i.e. the Authorization header is filtered. I request the disabling of filtering of the Authorization header, as my web application will not work without it passing through.
wolstech Posted May 17, 2023
To my knowledge we don't intentionally block this, so it may just be a limitation of Plesk's Python implementation... Krydos would be the one to know if this can be made to work.
Krydos Posted May 17, 2023
Try putting this in your .htaccess

RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
advaithm Posted May 18, 2023
6 hours ago, Krydos said:
> Try putting this in your .htaccess
> RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

So, I added it to the .htaccess, but the output stays the same. Just sharing my whole .htaccess file for your reference:

flaskTEST/.htaccess

RewriteEngine On
RewriteBase /
RewriteRule ^(flasktest\.wsgi/.*)$ - [L]
RewriteRule ^(.*)$ flaskTEST/flasktest.wsgi/$1 [QSA,PT,L]
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

The directory I use is flaskTEST and the WSGI file is flaskTEST.wsgi.

An interesting thing I noted is that the .htaccess rule made the header reachable to a PHP script, but not the WSGI. The PHP script is this:

<?php
// Dump every request header Apache hands to PHP
$headers = apache_request_headers();
echo '<!DOCTYPE html><html><head><meta charset="utf-8"><title>test headers</title></head><body><ul>';
echo "\n\n";
foreach ($headers as $header => $value) {
    echo "<li>$header: $value </li>\n";
}
echo "</ul>\n";
echo '</body></html>';

That script output the Authorization header:

<!DOCTYPE html><html><head><meta charset="utf-8"><title>test headers</title></head><body><ul>

<li>Another: header </li>
<li>Accept: */* </li>
<li>User-Agent: curl/8.0.1 </li>
<li>Authorization: Basic c2FtcGxlOmhlYWRlcg== </li>
<li>Host: amsdc.helioho.st </li>
<li>Content-Length:  </li>
<li>Content-Type:  </li>
</ul>
</body></html>
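As an added example (not code from this thread or from HelioHost), here is a stdlib-only WSGI-level check that reads the Authorization value from the environ rather than from the stripped header: it looks at the HTTP_AUTHORIZATION variable that Krydos's RewriteRule exports, falls back to its REDIRECT_-prefixed name (the rename Apache applies to rewrite-set variables after an internal redirect), and then validates a Basic or Bearer credential in constant time. The fixture credentials and the environ dicts are constructed for the demo.

```python
import base64
import secrets

# Constructed fixtures for the demo; a real app would look credentials up securely.
VALID_USER, VALID_PASSWORD, VALID_TOKEN = "test", "password", "1234"


def get_authorization(environ):
    """Raw Authorization value from a WSGI environ, or None.

    mod_wsgi drops the header unless it is re-exported (e.g. the RewriteRule
    [E=HTTP_AUTHORIZATION:...] from the thread); when mod_rewrite sets a
    variable and then redirects internally, Apache renames it with a
    REDIRECT_ prefix, so that name is checked as a fallback.
    """
    for key in ("HTTP_AUTHORIZATION", "REDIRECT_HTTP_AUTHORIZATION"):
        if environ.get(key):
            return environ[key]
    return None


def parse_authorization(value):
    """Parse 'Basic <b64>' or 'Bearer <token>'; None for anything malformed."""
    scheme, _, rest = value.strip().partition(" ")
    scheme, rest = scheme.lower(), rest.strip()
    if scheme == "bearer" and rest:
        return ("bearer", rest)
    if scheme == "basic":
        try:
            # validate=True rejects stray characters; ValueError covers
            # binascii.Error and UnicodeDecodeError as well
            decoded = base64.b64decode(rest, validate=True).decode("utf-8")
        except ValueError:
            return None
        user, sep, password = decoded.partition(":")
        return ("basic", user, password) if sep else None
    return None


def is_authorized(environ):
    """Constant-time check of the presented credential against the fixtures."""
    raw = get_authorization(environ)
    parsed = parse_authorization(raw) if raw else None
    if parsed is None:
        return False
    if parsed[0] == "bearer":
        return secrets.compare_digest(parsed[1], VALID_TOKEN)
    return (secrets.compare_digest(parsed[1], VALID_USER)
            and secrets.compare_digest(parsed[2], VALID_PASSWORD))
```

In a Flask view the same environ is available as `request.environ`, so `is_authorized(request.environ)` can gate a route even when `request.headers` shows no Authorization entry.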
advaithm Posted May 18, 2023
Yes it works 🙂 Thank you so much ❤️

P.S. what caused the problem?
advaithm Posted May 19, 2023
Oh okay 👍 Thanks once again for the prompt response