
Posted

Username: advaithm

Server: Johnny

Main Domain: amsdc.helioho.st

---

The Authorization header is not getting forwarded to my Flask WSGI app.

Steps to reproduce:

  1. Follow these steps to create a Flask app. Note: the username is now the domain name.
  2. Replace the code in myapp.py with the following:
    from flask import Flask, request
    app = Flask(__name__)

    @app.route("/head/test/", methods=["GET"])
    def head_version():
        # Echo every request header so we can see what the server forwarded
        return str(request.headers)

    if __name__ == "__main__":
        app.run()

     

  3. Execute the following request in curl:
    1. This will test HTTP Basic Auth:
      $ curl.exe -u test:password -H "Another: header" -i https://<domain>.helioho.st/flask/head/test/
      
      HTTP/1.1 200 OK
      Server: nginx
      Date: <THE DATE>
      Content-Type: text/html; charset=utf-8
      Content-Length: 176
      Connection: keep-alive
      X-Powered-By: PleskLin
      
      Host: <username>.helioho.st
      X-Real-Ip: <YOUR IP>
      X-Accel-Internal: /internal-nginx-static-location
      Connection: close
      User-Agent: curl/8.0.1
      Accept: */*
      Another: header

      Note that the Another header passed through, but there is no Authorization: Basic header.

    2. The same example can be repeated with Authorization: Bearer for JWTs:

      curl.exe -H "Another: header" -H "Authorization: Bearer 1234" -i https://<DOMAIN>.helioho.st/flask/head/test/
      
      HTTP/1.1 200 OK
      Server: nginx
      Date: <TIME>
      Content-Type: text/html; charset=utf-8
      Content-Length: 176
      Connection: keep-alive
      X-Powered-By: PleskLin
      
      Host: <DOMAIN>.helioho.st
      X-Real-Ip: <YOUR IP>
      X-Accel-Internal: /internal-nginx-static-location
      Connection: close
      User-Agent: curl/8.0.1
      Accept: */*
      Another: header

      The same result occurs, i.e. the Authorization header is filtered.

I request that filtering of the Authorization header be disabled, as my web application will not work without it passing through.

Posted

To my knowledge we don't intentionally block this, so it may just be a limitation of Plesk's Python implementation...

Krydos would be the one to know if this can be made to work.

Posted

Try putting this in your .htaccess

RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
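The rewrite rule above copies the client's Authorization header into the Apache environment variable HTTP_AUTHORIZATION. Two things follow from how Apache handles that: the rule has to run before any rule that stops processing with [L], and, as the mod_rewrite documentation notes, a variable set from a per-directory (.htaccess) rule reaches the application with a REDIRECT_ prefix after the internal redirect. The added example below (mine, not code from this thread or from HelioHost) is the receiving side: a plain WSGI middleware that restores HTTP_AUTHORIZATION from REDIRECT_HTTP_AUTHORIZATION when the normal key is missing, and a small Basic-auth-protected app that parses and checks the header. It assumes the host's Python stack actually copies Apache's environment into the WSGI environ, which the thread does not confirm for Plesk; the user table and the three sample requests are constructed for the demo.

```python
"""WSGI-side half of the mod_rewrite Authorization workaround.

Added example, not from the forum thread. Assumes the .htaccess rule
  RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
is in place and that Apache's environment reaches the WSGI environ
(either as HTTP_AUTHORIZATION or, after the per-directory internal
redirect, as REDIRECT_HTTP_AUTHORIZATION).
"""
import base64
import binascii
import hmac

# Fallback environ key Apache produces for variables set in .htaccess.
FALLBACK_KEYS = ("REDIRECT_HTTP_AUTHORIZATION",)

# Constructed sample credentials for the demo (not from the thread).
USERS = {"test": "password"}


class RecoverAuthorization:
    """WSGI middleware: if HTTP_AUTHORIZATION is absent, fill it from a
    fallback key populated by the rewrite rule."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if not environ.get("HTTP_AUTHORIZATION"):
            for key in FALLBACK_KEYS:
                value = environ.get(key)
                if value:
                    environ["HTTP_AUTHORIZATION"] = value
                    break
        return self.app(environ, start_response)


def parse_basic(header):
    """Return (user, password) from an 'Authorization: Basic ...' value,
    or None if the header is absent, not Basic, or malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def credentials_valid(user, password):
    """Compare in constant time so username and password failures look alike."""
    expected = USERS.get(user)
    if expected is None:
        hmac.compare_digest(password.encode(), password.encode())  # burn equal time
        return False
    return hmac.compare_digest(expected.encode(), password.encode())


def app(environ, start_response):
    """Minimal WSGI app behind Basic auth (stands in for the Flask route)."""
    creds = parse_basic(environ.get("HTTP_AUTHORIZATION"))
    if creds is None or not credentials_valid(*creds):
        start_response("401 Unauthorized", [("Content-Type", "text/plain"),
                                            ("WWW-Authenticate", 'Basic realm="flask"')])
        return [b"authorization required\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {creds[0]}\n".encode()]


application = RecoverAuthorization(app)


def call(wsgi_app, environ):
    """Invoke a WSGI app with a constructed environ; return (status, body)."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status

    body = b"".join(wsgi_app(dict(environ), start_response))
    return seen["status"], body


def demo():
    """Constructed requests: header stripped, header only under the
    REDIRECT_ name, and a wrong password. Returns the three statuses."""
    good = base64.b64encode(b"test:password").decode()
    bad = base64.b64encode(b"test:wrong").decode()
    base = {"REQUEST_METHOD": "GET", "PATH_INFO": "/head/test/"}
    stripped = dict(base)
    redirected = dict(base, REDIRECT_HTTP_AUTHORIZATION="Basic " + good)
    wrong = dict(base, HTTP_AUTHORIZATION="Basic " + bad)
    return (call(application, stripped)[0],
            call(application, redirected)[0],
            call(application, wrong)[0])


if __name__ == "__main__":
    print(demo())
```

If the second status is not 200 on the real host, the variable never reached the WSGI environ and the fix has to happen in the server stack rather than in the application.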

 

Posted
6 hours ago, Krydos said:

Try putting this in your .htaccess

RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

 

So, I added it to the .htaccess, but the output stays the same. Just sharing my whole .htaccess file for your reference:

flaskTEST/.htaccess

RewriteEngine On
RewriteBase /
RewriteRule ^(flasktest\.wsgi/.*)$ - [L]
RewriteRule ^(.*)$ flaskTEST/flasktest.wsgi/$1 [QSA,PT,L]
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

The directory I use is flaskTEST and the WSGI file is flaskTEST.wsgi.

An interesting thing I noted is that the .htaccess rule made the header reachable to a PHP script, but not to the WSGI app.

The PHP script is this:

<?php
$headers = apache_request_headers();

echo '<!DOCTYPE html><html><head><meta charset="utf-8"><title>test headers</title></head><body><ul>';
echo "\n\n";
foreach ($headers as $header => $value) {
    // Escape names and values: request headers are client-controlled input
    echo "<li>" . htmlspecialchars($header) . ": " . htmlspecialchars($value) . " </li>\n";
}
echo "</ul>\n";
echo '</body></html>';

That script output the Authorization header:

<!DOCTYPE html><html><head><meta charset="utf-8"><title>test headers</title></head><body><ul>

<li>Another: header </li>
<li>Accept: */* </li>
<li>User-Agent: curl/8.0.1 </li>
<li>Authorization: Basic c2FtcGxlOmhlYWRlcg== </li>
<li>Host: amsdc.helioho.st </li>
<li>Content-Length:  </li>
<li>Content-Type:  </li>
</ul>
</body></html>

 

  • Krydos changed the title to [Solved] HTTP Authorization header not forwarding to WSGI app
  • Krydos locked this topic