Apache 2.4 + PHP-FPM and Authorization headers

Question

Summary: Apache 2.4\'s mod_proxy does not seem to be passing the Authorization headers to PHP-FPM. Is there any way to fix this?

Long vers

Answer 1

Various Apache modules will strip the Authorization header, usually for "security reasons". They all have different obscure settings you can tweak to overrule this behaviour, but you'll need to determine exactly which module is to blame.

You can work around this issue by passing the header directly to PHP via the env:

SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

See also Zend Server Windows - Authorization header is not passed to PHP script

Answer 2

I didn't find any similar settings with mod_proxy_fcgi BUT it just works for me by default. It asks for user authorization (.htaccess as usual) and the php gets it, and works like with mod_php or fastcgi and pass-header. I don't know if I was helpful...

EDIT: it only works on teszt.com/ when using the DirectoryIndex... If i pass the php file name (even if the index.php!) it just doesn't work, don't pass the auth to the php. This is a blocker for me, but I don't want to downgrade to apache 2.2 (and mod_fastgi) so I migrate to nginx (on this machine too).

Answer 3

This took me a long time to crack, since it's not documented under mod_proxy or mod_proxy_fcgi.

Add the following directive to your apache conf or .htaccess:

CGIPassAuth on

See here for details.