Apache and HTTP Headers with Underscores

less than 1 minute read

Starting with Apache 2.4, headers were dropped that contained items to include underscores and expects dashes instead. Red Hat backported this change into the Apache 2.2 that ships with 6.7. You can read more here:https://httpd.apache.org/docs/2.4/env.html

If you run into the issue where your REMOTE_USER or similar is not being passed to your WSGI application or similar, it is most likely due to the above. Good news, easy fix. I came across this issue with the wonderful Oracle Access Manager (OAM) 10g. Side note: what a crappy piece of code and a disgrace to authentication mechanisms everywhere.

In this example I am looking for OAM_REMOTE_USER.

In your virtualhost config:

SetEnvIfNoCase ^OAM.REMOTE.USER$ ^(.*)$ fix_accept_encoding=$1
RequestHeader set OAM-REMOTE-USER %{fix_accept_encoding}e env=fix_accept_encoding

If you are using mod_wsgi for Django or Flask, you will need to add:

WSGIPassAuthorization On