djangoapachereverse-proxycustom-headers

Apache2 reverse proxy strips my custom header


For my REST API, I am trying to pass a custom header X-APP-ID through an apache2 reverse proxy to the application hosting the API, however, it seems like apache2 is stripping away the header. It doesn't arrive at the application. Why is that?

Here is my apache2 config

<VirtualHost *:443>
    ServerName $SERVER_NAME
    ServerAlias $SERVER_ALIASES

    # Make sure requests are rewritten to use https://
    RewriteEngine on
    RewriteCond %{HTTP_HOST}   !^$SERVER_ALIASES [NC]
    RewriteCond %{HTTP_HOST}   !^$SERVER_NAME
    RewriteRule ^/?(.*)         https://$SERVER_NAME/$1 [L,R,NE]

    SSLEngine on
    SSLOptions +StrictRequire
    <Directory />
        Require all granted
        SSLRequireSSL
    </Directory>

    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

    # Enable SSL (disabling weak/vulnerable protocols)
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder On
    SSLCertificateFile /etc/letsencrypt/live/$SERVER_NAME/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/$SERVER_NAME/privkey.pem

   # Logging
   LogLevel warn
   CustomLog /var/log/apache2/access.log combined

   # Static files
   Alias /static/ [redacted]
   Alias favicon.ico [redacted]

   # If the URL mentions favicon, but is not acutally pointing to a file
   # location, rewrite the url to point to the favicon file
   RewriteCond  %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
   RewriteRule  .*favicon\.ico$        [redacted] [L]

   ProxyPass /static/ !
   ProxyPass /media/ !
   ProxyPass / http://localhost:8000/
   ProxyPassReverse / http://localhost:8000/
</VirtualHost>

<VirtualHost *:80>
    # Rewrite request to use SSL
    RewriteEngine on
    ReWriteCond %{SERVER_PORT} !^443$
    RewriteCond %{REQUEST_URI} !/.well-known
    RewriteRule ^/(.*) https://$SERVER_NAME/$1 [NC,R,L]

    ServerName $SERVER_NAME
    ServerAlias $SERVER_ALIASES

    # Logging
    ErrorLog /var/log/apache2/error.log
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined

    # Location for Let's Encrypt to read and write files
    Alias /.well-known /var/www/html/.well-known

</VirtualHost>

Solution

  • When Django converts HTTP header to keys in request.META, it converts all characters to uppercase, replaces hyphens with underscores, and adds an HTTP_ prefix.

    Therefore you should access the X-APP-ID HTTP header by using request.META['HTTP_X_APP_ID'].