Issue How Enable Underscore in Request Headers

[Reid]

Server operating system version

Windows 10 64 bit

Plesk version and microupdate number

Version 18.0.52 Update #3

Hi all,
jJust got a new VPS that runs on NGinx and will need help to enable underscore in Request Headers that hit my server.
I am creating some endpoints for a client who is insistent on underscores for a particular header SIGNATURE_METH.
I have researched how to do this and been told to edit the httpd.conf file but the Plesk console doesnt allow access to the file.
My Plesk version is Version 18.0.52 Update #3
and Windows version is: Windows 10 64 bit
Can someone help out please?
Thanks

 

[Peter Debik]

I am having difficulties understanding this correctly. This is what I understood so far: You say that you have an incoming web server request request that has a line in the header that has an underscore.
- Where is that underscore located, could you please provide an example of such a header?
- What do you need to "enable"?
- What shall happen after you enabled it?

 

[scsa20]

What I'm more confused is that you're able to install plesk on windows 10? That shouldn't be possible as the supported OSes is Server 2012, 2012 R2, 2016, 2019, and 2022. On top of that, Plesk for Windows will only work with IIS, not NGINX. Which tells me that you're probably running this in WSL? If so, that's not really a proper nor supported method. Or are you running it through a docker container?

 

[Reid]

What I'm more confused is that you're able to install plesk on windows 10? That shouldn't be possible as the supported OSes is Server 2012, 2012 R2, 2016, 2019, and 2022. On top of that, Plesk for Windows will only work with IIS, not NGINX. Which tells me that you're probably running this in WSL? If so, that's not really a proper nor supported method. Or are you running it through a docker container?

Hi, Thanks for responding..

- Where is that underscore located, could you please provide an example of such a header?
- ANSWER:
My Endpoint: https://www.webhubgh.com/gbf_apis/v1/vldnpt.php
Headers Attached: AUTHORIZATION, HASH, SIGNATURE and SIGNATURE_METH
Notes: When my endpoint is called, my apache server is NOT able to accept and process the header SIGNATURE_METH because of the underscore in it.
From my research there is a backdoor setting in apache and nginx that can make the server accept headers with underscores.
This is what I am looking for.

- What do you need to "enable"?
- ANSWER:
Since apache server by default disables underscores in headers, an example like SIGNATURE_METH is not accepted thus firing an error.
So in my PHP code a command like $_SERVER['SIGNATURE_METH'] returns a blank. If it should be SIGNATURE-METH, it works but the caller of
my endpoint is a big multi-payment platform that is unwilling to change the header to SIGNATURE-METH. This means I have to find a way to
make my apache server accept the SIGNATURE_METH header they attach to the call of my endpoint. I hope this is clear now.

- What shall happen after you enabled it?
- ANSWER:
After I enable underscores in headers on my apache server, all calls to my endpoint with headers having underscores will come through successfully without firing an error.

 

[Reid]

What I'm more confused is that you're able to install plesk on windows 10? That shouldn't be possible as the supported OSes is Server 2012, 2012 R2, 2016, 2019, and 2022. On top of that, Plesk for Windows will only work with IIS, not NGINX. Which tells me that you're probably running this in WSL? If so, that's not really a proper nor supported method. Or are you running it through a docker container?

ANSWER:
I have subcribed to a Virtual Private Server from another company that runs the apache and NGinx on a Linux Server. I use a Windows 10 PC for my works and connection to the VPS. I hope its clear please?

 

[Peter Debik]

You are right, Apache from version 2.4 does not accept such headers. This has been that way since 2017 at least. I'd never workaround this and ask what big payment provider has not adapted to the new scheme.

Anyway, if you absolutely need it, the solution is provided on Environment Variables in Apache - Apache HTTP Server Version 2.4 in the section "Passing broken headers to CGI scripts". The directives presented can be included in httpd.conf, so please create a .conf file in /etc/httpd/conf.d with the directives that your specific case needs, then reload Apache to apply the setting. I think you need a .conf file with this content:

SetEnvIfNoCase ^Accept.Encoding$ ^(.*)$ fix_accept_encoding=$1
RequestHeader set Accept-Encoding %{fix_accept_encoding}e env=fix_accept_encoding

 

[Reid]

You are right, Apache from version 2.4 does not accept such headers. This has been that way since 2017 at least. I'd never workaround this and ask what big payment provider has not adapted to the new scheme.

Anyway, if you absolutely need it, the solution is provided on Environment Variables in Apache - Apache HTTP Server Version 2.4 in the section "Passing broken headers to CGI scripts". The directives presented can be included in httpd.conf, so please create a .conf file in /etc/httpd/conf.d with the directives that your specific case needs, then reload Apache to apply the setting. I think you need a .conf file with this content:

SetEnvIfNoCase ^Accept.Encoding$ ^(.*)$ fix_accept_encoding=$1
RequestHeader set Accept-Encoding %{fix_accept_encoding}e env=fix_accept_encoding

Thanks Peter,
So..
1. Create a httpd.conf file
2. Write the ff code into the file:

    SetEnvIfNoCase ^Accept.Encoding$ ^(.*)$ fix_accept_encoding=$1
    RequestHeader set Accept-Encoding %{fix_accept_encoding}e env=fix_accept_encoding

3. Place the file inside the path /etc/httpd/conf.d
4. Restart Apache Server.
Correct?

 

[Reid]

Thanks Peter,
So..
1. Create a httpd.conf file
2. Write the ff code into the file:

    SetEnvIfNoCase ^Accept.Encoding$ ^(.*)$ fix_accept_encoding=$1
    RequestHeader set Accept-Encoding %{fix_accept_encoding}e env=fix_accept_encoding

3. Place the file inside the path /etc/httpd/conf.d
4. Restart Apache Server.
Correct?

My next issue is
1. How to create this httpd.conf file on the apache server
2. How to implement the code on the Plesk panel. I have seen a place where you can enter extra commands without having to open the conf file. See attached panel image

 

[Reid]

My next issue is
1. How to create this httpd.conf file on the apache server
2. How to implement the code on the Plesk panel. I have seen a place where you can enter extra commands without having to open the conf file. See attached panel image

 

[Peter Debik]

My next issue is
1. How to create this httpd.conf file on the apache server

Please consult Google for such basic administration tasks. Editing files on a Linux server is something you need to learn if you operate a server, it will frequently be needed.

2. How to implement the code on the Plesk panel. I have seen a place where you can enter extra commands without having to open the conf file. See attached panel image

You can try to add it to the additional Apache configuration, maybe it works there, too.

 

[Reid]

Hi guys,
Thanks you all for your support.
I think I finally got what I am looking for.

I OPENED AND EDITED THE apache2.conf file FOR THE Apache VERSION 2.4 AS FOLLOWS
1.. Open Plesk and click on the TOOLS AND SETTINGS link
2. Click on the SSH Tools to open the Terminal
3. Type the following command to edit the file Note: My server is hosted on Linux (Ubuntu OS)
vi /etc/apache2/apache2.conf
5. Edit and save

 

[Peter Debik]

This is actually not the recommended way, because now on the next Apache update that file might be overwritten. For that reason in Issue - How Enable Underscore in Request Headers I suggested to add a new .conf file to the custom .conf directory /etc/httpd/conf.d. Such files are persistent.

 

[Reid]

Wow that's a super tip.
Trying that asap. Thanks Peter.

 

[Reid]

Hi Peter,
is this "/etc/httpd/conf.d." a typo or you really meant to type "/etc/httpd/conf" ?

 

[Maarten]

If you're using AlmaLinux/CentOS, it is "/etc/httpd/conf.d"

If you're using Ubuntu, it is "/etc/apache2/conf.d"