PHP / FastCGI Installation Problem #2446

Closed
rnc opened this issue Jul 18, 2019 · 10 comments
@rnc
Contributor

rnc commented Jul 18, 2019

I installed the application through cpanel which gave me version 1.14.2.

I have been following https://freshrss.github.io/FreshRSS/en/users/06_Mobile_access.html to setup the system. However on running the API test I got:

Google Reader API configuration test:
    ❌ FAIL get HTTP Authorization header! Wrong Web server configuration.

From reading https://docs.holodyn.com/KnowledgeBase/Hosting/Apache/PHP_FastCGI_Authentication_Headers and https://www.drupal.org/project/restws/issues/2101361 I tried experimenting with adding to a .htaccess file.
Upon adding

RewriteCond %{HTTP:Authorization} ^(.+)
RewriteRule ^(.*)$ $1 [E=HTTP_AUTHORIZATION:%1,PT]

(from the above links) I got a pass. Unfortunately I don't know which directory needed the headers so have added it in the top level.

  • Where is best to add it?
  • Could this be supported internally if this is detected?
@Alkarex
Member

Alkarex commented Jul 18, 2019

Hello,
There is already a .htaccess included, which is supposed to address your case:
https://github.com/FreshRSS/FreshRSS/blob/master/p/api/.htaccess
Please check that it is there

@rnc
Contributor Author

rnc commented Jul 18, 2019

It is indeed there! I removed the above code from the top level and appended it to that file - and I still get a pass. So I guess the tests aren't working in my case.

@Alkarex I am not that familiar with htaccess conditionals but would be happy to help debug.

@rnc
Contributor Author

rnc commented Jul 19, 2019

@Alkarex Having looked into this a bit more I've found the following references:

Experimenting more with the .htaccess I found that

	SetEnvIfNoCase "Authorization" "(.*)" HTTP_AUTHORIZATION=$1

works while

	SetEnvIfNoCase "^Authorization$" "(.*)" HTTP_AUTHORIZATION=$1

does not for me. Further simply adding

CGIPassAuth on

also works fine. If either of those two solutions are acceptable I'd be happy to send a PR
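As an added diagnostic (not code from FreshRSS or from this thread), the script below shows where the Authorization header lands in $_SERVER under the workarounds discussed above: the RewriteRule [E=HTTP_AUTHORIZATION:%1] trick, its REDIRECT_-prefixed form after an internal redirect, and CGIPassAuth / mod_php, which expose PHP_AUTH_USER and PHP_AUTH_PW instead. The $_SERVER arrays at the bottom are constructed stand-ins for real requests; it only ever prints the user name, never the password.

```php
<?php
// Added diagnostic, not part of FreshRSS: report where (if anywhere) the
// HTTP Authorization header arrives under mod_php / FastCGI / .htaccess workarounds.

/**
 * Return the raw Authorization header value as PHP sees it, or null.
 * The RewriteRule [E=HTTP_AUTHORIZATION:%1] workaround sets HTTP_AUTHORIZATION,
 * or REDIRECT_HTTP_AUTHORIZATION once an internal redirect has run.
 * CGIPassAuth / mod_php instead decode Basic credentials into PHP_AUTH_USER/PW.
 */
function find_authorization_header(array $server): ?string {
    foreach (['HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'] as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            return $server[$key];
        }
    }
    if (isset($server['PHP_AUTH_USER'])) {
        return 'Basic ' . base64_encode($server['PHP_AUTH_USER'] . ':' . ($server['PHP_AUTH_PW'] ?? ''));
    }
    return null;
}

/** Parse "Basic base64(user:pass)"; returns [user, pass] or null on malformed input. */
function parse_basic(string $header): ?array {
    if (!preg_match('/^Basic\s+([A-Za-z0-9+\/=]+)$/i', $header, $m)) {
        return null;
    }
    $decoded = base64_decode($m[1], true);   // strict mode rejects junk characters
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2);
}

// Constructed $_SERVER arrays standing in for real requests (not captured data).
$cases = [
    'FastCGI, no workaround'  => ['REQUEST_METHOD' => 'GET'],
    'RewriteRule E= flag'     => ['HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('alice:s3cret')],
    'after internal redirect' => ['REDIRECT_HTTP_AUTHORIZATION' => 'Basic ' . base64_encode('alice:s3cret')],
    'CGIPassAuth / mod_php'   => ['PHP_AUTH_USER' => 'alice', 'PHP_AUTH_PW' => 's3cret'],
    'malformed header'        => ['HTTP_AUTHORIZATION' => 'Basic not-base64!'],
];
foreach ($cases as $label => $server) {
    $header = find_authorization_header($server);
    $creds  = $header === null ? null : parse_basic($header);
    printf("%-25s %s\n", $label . ':',
        $creds === null ? 'FAIL (no usable Authorization header)' : 'OK user=' . $creds[0]);
}
```

Dropping the same functions into a PHP file under the API directory and calling it with a client that sends Basic credentials shows directly which variable, if any, the server populates, which is the information the thread was missing.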

@Frenzie
Member

Frenzie commented Jul 19, 2019

According to the link above you need at least 2.4.13 for the CGIPassAuth setting. Ubuntu 16.04 ships with Apache 2.4.18. However, Debian Jessie is still LTS supported for another year and it comes with 2.4.10. So presumably reducing the restrictions on the regex would be preferable for compatibility.

@Alkarex
Member

Alkarex commented Jul 19, 2019

Thanks for the debugging @rnc
It would be interesting to find out why the current SetEnvIfNoCase rule does not work. Could you try to print the exact HTTP headers received?
For CGIPassAuth on (which would seem more proper), in addition to the increased minimum Apache version (which we could test), we must also be careful about the different AllowOverride rights needed (AuthConfig, which is less commonly granted than FileInfo).

@Alkarex Alkarex added this to the 1.14.3 milestone Jul 19, 2019
@rnc
Contributor Author

rnc commented Jul 19, 2019

Would anyone actually be using 2.4.10 in reality as it's vulnerable to multiple CVEs? Looking at my own hosting provider, they have updated to 2.4.39. Alternatively, is it feasible to use mod_version for now - and perhaps remove it in the long term?

@Alkarex Can you give me any advice on how to do that - this is on my shared hosting account where I have limited access.

@Alkarex
Member

Alkarex commented Jul 19, 2019

Linux distributions with long term maintenance provide security patches in older Apache / PHP / ... packages, so yes, people will most likely have old versions in production. See e.g. https://distrowatch.com/table.php?distribution=CentOS

For the HTTP headers at Apache level, would you happen to have / be able to install https://httpd.apache.org/docs/current/mod/mod_log_forensic.html ?

@Frenzie
Member

Frenzie commented Jul 19, 2019

@rnc Debian backports security fixes.

https://www.debian.org/security/faq#oldversion

Specifics for Apache2 can be found here:
https://security-tracker.debian.org/tracker/source-package/apache2

@rnc
Contributor Author

rnc commented Jul 19, 2019

@Alkarex Unfortunately because I reproduced the issue on a shared hosting account where I do not have root access I am not able to install things like that. As far as I can tell there is no way to do the equivalent of using wireshark to extract the headers.

rnc added a commit to rnc/FreshRSS that referenced this issue Jul 20, 2019
rnc added a commit to rnc/FreshRSS that referenced this issue Jul 20, 2019
Alkarex pushed a commit that referenced this issue Jul 20, 2019
* Issue #2446 : Fix passing authentication headers. Use CGIPassAuth if version is high enough

* Issue #2446 : Remove CGIPassAuth due to potential issues with AllowOverride rights.

* Tabs
@Alkarex
Member

Alkarex commented Jul 20, 2019

#2449

@Alkarex Alkarex closed this as completed Jul 20, 2019
Alkarex added a commit that referenced this issue Jul 21, 2019