logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in  RSS Apache Lounge  


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.



Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Environment variables and base64-function
Author
timo



Joined: 03 Jun 2012
Posts: 35
Location: FI, EU

PostPosted: Thu 07 May '20 17:02    Post subject: Environment variables and base64-function Reply with quote

I'm using Content Security Policy with nonce.

In conf, I have this line
Code:
Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'nonce-%{UNIQUE_ID}e' 'report-sample'; style-src 'self' 'nonce-%{UNIQUE_ID}e' 'report-sample'; img-src https: data:; media-src https: data:; font-src 'self'; form-action 'self'; child-src https:; report-uri https://ht23.dy.fi/report-uri.php?vhost=default;"


It works, except that requirement for nonce is a base64-string, and as mod_unique_id produces a string in range [A-Za-z0-9@-], that is with extra characters @ and -, CSP occasionally prevents a script or style.

I have tried to apply Apache function "base64" to produce a properly encoded string from UNIQUE_ID,
'nonce-%{base64:%{reqenv:UNIQUE_ID}}' or
'nonce-%{base64:%{UNIQUE_ID}e}' or something like those
but they all fail, either conf syntax check reports
Code:
Unrecognized header format %
, or if it passes after some editing of %-characters, it results something like
Code:
'nonce-(null)'
or a string like
Code:
'nonce-{base64:XrQf8mkxOEdmE553MAbdIgAAAf8}'


What is the correct syntax to apply base64 to the UNIQUE-ID -variable in conf?
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 6745
Location: Germany, Next to Hamburg

PostPosted: Thu 14 May '20 19:34    Post subject: Reply with quote

You can use Define[1]

If you still have a question please ask again.



[1] https://httpd.apache.org/docs/2.4/mod/core.html#define
Back to top
timo



Joined: 03 Jun 2012
Posts: 35
Location: FI, EU

PostPosted: Thu 14 May '20 19:53    Post subject: Reply with quote

Thanks for the reply.

Meanwhile, I came up with another solution.

In conf, I have this:
Code:
RequestHeader set CSP-NONCE "expr=%{base64:%{reqenv:UNIQUE_ID}}"


and I set header in php, with this
Code:
$s_Csp_Nonce = $_SERVER["HTTP_CSP_NONCE"];
header("Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{$s_Csp_Nonce}' 'report-sample'; style-src 'self' 'nonce-{$s_Csp_Nonce}' 'report-sample'; img-src https: data:; media-src https: data:; font-src 'self'; form-action 'self'; child-src https:; report-uri https://my_url;");
Back to top


Reply to topic   Topic: Environment variables and base64-function View previous topic :: View next topic
Post new topic   Forum Index -> Apache