1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
|
<?xml version="1.0"?>
<!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
<!-- $LastChangedRevision$ -->
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<modulesynopsis metafile="mod_headers.xml.meta">
<name>mod_headers</name>
<description>Customization of HTTP request and response
headers</description>
<status>Extension</status>
<sourcefile>mod_headers.c</sourcefile>
<identifier>headers_module</identifier>
<summary>
<p>This module provides directives to control and modify HTTP
request and response headers. Headers can be merged, replaced
or removed.</p>
</summary>
<section id="order"><title>Order of Processing</title>
<p>The directives provided by <module>mod_headers</module> can
occur almost anywhere within the server configuration, and can be
limited in scope by enclosing them in <a
href="../sections.html">configuration sections</a>.</p>
<p>Order of processing is important and is affected both by the
order in the configuration file and by placement in <a
href="../sections.html#mergin">configuration sections</a>. These
two directives have a different effect if reversed:</p>
<highlight language="config">
RequestHeader append MirrorID "mirror 12"
RequestHeader unset MirrorID
</highlight>
<p>This way round, the <code>MirrorID</code> header is not set. If
reversed, the MirrorID header is set to "mirror 12".</p>
</section>
<section id="early"><title>Early and Late Processing</title>
<p><module>mod_headers</module> can be applied either early or late
in the request. The normal mode is late, when <em>Request</em> Headers are
set immediately before running the content generator and <em>Response</em>
Headers just as the response is sent down the wire. Always use
Late mode in an operational server.</p>
<p>Early mode is designed as a test/debugging aid for developers.
Directives defined using the <code>early</code> keyword are set
right at the beginning of processing the request. This means
they can be used to simulate different requests and set up test
cases, but it also means that headers may be changed at any time
by other modules before generating a Response.</p>
<p>Because early directives are processed before the request path's
configuration is traversed, early headers can only be set in a
main server or virtual host context. Early directives cannot depend
on a request path, so they will fail in contexts such as
<directive type="section" module="core">Directory</directive> or
<directive type="section" module="core">Location</directive>.</p>
</section>
<section id="examples"><title>Examples</title>
<ol>
<li>
Copy all request headers that begin with "TS" to the
response headers:
<highlight language="config">
Header echo ^TS
</highlight>
</li>
<li>
Add a header, <code>MyHeader</code>, to the response including a
timestamp for when the request was received and how long it
took to begin serving the request. This header can be used by
the client to intuit load on the server or in isolating
bottlenecks between the client and the server.
<highlight language="config">
Header set MyHeader "%D %t"
</highlight>
<p>results in this header being added to the response:</p>
<example>
MyHeader: D=3775428 t=991424704447256
</example>
</li>
<li>
Say hello to Joe
<highlight language="config">
Header set MyHeader "Hello Joe. It took %D microseconds for Apache to serve this request."
</highlight>
<p>results in this header being added to the response:</p>
<example>
MyHeader: Hello Joe. It took D=3775428 microseconds for Apache
to serve this request.
</example>
</li>
<li>
Conditionally send <code>MyHeader</code> on the response if and
only if header <code>MyRequestHeader</code> is present on the request.
This is useful for constructing headers in response to some client
stimulus. Note that this example requires the services of the
<module>mod_setenvif</module> module.
<highlight language="config">
SetEnvIf MyRequestHeader myvalue HAVE_MyRequestHeader
Header set MyHeader "%D %t mytext" env=HAVE_MyRequestHeader
</highlight>
<p>If the header <code>MyRequestHeader: myvalue</code> is present on
the HTTP request, the response will contain the following header:</p>
<example>
MyHeader: D=3775428 t=991424704447256 mytext
</example>
</li>
<li>
Enable DAV to work with Apache running HTTP through SSL hardware
(<a href="http://svn.haxx.se/users/archive-2006-03/0549.shtml">problem
description</a>) by replacing <var>https:</var> with
<var>http:</var> in the <var>Destination</var> header:
<highlight language="config">
RequestHeader edit Destination ^https: http: early
</highlight>
</li>
<li>
Set the same header value under multiple nonexclusive conditions,
but do not duplicate the value in the final header.
If all of the following conditions applied to a request (i.e.,
if the <code>CGI</code>, <code>NO_CACHE</code> and
<code>NO_STORE</code> environment variables all existed for the
request):
<highlight language="config">
Header merge Cache-Control no-cache env=CGI
Header merge Cache-Control no-cache env=NO_CACHE
Header merge Cache-Control no-store env=NO_STORE
</highlight>
<p>then the response would contain the following header:</p>
<example>
Cache-Control: no-cache, no-store
</example>
<p>If <code>append</code> was used instead of <code>merge</code>,
then the response would contain the following header:</p>
<example>
Cache-Control: no-cache, no-cache, no-store
</example>
</li>
<li>
Set a test cookie if and only if the client didn't send us a cookie
<highlight language="config">
Header set Set-Cookie testcookie "expr=-z %{req:Cookie}"
</highlight>
</li>
<li>
Append a Caching header for responses with a HTTP status code of 200
<highlight language="config">
Header append Cache-Control s-maxage=600 "expr=%{REQUEST_STATUS} == 200"
</highlight>
</li>
</ol>
</section>
<directivesynopsis>
<name>RequestHeader</name>
<description>Configure HTTP request headers</description>
<syntax>RequestHeader add|append|edit|edit*|merge|set|setifempty|unset
<var>header</var> [[expr=]<var>value</var> [<var>replacement</var>]
[early|env=[!]<var>varname</var>|expr=<var>expression</var>]]
</syntax>
<contextlist><context>server config</context><context>virtual host</context>
<context>directory</context><context>.htaccess</context></contextlist>
<override>FileInfo</override>
<compatibility>SetIfEmpty available in 2.4.7 and later, expr=value
available in 2.4.10 and later</compatibility>
<usage>
<p>This directive can replace, merge, change or remove HTTP request
headers. The header is modified just before the content handler
is run, allowing incoming headers to be modified. The action it
performs is determined by the first argument. This can be one
of the following values:</p>
<dl>
<dt><code>add</code></dt>
<dd>The request header is added to the existing set of headers,
even if this header already exists. This can result in two
(or more) headers having the same name. This can lead to
unforeseen consequences, and in general <code>set</code>,
<code>append</code> or <code>merge</code> should be used instead.</dd>
<dt><code>append</code></dt>
<dd>The request header is appended to any existing header of the
same name. When a new value is merged onto an existing header
it is separated from the existing header with a comma. This
is the HTTP standard way of giving a header multiple
values.</dd>
<dt><code>edit</code></dt>
<dt><code>edit*</code></dt>
<dd>If this request header exists, its value is transformed according
to a <glossary ref="regex">regular expression</glossary>
search-and-replace. The <var>value</var> argument is a <glossary
ref="regex">regular expression</glossary>, and the <var>replacement</var>
is a replacement string, which may contain backreferences or format specifiers.
The <code>edit</code> form will match and replace exactly once
in a header value, whereas the <code>edit*</code> form will replace
<em>every</em> instance of the search pattern if it appears more
than once.</dd>
<dt><code>merge</code></dt>
<dd>The request header is appended to any existing header of
the same name, unless the value to be appended already appears in the
existing header's comma-delimited list of values. When a new value is
merged onto an existing header it is separated from the existing header
with a comma. This is the HTTP standard way of giving a header multiple
values. Values are compared in a case sensitive manner, and after
all format specifiers have been processed. Values in double quotes
are considered different from otherwise identical unquoted values.</dd>
<dt><code>set</code></dt>
<dd>The request header is set, replacing any previous header
with this name</dd>
<dt><code>setifempty</code></dt>
<dd>The request header is set, but only if there is no previous header
with this name.<br />
Available in 2.4.7 and later.</dd>
<dt><code>unset</code></dt>
<dd>The request header of this name is removed, if it exists. If
there are multiple headers of the same name, all will be removed.
<var>value</var> must be omitted.</dd>
</dl>
<p>This argument is followed by a header name, which can
include the final colon, but it is not required. Case is
ignored. For <code>set</code>, <code>append</code>, <code>merge</code> and
<code>add</code> a <var>value</var> is given as the third argument. If a
<var>value</var> contains spaces, it should be surrounded by double
quotes. For <code>unset</code>, no <var>value</var> should be given.
<var>value</var> may be a character string, a string containing format
specifiers or a combination of both. The supported format specifiers
are the same as for the <directive module="mod_headers">Header</directive>,
please have a look there for details. For <code>edit</code> both
a <var>value</var> and a <var>replacement</var> are required, and are
a <glossary ref="regex">regular expression</glossary> and a
replacement string respectively.</p>
<p>The <directive>RequestHeader</directive> directive may be followed by
an additional argument, which may be any of:</p>
<dl>
<dt><code>early</code></dt>
<dd>Specifies <a href="#early">early processing</a>.</dd>
<dt><code>env=[!]<var>varname</var></code></dt>
<dd>The directive is applied if and only if the <a href="../env.html"
>environment variable</a> <code>varname</code> exists.
A <code>!</code> in front of <code>varname</code> reverses the test,
so the directive applies only if <code>varname</code> is unset.</dd>
<dt><code>expr=<var>expression</var></code></dt>
<dd>The directive is applied if and only if <var>expression</var>
evaluates to true. Details of expression syntax and evaluation are
documented in the <a href="../expr.html">ap_expr</a> documentation.</dd>
</dl>
<p>Except in <a href="#early">early</a> mode, the
<directive>RequestHeader</directive> directive is processed
just before the request is run by its handler in the fixup phase.
This should allow headers generated by the browser, or by Apache
input filters to be overridden or modified.</p>
</usage>
</directivesynopsis>
<directivesynopsis>
<name>Header</name>
<description>Configure HTTP response headers</description>
<syntax>Header [<var>condition</var>] add|append|echo|edit|edit*|merge|set|setifempty|unset|note
<var>header</var> [[expr=]<var>value</var> [<var>replacement</var>]
[early|env=[!]<var>varname</var>|expr=<var>expression</var>]]
</syntax>
<contextlist><context>server config</context><context>virtual host</context>
<context>directory</context><context>.htaccess</context></contextlist>
<override>FileInfo</override>
<compatibility>SetIfEmpty available in 2.4.7 and later, expr=value
available in 2.4.10 and later</compatibility>
<usage>
<p>This directive can replace, merge or remove HTTP response
headers. The header is modified just after the content handler
and output filters are run, allowing outgoing headers to be
modified.</p>
<p> The optional <var>condition</var> argument determines which internal
table of responses headers this directive will operate against:
<code>onsuccess</code> (default, can be omitted) or <code>always</code>.
The difference between the two lists is that the headers contained in the
latter are added to the response even on error, and persisted across
internal redirects (for example, ErrorDocument handlers).
Note also that repeating this directive with both conditions makes sense in
some scenarios because <code>always</code> is not a superset of
<code>onsuccess</code> with respect to existing headers:</p>
<ul>
<li> You're adding a header to a locally generated non-success (non-2xx) response, such
as a redirect, in which case only the table corresponding to
<code>always</code> is used in the ultimate response.</li>
<li> You're modifying or removing a header generated by a CGI script
or by <module>mod_proxy_fcgi</module>,
in which case the CGI scripts' headers are in the table corresponding to
<code>always</code> and not in the default table.</li>
<li> You're modifying or removing a header generated by some piece of
the server but that header is not being found by the default
<code>onsuccess</code> condition.</li>
</ul>
<p>This difference between <code>onsuccess</code> and <code>always</code> is
a feature that resulted as a consequence of how httpd internally stores
headers for a HTTP response, since it does not offer any "normalized" single
list of headers. The main problem that can arise if the following concept
is not kept in mind while writing the configuration is that some HTTP responses
might end up with the same header duplicated (confusing users or sometimes even
HTTP clients). For example, suppose that you have a simple PHP proxy setup with
<module>mod_proxy_fcgi</module> and your backend PHP scripts adds the
<code>X-Foo: bar</code> header to each HTTP response. As described above,
<module>mod_proxy_fcgi</module> uses the <code>always</code> table to store
headers, so a configuration like the following ends up in the wrong result, namely
having the header duplicated with both values:</p>
<highlight language="config">
# X-Foo's value is set in the 'onsuccess' headers table
Header set X-Foo: baz
</highlight>
<p>To circumvent this limitation, there are some known configuration
patterns that can help, like the following:</p>
<highlight language="config">
# 'onsuccess' can be omitted since it is the default
Header onsuccess unset X-Foo
Header always set X-Foo "baz"
</highlight>
<p>Separately from the <var>condition</var> parameter described above, you
can limit an action based on HTTP status codes for e.g. proxied or CGI
requests. See the example that uses %{REQUEST_STATUS} in the section above.</p>
<p>The action it performs is determined by the first
argument (second argument if a <var>condition</var> is specified).
This can be one of the following values:</p>
<note type="warning"><title>Warning</title>
<p>Please read the difference between <code>always</code>
and <code>onsuccess</code> headers list described above
before start reading the actions list, since that important
concept still applies. Each action, in fact, works as described
but only on the target headers list.</p>
</note>
<dl>
<dt><code>add</code></dt>
<dd>The response header is added to the existing set of headers,
even if this header already exists. This can result in two
(or more) headers having the same name. This can lead to
unforeseen consequences, and in general <code>set</code>,
<code>append</code> or <code>merge</code> should be used instead.</dd>
<dt><code>append</code></dt>
<dd>The response header is appended to any existing header of
the same name. When a new value is merged onto an existing
header it is separated from the existing header with a comma.
This is the HTTP standard way of giving a header multiple values.</dd>
<dt><code>echo</code></dt>
<dd>Request headers with this name are echoed back in the
response headers. <var>header</var> may be a
<glossary ref="regex">regular expression</glossary>.
<var>value</var> must be omitted.</dd>
<dt><code>edit</code></dt>
<dt><code>edit*</code></dt>
<dd>If this response header exists, its value is transformed according
to a <glossary ref="regex">regular expression</glossary>
search-and-replace. The <var>value</var> argument is a <glossary
ref="regex">regular expression</glossary>, and the <var>replacement</var>
is a replacement string, which may contain backreferences or format specifiers.
The <code>edit</code> form will match and replace exactly once
in a header value, whereas the <code>edit*</code> form will replace
<em>every</em> instance of the search pattern if it appears more
than once.</dd>
<dt><code>merge</code></dt>
<dd>The response header is appended to any existing header of
the same name, unless the value to be appended already appears in the
header's comma-delimited list of values. When a new value is merged onto
an existing header it is separated from the existing header with a comma.
This is the HTTP standard way of giving a header multiple values.
Values are compared in a case sensitive manner, and after
all format specifiers have been processed. Values in double quotes
are considered different from otherwise identical unquoted values.</dd>
<dt><code>set</code></dt>
<dd>The response header is set, replacing any previous header
with this name. The <var>value</var> may be a format string.</dd>
<dt><code>setifempty</code></dt>
<dd>The request header is set, but only if there is no previous header
with this name.
<note>
The Content-Type header is a special use case since there might be
the chance that its value have been determined but the header is not part
of the response when <code>setifempty</code> is evaluated.
It is safer to use <code>set</code> for this use case like in the
following example:
<highlight language="config">
Header set Content-Type "text/plain" "expr=-z %{CONTENT_TYPE}"
</highlight>
</note></dd>
<dt><code>unset</code></dt>
<dd>The response header of this name is removed, if it exists.
If there are multiple headers of the same name, all will be
removed. <var>value</var> must be omitted.</dd>
<dt><code>note</code></dt>
<dd>The value of the named response <var>header</var> is copied into an
internal note whose name is given by <var>value</var>. This is useful
if a header sent by a CGI or proxied resource is configured to be unset
but should also be logged.<br />
Available in 2.4.7 and later.</dd>
</dl>
<p>This argument is followed by a <var>header</var> name, which
can include the final colon, but it is not required. Case is
ignored for <code>set</code>, <code>append</code>, <code>merge</code>,
<code>add</code>, <code>unset</code> and <code>edit</code>.
The <var>header</var> name for <code>echo</code>
is case sensitive and may be a <glossary ref="regex">regular
expression</glossary>.</p>
<p>For <code>set</code>, <code>append</code>, <code>merge</code> and
<code>add</code> a <var>value</var> is specified as the next argument.
If <var>value</var>
contains spaces, it should be surrounded by double quotes.
<var>value</var> may be a character string, a string containing
<module>mod_headers</module> specific format specifiers (and character
literals), or an <a href="../expr.html">ap_expr</a> expression prefixed
with <em>expr=</em></p>
<p> The following format specifiers are supported in <var>value</var>:</p>
<table border="1" style="zebra">
<columnspec><column width=".25"/><column width=".75"/></columnspec>
<tr><th>Format</th><th>Description</th></tr>
<tr><td><code>%%</code></td>
<td>The percent sign</td></tr>
<tr><td><code>%t</code></td>
<td>The time the request was received in Universal Coordinated Time
since the epoch (Jan. 1, 1970) measured in microseconds. The value
is preceded by <code>t=</code>.</td></tr>
<tr><td><code>%D</code></td>
<td>The time from when the request was received to the time the
headers are sent on the wire. This is a measure of the duration
of the request. The value is preceded by <code>D=</code>.
The value is measured in microseconds.</td></tr>
<tr><td><code>%l</code></td>
<td>The current load averages of the actual server itself. It is
designed to expose the values obtained by <code>getloadavg()</code>
and this represents the current load average, the 5 minute average, and
the 15 minute average. The value is preceded by <code>l=</code> with each
average separated by <code>/</code>.<br />
Available in 2.4.4 and later.
</td></tr>
<tr><td><code>%i</code></td>
<td>The current idle percentage of httpd (0 to 100) based on available
processes and threads. The value is preceded by <code>i=</code>.<br />
Available in 2.4.4 and later.
</td></tr>
<tr><td><code>%b</code></td>
<td>The current busy percentage of httpd (0 to 100) based on available
processes and threads. The value is preceded by <code>b=</code>.<br />
Available in 2.4.4 and later.
</td></tr>
<tr><td><code>%{VARNAME}e</code></td>
<td>The contents of the <a href="../env.html">environment
variable</a> <code>VARNAME</code>.</td></tr>
<tr><td><code>%{VARNAME}s</code></td>
<td>The contents of the <a href="mod_ssl.html#envvars">SSL environment
variable</a> <code>VARNAME</code>, if <module>mod_ssl</module> is enabled.</td></tr>
</table>
<note><title>Note</title>
<p>The <code>%s</code> format specifier is only available in
Apache 2.1 and later; it can be used instead of <code>%e</code>
to avoid the overhead of enabling <code>SSLOptions
+StdEnvVars</code>. If <code>SSLOptions +StdEnvVars</code> must
be enabled anyway for some other reason, <code>%e</code> will be
more efficient than <code>%s</code>.</p>
</note>
<note><title>Note on expression values</title>
<p> When the value parameter uses the <a href="../expr.html">ap_expr</a>
parser, some expression syntax will differ from examples that evaluate
<em>boolean</em> expressions such as <If>:</p>
<ul>
<li>The starting point of the grammar is 'string' rather than 'expr'.</li>
<li>Function calls use the %{funcname:arg} syntax rather than
funcname(arg).</li>
<li>Multi-argument functions are not currently accessible from this
starting point</li>
<li>Quote the entire parameter, such as
<highlight language="config">
Header set foo-checksum "expr=%{md5:foo}"
</highlight>
</li>
</ul>
</note>
<p>For <code>edit</code> there is both a <var>value</var> argument
which is a <glossary ref="regex">regular expression</glossary>,
and an additional <var>replacement</var> string. As of version 2.4.7
the replacement string may also contain format specifiers.</p>
<p>The <directive>Header</directive> directive may be followed by
an additional argument, which may be any of:</p>
<dl>
<dt><code>early</code></dt>
<dd>Specifies <a href="#early">early processing</a>.</dd>
<dt><code>env=[!]<var>varname</var></code></dt>
<dd>The directive is applied if and only if the <a href="../env.html"
>environment variable</a> <code>varname</code> exists.
A <code>!</code> in front of <code>varname</code> reverses the test,
so the directive applies only if <code>varname</code> is unset.</dd>
<dt><code>expr=<var>expression</var></code></dt>
<dd>The directive is applied if and only if <var>expression</var>
evaluates to true. Details of expression syntax and evaluation are
documented in the <a href="../expr.html">ap_expr</a> documentation.
<highlight language="config">
# This delays the evaluation of the condition clause compared to <If>
Header always set CustomHeader my-value "expr=%{REQUEST_URI} =~ m#^/special_path.php$#"
</highlight>
</dd>
</dl>
<p>Except in <a href="#early">early</a> mode, the
<directive>Header</directive> directives are processed just
before the response is sent to the network. This means that it is
possible to set and/or override most headers, except for some headers
added by the HTTP header filter. Prior to 2.2.12, it was not possible
to change the Content-Type header with this directive.</p>
</usage>
</directivesynopsis>
</modulesynopsis>
|