[solved] htaccess environment variable assignment fails in LSWS but works in Apache

Discussion in 'Apache Migration/Compatibility' started by ven42, May 25, 2018.

  1. ven42

    ven42 New Member

    I've been trying to configure CORS headers on my hosting company's LiteSpeed Web Server via .htaccess, but I've run into what seems like a bug with LiteSpeed's handling of environment variables. The hosting company upgraded my instance to the latest LSWS 5.2.7 to see if that would help, but the problem still exists.

    The troublesome stanza from the .htaccess file is the following:
    Code:
    # CORS allowances for domain1 & domain2 subdomains to access my server's custom web fonts
    <FilesMatch "\.(otf|ttf|eot|woff)$">
        SetEnvIf Origin "^http(s)?://(.+\.)?(domain1.com|domain2.com)$" THE_ORIGIN=$0
        Header set Access-Control-Allow-Origin %{THE_ORIGIN}e env=THE_ORIGIN
    </FilesMatch>
    
    What this code is supposed to do is add appropriate CORS headers to the server's response when the request is for any file with a font file extension and the client has set an "Origin" header representing any subdomain of either domain1.com or domain2.com. There is more content in the .htaccess file than this, but everything else is working normally. This is the only section that does not seem to work properly.

    For troubleshooting purposes, I have deleted everything else from the .htaccess file to eliminate the possibility of conflicting directives. I also set up a quick and dirty Apache 2.2 installation on a test box in our company's lab environment to compare the behavior of the LiteSpeed server against this web server.

    I tested the server's response using curl on a separate Ubuntu 16.04 utility box, and found that the exact same .htaccess config works on Apache 2.2, but fails on LSWS 5.2.7.

    In trying to debug this, I've noticed that the issue seems to have something to do with the "THE_ORIGIN" environment variable not getting assigned a value properly on the LiteSpeed server when the "SetEnvIf" statement is inside of the "FilesMatch" block.

    I also tried simplifying my configuration directives to help with further troubleshooting. Here's a rather pedantic .htaccess config I threw into my LiteSpeed instance as well as my lab Apache server:
    Code:
    # Test environment variable handling
    SetEnvIf Host ".*" MY_OUTSIDE_ENV_VAR=Outside
    <FilesMatch "\.otf$">
        SetEnvIf Host ".*" MY_INSIDE_ENV_VAR=Inside
        Header set X-My-Outside-Env-Var %{MY_OUTSIDE_ENV_VAR}e
        Header set X-My-Inside-Env-Var %{MY_INSIDE_ENV_VAR}e
    </FilesMatch>
    
    Here's the result from the lab Apache server:
    Code:
    ven42@git-build-test:~$ curl -I 'http://real-apache-test.mylabdomain.com/assets/fonts/ProximaNova-Regular.otf'
    HTTP/1.1 200 OK
    Date: Thu, 24 May 2018 01:50:00 GMT
    Server: Apache/2.2.15 (CentOS)
    Last-Modified: Tue, 22 May 2018 00:41:15 GMT
    ETag: "40a4f-171cc-56cc0ad014724"
    Accept-Ranges: bytes
    Content-Length: 94668
    X-My-Outside-Env-Var: Outside
    X-My-Inside-Env-Var: Inside
    Connection: close
    Content-Type: application/vnd.oasis.opendocument.formula-template
    
    And here's the result from my web host's LiteSpeed server:
    Code:
    ven42@git-build-test:~$ curl -I 'http://litespeed-test.mywebhost.com/assets/fonts/ProximaNova-Regular.otf'
    HTTP/1.1 200 OK
    Last-Modified: Tue, 22 May 2018 00:00:15 GMT
    Content-Type: application/x-font-otf
    Content-Length: 94668
    Date: Thu, 24 May 2018 01:49:54 GMT
    Accept-Ranges: bytes
    X-My-Outside-Env-Var: Outside
    X-My-Inside-Env-Var:
    Connection: Keep-Alive
    

    Notice that LiteSpeed failed to assign a value to the environment variable inside of the "FilesMatch" block, but the same assignment worked outside of the block. That seems kind of buggy to me. Apache assigned both variables properly.

    Can anyone shed some light onto what might be happening here? Thanks.
     
  2. NiteWave

    NiteWave Administrator

    I can reproduce the issue in lsws 5.2.6 and 5.2.7, and Apache/2.4.33
    in summary:
    SetEnvIf directive is ignored if it's in FilesMatch block, as if it doesn't exist, in litespeed 5.2.6/5.2.7
    if it's out of FilesMatch block, it will work like apache 2.2/2.4
    for the workaround, you can use rewrite rule E flag. for your original objective,
    Code:
    # CORS allowances for domain1 & domain2 subdomains to access my server's custom web fonts
    <FilesMatch "\.(otf|ttf|eot|woff)$">
    SetEnvIf Origin "^http(s)?://(.+\.)?(domain1.com|domain2.com)$" THE_ORIGIN=$0
    Header set Access-Control-Allow-Origin %{THE_ORIGIN}e env=THE_ORIGIN
    </FilesMatch>
    
    try following
    Code:
    RewriteCond %{HTTP:Origin} ^http(s)?://(.+\.)?(domain1.com|domain2.com)$
    RewriteRule \.(otf|ttf|eot|woff)$ - [E=THE_ORIGIN:%0]
    Header set Access-Control-Allow-Origin %{THE_ORIGIN}e env=THE_ORIGIN
    
    tested above rules, working with both lsws 5.2.7 and apache 2.4.33
    please confirm if it works on your server with complicated rules as well.
     
  3. ven42

    ven42 New Member

    @NiteWave Thank you very much for verifying that you can reproduce the problem in LiteSpeed, and for the workaround! Your method using mod_rewrite directives instead of mod_setenvif directives successfully gets around the problem on my LSWS 5.2.7 box, and it works on my lab Apache 2.2 box as well.

    I'm going to go ahead and put the mod_rewrite workaround into production, but is there somewhere I should be officially reporting a bug to LiteSpeed? I'd like to do what I can to save anyone else the headache of wondering why their SetEnvIf directives are getting ignored when placed inside FilesMatch blocks.
     
    NiteWave likes this.
  4. Michael A

    Michael A Administrator Staff Member

    Hi ven42,
    Having reported the issue here should be enough, I'll let our developers know as well just in case :)

    Regards,
    -Michael

    Edit: Looks like it was already passed along. Thanks again for discovering this issue.
     
  5. ven42

    ven42 New Member

    Thanks to everyone for your help with this. It's much appreciated!
     
  6. Bobby

    Bobby Member

    Sorry to piggy back on this, but I'm having CORS issues also. I've got CSS and fonts not loading at https://sub.domain.com because sub is trying to pull from root domain. I put the following:
    Code:
    RewriteCond %{HTTP:Origin} ^http(s)?://(.+\.)?(domain1.com|domain2.com)$
    RewriteRule \.(otf|ttf|eot|woff)$ - [E=THE_ORIGIN:%0]
    Header set Access-Control-Allow-Origin %{THE_ORIGIN}e env=THE_ORIGIN
    In the .htaccess file on public_html for the main site, but it doesn't seem to help. I'm not sure what code to put and where to make it happy.
     
    Last edited by a moderator: Jun 5, 2018
  7. NiteWave

    NiteWave Administrator

    please go https://www.litespeedtech.com/support/forum/threads/cors-issue.16412/#post-102562 to follow up
     

Share This Page