[solved] htaccess environment variable assignment fails in LSWS but works in Apache

[ven42]

I've been trying to configure CORS headers on my hosting company's LiteSpeed Web Server via .htaccess, but I've run into what seems like a bug with LiteSpeed's handling of environment variables. The hosting company upgraded my instance to the latest LSWS 5.2.7 to see if that would help, but the problem still exists.

The troublesome stanza from the .htaccess file is the following:

# CORS allowances for domain1 & domain2 subdomains to access my server's custom web fonts
<FilesMatch "\.(otf|ttf|eot|woff)$">
    SetEnvIf Origin "^http(s)?://(.+\.)?(domain1.com|domain2.com)$" THE_ORIGIN=$0
    Header set Access-Control-Allow-Origin %{THE_ORIGIN}e env=THE_ORIGIN
</FilesMatch>

What this code is supposed to do is add appropriate CORS headers to the server's response when the request is for any file with a font file extension and the client has set an "Origin" header representing any subdomain of either domain1.com or domain2.com. There is more content in the .htaccess file than this, but everything else is working normally. This is the only section that does not seem to work properly.

For troubleshooting purposes, I have deleted everything else from the .htaccess file to eliminate the possibility of conflicting directives. I also set up a quick and dirty Apache 2.2 installation on a test box in our company's lab environment to compare the behavior of the LiteSpeed server against this web server.

I tested the server's response using curl on a separate Ubuntu 16.04 utility box, and found that the exact same .htaccess config works on Apache 2.2, but fails on LSWS 5.2.7.

In trying to debug this, I've noticed that the issue seems to have something to do with the "THE_ORIGIN" environment variable not getting assigned a value properly on the LiteSpeed server when the "SetEnvIf" statement is inside of the "FilesMatch" block.

I also tried simplifying my configuration directives to help with further troubleshooting. Here's a rather pedantic .htaccess config I threw into my LiteSpeed instance as well as my lab Apache server:

# Test environment variable handling
SetEnvIf Host ".*" MY_OUTSIDE_ENV_VAR=Outside
<FilesMatch "\.otf$">
    SetEnvIf Host ".*" MY_INSIDE_ENV_VAR=Inside
    Header set X-My-Outside-Env-Var %{MY_OUTSIDE_ENV_VAR}e
    Header set X-My-Inside-Env-Var %{MY_INSIDE_ENV_VAR}e
</FilesMatch>

Here's the result from the lab Apache server:

ven42@git-build-test:~$ curl -I 'http://real-apache-test.mylabdomain.com/assets/fonts/ProximaNova-Regular.otf'
HTTP/1.1 200 OK
Date: Thu, 24 May 2018 01:50:00 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Tue, 22 May 2018 00:41:15 GMT
ETag: "40a4f-171cc-56cc0ad014724"
Accept-Ranges: bytes
Content-Length: 94668
X-My-Outside-Env-Var: Outside
X-My-Inside-Env-Var: Inside
Connection: close
Content-Type: application/vnd.oasis.opendocument.formula-template

And here's the result from my web host's LiteSpeed server:

ven42@git-build-test:~$ curl -I 'http://litespeed-test.mywebhost.com/assets/fonts/ProximaNova-Regular.otf'
HTTP/1.1 200 OK
Last-Modified: Tue, 22 May 2018 00:00:15 GMT
Content-Type: application/x-font-otf
Content-Length: 94668
Date: Thu, 24 May 2018 01:49:54 GMT
Accept-Ranges: bytes
X-My-Outside-Env-Var: Outside
X-My-Inside-Env-Var:
Connection: Keep-Alive

Notice that LiteSpeed failed to assign a value to the environment variable inside of the "FilesMatch" block, but the same assignment worked outside of the block. That seems kind of buggy to me. Apache assigned both variables properly.

Can anyone shed some light onto what might be happening here? Thanks.

 

[NiteWave]

I can reproduce the issue in lsws 5.2.6 and 5.2.7, and Apache/2.4.33
in summary:
SetEnvIf directive is ignored if it's in FilesMatch block, as if it doesn't exist, in litespeed 5.2.6/5.2.7
if it's out of FilesMatch block, it will work like apache 2.2/2.4
for the workaround, you can use rewrite rule E flag. for your original objective,

# CORS allowances for domain1 & domain2 subdomains to access my server's custom web fonts
<FilesMatch "\.(otf|ttf|eot|woff)$">
SetEnvIf Origin "^http(s)?://(.+\.)?(domain1.com|domain2.com)$" THE_ORIGIN=$0
Header set Access-Control-Allow-Origin %{THE_ORIGIN}e env=THE_ORIGIN
</FilesMatch>

try following

RewriteCond %{HTTP:Origin} ^http(s)?://(.+\.)?(domain1.com|domain2.com)$
RewriteRule \.(otf|ttf|eot|woff)$ - [E=THE_ORIGIN:%0]
Header set Access-Control-Allow-Origin %{THE_ORIGIN}e env=THE_ORIGIN

tested above rules, working with both lsws 5.2.7 and apache 2.4.33
please confirm if it works on your server with complicated rules as well.

 

[ven42]

@NiteWave Thank you very much for verifying that you can reproduce the problem in LiteSpeed, and for the workaround! Your method using mod_rewrite directives instead of mod_setenvif directives successfully gets around the problem on my LSWS 5.2.7 box, and it works on my lab Apache 2.2 box as well.

I'm going to go ahead and put the mod_rewrite workaround into production, but is there somewhere I should be officially reporting a bug to LiteSpeed? I'd like to do what I can to save anyone else the headache of wondering why their SetEnvIf directives are getting ignored when placed inside FilesMatch blocks.

 

[Michael A]

Hi ven42,
Having reported the issue here should be enough, I'll let our developers know as well just in case

Regards,
-Michael

Edit: Looks like it was already passed along. Thanks again for discovering this issue.

 

[ven42]

Thanks to everyone for your help with this. It's much appreciated!

 

[Bobby]

Sorry to piggy back on this, but I'm having CORS issues also. I've got CSS and fonts not loading at https://sub.domain.com because sub is trying to pull from root domain. I put the following:

RewriteCond %{HTTP:Origin} ^http(s)?://(.+\.)?(domain1.com|domain2.com)$
RewriteRule \.(otf|ttf|eot|woff)$ - [E=THE_ORIGIN:%0]
Header set Access-Control-Allow-Origin %{THE_ORIGIN}e env=THE_ORIGIN

In the .htaccess file on public_html for the main site, but it doesn't seem to help. I'm not sure what code to put and where to make it happy.

 

[NiteWave]

Sorry to piggy back on this, but I'm having CORS issues also. I've got CSS and fonts not loading at https://sub.domain.com because sub is trying to pull from root domain. I put the following:

RewriteCond %{HTTP:Origin} ^http(s)?://(.+\.)?(domain1.com|domain2.com)$
RewriteRule \.(otf|ttf|eot|woff)$ - [E=THE_ORIGIN:%0]
Header set Access-Control-Allow-Origin %{THE_ORIGIN}e env=THE_ORIGIN

In the .htaccess file on public_html for the main site, but it doesn't seem to help. I'm not sure what code to put and where to make it happy.

please go https://www.litespeedtech.com/support/forum/threads/cors-issue.16412/#post-102562 to follow up