Fixing apache_request_headers Authorization Not Working – A System Administrator's Guide

Verify apache_request_headers is Enabled

• The function apache_request_headers is only available if the Apache module is properly installed and PHP is running as an Apache module (not CGI or FPM).

Steps to Verify:

1. Check if Apache headers module is enabled:
   apachectl -M | grep headers

   Look for headers_module (shared) in the output. If it's not present, enable it:

   sudo a2enmod headers
   sudo systemctl restart apache2
2. If you're using PHP-FPM or running PHP as CGI, apache_request_headers might not work. Use $_SERVER['HTTP_AUTHORIZATION'] instead (explained in Step 4).

Ensure Apache Passes Authorization Headers

In some configurations, Apache strips the Authorization header before passing the request to PHP.

Steps to Fix:

1. Open your Apache configuration file (e.g., httpd.conf, apache2.conf, or the specific virtual host configuration file).
2. Ensure the following directive is present:

   SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

3. Restart Apache:
   sudo systemctl restart apache2

   This ensures the Authorization header is preserved and made available to PHP.

Check .htaccess Rules

If your server uses .htaccess files, ensure that no rules are stripping headers.

Steps:

1. Open the .htaccess file in the root directory of your application.
2. Add the following lines (or ensure they are present):

   RewriteEngine On
   RewriteCond %{HTTP:Authorization} ^(.*)
   RewriteRule ^(.*) - [E=HTTP_AUTHORIZATION:%1]

3. Save the file and restart Apache:
   sudo systemctl restart apache2

Use $_SERVER as an Alternative

If apache_request_headers is still not working, you can access the Authorization header directly from the $_SERVER superglobal.

PHP Code Example:

Add the following fallback logic in your application:

<?php
if (isset($_SERVER['HTTP_AUTHORIZATION'])) {
    $authHeader = $_SERVER['HTTP_AUTHORIZATION'];
} elseif (function_exists('apache_request_headers')) {
    $headers = apache_request_headers();
    $authHeader = $headers['Authorization'] ?? null;
} else {
    $authHeader = null;
}

if ($authHeader) {
    echo "Authorization header: " . $authHeader;
} else {
    echo "Authorization header not found.";
}
?>

Debug with Logs

Enable detailed logging in Apache to verify if the Authorization header is being received from the client and passed to PHP.

Steps to Enable Logging:

1. Open the virtual host file or apache2.conf.
2. Add or modify the LogLevel directive:

   LogLevel debug

3. Check the logs after restarting Apache:
   sudo tail -f /var/log/apache2/error.log

   Look for the incoming Authorization header to confirm if Apache is receiving it.

Check Proxy or Load Balancer Settings

If your server is behind a proxy or load balancer (e.g., NGINX), the Authorization header may be stripped before reaching Apache.

For NGINX:

1. Open the NGINX configuration file (e.g., /etc/nginx/nginx.conf or the specific site configuration file).
2. Add the following directive:

   proxy_set_header Authorization $http_authorization;

3. Reload NGINX:
   sudo systemctl reload nginx

Verify PHP Configuration

Some PHP configurations may interfere with headers. Verify that no restrictive settings are in place.

Steps:

1. Check the php.ini file for any header-related directives:
   sudo nano /etc/php/8.0/apache2/php.ini

   Look for:

   variables_order = "EGPCS"

   Ensure E (Environment) is included, as it allows Apache to pass environment variables like Authorization.

2. Restart PHP and Apache:
   sudo systemctl restart php8.0-fpm
   sudo systemctl restart apache2

Test the Solution

1. Make a request to your application with an Authorization header using tools like Postman or curl:
   curl -H "Authorization: Bearer YOUR_TOKEN" http://yourserver.com/api
2. Check if the application receives the Authorization header properly.

Final Checklist

By following these steps, the apache_request_headers Authorization not working issue can be resolved.