0

We are using the mod_auth_openid plugin to provide OpenID support for part of our site. It works pretty well, but we're running into one of those "Do this, except when" conditions, and I'm not sure what I'm missing.

There are a few URIs that we don't want this applied to. On the surface, this is pretty straightforward.

<Directory "/opt/homeapp/web">
  AuthType openid-connect
  SetEnvIf Request_URI "^/(callbacks.php.*)$" allow

  require claim hd:example.com
  require env allow
  require valid-user
</Directory>

This works fine for things that hit the callbacks.php file, and any other actual file.

Where my problem comes in is attempting to match Symfony routes. If the incoming request is to /combobulator/newForm, it seems like Request_URI should be equal to /combobulator/newForm. However, this is definitely not the case.

SetEnvIf Request_URI "^/combobulator/(.*)" allow
SetEnvIf Request_URI "combobulator/(.*)$" allow
SetEnvIf Request_URI "combobulator" allow
SetEnvIf Request_URI "(combobulator)" allow

All of those don't do the thing.

How do you match routes with SetEnvIf, or is that even possible?

sysadmin1138

2 Answers

0

Doing some investigation into how the dataflow works, I've implemented a bit of a test harness to see what Request_URI is at this stage of execution.

<Directory "/opt/homeapp/web">
  AuthType openid-connect
  SetEnvIf Request_URI "^/(callbacks.php.*)$" allow
  SetEnvIf Request_URI "(.*)" check_uri=$1

  require claim hd:example.com
  require env allow
  require valid-user
</Directory>

Then using a custom LogFormat statement using %{check_uri}e in it, I've managed to show that Request_URI at this stage for most routes is index.php.

Which is to say, the SetEnvIf method used for files will not work for routes. Some other method will need to be used.

sysadmin1138
-1

This solved an issue for me with the wp-json api route:

Require env REDIRECT_noauth

Exclusion of a protected sub-url does not work on Apache 2.4?

  • 1
    While this link may answer the question, it is better to include the essential parts of the answer here and provide the link for reference. Link-only answers can become invalid if the linked page changes. - [From Review](/review/late-answers/525081) – mforsetti Jul 19 '22 at 00:49
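
Both answers point at the same mechanism: when a route is rewritten to index.php by an internal redirect, Apache renames the environment variables of the original request with a `REDIRECT_` prefix, and authorization runs again against the new URI. The configuration below is an added example, not configuration from either poster; it reuses the question's path, claim and variable name, assumes the rewrite is done in per-directory context (.htaccess or `<Directory>`), and the log file name is a constructed placeholder.

```apache
# Added example; reuses the question's path, claim and variable name.
# Virtual host (server) context: log the URI before and after the internal
# redirect plus both spellings of the variable. Log file name is constructed.
LogFormat "%r orig=%U final=%>U allow=%{allow}e redirect_allow=%{REDIRECT_allow}e" authdebug
CustomLog "logs/authdebug.log" authdebug

<Directory "/opt/homeapp/web">
  AuthType openid-connect

  # Anchor the exemptions and escape the dot. An unanchored pattern such as
  # "combobulator" would also exempt any other URL that merely contains
  # that string.
  SetEnvIf Request_URI "^/callbacks\.php(/|$)" allow
  SetEnvIf Request_URI "^/combobulator/" allow

  # Several Require lines outside a container behave as <RequireAny>.
  # "Require valid-user" is left out here: under RequireAny it would admit
  # any authenticated user, whatever the hd claim says.
  Require claim hd:example.com

  # Real files: the variable is still called "allow" when access is checked.
  Require env allow

  # Routes rewritten to index.php: access is checked again after the
  # internal redirect, where Request_URI is /index.php and the variable set
  # for the original URI has become REDIRECT_allow.
  Require env REDIRECT_allow
</Directory>
```

If the rewrite rules live in the virtual host rather than in .htaccess or `<Directory>`, the URI is rewritten in place without an internal redirect and no `REDIRECT_` prefix appears; the debug log line shows which case applies.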