I'm trying to set headers if the origin is a particular site to solve a resource conflict I'm having (using Mautic hosted on a subdomain).
If I add the headers for any situation I get a 500 error when I try to use Mautic, but the resource being accessed from my site works, hence I only want to set them when my site is the origin.
This is what I have:
RewriteEngine On
#preserve HTTP(S)
RewriteCond %{HTTPS} =on
RewriteRule ^(.*)$ - [env=proto:https]
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ - [env=proto:http]
<IfModule mod_headers.c>
SetEnvIfNoCase Origin %{ENV:proto}://mysite.com ENV_SET
SetEnvIfNoCase Origin %{ENV:proto}://mautic.mysite.com ENV_SET=0
Header add Access-Control-Allow-Origin %{ENV:proto}://mysite.com env=ENV_SET
Header set Access-Control-Allow-Credentials true env=ENV_SET
Header set Access-Control-Allow-Methods: GET, POST, PATCH, PUT, OPTIONS env=ENV_SET
Header set Access-Control-Allow-Headers: Origin, Content-Type, X-Auth-Token env=ENV_SET
</IfModule>
As far as I understood that would make the headers set conditionally on existence of the environment variable, but they're being set no matter what. If I remove the SetEnvIf lines they're still set. I did find this which suggests that it should be placed in configuration instead of .htaccess, but I'm not sure what that means.
Any suggestions on how I can fix this, or another way to make it work?
Thanks
EDIT: syntax updated with advice from w3dk, now looks like
SetEnvIfNoCase Origin "%{ENV:proto}://mysite.com" ENV_SET
SetEnvIfNoCase Origin "%{ENV:proto}://mautic.mysite.com" !ENV_SET
Header set Access-Control-Allow-Origin "%{ENV:proto}://mysite.com" env=ENV_SET
Header set Access-Control-Allow-Credentials "true" env=ENV_SET
Header set Access-Control-Allow-Methods "GET, POST, PATCH, PUT, OPTIONS" env=ENV_SET
Header set Access-Control-Allow-Headers "Origin, Content-Type, X-Auth-Token" env=ENV_SET
EDIT 2: Turns out it doesn't like the %{ENV:proto} part, so I've changed that to http and added another line for https. The subdomain is working fine and the headers are setting, except that I'm getting 'Credentials flag is 'true', but the 'Access-Control-Allow-Credentials' header is 'true, true'.' in the console. It's only being set once (I also tried 'merge', and I'm using set for the Allow-Origin); I can't figure out where else this would be set.
Best Answer
If the value contains spaces then it should be surrounded in double quotes. Probably safer to always enclose the value in quotes. You should also omit the : at the end of the header name. So, for example:
UPDATE: The third argument to SetEnvIf[NoCase] is a regex, so server variables (ie. %{ENV:proto}) are not expanded - they will be matched literally. If you need to match either http or https then build that into a single regex, eg. https? (The ? makes the previous character optional). (However, your site should be either one or the other, not both?)
To unset/remove an environment variable, you should prefix it with an ! (exclamation mark) rather than set it to 0 (this is still set). For example:
Probably because of failing to quote the header value. But this could also be a caching issue - so make sure all caches are cleared.
By "configuration" they are probably referring to the server config. This would be preferable (and disable the use of .htaccess files). However, it's not the cause of this issue.
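The corrections from the answer above, combined into one .htaccess fragment as an added example (not code from the original question or answer). The variable name CORS_ORIGIN is an assumption, mysite.com is the placeholder domain from the question, and the regex anchoring, the $0 back-reference and the Vary header go beyond what the answer states.

```apache
# Added example. CORS_ORIGIN is a hypothetical variable name; mysite.com is
# the placeholder domain used in the question.

# Original lines from the question (do not behave as intended): the pattern
# is a regex, so %{ENV:proto} is matched literally, and ENV_SET=0 still
# leaves the variable set.
#   SetEnvIfNoCase Origin %{ENV:proto}://mysite.com ENV_SET
#   SetEnvIfNoCase Origin %{ENV:proto}://mautic.mysite.com ENV_SET=0

<IfModule mod_setenvif.c>
    # https? covers both schemes in a single regex.
    # ^ and $ anchor the match and \. escapes the dots, so only this exact
    # origin sets the variable. An unanchored pattern would also match any
    # longer Origin value that merely contains the string.
    # $0 stores the whole matched Origin so it can be echoed back below.
    # Because the pattern is anchored, an Origin of mautic.mysite.com never
    # matches, so no separate !CORS_ORIGIN line is needed to unset it.
    SetEnvIf Origin "^https?://mysite\.com$" CORS_ORIGIN=$0
</IfModule>

<IfModule mod_headers.c>
    # No colon after the header name, every value quoted, and env= makes
    # each header conditional on the variable set above.
    # %{CORS_ORIGIN}e expands to the value of the environment variable.
    Header set Access-Control-Allow-Origin "%{CORS_ORIGIN}e" env=CORS_ORIGIN
    Header set Access-Control-Allow-Credentials "true" env=CORS_ORIGIN
    Header set Access-Control-Allow-Methods "GET, POST, PATCH, PUT, OPTIONS" env=CORS_ORIGIN
    Header set Access-Control-Allow-Headers "Origin, Content-Type, X-Auth-Token" env=CORS_ORIGIN

    # The response now differs per Origin, so caches must key on it.
    Header merge Vary "Origin"
</IfModule>
```

To check the result, compare the response headers for a request carrying the allowed Origin with those for a request carrying any other Origin; only the first should include the Access-Control-* headers.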