Httpd – configure Apache httpd to remove/replace all request headers that match a pattern

apache-2.4 http-headers httpd

I'm using Apache httpd as a reverse proxy in front of a web application. Authentication is carried out by a module (mod_auth_mellon), which sets various request environment variables with details about the authenticated user (user name, display name and so on).

I use mod_headers to remove headers from the incoming request, and replace them with the value of request environment variables that were set by mod_auth_mellon.

RequestHeader unset mellon_uid
RequestHeader set mellon_uid "%{mellon_uid}e" env=mellon_uid

Thus any client-provided mellon_uid header is thrown away. If mod_auth_mellon considers the user to be logged in then a new mellon_uid request header is added to the request that is sent onward to the web application.

So far I've made this manageable by using mod_macro:

Use Attribute uid
Use Attribute display_name
Use Attribute email

… and so on, where Attribute is a macro that expands to the two RequestHeader directives above for the provided attribute.

However, some user details are multi-valued, for which mod_auth_mellon sets multiple request environment variables of the form:

mellon_foo_0 = first
mellon_foo_1 = second
mellon_foo_2 = third
mellon_foo_N = 3

Since the number of values for an attribute can vary, I can't rely on a static list of variables to process like this.

I would like to avoid using MellonMergeEnvVars, which would instead set the following:

mellon_foo = first;second;third
mellon_foo_N = 3

… because this means the web application now has to deal with the complexity of correctly parsing the mellon_foo request header, dealing with values that themselves contain semicolons, etc. Indeed, it's not clear to me that mod_auth_mellon performs any escaping, which makes unambiguous parsing impossible (if I'm right…)

Best Answer

I think that as long as you only look at the first mellon_foo_N values, there shouldn't be any risk here, because mod_auth_mellon will always set those values itself, overriding any values the user might try to send. It should also always set mellon_foo_N, but you could always unset it initially to be sure.
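The rule in the answer above, seen from the web application's side, as an added example that is not part of the original post or of mod_auth_mellon: read the count header first, then only the indexed headers below it. The function name `trusted_values`, the `PROXY_CAP` limit and the sample headers are assumptions made for illustration. It also assumes the proxy overwrites `mellon_foo_N` and every indexed header below that cap.

```python
import re

# Assumption: the proxy unsets and re-sets <attr>_N and every <attr>_<i>
# for i < PROXY_CAP, so only those headers are outside client control.
PROXY_CAP = 16
_COUNT_RE = re.compile(r"[0-9]{1,4}")  # ASCII digits only, no sign or spaces


def trusted_values(headers, attr, cap=PROXY_CAP):
    """Return the values <attr>_0 .. <attr>_(N-1), where N is <attr>_N.

    `headers` is an iterable of (name, value) pairs as received by the
    application. Indexed headers at or beyond N are never read.
    """
    seen = {}
    for name, value in headers:
        # Header names are case-insensitive; keep duplicates to reject them.
        seen.setdefault(name.lower(), []).append(value)

    def single(name):
        vals = seen.get(name.lower())
        if vals is None:
            return None
        if len(vals) != 1:
            raise ValueError(f"duplicate header {name}")
        return vals[0]

    raw = single(f"{attr}_N")
    if raw is None:
        return []  # attribute not present for this user
    if not _COUNT_RE.fullmatch(raw) or int(raw) > cap:
        raise ValueError(f"unusable count in {attr}_N: {raw!r}")
    values = []
    for i in range(int(raw)):
        value = single(f"{attr}_{i}")
        if value is None:
            raise ValueError(f"{attr}_{i} missing but {attr}_N is {raw}")
        values.append(value)
    return values


# Constructed sample request: mellon_foo_3 stands for a header the client
# added itself, beyond the count the proxy reported.
SAMPLE_HEADERS = [
    ("Host", "app.internal.example"),
    ("mellon_foo_N", "3"),
    ("mellon_foo_0", "first"),
    ("Mellon_Foo_1", "second"),
    ("mellon_foo_2", "third"),
    ("mellon_foo_3", "admin"),
]
```

A count above the cap is rejected instead of truncated, because indexed headers past the cap are ones the proxy never overwrote.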
