Error: RewriteRule flag E is unsupported,

[proginter]

I have this code and I am getting this error.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

[rkaiser0324]

Yes, per the README this flag is unsupported - I looked into this awhile back and verified that nginx doesn't expose environmental variables in the same way that Apache does.

[proginter]

Why just not set fastcgi_param HTTP_AUTHORIZATION "" or maybe doing a fastcgi_ignore_header HTTP_AUTHORIZATION??

[e404]

@proginter you are welcome to submit code to this repository. According to my experience with Lua integration in nginx, this is not directly possible.
Using environment variables in rewrite rules is uncommon and also not best practice.
However, I'll continue thinking about a possible solution, possibly with a 3rd party tool / Shell command.

[rkaiser0324]

While I'm not a fan of setting environment variables this way either, even if it was possible, this .htaccess is default for WordPress (e.g., see https://serverfault.com/questions/1094686/rewriterule-e-http-authorizationhttpauthorization-what-does-it-mean) so given the popularity I think we should handle this case gracefully. @e404 any objection to ignoring E= directives entirely and noting it in the README? If so I will submit a PR.

[e404]

@rkaiser0324 maybe not in this particular case, but there are instances where env vars are dynamically set and used in the same htaccess file, so ignoring it breaks the intended behavior. I'm a big fan of letting the script fail if "standard" (expected) behavior cannot be met. Otherwise a parallel solution with numerous deviations is crafted, which defeats the whole purpose of this project.
I think it is a better idea to actually implement it; setting and reading env vars via Lua and shell script. This is a bigger task, however.

[rkaiser0324]

@e404 point taken regarding making the script fail if we cannot guarantee the same behavior. Can you describe how "setting and reading env vars via Lua and shell script" might work?

[e404]

@rkaiser0324 it is possible in Lua to directly execute shell commands.
Example:

htaccess-for-nginx/htaccess.lua

Line 169 in a62ee27

local hosts_proc = assert(io.popen('getent ahosts '..shell_escape_arg(host)..' | awk \'{ print $1 }\' | sort -u')) -- get all associated IP addresses (IPv4 and IPv6) for host

Using io.popen(), any environment variable can be output as well.
This opens up several security concerns. Imagine, in a Docker environment there might be credentials stored in env variables, this is also a security flaw in Apache, though.
Something like
io.popen("echo ${VARIABLE_NAME}") should theoretically do it. When wrapped in a helper function, this can be used to process all env variables mentioned in the htaccess. Shell escaping should be performed to avoid arbitrary code execution.

Also, I'm not sure if in general environment variables are properly exposed to the session used by nginx/Lua and popen(). This might be worth a try.

It would make sense to also implement SetEnvIf and SetEnvIfNoCase (not SetEnvIfExpr because of its weirdness) directives in conjunction with the above. A concern here is if env variables set via shell script (io.popen("export VARIABLE_NAME='VALUE'")) are properly passed to PHP or other processors. This again is a question of how unix sessions are handles in the nginx/Lua stack and therefore subject to trial/error.

[danielaraujobc]

any update on this issue?

I have moved this to the nginx proxy fcgi, but native support would be nice.

location ~ \.php$ {
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;

    # Other FastCGI settings...
 
    # Set Authorization header as an environment variable
    fastcgi_param HTTP_AUTHORIZATION $http_authorization;
}