我们有一个基于 java servlet 的应用程序(非常古老的代码库)，它由带有 Apache httpd 2.4.43 和 mod_proxy 的 tomcat 8 提供。应用程序有一些与 Java Web 应用程序捆绑在一起的静态 Assets (CSS、CS、图像)。

我正在尝试通过添加 apache 规则来修改这些 Assets 的 header cookie，但似乎这可能不起作用，因为文件不在 apache 级别内？

<FilesMatch ".(js|css)$">
Header edit Set-Cookie (.*) "$1;HttpOnly;Secure;SameSite=Strict"
</FilesMatch>

我尝试在没有 FilesMatch 条件的情况下添加规则并且它有效，但这不是我需要的。 关于如何在 Apache 级别完成此操作的任何想法。这是 httpd conf 的摘录

<VirtualHost *:443>

        DocumentRoot "/apps/httpd/htdocs1"
        ServerName www.mydomain.com
        ServerAlias mydomain.com

        RewriteEngine on
        RewriteCond %{REQUEST_URI}    ^/version$
        RewriteRule ^/.*$             /version.html  [R=301,L]

   
      RewriteCond %{HTTP_HOST} !^www\. [NC]
      RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=302,L]


   <Proxy balancer://${HOSTNAME}-http-cluster>

        Header add Set-Cookie "MYAPP_SESSION=jacplus.%{BALANCER_WORKER_ROUTE}e;path=/;"

              BalancerMember http://myhost-002:31080 min=1 max=1000 loadfactor=1 retry=1 timeout=240 route=myhost-002
              BalancerMember http://myhost-003:31080 min=1 max=1000 loadfactor=1 retry=1 timeout=240 route=myhost-003


   </Proxy>

   ProxyPass / balancer://${HOSTNAME}-http-cluster/ stickysession=MYAPP_SESSION  lbmethod=byrequests
   ProxyPassReverse / balancer://${HOSTNAME}-http-cluster/ stickysession=MYAPP_SESSION

   <Location /balancer-manager>
    SetHandler balancer-manager
    Order deny,allow
    Deny from all
    Allow from 10.25.0.0/16
   </Location>
...

</VirtualHost>

最佳答案

来自 mod_header 的 apache 文档:

Conditionally send MyHeader on the response if and only if header MyRequestHeader is present on the request. This is useful for constructing headers in response to some client stimulus. Note that this example requires the services of the mod_setenvif module.

SetEnvIf MyRequestHeader myvalue HAVE_MyRequestHeader
Header set MyHeader "%D %t mytext" env=HAVE_MyRequestHeader

来自 rewrite flags 的文档

With the [E], or [env] flag, you can set the value of an environment variable. Note that some environment variables may be set after the rule is run, thus unsetting what you have set. See the Environment Variables document for more details on how Environment variables work.

结合两者，您可以在路径匹配 js 或 css 文件时有条件地修改标题:

RewriteRule ^.*\.(js|css)$ - [E=SET_COOKIE:true]
Header edit Set-Cookie (.*) "$1;HttpOnly;Secure;SameSite=Strict" env=SET_COOKIE

关于java - 修改 tomcat 上静态 Assets 的 header cookie 并使用 apache httpd 代理，我们在Stack Overflow上找到一个类似的问题： https://stackoverflow.com/questions/64484577/