apache2 – not able to edit authentication header based on path location in Apache virtualhost?


The application for which Apache is reverse proxy behaves like this:

  1. It requires a Basic authentication header to log in to it.
  2. Paths starting with /api/* require just a Bearer token.
  3. If there is a Basic token in the header, the application returns a 401 Unauthorized HTTP response – it needs only the Bearer token.

CAS authentication is configured for all URLs except the /api/* path, and I am setting the Basic authentication token inside the vhost config file – to log a user in without presenting a login form again after he/she authenticates with CAS.

Apache config file enterprise-search.conf:

<VirtualHost *:80>
    ServerName https://search.test.xyz
    ServerAdmin john@xyz

    RemoteIPHeader X-Client-IP
    RemoteIPInternalProxy 10.10.10.2
    # Inner quotes must be escaped, otherwise the format string ends at the first "
    LogFormat "%a %l %u %t \"%r\" %s %b \"%{Referer}i\" \"%{User-agent}i\"" combined-forwarded

    CustomLog ${APACHE_LOG_DIR}/enterprise-search-access.log combined-forwarded
    ErrorLog ${APACHE_LOG_DIR}/enterprise-search-error.log

    LogLevel debug

    CASRootProxiedAs https://search.xyz

    <Location />
        # authn type
        AuthType CAS
        CASScope /
        AuthName "KFUPM"
        # authz
        # Grant all groups access to the root
        AuthGroupFile "/etc/apache2/http-authz/enterprise-search"
        Require group all-enterpirse-search
        # Pass REMOTE_USER header to application
        RewriteEngine On
        RewriteCond %{LA-U:REMOTE_USER} (.+)$
        RewriteRule . - [E=RU:%1,NS]
        RequestHeader set REMOTE_USER %{RU}e
        RequestHeader set Authorization "Basic xxxxxxxxxx"
    </Location>

    # authz: local_groups
    <Location /all-enterpirse-search>
        AuthGroupFile "/etc/apache2/http-authz/enterprise-search"
        Require group all-enterprise-search all-enterpirse-search
    </Location>

    <Location /api/>
        # authn type: no authentication at the proxy for the API.
        # Apache 2.4 form of the 2.2-style "Allow from all" + "Satisfy any";
        # the Require here replaces the "Require group" inherited from <Location />.
        AuthType None
        Require all granted
        # Pass REMOTE_USER header to application
        RewriteEngine On
        RewriteCond %{LA-U:REMOTE_USER} (.+)$
        RewriteRule . - [E=RU:%1,NS]
        RequestHeader set REMOTE_USER %{RU}e
        RequestHeader edit Authorization "Basic(^,)+, " ""
    </Location>

    # ProxyPass with a path argument belongs at virtualhost level, not inside <Location>
    ProxyPass / http://localhost:3002/
    ProxyPassReverse / http://localhost:3002/
</VirtualHost>

The behavior of RequestHeader edit Authorization "Basic(^,)+, " "" is to replace the Basic token header that is passed by the client, and it works fine.

But what I actually want is to set the Basic token in <Location /> and remove it in <Location /api/>. Using RequestHeader edit Authorization "Basic(^,)+, " "" inside <Location /api/> is not removing the Basic token, and the application is returning a 401 response to the API call.

I am new to Apache configs; maybe my approach to achieving my goal is not correct. Please suggest if there is a better way to do this.

Thanks.
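One way to get the behaviour the question asks for, written here as an added example rather than the asker's own configuration: instead of setting the Basic header for every path and trying to strip it again under /api/, set it only when the request is outside /api/, using the conditional form of RequestHeader (Apache 2.4.10 or newer). mod_headers applies the directives of the parent <Location /> before those of <Location /api/>, so an unconditional "set" in the parent has already overwritten the client's Bearer token by the time the /api/ section runs; conditioning the "set" avoids the problem entirely and lets the client's Authorization header reach the backend untouched. The backend address, group name, CAS settings and the "Basic xxxxxxxxxx" placeholder are copied from the question; the expr= condition and the unset of REMOTE_USER under /api/ are the additions.

```apache
<VirtualHost *:80>
    ServerName https://search.test.xyz

    CASRootProxiedAs https://search.xyz

    <Location />
        AuthType CAS
        CASScope /
        AuthName "KFUPM"
        AuthGroupFile "/etc/apache2/http-authz/enterprise-search"
        Require group all-enterpirse-search

        # Copy the CAS-authenticated user into a request header for the backend.
        RewriteEngine On
        RewriteCond %{LA-U:REMOTE_USER} (.+)$
        RewriteRule . - [E=RU:%1,NS]
        RequestHeader set REMOTE_USER %{RU}e

        # Inject the fixed Basic credential ONLY outside /api/ (added condition).
        # Because this parent section runs before <Location /api/>, an
        # unconditional "set" would replace the client's Bearer token first.
        RequestHeader set Authorization "Basic xxxxxxxxxx" "expr=%{REQUEST_URI} !~ m#^/api/#"
    </Location>

    <Location /api/>
        # No authentication at the proxy; the backend validates the Bearer token.
        # "Require all granted" replaces the "Require group" inherited from /.
        AuthType None
        Require all granted

        # Nothing authenticated the caller here, so never forward a REMOTE_USER
        # header: a client could otherwise send its own and impersonate a user.
        RequestHeader unset REMOTE_USER
        # The client's "Authorization: Bearer ..." header passes through unchanged.
    </Location>

    # ProxyPass with a path argument goes at virtualhost level, not inside <Location>.
    ProxyPass / http://localhost:3002/
    ProxyPassReverse / http://localhost:3002/
</VirtualHost>
```

On Apache releases older than 2.4.10 the same effect is available with mod_setenvif: `SetEnvIf Request_URI "^/api/" is_api` at virtualhost level and `env=!is_api` as the last argument of the RequestHeader set line. Two caveats worth keeping in mind with this design: every CAS user reaches the backend under one fixed Basic account, so the backend must take the user's identity (and audit trail) from REMOTE_USER rather than from the Basic credential; and the credential sits in plain text in the vhost, so it belongs in a separately permissioned file pulled in with Include rather than in a config that is widely readable or committed to version control.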