Topic: Cross-Origin Resource Sharing configuration Issue in Apache

[nparikh]

We have following rule in httpd-vhosts.conf and it was working all ok.

All of sudden we have found on one day that it stopped working and we did some configuration tweak with this rule but none of them worked.

During troubleshooting, last change was disabling mod_security and after that it started working again. However, next day we had again enabled mod_security to get issue replicated but found it working all ok.

Anyone has any clue for such behaviour of Apache ? Why all of sudden following working rule may get stopped working and then starts working again ?

<IfModule mod_headers.c>
SetEnvIf Origin "https://(www\.)?(v1.abc.com|v1ak.abc.com|v2.asite.com)$" AccessControlAllowOrigin=$0$1
Header Set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header Set Access-Control-Allow-Credentials "true"
Header Set Access-Control-Allow-Methods "GET, POST, OPTIONS"
Header Set Access-Control-Allow-Headers "origin, content-type, accept, X-Requested-With"
Header always unset Expires
</IfModule>

OS and Apache Version details are below:
Apache Version :2.2.27(win32), OS: Windows 2008 R2, ModSecurity Rule Set ver.1.5

[James Blond]

You should enable the mod security log to find out which rules is a false positive.