Secret header is set twice in the request from Solr to Alresco repository (X-Alfresco-Search-Secret)

[Vincent-hubgit]

Hi,

I've installed Alfresco 7.2 with ansible (installer v2.0)
Communications between Alfresco and Solr were configured to use "secret"
Everything was working fine but then I added an apache proxy between Solr and Alfresco : solr started to throw 403 errors

After some investigations, I've discovered that the X-Alfresco-Search-Secret header is set twice in the request from solr to Alfresco.
This is not an issue on its own as it's allowed by http protocole but that should be corrected

In Apache proxy (and in other proxies too I believe), when a header is set twice, they are concatened in the response (or in the forwarded request to the backend).

So basically :

X-Alfresco-Search-Secret:MWSd8bhEtfgYidx_Jn6t
X-Alfresco-Search-Secret:MWSd8bhEtfgYidx_Jn6t

become :

X-Alfresco-Search-Secret:MWSd8bhEtfgYidx_Jn6t, MWSd8bhEtfgYidx_Jn6t

And then Alfresco is unable to interpret it correctly (I believe is taking the entire value as the secret)

[Vincent-hubgit]

Same issue was referenced here : https://hub.alfresco.com/t5/alfresco-content-services-forum/403-between-alfresco-and-solr/td-p/315595

[Vincent-hubgit]

For those who might encounter the same issue, I've used this workaround in Apache config for the <Location /alfresco> :

SetEnvIf X-Alfresco-Search-Secret ([^,\s]+) ALFRESCO_SECRET=$1
RequestHeader set X-Alfresco-Search-Secret "%{ALFRESCO_SECRET}e"

So only the first occurence of X-Alfresco-Search-Secret is transmitted to Alfresco
If Alfresco fix the issue in a future release, that will still work with a unique secret header

[AFaust]

This problem was in the handling of the search secret since its introduction. Fortunately, it only affects use cases where a proxy sits between ACS and Search Services - but this is also why it was not noticed/reported by paying customers earlier.
It should be fixed in ACS 7.4 or 23.1 and onwards via MNT-23241 - see 119ff30