Getting Apache, php-fpm, and in-app HTTP authentication working
Inside the vhost config for the site, include the following:
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
That way, the Authorization header will be passed through regardless of Apache’s usual filtering. Keep in mind that with this rule in place, you have to check for HTTP_AUTHORIZATION being empty too.