Migrate Apache Authorization Header rule to Lighttpd

I would like to understand what is it doing

1. It sets an environment variable called HTTP_AUTHORIZATION to the value of the Authorization HTTP request header (if any). This might not be necessary on your server config. PHP should set this automatically, however, depending on how PHP is installed on some Apache configs this does not happen - hence this bit of code. (Note that the above code tries to set this in two different ways - but the net result is "almost" the same.)

2. Front controller - All requests that do not map to existing files (or directories) are internally rewritten to /api/index.php. This is a standard "front controller pattern".

So, basically, the above code is just a standard front-controller that directs all requests to /api/index.php.

and rewrite it based on lighttpd configuration

Unfortunately, I don't speak lighttpd, but Googling lighttpd front controller pulls up some possibilities. For example, from this page, providing the necessary modules are enabled, they suggest you can do something like:

url.rewrite-once = ( "^/(.*)\.(.*)" => "$0", "^/([^.]+)$" => "/index.php", "^/$" => "/index.php" )

Although, that doesn't look like it actually checks for the existence of a requested file, but rather assumes that requests for files will have a file extension (my interpretation).

Setting the HTTP_AUTHORIZATION ("CGI") environment variable should happen as part of the CGI setup (headers are passed as HTTP_...), and lighttpd does NOT exclude the "Authorization"-header from this, so nothing to do here in lighttpd.

The rewrite config rewrites all requests not targeting static files or directories in the /api/ sub-path. The closest in lighttpd (1.4.24+) without using mod_magnet would be:

url.rewrite-if-not-file = ( "^/api/" => "/api/index.php" )

This will also trigger for directories (only regular files are not rewritten), but I think it is unlikely that you actually need dirlistings within the /api/ path, so it is probably fine.