I write an API with PHP ZF2 they use HTTP Authorization. I fetch all HTTP Headers with apache_request_headers() (also tested with ZF2's $this->getRequest()->getHeaders()).
It works on my locale installed version. But on my server the HTTP Authorization Header are not available. My Browser Debug tool show me that the Authorization header properly send.
Both server are running with the same software: Ubuntu 14.04 with Apache2 (Server version: Apache/2.4.7 (Ubuntu)).
Enabled apache2 modules (auth_basic is enabled):
Is there a PHP ini setting to allow Authorization header?
edit 2015-05-13:
$headers = apache_request_headers();
if (isset($headers['Authorization'])) {
echo 'you are auth';
} else {
echo 'there is no Authorization';
}
On my locale system this returns 'you are auth', on the server 'there is no Authorization'. Tested with Postman app in Chrome browser.
edit 2015-05-14:
I think it is an Apache2 topic.
How can i enable the Authorization header in Apache2?
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
in the .htaccess solves the problem.
But i do not know why this is not necessary on my locale system.
As bitkorn suggested, you can add the following to your .htaccess:
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
If that doesn't solve your problem, then you can try the following:
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
However, something that must be mentioned is that if you're using either solution, you must access your header with the HTTP_AUTHORIZATION header. If you try to use Authorization it will be null.
Server: Almalinux 8, Panel: WHM/CPANEL;
The reason is apache. Something removes the header. To prevent;
Open httpd.conf
<VirtualHost>
# ...
Include "/etc/apache2/conf.d/userdata/*.conf"
# ...
</VirtualHost>
place will be detected by apache.
And create a special conf to prevent removed automatically.
nano /etc/apache2/conf.d/userdata/{username}.conf
Add this line;
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
Restart Apache;
service httpd restart
Related
I have a website that uses the same core .htaccess details as many other websites; however this website does not properly load the .htaccess directives -- giving a basic HTTP header set of:
HTTP/1.1 200 OK
Date: Mon, 12 Nov 2018 09:34:28 GMT
Server: Apache
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
The website itself loads fine, but additonal headers in .htaccess are not being agknowledged / loaded.
So .htaccess is being read, right?
Yes -- The htaccess file contains HTTPS forced redirects and domain name redirects (from the .co.uk to .com address (both to the same website account))
These work.
Headers supplied by PHP are being loaded fine, too
The PHP headers on a test page are loading just fine:
<?php
header("Cache-Control: no-cache, must-revalidate");
header('Content-Type: text/html; charset=utf-8');
header("X-Clacks-Overhead: GNU Terry Pratchett");
header("Content-Language: en");
header("X-XSS-Protection: 1; mode=block");
header("X-Frame-Options: SAMEORIGIN");
header("X-Content-Type-Options: nosniff");
?>
But the same headers set in the .htaccess are not being agknowledged.
So it's an .htaccess syntax error!
Not that I can see; usually with a .htaccess error the site loads an HTTP-500 error message, however here the site loads in the browser without issue.
When there IS a deliberate syntax error the error-500 HTTP response comes back as expected.
Ok bozo, check your error logs!
Absolutely; I couldn't agree more. The Apache error logs are empty!
What have you tried to do to fix this?
Confirmed httpd.conf allows reading of .htaccess
Confirmed that mod_headers.c is loaded on the server
Commented out and re-written various rules, to no effect
Read lots (maybe 6-8) of posts on Stack Overflow and Server Fault - Stackoverflow posts don't appear to relate or their issues had distinct differences.
Confirmed my .htaccess has the correct permissins (0644)
Told my staff (He's a Graphic Designer).
Cried myself to sleep.
Right then - Get your file out! Show me the magic!
Here:
Options +FollowSymLinks
Options -Indexes
RewriteEngine On
ErrorDocument 404 /index.php?msg=404
ErrorDocument 403 /index.php?msg=403
#Set asset items to cache for 1 week.
<FilesMatch "\.(gif|jpe?g|png|ico|css|js|swf|mp3)$">
Header set Cache-Control "max-age=1972800, public, must-revalidate"
</FilesMatch>
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
## This does not appear to work (for either)
#Header always set Strict-Transport-Security "max-age=31536000;" env=HTTPS
Header always set Strict-Transport-Security "max-age=31536000; includeSubdomains;" "expr=%{HTTPS} == 'on'"
Header set Expect-CT enforce,max-age=2592000
RewriteCond %{HTTP_HOST} ^(www\.)?thewebsite\.co\.uk$ [NC]
RewriteRule ^/?(.*)$ https://www.thewebsite.com%{REQUEST_URI} [R=301,L]
###
##### Seems to workdown to roughly this point.
###
#force requests to begin with a slash.
RewriteCond %{REQUEST_URI} !^$
RewriteCond %{REQUEST_URI} !^/
RewriteRule .* - [R=403,L]
RewriteCond %{HTTP_HOST} !^$
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
RewriteCond %{ENV:REDIRECT_STATUS} 200
RewriteRule .* - [L]
### This file does not exist on the directory at present.
<Files .account-user.ini>
order allow,deny
deny from all
</Files>
###
#### None of these appear on assessment tools such as Security Headers
#### Or redbot.
###
Header set Cache-Control no-cache,must-revalidate
Header set X-Clacks-Overhead "GNU Terry Pratchett"
Header set X-XSS-Protection 1;mode=block
Header set X-Content-Type-Options nosniff
Header always set X-Frame-Options SAMEORIGIN
Header set Expect-CT enforce,max-age=2592000
Header set Content-Language en
Header set Referrer-Policy origin-when-cross-origin
<LimitExcept GET POST HEAD>
deny from all
</LimitExcept>
And finally it would really help if you gave me a final summary of all of the above!
Header setting commands in .htaccess do not appear to work.
ALL parts of the file are used on other live sites elsewhere without issue.
Headers can be set in PHP without issue
No errors arise from these Headers in the .htaccess.
Headers appear to fail silently.
No Apache error logs are recorded.
The .htaccess is being read by Apache because other commands (such as mod_Rewrites) are being actioned
UPDATE:
From research by other parties (the hosting providers) it seems that somehow the .htaccess works and loads all the correct headers for non PHP pages.
For even plain PHP pages; the headers are blank.
Clarification
whatever.html pages load the headers all ok.
PHP pages display headers set by Header("...");
PHP pages refuse to load any headers set by .htaccess. This is the problem.
So it looks like my .htaccess can't set headers for PHP pages. How can I fix this?
It seems that PHP ignores headers defined in .htaccess when working as a FastCGI module.
There are a lot of suggestions how to fix this. In your case I would recommend to have a file that defines all your headers
<?php
// file headers.php
header('Cache-Control: no-cache,must-revalidate');
header('X-Clacks-Overhead: "GNU Terry Pratchett"');
header('X-XSS-Protection: 1;mode=block');
header('X-Content-Type-Options: nosniff');
header('X-Frame-Options: SAMEORIGIN');
header('Expect-CT: enforce,max-age=2592000');
header('Content-Language: en');
header('Referrer-Policy: origin-when-cross-origin');
?>
and save it to your DocumentRoot directory. Then add this entry to your .htaccess file to include it with every request:
php_value auto_prepend_file /var/www/html/headers.php
Testing it:
<?php
// file test.php
die("hello world");
?>
And the headers are being sent:
$ curl -I ubuntu-server.lan/test.php
HTTP/1.1 200 OK
Date: Sun, 25 Nov 2018 09:37:52 GMT
Server: Apache/2.4.18 (Ubuntu)
Cache-Control: no-cache,must-revalidate
X-Clacks-Overhead: "GNU Terry Pratchett"
X-XSS-Protection: 1;mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Expect-CT: enforce,max-age=2592000
Content-Language: en
Referrer-Policy: origin-when-cross-origin
Content-Type: text/html; charset=UTF-8
Always keep in mind that when you change headers in .htaccess to also change them in headers.php.
Hope this helps!
➥ previous answer
I think this problem results from the httpd/apache2 headers_module not being loaded correctly (although you state otherwise in one of the above comments). You can check this by executing this command in the terminal:
apachectl -M | grep headers_module
If you get no output headers_module (shared) (or similar), then you have to activate the httpd/apache2 headers module. On a CentOS system you have to load the respective source file in your configuration (default /etc/httpd/conf/httpd.conf).
You have to add this line
LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
and then restart the http server wih sudo systemctl restart httpd.service
With EasyApache 4 the folder where httpd/apache2 modules are located might differ and be /usr/lib64/apache2/modules/.
I hope this helps!
It is not so much FastCGI as it is mod_proxy_fcgi, the method of asking Apache to "execute" FastCGI by passing it to some other listener.
When you use any mod_proxy* module, .htaccess isn't processed at all, because you're acting as a proxy and short-circuiting any disk-related configuration sections.
php-fpm will be looking at the request URL and reading data from disk, but Apache isn't. It is just confusing to people because they can be running on the same host and the files are often in a directory httpd could serve directly.
After much exploration it was found the issue was the PHP Handler -- the fastCGI (cgi) handler was not keeping the headers.
Changing to the suphp handler immediately resolved the issues.
I had same problem.
Please enable cache module in Linux Ubuntu.
sudo a2enmod cache
Then run:
sudo service apache2 start
I am trying to configure everything in order to run simultaneously php5 and php7 on Fedora 27. I am using Remi's guides from here and here, I am able to switch versions in the command line with module load/unload php71/php56
but on the page where I output phpinfo(); I get php version of 7.1. I have also
running php56-php-fpm.service and php71-php-fpm.service running.
What should I check or where to search? Thank you.
php.conf file:
# Redirect to local php-fpm if mod_php (5 or 7) is not available
<IfModule !mod_php5.c>
<IfModule !mod_php7.c>
# Enable http authorization headers
SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
<FilesMatch \.php$>
SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost"
</FilesMatch>
</IfModule>
</IfModule>
also there are php56-php.conf and php71-php.conf files. As I understand mod_php is serving files instead of php-fpm, is there any method to disable it?
Check all SetHandler Directives in /etc/httpd/conf.d/*conf
Each package comes with its configuration file (php##-php.conf), you may have to disable them to be able to set the proper version per vhost / project / directory, or ensure your configuration files are loaded after provided ones.
So all the answers already available on Google, here on SO and even on DigitalOcean only discuss either about PHP5.6 or less OR Apache2 v2.3 or less OR only v.14.04 or less of Ubuntu which are all outdated solutions that won't work/give errors on a latest PHP7.0 + Apache2 v. 2.4.18 on Ubuntu 16.04 server setup that has wordpress with redis, memcache and varnish setup for DB+Object caching, backend speed enhancement and reverse proxy respectively.Just a clear picture of my setup so you don't have to keep on figuring out vague ideas or answers and get the right solutions for people with the latest/almost same setup as mine! :)
Since I use a micro AWS instance that's super slow - sever response time 1.5s to 5.4s on the minimalist pages! I found out that fastcgi is a real gold here that can speed up servers up to 20x to 50x! But I'm unable to get the right setup solutions as they're outdated and PHP after v7.0 has changed pretty much everything about folders and files where we need to store our data and configurations.
So, I followed this Stack Overflow issue https://askubuntu.com/questions/378734/how-to-configure-apache-to-run-php-as-fastcgi-on-ubuntu-12-04-via-terminal and followed the solution provided by Evan Mattson and Nazq (3rd last and last answers), replacing everything with php7.0 and removing php5.6 but as Evan mentions in his answer:
Now create the following PHP file in the document root /var/www/html:
sudo nano /var/www/html/info.php
Add:
<?php phpinfo(); ?>
save & exit.
Now we call that file in a browser (e.g.
http://your-server-ip/info.php)
Under Server API at the top you should see FPM/FastCGI.
Success!
I don't see it! I get the usual default Apache 2.0 Handler in the Server API block of my info.php file which means something is wrong here.
The suggestions ask to:
edit /etc/apache2/conf-available/php5-fpm.conf with
<IfModule mod_fastcgi.c>
AddHandler php5-fcgi .php
Action php5-fcgi /php5-fcgi
Alias /php5-fcgi /usr/lib/cgi-bin/php5-fcgi
FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi -socket /var/run/php5-fpm.sock -pass-header Authorization -idle-timeout 3600
<Directory /usr/lib/cgi-bin>
Require all granted
</Directory>
</IfModule>
And then executing:
#sudo a2enconf php5-fpm
#sudo apache2 restart
Replacing them for PHP7.0 Here's my version of these steps:
I edited /etc/apache2/conf-enabled/php7.0-fpm.conf and
/etc/apache2/conf-available/php7.0-fpm.conf BOTH with:
<IfModule mod_fastcgi.c>
AddHandler php7.0-fcgi .php
Action php7.0-fcgi /php7.0-fcgi
Alias /php7.0-fcgi /usr/lib/cgi-bin/php7.0-fcgi
FastCgiExternalServer /usr/lib/cgi-bin/php7.0-fcgi -socket /var/run/php7.0-fpm.sock -pass-header Authorization -idle-timeout 3600
<Directory /usr/lib/cgi-bin>
Require all granted
</Directory>
</IfModule>
So now, these 2 files look exactly (same) like this:
# Redirect to local php-fpm if mod_php is not available
<IfModule !mod_php7.c>
<IfModule proxy_fcgi_module>
# Enable http authorization headers
<IfModule setenvif_module>
SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
</IfModule>
<FilesMatch ".+\.ph(p[3457]?|t|tml)$">
SetHandler "proxy:unix:/run/php/php7.0-fpm.sock|fcgi://localhost"
</FilesMatch>
<FilesMatch ".+\.phps$">
# Deny access to raw php sources by default
# To re-enable it's recommended to enable access to the files
# only in specific virtual host or directory
Require all denied
</FilesMatch>
# Deny access to files without filename (e.g. '.php')
<FilesMatch "^\.ph(p[3457]?|t|tml|ps)$">
Require all denied
</FilesMatch>
</IfModule>
</IfModule>
<IfModule mod_fastcgi.c>
AddHandler php7.0-fcgi .php
Action php7.0-fcgi /php7.0-fcgi
Alias /php7.0-fcgi /usr/lib/cgi-bin/php7.0-fcgi
FastCgiExternalServer /usr/lib/cgi-bin/php7.0-fcgi -socket /var/run/php7.0-fpm.sock -pass-header Authorization -idle-timeout 3600
<Directory /usr/lib/cgi-bin>
Require all granted
</Directory>
</IfModule>
Then I execute #sudo a2enconf php7.0-fpm (--> replaced) and
#sudo service apache2 restart
#sudo systemctl restart apache2
And I call the file in a browser (e.g. http://your-server-ip/info.php)
Under Server API at the top you should see FPM/FastCGI.
But I still see: The usual default Apache 2.0 Handler in the Server API block of my info.php file which means something is wrong here.
Please help! I'm stuck on this for so long!
P.S.: Please give solutions that you have found correct/working as this is for my production site, experimentation may cause something to break, suggestions are welcome but please don't go for something that is irreversible/disaster! Thanks!
I'm currently running a main server from a raspberry pi (32 GB) and a secondary server (4 TB) running as the file storage server. Both servers are running Debian Linux with Apache2 installed. I've been successful to bring PHP output from secondary server to main server with this code:
Main server:
<?php
$results = file_get_contents('http://example.org:700/handle.php');
echo $results;
?>
Secondary Server
<?php
header('Access-Control-Allow-Origin: http://example.org');
//Rest of code
?>
So I came to the problem where the main server would be able to show pictures and play mp3/wav from the secondary server, but in my case, it wouldn't work with FLAC (with a bit of javascript code), it simply showed me this error:
XMLHttpRequest cannot load http://example.org:700/music/soundfile.flac. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://example.org' is therefore not allowed access.
I know there is nothing wrong with the javascript coding because it will play music from other websites like this example: Debussy_-_Pour_les_accords.flac and has worked just fine earlier.
I simply want to allow all traffic between the two servers to be secure and with no Access-Allow-Origin errors. Is it something in the apache2.conf or other configuration files that can help me solve this problem?
https://stackoverflow.com/a/35707821/6802309
as simple as it looks.
this is how to fix this:
sudo nano /etc/apache2/apache2.conf
Put in this code at the bottom:
.
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin: "http://example.org"
Header set Access-Control-Allow-Credentials: true
Header set Access-Control-Expose-Headers: "Content-Length"
Header set Access-Control-Allow-Methods: "POST, GET, PUT, OPTIONS, DELETE, HEAD"
Header set Access-Control-Allow-Headers: "Range"
</IfModule>
Enable headers in config file: sudo a2enmod headers
Check for errors do: sudo apachectl -k graceful
sudo service apache2 reload
sudo service apache2 restart
Done
I have Apache (2.2.22 on Debian) configured to handle PHP files via FastCGI:
<FilesMatch ".+.php$">
SetHandler application/x-httpd-php
</FilesMatch>
Action application/x-httpd-php /fcgi-bin/php5-fpm virtual Alias
/fcgi-bin/php5-fpm /fcgi-bin-php5-fpm FastCgiExternalServer
/fcgi-bin-php5-fpm -socket /var/run/php5-fpm.sock -idle-timeout 600
-pass-header Authorization
To show a custom File Not Found (HTTP 404) page is configured in Apache as follows:
<Directory "/home/http/domain/root">
..
ErrorDocument 404 /pagenotfound.htm
..
</Directory>
Requests for non-existing non-PHP files are answered with the custom 404 pagenotfound.htm file. No problem.
But requests for non-existing PHP files are answered with http-status-header "HTTP/1.1 404 Not Found" and contents "File not found.", so not my custom error page. Problem!
The Apache error log shows (in the latter case):
[Sat Nov 21 14:03:07 2015] [error] [client xx.xxx.xx.xx] FastCGI: server "/fcgi-bin-php5-fpm" stderr: Primary script unknown
How can I configure a custom 404 page for non-existing PHP files when using PHP-FPM?
set "ProxyErrorOverride on" in either your global server config or in individual virtual hosts, see http://httpd.apache.org/docs/current/mod/mod_proxy.html#proxyerroroverride
When 'File not found' is shown instead of custom error page for non-existing .php files (and all other non-existing files get the correct custom error page)...
Centos 8, PHP 7.2.11
File: /etc/httpd/conf.d/php.conf
Add 'ProxyErrorOverride On' after the SetHandler
<FilesMatch \.(php|phar)$>
SetHandler "proxy:unix:/run/php-fpm/www.sock|fcgi://localhost"
ProxyErrorOverride On
</FilesMatch>
Not sure if required, but I then did:
systemctl restart httpd
Option: ProxyErrorOverride
ProxyErrorOverride can be used if you have access to the server's configuration. But it doesn't work within the .htaccess context and it will prevent PHP from outputting dynamic response bodies for all configured status codes (default: 400 to 599).
Option: <If> directive (Apache 2.4+)
Let Apache check if the file exists, before invoking PHP:
<Files "*.php">
<If "-e %{REQUEST_FILENAME}">
# Assuming PHP-FPM over Unix socket via mod_proxy_fcgi.
SetHandler proxy:unix:/path/to/php-fpm.sock|fcgi://
</If>
<Else>
# Ensure that *.php files are never handled by the default handler.
Redirect 404
</Else>
</Files>
Docs: <If>, Expression parser, Redirect
Option: mod_rewrite
The ErrorDocument can be triggered using mod_rewrite:
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule "\.php$" - [R=404]
Note: This only works if REQUEST_FILENAME has already been determined (so not in the server config or virtual host, but in a directory or .htaccess context). Otherwise it is equal to REQUEST_URI and that probably wouldn't be an existing local file.