I've setup an NGINX box with PHP-FPM. Everything works great, but my requests to that box send an extra request header, like: http_a_xpto (yes, it starts with "http_", and I cannot change it).
For some reason, all the headers with underscore ( _ ) are ignored and not able to be captured on PHP $_SERVER var.
I've enable "underscores_in_headers on;" at http directive, and even at server directive, on NGINX config file.
It's something missing in my config??
Thanks!
Richard was right.
So, apparently it seems that only with "service nginx restart", that flag at HTTP directive, was loaded. For production environment, where you "normally" don't restart but reload, this might be an issue.
This is an output by experience since I did not find any information related with HTTP directive changes only work with restart. If anyone have a link explaining that, please share here.
Thanks!
Related
I have written a web application that uses someone else's API that requires ETags. I have tried this code:
header("ETagbleh: whatever");
Which works perfectly. However, when I set this:
header("ETag: whatever");
Nothing happens. I have heard that it may be Apache blocking the sending of ETags, but I'm not sure. I've done a search for ETag in my apache2.conf and can't find anything to uncomment / remove, so I came here to ask.
So, how can I stop Apache blocking my headers?
Edit: I'm using Apache 2.2.22, and I assumed that the scripting language was irrelevant, given that PHP 5.4.4, which is what I'm using, can set any other header fine.
I've had the same problem.
A very popular way to remove ETags in Apache2 is adding the following configuration:
Header unset ETag
FileETag None
Remove the first config line, if you find it in your configuration.
A bit more difficult to find is mod_include causing the problem. By default the ETag-Header is removed by this module. But you can allow it by configuration. So add something like this:
<IfModule mod_include.c>
SSIETag on
</IfModule>
See here for more information.
I want to add the following settings to my server:
ServerSignature Off
ServerTokens Prod
However after research I have to add these settings in my httpd.conf or apache2.conf file. It wont work in my php.ini or .htaccess on my public webroot. If I have not got access to these two server files (httpd.conf or apache2.conf) how can I get access or is there an alternative way to get these settings to work. It is a security issue I need to sort out ASAP. Thanks
No, you can't configure Apache (as these are apache settings) via php nor any other language.
You may hide these values from showing on error pages with a little of mod_rewrite that any request to your server or web application gets directed to a php script that outputs whatever error you want.
These values are also shown in the http response headers that apache sends to the browser, so maybe you can overwrite them with php via the header function, using the optional param $bool_replace = true (which is the default value):
header("Server: IIS/6.0", true); // this will fool observers
header("X-Powered-By: Feces-Throwing-Monkey 3.14", true);
edit: Judging from a comment in php's header documentation, this works, and you should also overwrite the X-Powered-By header.
According to RFC 2616, which defines HTTP/1.1, the Host: header is mandatory.
A client MUST include a Host header field in all HTTP/1.1 request messages .
But the PHP manual implies that it could be empty:
'HTTP_HOST': Contents of the Host: header from the current request, if there is one.
In which situations could this header, and thus $_SERVER['HTTP_HOST'], be empty? Could my application depend on its being there?
It can be empty in HTTP 1.0. If no host header is specified, virtual hosting won't work at all, so the default vhost in your web server will be used.
I just tested this myself; in PHP under Nginx the $_SERVER['HTTP_HOST'] variable got set to the name of the virtual host, which is _ in my case. But that also depends on your fastcgi_params configuration in Nginx.
On shared hosting this is not important since the default vhost will be set to some information page from the hosting company, and so your script will not be run. Could be a good thing to keep in mind for your own server though.
Crawlers (e.g. google), scrapers or even perfectly legal scripts interfacing with your API may accidentally or ignorantly skip the Host header.
I added this answer because this question came up on google when I looked for the same thing.
The setup:
On a Mac OS X 10.5.8, with the original Apache 2.2, where the only change is to uncomment
LoadModule php5_module
In the _DocumentRoot_ dir, /Library/Webserver/Documents/, in a file named info.php, write:
<? php phpinfo(); ?>
The problem:
Request http://localhost/info.php and the response is the output from the function (i.e. PHP executed the file).
However, request from domain 127.0.0.1 or 192.168.1.x and the response is the content of the file, w/ a header of Content-Type application/x-httpd-php.
The file is always found via the request, so it's not a hosts mapping problem. However, it's treated as an executable only when the request is for domain localhost. There are no virtual hosts set up in the apache conf, so I figure the behaviour should be the same regardless of the domain.
Any idea how to remedy this so that I could use this server on my LAN?
Thanks.
Not sure if this is the problem, but do you have any allow/deny from all settings on your mod_php module's configuration? I'm not sure if it allows that or not.
The reason I ask is because today I wound up tracking down an issue with a preconfigured Apache instance where mod_proxy was set to only allow on requests from localhost. Switching it to allow requests from 10.* fixed the problem of another machine on the network correctly proxying.
Look at the virtual hosts section of the httpd.confg? Is there anything there that sets the PHP filetype? In either case AddHandler php5-script php should be somewhere in the .conf.
I'm having a strange problem here and can't figure the cause. I have a php-script on an nginx server which triggers a redirect to a different (sub)domain on the same server:
For instance:
foo.domain.com/redirect.php
header("Status:301");
header("location:http://www.domain.com/new_url/");
The result is that I'm getting redirected to:
foo.domain.com/new_url
The domain doesn't change at all although my response headers look fine .
Any ideas?
Ok, I finally found the cause for my troubles. Neither Nginx, nor PHP caused the issues. My webservers are behind a loadbalancer running with Pound.
Pound has a feature to rewrite domains inside header redirects (enabled by default). We now turned this feature off and all redirects finally work as expected!
Check your containing your site in an iframe,
Some hosts can do this if its free hosting, all so some domains setup allows the site to be contained in an iframe witch would cause the properly your describing