Where is the debug information "Current character set: utf8" comming from?
It appears always first when I echoing something within my index.php (slim) script.
I really become desperate trying to suppress this.
May it caused by the .htaccess rules?
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ %{ENV:BASE}index.php [QSA,L]
Here my setting:
Server: Apache/2.4.9 (Win32) OpenSSL/1.0.1g PHP/5.5.11
X-Powered-By: PHP/5.5.11
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36
The relevant section of the index.php:
function echoRespnse($status_code, $response) {
$app = \Slim\Slim::getInstance();
// Http response code
$app->status($status_code);
$app->config('debug', false);
// setting response content type to json
$app->contentType('application/json');
//$app->response()->header('Content-Type', 'application/json');
echo json_encode($response);
}
Any help would be greatly appreciated
Related
I am new to posting here, so sorry if I don't make it how it should be, and I could not decide what to make the title.
So, I am new to Nginx and Docker, I am wanting to use Nginx Proxy Manager to proxy all my websites that are hosted on 'php:8.1-apache' images for now.
I am proxying a website from a docker container (Named 'ApacheDefault') running a custom image of 'php:8.1-apache' through Nginx Proxy Manager (Assets Caching disabled, Block Common Exploits disabled), and I am having issues when going through the proxy that does not appear when reaching straight to the website.
When reaching through the proxy, it randomly works and then stops working.
On the root of my website, I got /test.php which is just the phpinfo function, /index.php which handle the routing, some assets in the /assets/ folder, and a /.htaccess with
Options +FollowSymLinks
RewriteEngine on
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php?url=$1 [QSA,L]
Using 'my.domain' as an example, my domain is using Cloudflare DNS.
When reaching my.domain/test.php, I either get the regular phpinfo page or a page with this:
Warning: require_once(assets/php/config.php): Failed to open stream: No such file or directory in /var/www/html/assets/php/content.php on line 2
Fatal error: Uncaught Error: Failed opening required 'assets/php/config.php' (include_path='.:/usr/local/lib/php') in /var/www/html/assets/php/content.php:2 Stack trace: #0 /var/www/html/index.php(19): include() #1 /var/www/html/assets/php/classes/Route.php(37): {closure}('test.php') #2 /var/www/html/assets/php/classes/Router.php(40): Route->call() #3 /var/www/html/index.php(23): Router->run() #4 {main} thrown in /var/www/html/assets/php/content.php on line 2
^ "/var/www/html/assets/php/content.php" is not a file that does not exists and "assets/php/config.php" is never called in my code
The Nginx Proxy Manager log shows this (The first line landed on the error page, the second showed the regular phpinfo page):
[07/Oct/2022:16:20:22 +0000] - 200 200 - GET https my.domain "/test.php" [Client X.X.X.X] [Length 339] [Gzip -] [Sent-to ApacheDefault] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" "-"
[07/Oct/2022:16:20:23 +0000] - 200 200 - GET https my.domain "/test.php" [Client X.X.X.X] [Length 23591] [Gzip -] [Sent-to ApacheDefault] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" "-"
For some reason, the Length changes, and I can't get to understand why.
I tried:
Disabling Nginx caching from "Custom Nginx Configuration".
Disabling Nginx GZip (from "Custom Nginx Configuration") but could not manage to do it.
Enabling Cloudflare's Development Mode.
Thank you to anyone that can bring me the slightest help!
EDIT:
After testing a bit more I noticed something. When defining NPM (Nginx Proxy Manager)'s "Forward Hostname / IP" to my server raw IP or the website docker container's IP, the error does not appear anymore. The error only appears when using the docker container name as hostname instead of its IP. But I would like to rely on the hostname and not the IP because the IP can change, and seeing hostname is easier.
RE EDIT:
After removing my initial network connecting NPM & The Website Container and re creating it, it seems like it fixed the issue.
No idea why but i dont care, its fixed !
This question already has answers here:
Apache 2.4 + PHP-FPM and Authorization headers
(4 answers)
Closed 11 months ago.
I have defined the rule into .htaccess like this:
# Ensure Authorization header is passed along
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
And I have passed "Authorization Bearer Token" into HTTP request like below:
:authority: demo.com
:method: POST
:path: /data-list
:scheme: https
accept: application/json, text/plain, */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,hi-IN;q=0.8,hi;q=0.7,gu-IN;q=0.6,gu;q=0.5
authorization: Bearer IiwiZGVzdCI6Imh0dHBzOlwvXC93Yy1rdW5hbGcubXlzaG9waWZ5LmNvbSIsImF1ZCI6ImI4NzMyYTZkNjcyMGFiNjNlN2IwZTRkNDExNzVhNTZlIiwic3ViIjoiNDQ1MDIxMjI2MjkiLCJleHAiOjE2NDg0NDEwODYsIm5iZiI6MTY0ODQ0MTAyNiwiaWF0IjoxNjQ4NDQxMDI2LCJqdGkiOiIyMjZiM2
content-length: 22
content-type: application/x-www-form-urlencoded
dnt: 1
origin: https://demo.com
referer: https://demo.com/data?hmac=18dc09298e1bd09d95c02ada793f57140804bf42380be07&host=d2Mta3VuYWxnLm15c2lmeS5jb20vYWRtaW4&locale=en-IN&session=55bfc54daf6945e3ca50b2da7f5830d88dcfcb8f4d103b97518166d9fd7b00c9&shop=demo.com×tamp=1648441021
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="99", "Google Chrome";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: same-origin
user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.82 Safari/537.36
But, using PHP variable $_SERVER or any other PHP variables I am not getting "authorization: Bearer Token".
I am using a digital ocean server for this.
I have tried PHP variables like $_SERVER or any other PHP variables that get "authorization: Bearer Token".
I am getting blank array response for printing $_SERVER['HTTP_AUTHORIZATION'].
Is there any information that I am missing?
Works fine for me with this code in .htaccess :
RewriteCond %{HTTP:Authorization} .+
RewriteRule ^ - [E=HTTP_AUTHORIZATION:%0]
I tried to reproduce the issue but didn't get any error. Try to make the same request.
HTTP-Request
POST /data-list
Host: demo.com
authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9XXXXXXX
In PHP
function getToken(){
$bearerToken = null;
if (isset($_SERVER['AUTHORIZATION'])) {
$bearerToken = $_SERVER['AUTHORIZATION'];
}elseif (isset($_SERVER['HTTP_AUTHORIZATION'])) { //Nginx or fast CGI
$bearerToken = $_SERVER["HTTP_AUTHORIZATION"];
}elseif (isset($_SERVER['REDIRECT_HTTP_AUTHORIZATION'])) {
$bearerToken = $_SERVER["REDIRECT_HTTP_AUTHORIZATION"];
}
return $bearerToken;
}
echo getToken(); // This returned a Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9XXXXXXX
As new Opera 65 came few days ago with address bar redesign, I have noticed an issues on my web page.
While typing or copying an address into the bar, Opera sends requests to server, however, I am not able to capture the requests in PHP, as it seems, Fetch API is used under the hood.
Is there any way to deny or block the Fetch API requests in PHP 7 or Apache 2.4? In other words, block the requests on server side produced by Opera while typing / copying (PHP preferred)?
Particularly, I need to exclude GET requests providing an action with hash key in a query (test in the sample bellow).
When the address is copied (from mail for e.g.) to the address bar, Opera sends the request "in the background", the request is executed, however after submitting the address by Enter, second request returns error, because of forbidden operation (hash key is not valid anymore).
From Apache log:
127.0.0.1 - - [29/Nov/2019:01:56:08 +0100] "GET /? HTTP/1.1" 200 179736
127.0.0.1 - - [29/Nov/2019:01:56:08 +0100] "GET /?t HTTP/1.1" 200 179813
127.0.0.1 - - [29/Nov/2019:01:56:08 +0100] "GET /?te HTTP/1.1" 200 179808
127.0.0.1 - - [29/Nov/2019:01:56:08 +0100] "GET /?tes HTTP/1.1" 200 179819
127.0.0.1 - - [29/Nov/2019:01:56:08 +0100] "GET /?test HTTP/1.1" 200 179823
From Wireshark (one of the requests):
/?test HTTP/1.1
Host: sk.localhost
Connection: keep-alive
Sec-Fetch-Site: none
Sec-Fetch-Mode: no-cors
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36 OPR/65.0.3467.48
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Used technologies:
PHP 7.3.7, Apache/2.4.39
The requests can be denied (response sent) by Apache rewrite conditions or PHP response based on parsed headers.
Opera sends two Fetch API headers while typing:
Sec-Fetch-Site: none
Sec-Fetch-Mode: no-cors
List of all headers can be found at https://w3c.github.io/webappsec-fetch-metadata/.
To not sent a full response (not engage PHP) for requests with this headers, you can use Apache 2.4 mod rewrite module:
RewriteCond %{HTTP:Sec-Fetch-Site} ^none$ [NC]
RewriteCond %{HTTP:Sec-Fetch-Mode} ^no-cors$ [NC]
RewriteRule ^ - [R=204,L]
or send response via PHP (sample using Kohana/Koseven FW):
$header_sec_fetch_site = $this->request->headers('Sec-Fetch-Site');
$header_sec_fetch_mode = $this->request->headers('Sec-Fetch-Mode');
if (isset($header_sec_fetch_site, $header_sec_fetch_mode)
&& $header_sec_fetch_site == 'none'
&& $header_sec_fetch_mode == 'no-cors')
{
$message = 'Header ' . $header_sec_fetch_mode . ' received. No content for this request.';
Log::instance()->add(Log::NOTICE, $message);
throw HTTP_Exception::factory(204, $message, array(
':uri' => Request::current()->uri(),
));
}
The headers should be available in global variables:
$_SERVER['HTTP_SEC_FETCH_DEST']
$_SERVER['HTTP_SEC_FETCH_SITE']
$_SERVER['HTTP_SEC_FETCH_USER']
$_SERVER['HTTP_SEC_FETCH_MODE']
After 450 hours of work my web-app doesn't work anymore, and I don't know how to solve it. Let me explain the situation:
I was inserting my website into the server and playing around with htaccess.
I have changed many times the htaccess playing around with symlinks, rewriting url to go to redirect to https, etc.
My website was logging in the user and now not anymore working for this function anymore:
The Apache log is this one repeating the same name of the folder:
[13/Oct/2017:21:44:59 +0200] "GET
/developement/index.php/fold/fold/fold/fold/fold/fold/loginform.inc.php
HTTP/1.1" 302 9358 "-" "Mozilla/5.0 (Windows NT 6.2; WOW64;
Trident/7.0; rv:11.0) like Gecko"
I have just changed the httpd.conf in Xampp inserting: AllowOverride All
after I discovered it was on none
I don't really know what's going on:
I think I have a problem in my php where I write the header:
header("Location: ../invoice.php"); if the user is logging in.
I have read that you can't have any echo in the php file before header if not is not working
Further info:
I have included a core.php file in all the files so I define some functionlike the below:
<?
ob_start();//to use the header func to redirect to index.php after log in
session_name("test");//to hide session id def cookie name PHPSESSID=
session_start();//to save the global var user id after log in
//Errors On/off
if(strstr($_SERVER['SERVER_NAME'],"localhost")) {
// Make sure we show all errors
ini_set('display_errors', 1);
ini_set('log_errors', 1);
error_reporting(E_ALL);
ini_set('html_errors', 'On');
ini_set('display_startup_errors','On');
} else {
//IMP: DA VERIFICARE SE FUNZIONA NEL SERVER!!!!!!!!!!!!!!!!!!!
// We also want to suppress all warnings
ini_set('display_errors', 0);
error_reporting(0);
ini_set('html_errors', 'Off');
ini_set('display_startup_errors','Off');
}
//this to define links in my HTML (in header(Location: MIO./myfolder ) it does not work !!!)
//define http root
define("MINE",($_SERVER["SERVER_NAME"] == "localhost")? "http://localhost/developement/" : "https://www.mywebsite.it/");
//echo MINE;
?>
Content of .htaccess:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{HTTP_HOST} ^mywebsite.it [OR]
RewriteCond %{HTTP_HOST} ^www.mywebsite.it [NC]
RewriteRule ^(.*)$ https://www.mywebsite.it/$1 [L,R=301]
Xampp Apache Access Log:
::1 - - [15/Oct/2017:00:47:10 +0200] "POST /developement/elgin/loginform.inc.php HTTP/1.1" 200 10325 "http://localhost/developement/elgin/loginform.inc.php" "Mozilla/5.0 (Windows NT 6.2; WOW64; Trident/7.0; rv:11.0) like Gecko"
Xampp Apache Error Log:
Failed loading C:\xampp\php\ext\php_xdebug-2.5.4-7.1-vc14.dll
6] AH01909: www.example.com:443:0 server certificate does NOT include an ID which matches the server name
Just some php files had the BOM.
Saved to BOM and re-saved to UTF-8 w no BOM
I have a session variable that I set like this:
<?php
$token = md5(uniqid(rand(), true));
session_start();
$_SESSION['token'] = $token;
print $_SESSION['token'];
?>
Then on another page I have this:
<?php
session_start();
print $_SESSION['token'];
?>
The problem is that they don't match. I get two completely different strings. register_globals is off. I did notice that when I set md5(....) to a constant string eg: md5('example') that it works as expected and the two strings match. But that shouldn't matter. Any ideas on what's going on here?
EDIT: Apache Acces Log:
127.0.0.1 - - [18/Sep/2010:17:46:09 -0500] "GET /index.php HTTP/1.1" 200 3182 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.59 Safari/534.3"
127.0.0.1 - - [18/Sep/2010:17:46:09 -0500] "GET /style/style.css HTTP/1.1" 304 - "http://cmb.local:8888/index.php" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.59 Safari/534.3"
127.0.0.1 - - [18/Sep/2010:17:46:09 -0500] "GET /js/signup.js HTTP/1.1" 304 - "http://cmb.local:8888/index.php" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.59 Safari/534.3"
127.0.0.1 - - [18/Sep/2010:17:46:09 -0500] "GET /index.php HTTP/1.1" 200 3182 "http://cmb.local:8888/index.php" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.59 Safari/534.3"
127.0.0.1 - - [18/Sep/2010:17:46:10 -0500] "GET /index.php HTTP/1.1" 200 3182 "http://cmb.local:8888/index.php" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-US) AppleWebKit/534.3 (KHTML, like Gecko) Chrome/6.0.472.59 Safari/534.3"
I'm not quite sure how to read that but it looks to me that my file (index.php which I assume is the '/') is being called three times. Am I reading that right? What's going on there?
Completely stupid mistake on my part. I had some empty <img> tags in there that were causing the extra requests. facepalm Sorry everyone, problem solved. Thanks for your help!!
The only solution I can think of is that you are making a second request to the first page without knowing it. You should probably check your apache access log for this second access...
Making a simple request counter would be another solution to check this:
$_SESSION['counter'] = isset($_SESSION['counter'])? $_SESSION['counter'] +1 : 0;
You will notice that every time you revisit the first page, your session variable will change. Since it works for a constant string, 'example', I will assume that you revisit page 1 to view what is stored there.
A fix could be checking to ensure that that session variable is not set before you set it again.
i.e.
<?php
session_start();
if(!empty($_SESSION['token'])){
$token = md5(uniqid(rand(), true));
$_SESSION['token'] = $token;
}
print $_SESSION['token'];
?>
This chunk of code should work as expected.
Looks weird. That first chunk of code that resets the token must have been run again somehow.