How to remove specific HTTP response headers in PHP?

I'd like to remove the following headers:
Connection: Keep-Alive
Server: Apache/2.2.13 (Win32)
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=66

I don't think this can be done properly in PHP, as these headers are set by Apache.
There is PHP 5.3's header_remove(), but that can remove only headers set by PHP (if I understand correctly). You could also overwrite the undesired headers by sending them again with empty values, but the original values will be sent anyway.
The best thing would be to fix this at the root, in Apache's configuration. For example, the ServerTokens directive can change the "Server:" header.
Related: apache_response_headers()

You could turn your script into a non-parsed-header CGI. For that you have to rename your example.php script into nph-script.cgi, make it executable (+x) and add the shebang:
#!/usr/bin/php-cgi
<?php
This requires you to send ALL HTTP headers yourself, however, including the HTTP/1.0 200 OK status line. (see rfc2616, php.ini config)
Oh, and actually I have no clue if this still works for current Apache versions.

Use PHP (or any other server-side language) and send the header Connection: close. This will cause Apache to omit the Keep-Alive header, since the connection is no longer keep-alive, e.g.
header('Connection: close');
Not sure if it works the same on all types of servers; suggestions welcome.

Related

Transfer-Encoding: chunked sent twice (chunk size included in response body)

I'm using Apache 2.2 and PHP 7.0.1. I force chunked encoding with flush() like in this example:
<?php
header('HTTP/1.1 200 OK');
echo "hello";
flush();
echo "world";
die;
And I get unwanted characters at the beginning and end of the response:
HTTP/1.1 200 OK
Date: Fri, 09 Sep 2016 15:58:20 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/7.0.9
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
a
helloworld
0
The first one is the chunk size in hex (10 = A). I'm using Klein as PHP router and I have found that the problem comes up only when the HTTP status header is rewritten. I guess there is a problem with my Apache config, but I wasn't able to figure it out.
Edited: My problem had nothing to do with Apache but with Nginx and the chunked_transfer_encoding directive. Check the answer below.
This is how Transfer-Encoding: chunked works. The extra characters you're seeing are part of the encoding, rather than the body.
A client that understands the encoding will not include them in the result; a client that doesn't, doesn't support HTTP/1.1, and should be considered bugged.
As @Joe pointed out before, that is the normal behavior when chunked transfer encoding is enabled. My tests were not accurate because I was requesting Apache directly on the server. Actually, when I was experiencing the problem in Chrome I was querying an Nginx service acting as a proxy for Apache.
By running tcpdump I realized that Nginx was rechunking responses, but only when rewriting the HTTP status header (header('HTTP/1.1 200 OK')) in PHP. The solution to sending Transfer-Encoding: chunked twice is to set chunked_transfer_encoding off in the location context of my Nginx .php handler.
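The double framing described in this thread can be reproduced offline. The following is an added example, not code from the original posts: it decodes one layer of chunked framing and shows that a body chunked twice still carries the inner chunk size and terminator after a compliant client has removed the outer layer. The function names and the sample bytes are constructed for illustration.

```python
import re

HEX = re.compile(rb"[0-9A-Fa-f]+")

def encode_chunked(body: bytes) -> bytes:
    """Frame body as a single chunk followed by the terminating zero chunk."""
    if not body:
        return b"0\r\n\r\n"
    return b"%x\r\n%b\r\n0\r\n\r\n" % (len(body), body)

def decode_chunked(raw: bytes) -> bytes:
    """Strip exactly one layer of chunked framing (trailers are ignored)."""
    out, pos = bytearray(), 0
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("no CRLF after chunk size")
        size_field = raw[pos:eol].split(b";", 1)[0].strip()  # drop chunk extensions
        if not HEX.fullmatch(size_field):
            raise ValueError("chunk size is not hexadecimal")
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)
        end = pos + size
        if raw[end:end + 2] != b"\r\n":
            raise ValueError("chunk shorter than its declared size")
        out += raw[pos:end]
        pos = end + 2

def framing_layers(raw: bytes) -> int:
    """Heuristic: how many times the body can be de-chunked before parsing fails."""
    layers = 0
    while True:
        try:
            raw = decode_chunked(raw)
        except ValueError:
            return layers
        layers += 1

# Constructed samples: the backend's framing, and the same bytes re-chunked by a proxy.
SINGLE = encode_chunked(b"helloworld")  # one chunk of size 0xa
DOUBLE = encode_chunked(SINGLE)         # outer chunk wraps the 20 framed bytes

if __name__ == "__main__":
    print(decode_chunked(SINGLE))   # intended body
    print(decode_chunked(DOUBLE))   # inner framing leaks into the rendered page
    print(framing_layers(DOUBLE))
```

A framing_layers() result above 1 on a captured body is a hint that two hops each applied chunked encoding; it is a heuristic, since a payload could legitimately look like chunk framing.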

Only half of page loading

I have an application (CakePHP 2.2) that worked fine up until lately, however all of a sudden it's started only delivering part of the page. The HTML for the page is truncated, however it doesn't always truncate at exactly the same place each time (although it's about the same place).
I've had someone else test this from another location & they also experienced the same problem.
The first time I had this problem I restarted the server & it appeared to resolve the problem, however it's happened again. This time I've tried restarting Apache, rather than the whole server & it does not appear to have resolved the problem.
I'm not sure what else to try, so any suggestions welcome.
Thanks in advance.
Update: I've also now tried disabling APC but the problem continued after this was disabled.
Another update: Having tried adding content above & below the point it was truncating, it would appear that it is truncating at a certain distance from the end of the file, as the approximate break point only moved when content is added after where it's breaking.
Yet another update...
OK, so I've done even more digging & there seems to be a problem with the calculation of the content length on my production server. Here's the output from my digging (Date headers stripped to save space)...
Server with Content-Length unset
If I unset the Content-Length header in the CakeResponse::_setContentLength(), the full page displays fine, & this is the header returned…
Connection close
Server Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/1.0.0-fips mod_bwlimited/1.4
Transfer-Encoding chunked
X-Powered-By PHP/5.3.24
Server with Content-Length set
If I don't unset the Content-Length header then the page displayed is truncated, & the response headers are…
Connection close
Content-Length 2455
Content-Type text/html; charset=UTF-8
Server Apache/2.2.24 (Unix) mod_ssl/2.2.24 OpenSSL/1.0.0-fips mod_bwlimited/1.4
X-Powered-By PHP/5.3.24
Local Machine with Standard Content-Length
I would think it's the header length calculation, apart from the fact that on my local machine, even without unsetting the Content-Length header, the full page displays, even though the Content-Length returned is the same as on the production server...
Connection Keep-Alive
Content-Length 2455
Content-Type text/html; charset=UTF-8
Keep-Alive timeout=5, max=100
Server Apache/2.2.22 (Unix) DAV/2 PHP/5.3.15 with Suhosin-Patch mod_ssl/2.2.22 OpenSSL/0.9.8x
X-Powered-By PHP/5.3.15
From what I can gather, the script must be die'ing and then stopping the HTML after the die code from displaying.
You need to look further into the code of CakePHP, and check that the logical functions are not ending unexpectedly and that there is no outstanding die function that could prevent the HTML from loading.

Rewrite HTTP server header with PHP

When I try to use this code:
header('X-Powered-By: ASP.NET');
header('Server: Microsoft-IIS/7.5');
the headers that are sent are:
Server:Apache/2.2.22 (Win64) PHP/5.4.3
X-Powered-By:ASP.NET
What do I need to do?
Your Server header is being replaced by Apache2.
The solution may be to completely disable sending the Server header by the web server. In fact, Apache (and most web servers) does not allow you to completely disable the server signature.
You can find some useful information here: Removing http headers in Apache2

How can I disable gzip compression for a PHP AJAX request/response under Apache2?

On the embedded device I'm working on, the web-pages' Javascript sends requests to local PHP files and then uses the responses to update DOM elements dynamically. Everything works fine: AJAX is cool.
Annoyingly, though, all the responses are gzip encoded even though I'd rather they weren't (the target device's processor doesn't have much processing bandwidth). The problem is that I can't see how to disable gzip compressing the responses.
Note that:
(1) On the server side, I'm testing using PHP 5.3.10 and Apache/2.2.22 under Ubuntu
(2) On the client side, I'm using Firefox 19.0 and Firebug
(3) The PHP files are just echoing their output, i.e. I don't think they're invoking ob_gzhandler()
(4) The JavaScript is using GET rather than POST (it's what was specified for the project)
According to Firebug, the request headers look like this:
Accept text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding gzip, deflate
Accept-Language en-gb,en;q=0.5
Cookie PHPSESSID=<whatever>
Host 10.0.2.15
Referer http://10.0.2.15/pages/status.php
User-Agent Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:19.0) Gecko/20100101 Firefox/19.0
And the response headers typically look like this:-
Cache-Control no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection Keep-Alive
Content-Encoding gzip
Content-Length 59
Content-Type text/html
Date Wed, 13 Mar 2013 12:08:02 GMT
Expires Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive timeout=5, max=43
Pragma no-cache
Server Apache/2.2.22 (Ubuntu)
Vary Accept-Encoding
X-Powered-By PHP/5.3.10-1ubuntu3.5
Approaches I've already tried (but without any success):-
(a) Preventing php files' output from being gzipped via the local .htaccess file
<IfModule mod_env.c>
SetEnvIfNoCase Request_URI "\.php$" no-gzip dont-vary
</IfModule>
This was as per http://support.modwest.com/content/1/117/en/how-do-i-turn-off-webservers_-gzip-compression.html but didn't seem to have any effect, even when I restarted apache2 between calls.
(b) Preventing php files' output from being gzipped via the /etc/apache2/httpd.conf file
<Directory /myfolder>
RemoveOutputFilter php
</Directory>
This also didn't seem to have any obvious effect, even when I restarted apache2 between calls.
(c) Setting the "Accept-Encoding" header to "" or "identity" using XMLHttpHeader.setHeaderRequest()
I tried both
xmlhttp.setRequestHeader("Accept-Encoding", "identity");
...and...
xmlhttp.setRequestHeader("Accept-Encoding", "");
Neither seemed to have any obvious effect: Firebug still reports that the request header holds
Accept-Encoding gzip, deflate
I checked the spec for this, and it seems as though setRequestHeader() should be allowed to change the AcceptEncoding header line, so this is a bit odd. Possibly a FF security hole that's been filled?
http://www.w3.org/TR/2006/WD-XMLHttpRequest-20060405/#dfn-setrequestheader
Note that the setRequestHeader() mechanism is apparently working ok, because adding...
xmlhttp.setRequestHeader("X-FavouriteFruit", "banana");
...adds a line to the Firebug request output:
X-FavouriteFruit banana
Basically, I'm pretty much out of ideas. How else can I stop my php responses being gzipped?
It would seem you use Apache on the device to serve the PHP files, which means you could try something like this in /etc/php.ini (or in .htaccess via #php_value)
zlib.output_compression = Off
in the Language options section.

Where are these extra HTTP headers coming from?

When I simply echo something out of php file, I do not send any headers intentionally, however - there are some default headers present anyway when I look at firebug response:
response headers:
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 23 Jun 2011 19:33:51 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
X-Powered-By: PHP/5.3.6-6~dotdeb.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Encoding: gzip
I'm curious - are these default response headers set by the server(nginx) or by PHP?
I believe it is a combination of both... You can tell that "X-Powered-By: PHP/5.3.6-6~dotdeb.1" comes from PHP and "Server: nginx" comes from NGINX.
You can alter the headers in PHP as follows:
<?php
header("HTTP/1.0 404 Not Found");
?>
The gzip header most definitely comes from NGINX as it is compressing the output (html) to the browser. PHP can "add" to the headers by calling a function like the one above. Then the server combines it with the PHP headers and serves the request.
It depends on your server whether or not the PHP headers take precedence over the server headers.
Hope this helps.
The majority are set by nginx, for example the Server, Date, Content-Encoding, and Connection. However, some other headers are set by PHP, and you can add others in PHP like this: header("Name: Value");
The X-Powered-By header is controlled by the value of the expose_php directive in php.ini:
Decides whether PHP may expose the fact that it is installed on the server (e.g. by adding its signature to the Web server header). It is no security threat in any way, but it makes it possible to determine whether you use PHP on your server or not.
Most headers are sent by nginx. To list the headers (to be) sent by PHP, use the function headers_list:
<?php
echo htmlentities(print_r(headers_list(), true));
?>
PHP automatically sets some of them, like Content-Type: text/html for the hello world page. nginx sets the ones that have to do with the socket, like Connection: keep-alive.
You'll find settings for connections in nginx's configuration. Content-wise, it's PHP. You're allowed to override quite a few of them with the header() function in PHP, as well as add your own custom headers.
http://php.net/manual/en/function.header.php
For example, you could set the Content-Type to application/json if you're planning to have PHP send out a JSON string.
What's still missing in the answers is the role of PHP:
Some of the headers are indeed set by PHP itself, but the reason is not that easy to find. It's the default session cache delimiter behavior explained here: http://www.php.net/manual/en/function.session-cache-limiter.php
What's afaik not in the docs is how to turn them off completely - simply pass some undefined value to it:
session_cache_limiter(false);
You must do this before you start your session. In case you are using the Zend Framework, you have to set this before your application's bootstrap(), otherwise it won't work.
You can also overwrite any of the default server headers using the header() function. For example, if you include in your PHP header('Server: ') this will reset the Server: header to be blank.
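The answers in this thread, and in the first thread on this page, attribute each header to a layer: the web server, php.ini, or PHP's session handling. As an added example (not code from the original posts), this check takes a captured response header block and reports which headers disclose software or versions and which setting named on this page controls each one. The function names and the sample inputs, copied from the headers quoted above, are constructed for illustration.

```python
import re

# Constructed samples, taken from the headers quoted in the questions on this page.
NGINX_PHP = """\
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
X-Powered-By: PHP/5.3.6-6~dotdeb.1
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
"""
APACHE = """\
HTTP/1.1 200 OK
Server: Apache/2.2.13 (Win32)
Vary: Accept-Encoding
"""

VERSION_TOKEN = re.compile(r"[A-Za-z_-]+/\d+(\.\d+)+")   # e.g. Apache/2.2.13
SESSION_EXPIRES = "Thu, 19 Nov 1981 08:52:00 GMT"        # sent by PHP's session cache limiter

def parse_headers(raw: str) -> dict:
    """Return {lower-cased name: value}; the status line is skipped."""
    headers = {}
    for line in raw.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw: str) -> list:
    """List (header, controlling setting) pairs for headers that reveal the stack."""
    h = parse_headers(raw)
    findings = []
    if VERSION_TOKEN.search(h.get("server", "")):
        findings.append(("server", "web server configuration, e.g. Apache ServerTokens"))
    if "x-powered-by" in h:
        findings.append(("x-powered-by", "expose_php in php.ini"))
    if h.get("expires") == SESSION_EXPIRES:
        findings.append(("expires", "session_cache_limiter() before the session starts"))
    return findings

if __name__ == "__main__":
    for sample in (NGINX_PHP, APACHE):
        print(audit(sample))
```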
