Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Apache 2.4 + PHP-FPM and Authorization headers

Summary: Apache 2.4's mod_proxy does not seem to be passing the Authorization headers to PHP-FPM. Is there any way to fix this?

Long version: I am running a server with Apache 2.4 and PHP-FPM. I am using APC for both opcode caching and user caching. As recommended by the Internet, I am using Apache 2.4's mod_proxy_fcgi to proxy the requests to FPM, like this:

ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/foo/bar/$1 

The setup works fine, except one thing: APC's bundled apc.php, used to monitor the status of APC does not allow me to log in (required for looking at user cache entries). When I click "User cache entries" to see the user cache, it asks me to log in, clicking on the login button displays the usual HTTP login form, but entering the correct login and password yields no success. This function is working perfectly when running with mod_php instead of mod_proxy + php-fpm.

After some googling I found that other people had the same issue and figured out that it was because Apache was not passing the Authorization HTTP headers to the external FastCgi process. Unfortunately I only found a fix for mod_fastcgi, which looked like this:

FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi -host 127.0.0.1:9000 -pass-header Authorization 

Is there an equivalent setting or some workaround which would also work with mod_proxy_fcgi?

like image 570
CodeTwice Avatar asked Jun 10 '13 07:06

CodeTwice


People also ask

Can you use PHP-FPM with Apache?

By default Apache will use mod_php so now you can configure Apache to use PHP-FPM.

What are Authorization headers?

What is an Authorization Request Header? The HTTP Authorization request header contains the credentials to authenticate a user agent with a server. APIs use authorization to ensure that client requests access data securely.

What is FPM Apache?

Apache and PHP PHP-FPM is the Fast Process Manager for PHP which runs as a service that spawns PHP processes as needed when files files are requested through the FastCGI interface.


1 Answers

Various Apache modules will strip the Authorization header, usually for "security reasons". They all have different obscure settings you can tweak to overrule this behaviour, but you'll need to determine exactly which module is to blame.

You can work around this issue by passing the header directly to PHP via the env:

SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1 

See also Zend Server Windows - Authorization header is not passed to PHP script

In some scenarios, even this won't work directly and you must also change your PHP code to access $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] rather than $_SERVER['HTTP_AUTHORIZATION']. See When setting environment variables in Apache RewriteRule directives, what causes the variable name to be prefixed with "REDIRECT_"?

like image 75
Rich Avatar answered Sep 18 '22 20:09

Rich