Login/Register
$_SERVER['HTTP_HOST'] not set
Asked Answered
Solved phpapache
N

3

8

I am getting lot of traffic to my php pages but without the variable $_SERVER['HTTP_HOST'] set.

This traffic is like 1 hit per second. I don't know what it could be, but for reducing server load i am doing this at the top of every php pages:

if (!isset($_SERVER['HTTP_HOST']))
    exit;

Do you know what could cause this? Is it safe to exit whenever HTTP_HOST is not set?

Can a normal user visit my pages without setting HTTP_HOST?

  • PHP version: 5.2.0-8
  • Apache: 2.2.3
Nanette answered 1/1, 2011 at 12:38 Comment(2)
Do you have any statistics? Which resources being requested? what are ip addresses? whatever else - a user agent probably?Earthquake
As a side note: A "normal" user is likely to use a "normal" browser and they all have used HTTP/1.1 for a long time and that version requires the Host: ... header. So, it could happen that a normal user access your website without the Host: ... header, but it is really unlikely.Volny
D
7

Mmm, might be as well the "apache dummy connections". Check you access logs for "internal dummy connection", theses are used by the master apache process to send orders to his child processes (like suicide yourself, or we need to reload conf). And theses connections are made in HTTP/1.0 without HOST set.

http://wiki.apache.org/httpd/InternalDummyConnection

Theses #$!"#sh#f#ck*$! connections are making a lot of bugs around there, (cache things, no HTTP/1.1, etc). One 'simple' solution is not having your hostname based Virtuahost serving you main application as the default virtualhost. Keep a very simple default virtualhost with the 'it works' page, or something very simple "if you get this page you might try to get a browser with HTTP/1.1 support somewhere", as a static page. Then all HTTP/1.0 traffic or people accessing your server by IP only, will not be in your real application.

To be complete I've seen a company this year with bad proxies removing the Host header from all their outgoing HTTP traffic. But theses bad guys are dumbs, I don't think there's a lot of people still browsing in HTTP/1.0 without hosts.

Dock answered 2/1, 2011 at 17:50 Comment(2)
exaclty that... in the log i got internal dummy connection. Problem is for domain configuration I need my main as the default virutalhost.Nanette
Check on google, there are some usefaull mod_rewrite rules to ignore apache dummy connexions and throw them before real request handling.Dock
A
5

HTTP_HOST is a part of the client's HTTP request and specifies which host name the request is to be directed to. It is necessary to tell apart the right site in a multi-site setup.

If HTTP_HOST is not set, the client is either very, very old (HTTP 1.0 doesn't support HTTP_HOST) or has made a request directly to your web site's IP.

I can't see any harm in blocking that the way you do. However if you are worried about traffic, it might be wiser to fix this on web server level.

Aluminize answered 1/1, 2011 at 12:49 Comment(1)
That's probably also a good way to differentiate them. But the Host: header was supported in HTTP 1.0, and many 1.0 clients actually send it. It's just that it was made mandatory for HTTP 1.1 compliance, #4032912Countermarch
F
1

If you're using HTTP/3 with Nginx versions 1.25 or 1.26, the HTTP_HOST variable does not exist in $_SERVER due to a bug in Nginx.

Please refer to the discussion on php-src@GitHub and nginx-quic@Github.

Considering https://mailman.nginx.org/pipermail/nginx-devel/2024-January/LCIUMLKCM2EBMEMTU3KXMW74AP2C4FYZ.html , nginx does it (emulates host header) already for HTTP/2 so the best solution would be if they did for HTTP/3 as well. There's nothing we can do on PHP side so closing this.

From @bukka

As a temporary solution, I manually set the HTTP_HOST in $_SERVER at the start of the PHP script since the HTTP_HOST does not change for a live website.

$_SERVER["HTTP_HOST"] = "www.example.com";
Flaminius answered 4/7 at 12:30 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.