Apache 2.4 + PHP-FPM 和授权标头 [英] Apache 2.4 + PHP-FPM and Authorization headers

问题描述

总结:Apache 2.4 的 mod_proxy 似乎没有将 Authorization 标头传递给 PHP-FPM.有没有什么办法解决这一问题?

Summary: Apache 2.4's mod_proxy does not seem to be passing the Authorization headers to PHP-FPM. Is there any way to fix this?

长版:我正在运行带有 Apache 2.4 和 PHP-FPM 的服务器.我将 APC 用于操作码缓存和用户缓存.按照网上的推荐，我使用 Apache 2.4 的 mod_proxy_fcgi 将请求代理到 FPM，如下所示:

Long version: I am running a server with Apache 2.4 and PHP-FPM. I am using APC for both opcode caching and user caching. As recommended by the Internet, I am using Apache 2.4's mod_proxy_fcgi to proxy the requests to FPM, like this:

ProxyPassMatch ^/(.*\.php)$ fcgi://127.0.0.1:9000/foo/bar/$1

设置工作正常，除了一件事:APC 捆绑的 apc.php，用于监控 APC 的状态不允许我登录(需要查看用户缓存条目).当我单击用户缓存条目"以查看用户缓存时，它要求我登录，单击登录按钮显示通常的 HTTP 登录表单，但输入正确的登录名和密码没有成功.当使用 mod_php 而不是 mod_proxy + php-fpm 运行时，此功能运行良好.

The setup works fine, except one thing: APC's bundled apc.php, used to monitor the status of APC does not allow me to log in (required for looking at user cache entries). When I click "User cache entries" to see the user cache, it asks me to log in, clicking on the login button displays the usual HTTP login form, but entering the correct login and password yields no success. This function is working perfectly when running with mod_php instead of mod_proxy + php-fpm.

经过一番谷歌搜索后，我发现其他人也有同样的问题，并发现这是因为 Apache 没有将 Authorization HTTP 标头传递给外部 FastCgi 进程.不幸的是，我只找到了 mod_fastcgi 的修复程序，如下所示:

After some googling I found that other people had the same issue and figured out that it was because Apache was not passing the Authorization HTTP headers to the external FastCgi process. Unfortunately I only found a fix for mod_fastcgi, which looked like this:

FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi -host 127.0.0.1:9000 -pass-header Authorization

是否有等效的设置或一些解决方法也适用于 mod_proxy_fcgi?

Is there an equivalent setting or some workaround which would also work with mod_proxy_fcgi?

推荐答案

各种 Apache 模块都会去除 Authorization 标头，通常是出于安全原因".它们都有不同的模糊设置，您可以调整以否决这种行为，但您需要确切地确定应该归咎于哪个模块.

Various Apache modules will strip the Authorization header, usually for "security reasons". They all have different obscure settings you can tweak to overrule this behaviour, but you'll need to determine exactly which module is to blame.

您可以通过 env 将标头直接传递给 PHP 来解决此问题:

You can work around this issue by passing the header directly to PHP via the env:

SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1

另见Zend Server Windows - 授权标头未传递给 PHP 脚本

在某些情况下，即使这样也不能直接工作，您还必须更改 PHP 代码以访问 $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] 而不是 $_SERVER['HTTP_AUTHORIZATION'].请参阅 在 Apache RewriteRule 指令中设置环境变量时，是什么导致变量名称以REDIRECT_"为前缀?

In some scenarios, even this won't work directly and you must also change your PHP code to access $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] rather than $_SERVER['HTTP_AUTHORIZATION']. See When setting environment variables in Apache RewriteRule directives, what causes the variable name to be prefixed with "REDIRECT_"?

这篇关于Apache 2.4 + PHP-FPM 和授权标头的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！