hours changed; totalhours set

chris — Tue, 19 Jul 2016 10:53:32 GMT

hours changed from 0 to 0.5
totalhours set to 0.5

For Apache we need to unset any incoming PROXY headers:

RequestHeader unset Proxy early

For the Nginx reverse proxy to php5-fpm this needs adding to remove the PROXY header from incoming HTTP requests:

fastcgi_param HTTP_PROXY "";

So on Crin1, which is running Apache, the following was added to all the VirtualHosts:

        <IfModule headers_module>
                # https://httpoxy.org/
                RequestHeader unset Proxy early
        </IfModule>

On Crin2 every section of Nginx configuration which passes requests to php5-fpm and or Tomcat had the following added:

fastcgi_param HTTP_PROXY "";

On Crin4 the same was done as for Crin2 but also this was added for the dev site proxy to the live site for media files:

proxy_set_header Proxy "";

status changed; resolution set

chris — Tue, 19 Jul 2016 10:55:23 GMT

status changed from new to closed
resolution set to fixed

hours, totalhours changed

chris — Tue, 19 Jul 2016 12:25:30 GMT

hours changed from 0 to 0.25
totalhours changed from 0.5 to 0.75

Testing this on Crin1, creating a https://wiki.crin.org/w/asdfagagda.php test file containing:

<?php
// Show all information, defaults to INFO_ALL
phpinfo();
// Show just the module information.
// phpinfo(8) yields identical results.
//phpinfo(INFO_MODULES);
?>

And using the Firefox Modify Headers and livehttpheaders add ons to test:

https://wiki.crin.org/w/asdfagagda.php
GET /w/asdfagagda.php HTTP/1.1
Host: wiki.crin.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Proxy: http://foo.bar/
Connection: keep-alive
HTTP/1.1 200 OK
Date: Tue, 19 Jul 2016 12:15:34 GMT
Server: Apache/2.4.10 (Debian)
Strict-Transport-Security: max-age=31536000
X-Frame-Options: sameorigin
Vary: Host,Accept-Encoding
Content-Encoding: gzip
Content-Length: 27158
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
----------------------------------------------------------

And the HTTP_PROXY env var isn't set, so that worked, deleting the asdfagagda.php file.

Testing on Crin4 (on the basis that if it is fixed here it'll be fixed on the live server), created /var/www/dev/docroot/asgaadgagad.php and testing it via https://dev.crin.org/asgaadgagad.php and the HTTP_PROXY env var isn't set, so the fix works:

https://dev.crin.org/asgaadgagad.php
GET /asgaadgagad.php HTTP/1.1
Host: dev.crin.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Proxy: http://foo.bar/
Connection: keep-alive
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Tue, 19 Jul 2016 12:22:28 GMT
Content-Type: text/html; charset=UTF-8
php-cache: HIT
Content-Encoding: gzip
X-Firefox-Spdy: 3.1
----------------------------------------------------------

CRIN Trac: Ticket #78: HTTP_PROXY possible security risk

hours changed; totalhours set

status changed; resolution set

hours, totalhours changed