FedoraForum.org - Fedora Support Forums and Community
  1. #1
    Join Date
    Oct 2017
    Location
    alaska
    Posts
    32

    php $_SERVER[] variables are not set correctly in Fedora

    Even when I connect to my server via https on port 443, and no, the connection is not being proxied or tunneled in any way, the following assertions are true.
    PHP Code:
    !isset($_SERVER['HTTPS'])

    $_SERVER['SERVER_PORT'] == '80' 
    even though the actual connection is secure to port 443.

    Relevant code snippet
    PHP Code:
    // Branch on the port Apache reports for this request.
    if (isset($_SERVER['SERVER_PORT'])) switch ($_SERVER['SERVER_PORT'])
    {
    case '80':
            // Reported as plain HTTP: link to the HTTPS version of the site.
            echo '<h1 style="color:red;">HTTP insecure connection</h1>' . "\n"
                    . '<p>please consider using '
                    . '<a href="https://'
                    . $_SERVER['SERVER_NAME']
                    . '/">https</a></p>' . "\n";
            break;
    case '443':
            echo '<h1 style="color:green">HTTPS</h1>' . "\n"
                    . 'your connection is secure';
            break;
    default:
            echo '<h1 style="color:yellow">UNKNOWN PROTOCOL PORT ' . $_SERVER['SERVER_PORT'] . "</h1>\n";
    }

    from this page https://miel.colmena.biz/

    see https://miel.colmena.biz/phpinfo.php for the output of phpinfo().
    Last edited by justinacolmena; 10th November 2017 at 09:29 PM. Reason: line break for clarity

  2. #2
    Join Date
    Oct 2017
    Location
    alaska
    Posts
    32

    Re: php $_SERVER[] variables are not set correctly in Fedora

    So ecommerce of any kind is impossible on Fedora. That shopping cart application will not run when
    PHP Code:
    !isset($_SERVER['HTTPS']) && $_SERVER['SERVER_PORT'] == '80'

  3. #3
    Join Date
    Oct 2017
    Location
    alaska
    Posts
    32

    Re: php $_SERVER[] variables are not set correctly in Fedora

    I'm a bloodhound, something really, really smells about this, and I'm staying on the trail. They silenced Stefan Esser of PHP security research fame, and now they've crippled php entirely? What is going on here?


  4. #4
    Join Date
    Sep 2004
    Location
    Champagne
    Posts
    120

    Re: php $_SERVER[] variables are not set correctly in Fedora

    Sorry, but I cannot reproduce this issue, from phpinfo;

    $_SERVER['HTTPS'] on
    $_SERVER['SERVER_PORT'] 443

  5. #5
    Join Date
    Oct 2017
    Location
    alaska
    Posts
    32

    Re: php $_SERVER[] variables are not set correctly in Fedora

    Quote Originally Posted by remi
        Sorry, but I cannot reproduce this issue, from phpinfo;

        $_SERVER['HTTPS'] on
        $_SERVER['SERVER_PORT'] 443

    Vague denial is not helpful. Details? Proof? Software version?

  6. #6
    Join Date
    Oct 2017
    Location
    alaska
    Posts
    32

    Re: php $_SERVER[] variables are not set correctly in Fedora

    I think I may have solved my own problem here. Various SELinux permissions for httpd:

    Code:
    [root@miel ~]# getsebool -a | grep httpd_can_
    httpd_can_check_spam --> off
    httpd_can_connect_ftp --> off
    httpd_can_connect_ldap --> off
    httpd_can_connect_mythtv --> off
    httpd_can_connect_zabbix --> off
    httpd_can_network_connect --> on
    httpd_can_network_connect_cobbler --> off
    httpd_can_network_connect_db --> on
    httpd_can_network_memcache --> off
    httpd_can_network_relay --> off
    httpd_can_sendmail --> off
    [root@miel ~]#
    It seems to be necessary to set at least two of these variables ON with the -P option in order to actually enable httpd to connect to an external database.

    Code:
    [root@miel ~]# setsebool -P httpd_can_network_connect 1
    [root@miel ~]# setsebool -P httpd_can_network_connect_db 1
    [root@miel ~]#
    OFF-TOPIC (by-the-way):
    The following permission, on the other hand, is unnecessary...

    [root@miel ~]# getsebool httpd_enable_homedirs
    httpd_enable_homedirs --> off
    [root@miel ~]#

    because as an ordinary user I am able to
    Code:
    [justina@miel ~]$ chcon -R -t httpd_sys_content_t public_html/
    [justina@miel ~]$
    to allow httpd to serve my homedir WITHOUT httpd_enable_homedirs...

  7. #7
    Join Date
    Oct 2017
    Location
    alaska
    Posts
    32

    Re: php $_SERVER[] variables are not set correctly in Fedora

    There is an apparently undocumented little directive in httpd.conf

    Code:
    UseCanonicalPhysicalPort On
    ref: https://stackoverflow.com/questions/...verserver-port

    Compare: Apache Environment / SERVER_PORT

    ... But $_SERVER['HTTPS'] is still not set for a secure connection. (Theoretically it is possible to have an insecure plaintext connection on port 443.)
    Last edited by justinacolmena; 14th November 2017 at 10:07 PM. Reason: refs, HTTPS var?
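
Added example, not part of the thread or any poster's code: a fail-closed check that decides "secure" only from `$_SERVER['HTTPS']` and treats `SERVER_PORT` and `REQUEST_SCHEME` as advisory, since the posts above show the reported port changing with `UseCanonicalPhysicalPort`. The function name `classify_transport` and all sample arrays are constructed for illustration.

```php
<?php
// Added example: classify a request's transport from $_SERVER-style input.
// All sample arrays below are constructed for illustration.

/**
 * Returns ['secure' => bool, 'notes' => string[]].
 * Only the HTTPS variable decides "secure"; SERVER_PORT is the canonical
 * port Apache derives from its configuration, so it is reported, not trusted.
 */
function classify_transport(array $server): array
{
    $https  = strtolower((string)($server['HTTPS'] ?? ''));
    $secure = ($https !== '' && $https !== 'off');   // some SAPIs report "off"
    $port   = (string)($server['SERVER_PORT'] ?? '');
    $notes  = [];

    if ($secure && $port !== '' && $port !== '443') {
        $notes[] = "HTTPS is set but SERVER_PORT is $port (canonical port, or TLS on another port)";
    }
    if (!$secure && $port === '443') {
        $notes[] = 'SERVER_PORT is 443 but HTTPS is not set: do not treat as secure';
    }
    if (!$secure && ($server['REQUEST_SCHEME'] ?? '') === 'https') {
        $notes[] = 'REQUEST_SCHEME says https but HTTPS is not set';
    }
    return ['secure' => $secure, 'notes' => $notes];
}

// Constructed inputs mirroring the states described in the thread.
$samples = [
    'post #1 (reported)'     => ['SERVER_PORT' => '80', 'REQUEST_SCHEME' => 'http'],
    'post #4 (phpinfo)'      => ['HTTPS' => 'on', 'SERVER_PORT' => '443'],
    'plaintext on port 443'  => ['SERVER_PORT' => '443', 'REQUEST_SCHEME' => 'http'],
    'HTTPS reported as off'  => ['HTTPS' => 'off', 'SERVER_PORT' => '80'],
    'TLS, canonical port 80' => ['HTTPS' => 'on', 'SERVER_PORT' => '80'],
];

foreach ($samples as $label => $server) {
    $r = classify_transport($server);
    printf("%-24s %s\n", $label, $r['secure'] ? 'secure' : 'NOT secure');
    foreach ($r['notes'] as $note) {
        echo "    note: $note\n";
    }
}
```

When `HTTPS` is not exported at all, as in the first post, this check reports "NOT secure" even over TLS, so the application fails closed until the server configuration is corrected.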

  8. #8
    Join Date
    Oct 2017
    Location
    alaska
    Posts
    32

    Re: php $_SERVER[] variables are not set correctly in Fedora

    This is not at all a complete solution
    https://miel.colmena.biz/phpinfo.php
    https://stackoverflow.com/questions/...cheme-reliable
    PHP Code:
    $_SERVER['REQUEST_SCHEME'] == 'http' && !isset($_SERVER['HTTPS'])
    Even with /etc/httpd/conf.d/ssl.conf
    Code:
    SSLOptions +StdEnvVars +ExportCertData
    The documented SSL environment variables are not being set.
    https://httpd.apache.org/docs/2.4/mod/mod_ssl.html

    I suspect this is due to a certain "business" userbase with large content distribution networks who offload ssl termination and maintain large unsecured internal networks, and they do not want their sites to "look" any less secure than properly secured sites ssl-terminated at the server.

  9. #9
    Join Date
    Oct 2017
    Location
    alaska
    Posts
    32

    Re: php $_SERVER[] variables are not set correctly in Fedora

    Code:
    [root@miel ~]# dnf list installed | grep selinux
    libselinux.x86_64                       2.6-7.fc26                     @updates 
    libselinux-python3.x86_64               2.6-7.fc26                     @updates 
    libselinux-utils.x86_64                 2.6-7.fc26                     @updates 
    rpm-plugin-selinux.x86_64               4.13.0.2-1.fc26                @updates 
    selinux-policy.noarch                   3.13.1-260.14.fc26             @updates 
    selinux-policy-targeted.noarch          3.13.1-260.14.fc26             @updates 
    [root@miel ~]# setsebool -P httpd_can_network_connect 1
    libsepol.context_from_record: type svnserve_log_t is not defined
    libsepol.context_from_record: could not create context structure
    libsepol.context_from_string: could not create context structure
    libsepol.sepol_context_to_sid: could not convert system_u:object_r:svnserve_log_t:s0 to sid
    invalid context system_u:object_r:svnserve_log_t:s0
    [root@miel ~]# setsebool -P httpd_can_network_connect_db 1
    libsepol.context_from_record: type svnserve_log_t is not defined
    libsepol.context_from_record: could not create context structure
    libsepol.context_from_string: could not create context structure
    libsepol.sepol_context_to_sid: could not convert system_u:object_r:svnserve_log_t:s0 to sid
    invalid context system_u:object_r:svnserve_log_t:s0
    [root@miel ~]#
    It got even worse. A recent update really, really borked the SELinux policy in Fedora. That "svnserve_log_t" type is from a hacked development machine.

    On the other hand it might have been borked before and this fixed it. At any rate,

    Code:
    [root@miel ~]# touch /.autorelabel
    [root@miel ~]# reboot
    Rather brutal, but it works.
    Last edited by justinacolmena; 17th November 2017 at 06:57 AM.
