Define a proxy for Nginx

Jonathan Matthews contact at jpluscplusm.com
Wed Nov 6 09:24:07 UTC 2013


On 5 November 2013 15:25, António P. P. Almeida <appa at perusio.net> wrote:
> Assuming you're using php-fpm or php-cgi you can set a param to pass that as
> a server variable:
>
> fastcgi_param HTTP_PROXY 'http://proxy:myport';
>
> Then you'll have a $_SERVER['HTTP_PROXY'] entry for the global $_SERVER.

I don't think this is right, for a couple of reasons.

Firstly, some reading has suggested that there isn't a way to force
the stock PHP HTTP request libraries to use a proxy just by setting an
envvar. Witness, for instance, the code-level changes that are
(/were?) required to get a relatively mainstream piece of s/w like WP
to work with an outbound proxy:
http://wpengineer.com/1227/wordpress-proxysupport/

Secondly, the specific string mentioned would (unless I'm missing
something, which is very possible!) open a security hole: $_SERVER
contains all user-specified HTTP request headers with added "HTTP_"
prefixes. The method suggested, if it worked, would mean that, as a
user, I could simply provide a "Proxy: my.proxy.server.ip" header and
get all outbound HTTP traffic (for my request) proxied via *my*
external server. Thereby exposing internal information such as 3rd
party API passwords, internal HTTP API call details, etc etc.

Again, I may be missing something with either of these points but,
obviously, I don't see what it might be! :-)

Regards,
Jonathan
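
The header-to-variable mapping described in the message above, as an added example that is not part of the original post and is not nginx or PHP code: it models the RFC 3875 rule that turns a request header into an `HTTP_*` variable and shows how a client-supplied `Proxy` header lands on the name `HTTP_PROXY`. The function names, the `RESERVED` set, the rule that operator-set parameters take precedence, and the sample request are assumptions made for illustration.

```python
# Added example: models the RFC 3875 header-to-variable mapping.
RESERVED = frozenset({"HTTP_PROXY"})  # names only the operator may set (assumption)


def meta_name(header: str) -> str:
    """RFC 3875 section 4.1.18: upper-case, '-' becomes '_', 'HTTP_' prefix."""
    return "HTTP_" + header.upper().replace("-", "_")


def build_env(client_headers, operator_params=None, drop_reserved=False):
    """Return {name: (value, origin)} as a gateway would hand it to the app.

    origin is 'client' or 'operator'. The application only ever sees the
    value, so it cannot tell the two apart.
    """
    env = {}
    for header, value in client_headers:
        name = meta_name(header)
        if drop_reserved and name in RESERVED:
            continue  # refuse to let a request header claim a reserved name
        env[name] = (value, "client")
    # Assumption of this model: explicitly configured parameters win.
    for name, value in (operator_params or {}).items():
        env[name] = (value, "operator")
    return env


def client_controlled(env, names=RESERVED):
    """Reserved names whose value came from the request, i.e. the findings."""
    return sorted(n for n in names if env.get(n, ("", ""))[1] == "client")


# Constructed sample request; header names are case-insensitive on the wire.
SAMPLE = [("Host", "app.example"), ("proxy", "http://203.0.113.7:3128")]

if __name__ == "__main__":
    # No operator value, no filtering: the request decides HTTP_PROXY.
    print(client_controlled(build_env(SAMPLE)))
    # Filtering at the gateway removes the client-chosen value.
    print(client_controlled(build_env(SAMPLE, drop_reserved=True)))
    # An operator-set value replaces the client one in this model.
    print(build_env(SAMPLE, {"HTTP_PROXY": "http://proxy:myport"})["HTTP_PROXY"])
```
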


