On 5 November 2013 15:25, António P. P. Almeida <appa@perusio.net> wrote:
> Assuming you're using php-fpm or php-cgi you can set a param to pass that as
> a server variable:
>
> fastcgi_param HTTP_PROXY 'http://proxy:myport';
>
> Then you'll have a $_SERVER['HTTP_PROXY'] entry for the global $_SERVER.
I don't think this is right, for a couple of reasons.
Firstly, some reading has suggested that there isn't a way to force
the stock PHP HTTP request libraries to use a proxy just by setting an
envvar. Witness, for instance, the code-level changes that are
(/were?) required to get a relatively mainstream piece of s/w like WP
to work with an outbound proxy:
http://wpengineer.com/1227/wordpress-proxysupport/
Secondly, the specific string mentioned would (unless I'm missing
something, which is very possible!) open a security hole: $_SERVER
contains all user-specified HTTP request headers with added "HTTP_"
prefixes. The method suggested, if it worked, would mean that, as a
user, I could simply provide a "Proxy: my.proxy.server.ip" header and
get all outbound HTTP traffic (for my request) proxied via *my*
external server. Thereby exposing internal information such as 3rd
party API passwords, internal HTTP API call details, etc etc.
Again, I may be missing something with either of these points but,
obviously, I don't see what it might be! :-)
Regards,
Jonathan
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx