{"id":814,"date":"2017-03-18T17:54:19","date_gmt":"2017-03-18T12:24:19","guid":{"rendered":"https:\/\/www.wikitechy.com\/technology\/?p=814"},"modified":"2017-03-29T14:48:48","modified_gmt":"2017-03-29T09:18:48","slug":"http_host-vs-server_name","status":"publish","type":"post","link":"https:\/\/www.wikitechy.com\/technology\/http_host-vs-server_name\/","title":{"rendered":"PHP-HTTP_HOST vs. SERVER_NAME"},"content":{"rendered":"<h4 id=\"server_name\"><span style=\"color: #ff6600;\"><strong>SERVER_NAME:<\/strong><\/span><\/h4>\n<ul>\n<li>The name of the server host under which the current script is executing.<\/li>\n<li>If the script is running on a virtual host, this will be the value defined for that virtual host.<\/li>\n<li>SERVER_NAME comes from the server\u2019s VirtualHost definition and is therefore considered more reliable.<\/li>\n<li>It can, however, also be manipulated from outside under certain conditions related to how your web server is set up.<\/li>\n<\/ul>\n<h4 id=\"http_host\"><span style=\"color: #808000;\"><strong>HTTP_HOST:<\/strong><\/span><\/h4>\n<ul>\n<li>Contents of the Host: header from the current request, if there is one.<\/li>\n<li>HTTP_HOST is the target host sent by the client. 
It can be manipulated freely by the user.<\/li>\n<li>It\u2019s no problem to send a request to your site asking for a HTTP_HOST<\/li>\n<li>HTTP_HOST vs SERVER_NAME:<\/li>\n<li>Imagine your web server has a default host set up as follows:<\/li>\n<li>UseCanonicalName Off<br \/>\nServerName example.org<\/li>\n<li>The ServerName directive might seem like the only thing that affects $_SERVER['SERVER_NAME'], but is this a safe assumption?<\/li>\n<li>To determine what effect the Host header has, if any, create an index.php in the document root of the default host with the following code:<\/li>\n<\/ul>\n[pastacode lang=\u201dphp\u201d manual=\u201d%3C%3Fphp%20%20%0Aecho%20%22HTTP_HOST%20%5B%7B%24_SERVER%5B%27HTTP_HOST%27%5D%7D%5D%5Cn%22%3B%20%0Aecho%20%22SERVER_NAME%20%5B%7B%24_SERVER%5B%27SERVER_NAME%27%5D%7D%5D%22%3B%20%0A%20%3F%3E%0A\u201d message=\u201dPhp Code\u201d highlight=\u201d\u201d provider=\u201dmanual\u201d\/]\n<p>You can test several different values for Host easily enough with telnet:<\/p>\n[pastacode lang=\u201dphp\u201d manual=\u201dtelnet%20example.org%2080%0A\u201d message=\u201dPhp Code\u201d highlight=\u201d\u201d provider=\u201dmanual\u201d\/]\n<p>Here are a few tests and corresponding results. For each test, we show the exact request and the content of the response.<\/p>\n<p><strong>1. 
No Host, HTTP\/1.0<\/strong><\/p>\n<h4 id=\"request\"><span style=\"color: #808000;\"><strong>Request:<\/strong><\/span><\/h4>\n[pastacode lang=\u201dphp\u201d manual=\u201dGET%20%2F%20HTTP%2F1.0%0A\u201d message=\u201dPhp Code\u201d highlight=\u201d\u201d provider=\u201dmanual\u201d\/]\n<h4 id=\"result\"><span style=\"color: #800080;\"><strong>Result:<\/strong><\/span><\/h4>\n[pastacode lang=\u201dphp\u201d manual=\u201dHTTP_HOST%20%5B%5D%0ASERVER_NAME%20%5Bexample.org%5D\u201d message=\u201dPhp Code\u201d highlight=\u201d\u201d provider=\u201dmanual\u201d\/]\n<p><strong>Empty Host, HTTP\/1.0<\/strong><\/p>\n<h4 id=\"request-2\"><span style=\"color: #ff6600;\"><strong>Request:<\/strong><\/span><\/h4>\n[pastacode lang=\u201dphp\u201d manual=\u201dGET%20%2F%20HTTP%2F1.0%0AHost%3A%0A\u201d message=\u201dPhp Code\u201d highlight=\u201d\u201d provider=\u201dmanual\u201d\/]\n<h4 id=\"result-2\"><span style=\"color: #808000;\"><strong>Result:<\/strong><\/span><\/h4>\n[pastacode lang=\u201dphp\u201d manual=\u201dHTTP_HOST%20%5B%5D%0ASERVER_NAME%20%5B%5D%0A\u201d message=\u201dPhp Code\u201d highlight=\u201d\u201d provider=\u201dmanual\u201d\/]\n<p>With an empty Host, SERVER_NAME is empty.<\/p>\n<p><strong>Empty Host, HTTP\/1.1<\/strong><\/p>\n<h4 id=\"request-3\"><span style=\"color: #808000;\"><strong>Request:<\/strong><\/span><\/h4>\n[pastacode lang=\u201dphp\u201d manual=\u201d%20GET%20%2F%20HTTP%2F1.1%0A%20Host%3A%0A\u201d message=\u201dPhp Code\u201d highlight=\u201d\u201d provider=\u201dmanual\u201d\/]\n<h4 id=\"result-3\"><span style=\"color: #ff6600;\"><strong>Result:<\/strong><\/span><\/h4>\n[pastacode lang=\u201dphp\u201d manual=\u201dHTTP_HOST%20%5B%5D%0ASERVER_NAME%20%5B%5D%0A\u201d message=\u201dPhp Code\u201d highlight=\u201d\u201d provider=\u201dmanual\u201d\/]\n<h4 id=\"request-4\"><span style=\"color: #808000;\"><strong>Request:<\/strong><\/span><\/h4>\n[pastacode lang=\u201dphp\u201d 
manual=\u201dGET%20%2F%20HTTP%2F1.1%0AHost%3A%20%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3E%0A\u201d message=\u201dPhp code\u201d highlight=\u201d\u201d provider=\u201dmanual\u201d\/]\n<h4 id=\"result-4\"><span style=\"color: #800080;\"><strong>Result:<\/strong><\/span><\/h4>\n[pastacode lang=\u201dphp\u201d manual=\u201dHTTP_HOST%20%5B%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3E%5D%0ASERVER_NAME%20%5B%26lt%3Bscript%26gt%3Balert(%27XSS%27)%26lt%3B%2Fscript%26gt%3B%5D%0A\u201d message=\u201dPhp Code\u201d highlight=\u201d\u201d provider=\u201dmanual\u201d\/]\n<p>With a non-empty Host, SERVER_NAME is the HTML-escaped host value.<\/p>\n<p><strong>SQL Injection Host, HTTP\/1.1<\/strong><\/p>\n<h4 id=\"request-5\"><span style=\"color: #808000;\"><strong>Request:<\/strong><\/span><\/h4>\n[pastacode lang=\u201dphp\u201d manual=\u201dGET%20%2F%20HTTP%2F1.1%0AHost%3A%20chris%27%20--%0A\u201d message=\u201dPhp Code\u201d highlight=\u201d\u201d provider=\u201dmanual\u201d\/]\n<h4 id=\"result-5\"><span style=\"color: #ff6600;\"><strong>Result:<\/strong><\/span><\/h4>\n[pastacode lang=\u201dphp\u201d manual=\u201dHTTP_HOST%20%5Bchris%27%20--%5D%20%0ASERVER_NAME%20%5Bchris%27%20--%5D\u201d message=\u201dPhp Code\u201d highlight=\u201d\u201d provider=\u201dmanual\u201d\/]\n<ul>\n<li>As the results show, under certain circumstances the Host header can affect $_SERVER['SERVER_NAME'].<\/li>\n<li>The ServerName directive is used when the Host header is absent, and apparently $_SERVER['SERVER_NAME'] is escaped with something like htmlentities().<\/li>\n<li>Sometimes, it\u2019s hard to tell whether a particular element in $_SERVER can be affected by the HTTP request (ask Sean about PHP_SELF), so I find it easier to treat everything from $_SERVER just as if it were something like $_GET or $_POST.<\/li>\n<li>SERVER_NAME instead of HTTP_HOST<\/li>\n<li>We found a problem with our configuration (nginx 
and php-fpm).<\/li>\n<li>When you define domain in your plugin you are using SERVER_NAME as its value.<\/li>\n<li>SERVER_NAME with this configuration is not the same as HTTP_HOST, so the plugin is not working.<\/li>\n<li>We have changed it to get the SERVER_NAME from HTTP_HOST, which is what the user is really loading in their browser.<\/li>\n<li>With this line in wp-config.php it\u2019s working well:<\/li>\n<\/ul>\n[pastacode lang=\u201dphp\u201d manual=\u201d%24_SERVER%5B%27SERVER_NAME%27%5D%20%3D%20%24_SERVER%5B%27HTTP_HOST%27%5D%3B%0A\u201d message=\u201dPhp Code\u201d highlight=\u201d\u201d provider=\u201dmanual\u201d\/]\n<h4 id=\"get-host-name-or-server-name-in-php\"><span style=\"color: #800080;\"><strong>Get host name or server name in PHP:<\/strong><\/span><\/h4>\n<ul>\n<li>$_SERVER['HTTP_HOST'] gives you host information obtained from the HTTP request header; this is what the client actually used as the \u201ctarget host\u201d of the request.<\/li>\n<li>$_SERVER['SERVER_NAME'] normally returns the same result as $_SERVER['HTTP_HOST'], but is defined in server config.<\/li>\n<li>However, if your server is running behind a proxy, you should use $_SERVER['HTTP_X_FORWARDED_HOST'] and $_SERVER['HTTP_X_FORWARDED_SERVER'] in place of $_SERVER['HTTP_HOST'] and $_SERVER['SERVER_NAME']. Both are ordinary request headers, so rely on them only when your own proxy sets or overwrites them.<\/li>\n<\/ul>\n[pastacode lang=\u201dphp\u201d 
manual=\u201d%2F%2F%20Prefer%20the%20proxy-supplied%20values%20when%20present%2C%20otherwise%20fall%20back%20to%20the%20direct%20ones.%0A%24host_name%20%3D%20isset(%24_SERVER%5B%27HTTP_X_FORWARDED_HOST%27%5D)%20%3F%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%24_SERVER%5B%27HTTP_X_FORWARDED_HOST%27%5D%20%3A%20%24_SERVER%5B%27HTTP_HOST%27%5D%3B%0A%24server_name%20%3D%20isset(%24_SERVER%5B%27HTTP_X_FORWARDED_SERVER%27%5D)%20%3F%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%24_SERVER%5B%27HTTP_X_FORWARDED_SERVER%27%5D%20%3A%20%24_SERVER%5B%27SERVER_NAME%27%5D%3B%0A\u201d message=\u201dPhp Code\u201d highlight=\u201d\u201d provider=\u201dmanual\u201d\/]\n","protected":false},"excerpt":{"rendered":"<p>SERVER_NAME: The name of the server host under which the current script is executing. If the script is running on a virtual host, this will be the value defined for that virtual host. SERVER_NAME comes from the server\u2019s VirtualHost definition and is therefore considered more reliable. It can, however, also be manipulated from outside under [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[1503,1505,1511,1509,1507,1512,1502,1504,1508,1506,1510],"class_list":["post-814","post","type-post","status-publish","format-standard","hentry","category-php","tag-am-i-understanding-the-man-pages-correctly","tag-how-reliable-is-http_host","tag-httpheader-net-as-http_host","tag-incorrect-string-length-of-_serverserver_name","tag-is-there-a-good-alternative-to-_serverserver_name","tag-make-apache-send-a-false-server_name-to-php","tag-php-_serverhttp_host-vs-_serverserver_name","tag-php-redirect-based-on-http_hostserver_name-within-same-domain","tag-php-_server-variables-_serverhttp_host-vs-_serverserver_name","tag-server-variable-is-not-recognizable-in-other-pages","tag-what-does-this-statement-returns-_serverserver_protocol"],"_links":{"self":[{"href":"https:\/\/www.wikitechy.com
\/technology\/wp-json\/wp\/v2\/posts\/814","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/comments?post=814"}],"version-history":[{"count":0,"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/posts\/814\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/media?parent=814"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/categories?post=814"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.wikitechy.com\/technology\/wp-json\/wp\/v2\/tags?post=814"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}