shibboleth
added shibboleth_getenv
We're running various hosting services on our campus using different installations of PHP. Some folks have mod_php with the standard behavior. Others are using Apache + mod_fastcgi + php-fpm. On those servers, the Apache httpd rewrites all the environment variables from Shibboleth by prefixing them with 'REDIRECT_'. So for example,
eppn => REDIRECT_eppn
givenName => REDIRECT_givenName
etc.
One of our problems is that we'd like to offer the ability to move to newer PHP versions on the same server, which means moving from mod_php to mod_fastcgi and hoping that we don't break WordPress and this Shibboleth plugin in particular.
The pull request is to include the code that I added to allow this plugin to handle Shibboleth environment variables the same way, regardless of whether the PHP engine is running as mod_php or mod_fastcgi. I've tested this modification on my WordPress 4.2.2 test server, using mod_php 5.3.x and mod_fastcgi+php-fpm 5.4.x, 5.5.x, and 5.6.x. It appears to work correctly and transparently.
Overall, very nice. Happy to see that this is working on a larger variety of setups.
I agree with jrchamp's suggestions. I've replaced my function with his and tested it on my server. Still works as expected.
@cjbnc, would you update this PR so that it doesn't conflict any longer, please? mitcho may accept it then.
Here's the rebased copy I'm using: https://github.com/mitcho/shibboleth/compare/master...jrchamp:pr_getenv
@mitcho, would you mind merging the pull request with the rebased copy by jrchamp?
Hi all,
I'm trying to identify why this is needed (for srguglielmo/SimpleShib#1). I'm running Apache 2.4, PHP 7.0 via FPM and mod_proxy_fcgi. My HTTP headers are not prefixed with REDIRECT_ (or anything else).
Additionally, I confirmed in the PHP IRC support channel on Freenode that this is non-standard and HTTP headers are not prefixed automatically based on mod_php/fpm/etc.
In rfc3875 section 4.1.18:
Meta-variables with names beginning with "HTTP_" contain values read from the client request header fields, if the protocol used is HTTP. The HTTP header field name is converted to upper case, has all occurrences of "-" replaced with "_" and has "HTTP_" prepended to give the meta-variable name.
However, Apache's mod_shib sends headers without the HTTP_ prefix (preventing client forgery). As such, the shib headers should be accessed via $_SERVER['eppn'].
What are the details of the environment in which this is happening? Even if the environment is behind a reverse proxy, the headers are generated via mod_shib on the local Apache instance and should not change...
It's likely that the REDIRECT_ prefix is being added by mod_rewrite
All of my webservers still running RHEL6 + Apache 2.2.15 + mod_fastcgi-2.4.6 + php-fpm have this behavior. So does my RHEL7/Apache 2.4 based cpanel server running its PHP version picker (which I believe is fpm based).
Ok, I did some research on this. I think the difference is the cgi module being used. It looks like there are three available:
- mod_fastcgi, a 3rd party Apache module released under a custom open-source license. Website offline, not sure if this is supported upstream (but there seem to be forks around).
- mod_fcgid, originally 3rd party, but moved to Apache core in 2009.
- mod_proxy_fcgi, new in Apache 2.4, officially part of Apache core.
I'm using mod_proxy_fcgi in 2.4 on RHEL7. I created a ticket to track this for my plugin.
Thanks for the info!
Sources: https://serverfault.com/a/783176 https://en.wikipedia.org/wiki/FastCGI#Web_Servers_that_implement_FastCGI
Hello, thank you for submitting this patch. I released version 1.8 today to resolve this and other issues and included a shoutout for your patch. I am the new maintainer of the plugin and all further work on the plugin will be done in a new GitHub repository. If you have any further issues, please don't hesitate to report them in the new repository.
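The lookup behaviour discussed in this thread, as an added example that is not the plugin's own shibboleth_getenv() and not written by any participant above: it reads an attribute under its bare name or under the REDIRECT_ prefix, and never falls back to HTTP_* variables, which RFC 3875 reserves for client request headers. The function name example_shib_attr, the depth limit and the sample arrays are assumptions; it goes slightly beyond the thread by also accepting the stacked REDIRECT_REDIRECT_ form Apache produces after more than one internal redirect.

```php
<?php
// Added example; hypothetical helper, not the plugin's shibboleth_getenv().

/**
 * Look up a Shibboleth attribute in a $_SERVER-style array.
 * Tries <name>, then REDIRECT_<name>, REDIRECT_REDIRECT_<name>, ...
 * HTTP_* keys are never consulted: those carry client request headers.
 */
function example_shib_attr(string $name, array $server, int $maxRedirects = 3): ?string
{
    // Refuse names that would resolve to client-supplied header variables.
    if ($name === '' || stripos($name, 'HTTP_') === 0) {
        return null;
    }

    $key = $name;
    for ($i = 0; $i <= $maxRedirects; $i++) {
        if (isset($server[$key]) && is_string($server[$key]) && $server[$key] !== '') {
            return $server[$key];
        }
        // Each internal redirect in Apache adds one more REDIRECT_ prefix.
        $key = 'REDIRECT_' . $key;
    }

    return null;
}

// Constructed sample environments (not captured from a real server).
$samples = [
    'mod_php'              => ['eppn' => 'alice@example.edu'],
    'mod_fastcgi'          => ['REDIRECT_eppn' => 'alice@example.edu'],
    'two redirects'        => ['REDIRECT_REDIRECT_eppn' => 'alice@example.edu'],
    // A client sending "eppn:" or "REDIRECT_eppn:" request headers only
    // ever produces HTTP_-prefixed variables, which are ignored here.
    'forged headers only'  => [
        'HTTP_EPPN'          => 'admin@example.edu',
        'HTTP_REDIRECT_EPPN' => 'admin@example.edu',
    ],
];

foreach ($samples as $label => $env) {
    $eppn = example_shib_attr('eppn', $env);
    printf("%-20s eppn=%s\n", $label, $eppn === null ? '(none)' : $eppn);
}
```

In a plugin the second argument would be `$_SERVER`; a null result means no Shibboleth session attribute was present and the request should be treated as unauthenticated.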