DrQuincy Posted July 31, 2020

In site/config I always thought $config->httpHosts was a list of HTTP hosts that were allowed to run the site. E.g. if domain1.com, www.domain1.com, domain2.com and www.domain2.com were all pointing to the web root and you only had ['domain1.com', 'www.domain1.com'] in $config->httpHosts then it prevents domain2.com and www.domain2.com from being allowed on the site (so you'd redirect them site-wide via .htaccess instead).

But I have just been playing around with it and it doesn't seem to make a difference what the values of this array are. What does $config->httpHosts do exactly?

Thanks.

kixe Posted July 31, 2020

> 1 hour ago, DrQuincy said:
> What does $config->httpHosts do exactly?

Nearly nothing. Displays a warning in the backend and "HTML Markup Quality Assurance" displays a message in debug mode when sleepLinks() detects an absolute URL in a textarea field that does not refer to an allowed host.

However, you can add functionality to check the current host.

```php
$this->wire('config')->httpHost
```

https://processwire.com/api/ref/config/#pwapi-methods-HTTP-and-input
https://processwire.com/docs/start/variables/config/#httphosts

horst Posted July 31, 2020

> 2 hours ago, DrQuincy said:
> (so you'd redirect them site-wide via .htaccess instead).

If you need redirecting to the final domain name, you may have a look at this snippet. But you have to add it manually somewhere at the top of your root .htaccess file.

```apache
################################################################################
# Force domain name
#
<IfModule mod_rewrite.c>
    RewriteEngine On
    AddDefaultCharset UTF-8

    # Redirect the listed alternative host names to the canonical domain
    RewriteCond %{HTTP_HOST} ^example\.com [OR]
    RewriteCond %{HTTP_HOST} ^example-variation\.com [OR]
    RewriteCond %{HTTP_HOST} ^www\.example-variation\.com
    RewriteRule ^(.*)$ https://www.example.com/$1 [L,R=301]

    # Redirect any remaining plain-HTTP request to HTTPS on the same host
    RewriteCond %{HTTPS} !=on
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</IfModule>
#
################################################################################
```

teppo Posted July 31, 2020

Probably worth mentioning that since this setting prevents ProcessWire from using unfamiliar hosts in output, it's actually pretty important:

1. Let's say that your server was configured to serve your site with any host that a visitor happens to provide. (I've seen this happen, but admittedly it's a major configuration fumble.)
2. Someone points some-weird-and-perhaps-malicious-domain.tld to your site, and then visits the site using said domain. This could be intentional, or even an accident (again this is something I've seen happen, as weird as it may sound.)
3. Finally some code — your own, or perhaps code from a third party module, or even some core feature — asks ProcessWire for the full hostname, and makes use of it in output.

Now, if the $config->httpHosts setting didn't exist, ProcessWire would have no way to know which domains are valid, and it would just have to trust that the domain specified by the user is indeed a valid one. Any output using this potentially malicious domain could then get cached, leading to various cache poisoning related issues: redirecting other visitors to this domain, or perhaps making the visitor or ProcessWire itself unknowingly send private data there, thus granting a third party access to it.

JayGee Posted February 23, 2021

Sorry to necro an old post, but I was searching for a pointer on a PW .htaccess config (@horst's post above super useful btw, thanks).

@teppo your reply got me thinking - wouldn't it therefore be useful/better if PW were to auto redirect any invalid host requests back to the first domain in the httpHosts array rather than successfully loading the page for the reasons you've outlined - or maybe it should throw an error?

I get that it picks it up in debug mode or when you're logged into dashboard, but maybe not ever showing someone a page using an unlisted host on the frontend would be safer?

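The behaviour JayGee proposes, sketched as an added example (not part of the thread and not ProcessWire core code): the raw Host header is compared against the $config->httpHosts allowlist, and any redirect is built from the allowlist's first entry only. hostDecision() and the sample hosts are hypothetical; the commented wiring assumes an HTTPS site and placement in /site/init.php.

```php
<?php
// Added example: hostDecision() and the sample hosts are hypothetical names,
// not ProcessWire API. $allowed has the shape of $config->httpHosts.

/**
 * Decide how to answer a request from its raw Host header.
 * Returns ['serve', host], ['redirect', url] or ['reject', null].
 */
function hostDecision(?string $rawHost, array $allowed, string $path): array
{
    if (!$allowed) {
        return ['reject', null];   // no allowlist configured: trust nothing
    }
    $host = strtolower(trim((string) $rawHost));
    // Only a plain host[:port] is accepted; anything else is malformed.
    if (!preg_match('/^[a-z0-9.-]+(:\d{1,5})?$/', $host)) {
        return ['reject', null];
    }
    if (in_array($host, $allowed, true)) {
        return ['serve', $host];
    }
    // Unknown host: build the target from the allowlist's first entry only,
    // never from the client-supplied Host header.
    if ($path === '' || $path[0] !== '/') {
        $path = '/';
    }
    return ['redirect', 'https://' . reset($allowed) . $path];
}

// Constructed sample data: the allowlist from the first post and a few
// Host values a client could send.
$httpHosts = ['domain1.com', 'www.domain1.com'];
foreach (['www.domain1.com', 'DOMAIN1.com', 'www.domain2.com', 'domain2.com/x', null] as $h) {
    [$action, $value] = hostDecision($h, $httpHosts, '/about/');
    printf("%-18s => %-8s %s\n", var_export($h, true), $action, $value ?? '');
}

// Possible wiring early in a request (assumed placement: /site/init.php):
//   [$action, $url] = hostDecision($_SERVER['HTTP_HOST'] ?? null,
//                                  $config->httpHosts, $_SERVER['REQUEST_URI'] ?? '/');
//   if ($action === 'redirect') { header('Location: ' . $url, true, 301); exit; }
//   if ($action === 'reject')   { http_response_code(400); exit; }
```

Because the response for an unlisted host is either a redirect to a listed one or a 400, no page body is ever rendered, and therefore never cached, under a host name the site owner did not approve.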