gunter

production site: all admin view links showing to localhost...

I have the actual version of pw,

I had my pw installation at my localhost and copied 2 days ago everything to my production server,

everything ok... but today I noticed that all *view page* links in the admin are showing to my localhost...


@gunter: see if httpHosts setting is in place in your /site/config.php and contains only "localhost", that's the most likely culprit.

Ryan: if you're reading this and if aforementioned really is the problem here, I'd say that this is an issue that should be dealt with.. personally I'm against this whole setting (I'm seeing more issues than benefits there), but at least it should stay out of way as far as possible -- opt-in instead of opt-out.

  • Like 4


hm, thanks a lot!!! I changed it to array('') ...and it works now!


/**
* Installer: HTTP Hosts Whitelist
*
*/
$config->httpHosts = array('localhost');
 


An HTTP hosts whitelist is important from a security aspect because http_host comes from the request rather than from the server... Meaning it can be forged. Maybe not a big deal since we always sanitize it, until you are dealing with cache, which then opens up the possibility of cache poisoning for any page that makes use of the http host. Imagine a hacker priming your cache with their own URL. Unfortunately, PHP's safe server_name variable is not reliable enough to reflect the potential diversity of http host names. So the only safe thing to do is to have a whitelist. If you aren't using the whitelist, I recommend adding it to your config.php.

It's actually a little unusual for the http host to be used in PW because usually you'd just use the url() methods, which just output paths and not hosts. There's really no reason to use httpUrl() in most cases. So if you are using it, double check that you need to - it's extra unnecessary bytes unless you need to switch hostnames or schema. But with the next version of ProCache supporting multi-hosts, having an http host whitelist is now absolutely necessary.

  • Like 1


Isn't host header exactly what the server uses to decide which site, if any, to serve.. or could it be that this is specific to virtual host setups? Those have been the most efficient option for me so far, so I haven't really had to set anything else up, which could explain why I'm having trouble following you here. With that kind of setup your vhost files include all possible hosts for each site, in which case whole httpHosts whitelist seems unnecessary (and even confusing) repetition :)

Just gave this a try on my own site by providing dummy host header (testing via telnet) and that -- as expected -- resulted in Apache default page showing up. I'm not seeing how anyone could use that for their benefit. Then again, if this isn't always the case, there definitely could be potential for abuse.

Also: the problem, as explained by @gunter, is with ProcessPageEdit; it uses httpUrl for view links. That does seem a bit weird, so perhaps it's a leftover or something?


Thanks for that! I stand corrected; I did not know that requesting an absolute URI would result in Host header being ignored. That's quite interesting -- or "frightening" even, as one commenter there pointed out about the whole thing.

Now the only thing I'm not getting here is that wouldn't it, in this case, make more sense to look for an absolute URI in REQUEST_URI and if found, use that instead of host header? I guess this wouldn't solve the problem for various dedicated hosting setups, though, so perhaps it's not really viable "global" solution.

I guess I'm mostly annoyed about having to keep an up-to-date list of hosts in multiple places instead of letting Apache take care of that. So much potential for unexpected misconfigurations :)

admin.view cans sswich frm http https

httpUrl necessarios

This is exactly what I don't understand -- why would I want to redirect user from HTTPS to HTTP when "view" is clicked? Not much of a problem usually, but I find it a bit strange :)

.. and back to the original topic:

Personally I still feel that this is a problem. When installed locally, PW offers "localhost" as the default httpHosts value. That's fine until you move the site to your web host and suddenly things won't work. I'm afraid that a lot of people won't really think twice about that setting or even remember it exists.

Of course it might be just me who's got such a crappy memory, but I wouldn't be surprised if topics like this started popping up quite often. Not sure if there's any bulletproof solution to this, though (other than making this an optional security setting, that is -- and making security "optional" always sounds awful).


So, is the solution to the original question to add domain names to the whitelist in config.php, like below?

/**
* Installer: HTTP Hosts Whitelist
*
*/
$config->httpHosts = array('localhost','example.com','www.example.com');


I have mine set up as virtual hosts, actually two. If this matches my domain name then I presume it will be of no issue?


@etling: that's right, include the domains you'll want to use this site with there and things should work just fine.

@bwakad: sorry, I'm not really sure what you're saying there, but whatever domains your site uses need to be included in httpHosts config setting. It's that simple.


I had ('localhost','www.domain.net') and it still said localhost in the view links and admin pages <title>, then I switched their order and now the links are going to www.domain.net/~username... How do I get rid of the ~username part?


Sounds like you might need to add this to your .htaccess file. There are some commented examples already in that file.

RewriteBase /~username/


Bumping this old thread to shine some light on an obscure fact about that whitelist for domain names. Here's my story:


Moved site from development server to real server. Some users (not all) reported View links sending them to the development server. Never happened to other users.

Clearing browser cache did not help. Dumping DB and searching text for the development server domain name did not turn up anything. The only place I could find the development server domain name was in the config file in the array defining $config->httpHosts.

Documentation calls $config->httpHosts a whitelist so I assumed I could put both the dev and real domain names in the list and maintain a single config file to use in both places.

It's not just a whitelist!!

The source code of ProcessWire.php explains that if you have not explicitly set $config->httpHost (note: no "s" on end) and the PHP vars for $_SERVER['SERVER_NAME'] and $_SERVER['HTTP_HOST'] don't match anything in $config->httpHosts (with "s") the getHttpHost function defaults to...

"no valid host found, default to first in whitelist"

The server's environment variables had the domain with www on it but the server accepts URLs with or without the www and people use either one. My dev site was the first one in the list.

  • Like 4
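The two behaviours discussed in this thread (a forged Host header never being echoed back, and the fallback to the first whitelist entry) shown side by side, as an added example that is not ProcessWire's code or any poster's. `resolveHttpHost()`, the host names and the lookup order are assumptions made for illustration.

```php
<?php
// Added illustration: models the host selection described in this thread.
// resolveHttpHost() is a hypothetical helper, not ProcessWire's getHttpHost().

function resolveHttpHost(array $whitelist, array $server, string $explicit = ''): string {
    // An explicitly configured $config->httpHost (no "s") wins outright.
    if ($explicit !== '') return $explicit;

    // Check the two $_SERVER values the post names; this order is an assumption.
    foreach (['SERVER_NAME', 'HTTP_HOST'] as $key) {
        $host = strtolower(trim($server[$key] ?? ''));
        if ($host !== '' && in_array($host, $whitelist, true)) return $host;
    }

    // "no valid host found, default to first in whitelist"
    return $whitelist[0] ?? '';
}

// Constructed sample whitelists: dev host listed first vs. production first.
$devFirst  = ['dev.example.com', 'www.example.com'];
$prodFirst = ['www.example.com', 'example.com', 'dev.example.com'];

// Constructed sample requests (values as they would appear in $_SERVER).
$requests = [
    'www request'        => ['SERVER_NAME' => 'www.example.com', 'HTTP_HOST' => 'www.example.com'],
    'non-www request'    => ['SERVER_NAME' => 'example.com',     'HTTP_HOST' => 'example.com'],
    'forged Host header' => ['SERVER_NAME' => '',                'HTTP_HOST' => 'attacker.invalid'],
];

foreach ($requests as $label => $server) {
    printf("%-20s dev-first: %-18s prod-first: %s\n", $label,
        resolveHttpHost($devFirst, $server),
        resolveHttpHost($prodFirst, $server));
}
```

With the dev host first, both the non-www request and the forged header resolve to `dev.example.com`; with production first and every served name listed, the forged header is the only case that reaches the fallback.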


@SteveB: thanks for sharing this. Generally speaking I'd advise against a setup where the site can be accessed with both www and non-www domain – for reasons that include SEO considerations, caching, and consistency in general – but there are many situations where multiple httpHosts can (and should) be present and this kind of situation might occur, in which case it's good to keep this feature in mind :)

  • Like 2

