Better FastCGI support (fails on some servers) [#2838218]

We found shield 7.x-1.2 and 7.x-1.3 failing on a number of servers and decided to investigate.

We noticed that the REDIRECT_HTTP_AUTHORIZATION (which could be HTTP_AUTHORIZATION on other servers) was being set and the current CGI checks were failing as the REMOTE_USER value was never set.

Requires Drupal 7.23+ or a small modification to the .htaccess REWRITE rules for older versions.

This appears to be the normal practice for other modules that use HTTP authentication on FastCGI.

Comment	File	Size	Author
#2	shield-2838218-fastcgi-support.patch	2.15 KB	Alan D.
#2
#3	shield-2838218-3-fastcgi-support.patch	1.06 KB	Alan D.
#3
#6	interdiff-2838218-3-6.txt	1.29 KB	sjerdo
#6	shield-2838218-6-fastcgi-support.patch	1.15 KB	sjerdo
#6

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

21 December 2016 at 05:28

Alan D. created an issue. See original summary.

Comment #2

Alan D. CreditAttribution: Alan D. commented 21 December 2016 at 05:30

Status:	Active	» Needs review
Related issues:		+#1343750: Shield doesn't work on fastcgi (and some other configurations)

File	Size
shield-2838218-fastcgi-support.patch	2.15 KB

Comment #3

Alan D. CreditAttribution: Alan D. commented 22 December 2016 at 01:09

File	Size
shield-2838218-3-fastcgi-support.patch	1.06 KB

Or to enable by default without needing any config

Comment #4

Alan D. CreditAttribution: Alan D. commented 22 December 2016 at 01:25

Note, this is what Drupal 8 does too, so not applicable to forward port :)

Symfony\Component\HttpFoundation\ServerBag

        if (isset($this->parameters['PHP_AUTH_USER'])) {
            $headers['PHP_AUTH_USER'] = $this->parameters['PHP_AUTH_USER'];
            $headers['PHP_AUTH_PW'] = isset($this->parameters['PHP_AUTH_PW']) ? $this->parameters['PHP_AUTH_PW'] : '';
        } else {
            /*
             * php-cgi under Apache does not pass HTTP Basic user/pass to PHP by default
             * For this workaround to work, add these lines to your .htaccess file:
             * RewriteCond %{HTTP:Authorization} ^(.+)$
             * RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
             *
             * A sample .htaccess file:
             * RewriteEngine On
             * RewriteCond %{HTTP:Authorization} ^(.+)$
             * RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
             * RewriteCond %{REQUEST_FILENAME} !-f
             * RewriteRule ^(.*)$ app.php [QSA,L]
             */

            $authorizationHeader = null;
            if (isset($this->parameters['HTTP_AUTHORIZATION'])) {
                $authorizationHeader = $this->parameters['HTTP_AUTHORIZATION'];
            } elseif (isset($this->parameters['REDIRECT_HTTP_AUTHORIZATION'])) {
                $authorizationHeader = $this->parameters['REDIRECT_HTTP_AUTHORIZATION'];
            }

Comment #5

Alan D. CreditAttribution: Alan D. commented 5 June 2017 at 06:44

Wow, we the only ones that run FastCGI? Figured this would generate some interest...

New server build on AWS; a standard cPanel build on top of Centos with FastCGI enabled and this was required to get the module working...

Comment #6

sjerdo

Dutch

Haarlem

CreditAttribution: sjerdo at Synetic commented 26 November 2018 at 09:49

File	Size
shield-2838218-6-fastcgi-support.patch	1.15 KB

interdiff-2838218-3-6.txt	1.29 KB

1 file was hidden/shown/deleted

File	Size
shield-2838218-fastcgi-support.patch	2.15 KB

We have experienced the same bug for several of our clients.
I have updated the patch to make it more readable by removing the nested ternary operators.