|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2020-12-28 19:44 UTC] bukka@php.net
-Assigned To:
+Assigned To: bukka
[2020-12-28 19:44 UTC] bukka@php.net
[2020-12-28 19:46 UTC] bukka@php.net
[2020-12-28 21:27 UTC] bukka@php.net
-Status: Assigned
+Status: Feedback
[2021-01-10 04:22 UTC] php-bugs at lists dot php dot net
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Tue Jun 10 23:01:26 2025 UTC |
Description: ------------ Hi, Setup: centos 7, 3.10.0-1160.2.2 apache: 2.4.6-97 php: 7.2.34, but also tested with php 7.0 and 7.4 Description: We are using kerberos for sso to login into our website. In some cases users can have have a lot of groups (1000+), so the kerberos ticket and also the request header is very large. If the limit of the header exceeds a not clearly defined value due to the increased size of the kerberos ticket, the user gets back a white blank page. Status code is 200 and the size of the response header is 0. This can be caused by setting the HTTP_AUTHORIZATION variable via setenvif in apache. SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1 We need this variable for another application, so its necessary. We are facing this issue only when we are using php-fpm, with the internal apache php_module this issuse disappears. There are no errors in the log of apache or php-fpm, even I set it to debug or trace8. The LimitRequestFieldSize is not the problem, I already increased this value and if this was the problem the user gets a normal error message. I hope somebody as an idea, was this problem caused. Look forward to any help. Here is our config of apache and php-fpm. apache: <VirtualHost *:80> ServerName XXX RewriteEngine On RewriteRule ^(.*)$ https://XXX$1 [R=301,L] </VirtualHost> <VirtualHost *:443> ServerName XXX ServerAlias XXX ServerAdmin XXX # Let apache know we're behind a SSL reverse proxy SetEnvIf X-Forwarded-Proto "^http$" HTTPS=on # override client IP from Header with mod_remoteip RemoteIPHeader X-Forwarded-For SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1 # haproxy RemoteIPInternalProxy 10.XX.XX.XX RemoteIPTrustedProxy 10.XX.XX.XX SSLEngine on SSLProtocol -all +TLSv1.2 SSLHonorCipherOrder on SSLCompression off SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH SSLCertificateFile /etc/pki/httpd/XXX.crt SSLCertificateKeyFile /etc/pki/httpd/XXX.key DirectoryIndex index.html index.php ProxyTimeout 240 <Proxy "unix:/run/php-fpm/XXX.sock|fcgi://php-fpm"> # Note: If you configure php-fpm to use the "pm = ondemand" then use "ProxySet disablereuse=on" ProxySet disablereuse=off </Proxy> <FilesMatch \.php$> SetHandler proxy:fcgi://php-fpm </FilesMatch> DocumentRoot /var/www/html/XXX/current/public_html/ <Directory /var/www/html/XXX/current/public_html/> Options -ExecCGI +FollowSymlinks -Includes -IncludesNOEXEC -Indexes -MultiViews -SymlinksIfOwnerMatch AllowOverride All Require all granted </Directory> <Location /> SetEnvIf Request_URI ^/XXX/.*$ noauth=1 SetEnvIf Request_URI ^/XXX/.*$ noauth=1 <RequireAny> AuthType KerberosV5 AuthName "XXX" KrbMethodNegotiate On KrbMethodK5Passwd On KrbAuthoritative On KrbAuthRealms XXX KrbVerifyKDC Off KrbServiceName HTTP Krb5KeyTab /etc/httpd/conf/XXX.http.keytab KrbSaveCredentials On KrbLocalUserMapping Off require valid-user # Monitoring - Icinga2 (Master Node I) Require ip 10.XXX.XX.XXX # Monitoring - Icinga2 (Master Node II) Require ip 10.XXX.XX.XXX # Monitoring - Icinga2 (DMZ Satellite Node) Require ip 10.XXX.XX.XX # Monitoring - Lokale Checks Require ip 127.0.0.1 Require ip 10.XX.XX.XXX Require ip 10.XX.XX.XXX Require ip 10.XX.XXX.XX Require env noauth Require env REDIRECT_noauth Require valid-user </RequireAny> </Location> <IfModule mod_negotiation.c> <IfModule mod_include.c> Alias /error/ "/var/www/html/XXX/shared/config" <Directory "/var/www/html/XXX/shared/config/error/"> Options -ExecCGI +FollowSymlinks -Includes -IncludesNOEXEC -Indexes +MultiViews -SymlinksIfOwnerMatch # AllowOverride None AddOutputFilter Includes html AddHandler type-map var LanguagePriority de en es fr ForceLanguagePriority Prefer Fallback Require all granted </Directory> ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var ErrorDocument 410 /error/HTTP_GONE.html.var ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var </IfModule> </IfModule> Alias /icons/ "/var/www/html/XXX/shared/config" <Directory "/var/www/html/XXX/shared/config/icons/"> Options -ExecCGI +FollowSymlinks -Includes -IncludesNOEXEC -Indexes +MultiViews -SymlinksIfOwnerMatch AllowOverride None Require all granted </Directory> <IfModule mod_headers.c> Header set X-XSS-Protection "1; mode=block" Header set X-Content-Type-Options nosniff Header set Content-Security-Policy "script-src 'unsafe-inline' 'self' collab1-XXX https://www.googletagmanager.com https://www.google-analytics.com; connect-src 'self' https://collab1-XXX wss://collab1-XXX;" Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains" Header set Content-Security-Policy "frame-ancestors 'self' Header always edit Set-Cookie (.*) "$1; HttpOnly; Secure" Header set Referrer-Policy "strict-origin-when-cross-origin" Header always set Feature-Policy "geolocation 'none'; midi 'none'; camera 'none'; usb 'none'; magnetometer 'none'; accelerometer 'none'; vr 'none'; speaker 'none'; ambient-light-sensor 'none'; gyroscope 'none'; microphone 'none'" </IfModule> LogLevel warn ErrorLogFormat "[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i" LogFormat "%h %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined LogFormat "%{X-Forwarded-For}i %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" proxy SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded ErrorLog /var/log/httpd/XXX-error.log CustomLog /var/log/httpd/XXX-access.log combined env=!forwarded CustomLog /var/log/httpd/XXX-access.log proxy env=forwarded </VirtualHost> php-fpm: ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ; This file is managed by ansible; manual changes are overwritten ; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; [XXX] user = apache group = apache listen = /run/php-fpm/XXX.sock listen.backlog = 511 listen.owner = apache listen.group = apache listen.mode = 0660 pm = dynamic pm.max_children = 150 pm.start_servers = 10 pm.min_spare_servers = 10 pm.max_spare_servers = 35 pm.process_idle_timeout = 10s pm.max_requests = 2500 pm.status_path = /fpm-status ping.path = /fpm-ping ping.response = pong access.format = "%R - %u %t \"%m %r\" %s" slowlog = /var/log/php-fpm/XXX-slow.log request_slowlog_timeout = 5s request_terminate_timeout = 240s catch_workers_output = no clear_env = yes security.limit_extensions = .php php_admin_value[session.save_path] = "/var/www/html/XXX/shared/session" php_admin_value[upload_tmp_dir] = "/var/www/html/XXX/shared/tmp/upload_tmp_dir" php_admin_value[soap.wsdl_cache_dir] = "/var/www/html/XXX/current/cache/wsdl_cache_dir" php_admin_value[opcache.file_cache] = "/var/www/html/XXX/current/cache/opcache_file_cache" php_admin_value[session.save_handler] = files php_admin_value[date.timezone] = Europe/Berlin php_admin_value[max_execution_time] = "180" php_admin_value[max_input_time] = "180" php_admin_flag[expose_php] = off php_admin_flag[log_errors] = on php_admin_value[error_log] = /var/log/php-fpm/XXX-php-error.log php_admin_flag[display_startup_errors] = off php_admin_flag[display_errors] = on php_admin_value[error_reporting] = E_ALL & ~E_DEPRECATED & ~E_STRICT php_admin_flag[track_errors] = off php_admin_value[memory_limit] = "512M" php_admin_value[post_max_size] = "100M" php_admin_value[upload_max_filesize] = "100M" php_admin_value[realpath_cache_size] = "64k" php_admin_value[opcache.memory_consumption] = 320 php_admin_value[opcache.max_accelerated_files] = 13000 php_admin_value[opcache.validate_timestamps] = on php_admin_value[opcache.revalidate_freq] = 30