Home » Php » php – $_SERVER['HTTP_HOST'] not set

php – $_SERVER['HTTP_HOST'] not set

Posted by: admin July 12, 2020 Leave a comment

Questions:

I am getting lot of traffic to my php pages but without the variable $_SERVER['HTTP_HOST'] set.

This traffic is like 1 hit per second. I don’t know what it could be, but for reducing server load i am doing this at the top of every php pages:

if (!isset($_SERVER['HTTP_HOST']))
    exit;

Do you know what could cause this? Is it safe to exit whenever HTTP_HOST is not set?

Can a normal user visit my pages without setting HTTP_HOST?

  • PHP version: 5.2.0-8
  • Apache: 2.2.3
How to&Answers:

Mmm, might be as well the “apache dummy connections”. Check you access logs for “internal dummy connection”, theses are used by the master apache process to send orders to his child processes (like suicide yourself, or we need to reload conf). And theses connections are made in HTTP/1.0 without HOST set.

http://wiki.apache.org/httpd/InternalDummyConnection

Theses #$!”#sh#f#ck*$! connections are making a lot of bugs around there, (cache things, no HTTP/1.1, etc). One ‘simple’ solution is not having your hostname based Virtuahost serving you main application as the default virtualhost. Keep a very simple default virtualhost with the ‘it works’ page, or something very simple “if you get this page you might try to get a browser with HTTP/1.1 support somewhere”, as a static page. Then all HTTP/1.0 traffic or people accessing your server by IP only, will not be in your real application.

To be complete I’ve seen a company this year with bad proxies removing the Host header from all their outgoing HTTP traffic. But theses bad guys are dumbs, I don’t think there’s a lot of people still browsing in HTTP/1.0 without hosts.

Answer:

HTTP_HOST is a part of the client’s HTTP request and specifies which host name the request is to be directed to. It is necessary to tell apart the right site in a multi-site setup.

If HTTP_HOST is not set, the client is either very, very old (HTTP 1.0 doesn’t support HTTP_HOST) or has made a request directly to your web site’s IP.

I can’t see any harm in blocking that the way you do. However if you are worried about traffic, it might be wiser to fix this on web server level.