2

I'm using nginx together with php5-fpm and with the following fastcgi_params file:

fastcgi_param   CONTENT_LENGTH      $content_length;
fastcgi_param   CONTENT_TYPE        $content_type;
fastcgi_param   DOCUMENT_ROOT       $document_root;
fastcgi_param   DOCUMENT_URI        $document_uri;
fastcgi_param   GATEWAY_INTERFACE   CGI/1.1;
fastcgi_param   HTTPS               $https;
fastcgi_param   PATH_INFO           $fastcgi_path_info;
fastcgi_param   PATH_TRANSLATED     $document_root$fastcgi_path_info;
fastcgi_param   QUERY_STRING        $query_string;
fastcgi_param   REDIRECT_STATUS     200;
fastcgi_param   REMOTE_ADDR         $remote_addr;
fastcgi_param   REMOTE_PORT         $remote_port;
fastcgi_param   REQUEST_METHOD      $request_method;
fastcgi_param   REQUEST_URI         $request_uri;
fastcgi_param   SCRIPT_FILENAME     $document_root$fastcgi_script_name;
fastcgi_param   SCRIPT_NAME         $fastcgi_script_name;
fastcgi_param   SERVER_ADDR         $server_addr;
fastcgi_param   SERVER_NAME         $server_name;
fastcgi_param   SERVER_PORT         $server_port;
fastcgi_param   SERVER_PROTOCOL     $server_protocol;
fastcgi_param   SERVER_SOFTWARE     nginx/$nginx_version;

I've noticed that the $_SERVER['HTTP_REFERER'] variable is not set. I searched the nginx wiki for any reference to the Referer header but I couldn't find anything mentioning problems related to fastcgi.

How can I make nginx pass that header? Am I missing something obvious here?

Alix Axel

1 Answer

5

The HTTP_REFERER environment variable will be set by nginx for the CGI script if and only if the remote user agent (e.g. web browser) provided the optional Referer: header. The contents of this header are also entirely arbitrary on the part of the remote user agent (though they should be the last page visited, this isn't always what it is, and nothing constrains it to be so).

Anytime your CGI script uses this variable, it should have an alternate control path to handle cases where it is not set, and it should recognize that it will often be wrong or spoofed.

Falcon Momot
  • Oh snap! I thought that when following a Location header, the browser would send the Referer as well but I guess Chrome doesn't do that. Silly me. – Alix Axel Jul 01 '13 at 08:25
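
An added example, not part of the question or the answer above: one way a PHP script can give `HTTP_REFERER` the alternate control path the answer calls for, treating the header as an untrusted hint for a "back" link. The function name `safe_return_path` and the host names are assumptions made for illustration; the syntax is kept compatible with PHP 5.

```php
<?php
// Added example; host names below are constructed placeholders.

/**
 * Return a same-site relative URL taken from the Referer header, or
 * $fallback when the header is absent, malformed or names another host.
 */
function safe_return_path(array $server, array $trustedHosts, $fallback = '/')
{
    // Path 1: header absent (direct visit, privacy setting, some redirects).
    if (!isset($server['HTTP_REFERER']) || !is_string($server['HTTP_REFERER'])) {
        return $fallback;
    }
    $referer = $server['HTTP_REFERER'];
    if ($referer === '' || strlen($referer) > 2048) {
        return $fallback;
    }

    // Path 2: header present but not a well-formed http(s) URL.
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback;
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return $fallback;
    }

    // Path 3: header names a host this site does not serve.
    if (!in_array(strtolower($parts['host']), $trustedHosts, true)) {
        return $fallback;
    }

    // Rebuild from path and query only, so the result is always relative.
    $target = isset($parts['path']) ? $parts['path'] : '/';
    if (isset($parts['query'])) {
        $target .= '?' . $parts['query'];
    }
    // Reject "//host" (protocol-relative), backslashes and control bytes.
    if ($target[0] !== '/' || strpos($target, '//') === 0
        || preg_match('/[\x00-\x1f\x7f\\\\]/', $target)) {
        return $fallback;
    }
    return $target;
}

// Usage: the value is a navigation hint only, never an authorization input.
$back = safe_return_path($_SERVER, array('example.com', 'www.example.com'));
echo '<a href="' . htmlspecialchars($back, ENT_QUOTES, 'UTF-8') . '">Back</a>';
```

Because the client controls the header, a value that passes these checks still proves nothing about where the request came from; it is only safe to use as a link target.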