Can't add headers in host and path levels with .php #1301

Open
xm74 opened this issue May 14, 2017 · 15 comments
@xm74

xm74 commented May 14, 2017

I see strange H2O 2.2.2 behavior under FreeBSD. If a site uses a PHP file as its index, then there is no possibility to add headers at host level. In the other case, when a site uses index.html, all works fine. PHP processing goes via file.custom-handler:

...
file.custom-handler:
  extension: ".php"
  fastcgi.connect:
    host: 127.0.0.1
    port: 9000
    type: tcp
...

Here are two sites. The first doesn't use a PHP index, and the second does.

"first:443":
  header.add: "Strict-Transport-Security: max-age=15768000; includeSubDomains; preload"
  listen:
    port: 443
    ssl:
      certificate-file: /usr/local/etc/letsencrypt/live/first/fullchain.pem
      key-file: /usr/local/etc/letsencrypt/live/first/privkey.pem
  paths:
    "/":
      file.dir: /usr/local/www/first
"second:443":
  header.add: "Strict-Transport-Security: max-age=15768000; includeSubDomains; preload"
  listen:
    port: 443
    ssl:
      certificate-file: /usr/local/etc/letsencrypt/live/second/fullchain.pem
      key-file: /usr/local/etc/letsencrypt/live/second/privkey.pem
  paths:
    "/":
      file.dir: /usr/local/www/second

Answers:

--- curl -I https://first
HTTP/2 200
server: h2o/2.2.2
date: Sun, 14 May 2017 22:39:37 GMT
content-type: text/html
last-modified: Mon, 11 Jul 2016 17:55:34 GMT
etag: "5783dd96-38bd"
vary: accept-encoding
accept-ranges: bytes
strict-transport-security: max-age=15768000; includeSubDomains; preload
content-length: 14525
--- curl -I https://second
HTTP/2 200
server: h2o/2.2.2
date: Sun, 14 May 2017 22:39:14 GMT
x-powered-by: PHP/5.6.30
set-cookie: second_sessid=ea46d7ad1cb3766feb70e741efb59e9b; path=/; secure; HttpOnly
expires: Sun, 14 May 2017 22:39:14 GMT
last-modified: Sun, 14 May 2017 22:39:14 GMT
cache-control: private, no-cache, no-store, must-revalidate, post-check=0, pre-check=0
pragma: no-cache
x-dns-prefetch-control: off
x-frame-options: sameorigin
content-language: en
content-type: text/html; charset=UTF-8

@MxyzptlkFishStix

+1

@yannick
Contributor

yannick commented May 15, 2017

Can you check if this also happens if you use header.set instead of header.add?

@utrenkner
Contributor

I just tested it and can confirm the issue of @xm74.

Changing from header.add to header.set does not make any difference on my test-server (h2o/2.2.2 on FreeBSD 11.0-RELEASE).

@utrenkner
Contributor

header.add and header.set both work at global and path level, though. Just not at host level.

@xm74
Author

xm74 commented May 15, 2017

Thanks for your comments! Hope it will be fixed soon.

@xm74
Author

xm74 commented May 15, 2017

Also, I found that the X-Frame-Options: header was set when H2O processed a PHP file. Why, and who does this?

@utrenkner
Contributor

In my test instance the X-Frame-Options header does not exist. I would guess you have configured it elsewhere in h2o.conf (e.g. globally) or it comes from the PHP application and is only passed on by h2o.

@xm74
Author

xm74 commented May 15, 2017

Thanks, @utrenkner. I just found that these headers come from the Roundcube installation which I used for bug demonstration for the "second" sample site. This is not an H2O issue.

@xm74
Author

xm74 commented May 16, 2017

I found that header.add (and possibly header.set) doesn't work at path level with .php either.

xm74 changed the title from "Can't add headers in host level with .php index file" to "Can't add headers in host and path levels with .php index file" on May 16, 2017

@MxyzptlkFishStix

MxyzptlkFishStix commented May 16, 2017

Same here. I checked with curl -IL and it mysteriously sends the header via the following 302 redirects:

http://domain.ext -> https://domain.ext (headers on 302) -> https://www.domain.ext (no headers on 200)

http://www.domain.ext -> https://www.domain.ext (no headers on 200)

https://domain.ext -> (headers on 302) -> https://www.domain.ext (no headers on 200)

https://www.domain.ext (no headers on 200)

I've tested on 2.2.1, 2.2.2 and 2.3.0-DEV. Same results.

@utrenkner
Contributor

I can confirm @xm74: I have the typical combination of filedir for static files and redirect to /index.php/ for dynamic content. header.add in the path does not work on the PHP part, only on the static assets.

xm74 changed the title from "Can't add headers in host and path levels with .php index file" to "Can't add headers in host and path levels with .php" on Jun 7, 2017

@xm74
Author

xm74 commented Jul 14, 2017

Unfortunately I do not see any progress with this issue, so I wrote the simple module addheaders.rb that extracts headers from an H2O format file and adds them to the output.

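# addheaders.rb - Processing headers from file
class Addheaders

    attr_accessor :path

    def initialize(path)
        @path = path
    end

    # Rack-style handler: status 399 hands the request on to the next handler
    def call(env)
        headers = {}
        File.open(@path) do |file|
            file.each_line do |line|
                # Skip blank lines, comments and anything that is not a header directive
                directive = line.chomp[/^header.*: "(.*)"$/, 1]
                next if directive.nil?
                name, value = directive.split(': ', 2)
                next if value.nil?
                # Undo the \" escaping used inside the quoted directive value
                headers[name] = value.gsub('\"', '"')
            end
        end
        return [399, headers, []]
    end

end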

headers.file can contain something like this:

header.add: "X-Content-Type-Options: nosniff"
header.add: "X-XSS-Protection: 1; mode=block"
header.add: "X-Frame-Options: DENY"
header.add: "Strict-Transport-Security: max-age=15768000; includeSubDomains; preload"
header.add: "Public-Key-Pins: pin-sha256=\"B+Ty8+XerpRodPy44LG4pDGDLnm9Xf134IZoeQodq3Q=\"; pin-sha256=\"/77b5qXyAz84Mqd804mNZyA+qs+ebKc5xiF4sV/K5uM=\"; max-age=3456000; includeSubDomains"

In the main h2o.conf it is called in the standard way at path level:

        paths:
            "/":
                mruby.handler: |
                    require "/path/to/addheaders.rb"
                    Addheaders.new("/path/to/headers.file")
                file.dir: /path/to/webdocs
            ...

Hope this hack will be useful for a while.
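
A check for the symptom reported in this thread, as an added example that is not part of any comment or of the H2O project: it parses a headers file in the format shown above and reports which declared headers a `curl -I` response lacks. The function names and the sample responses (shortened from the outputs quoted in the issue) are constructed for illustration.

```ruby
# Added example (not from the issue thread): compare the headers declared in an
# H2O-style headers file with what a response actually carries.

# Parse lines such as  header.add: "X-Frame-Options: DENY"  into
# { "x-frame-options" => ["DENY"] }. Blank, comment and malformed lines are skipped.
def parse_header_directives(text)
  expected = Hash.new { |h, k| h[k] = [] }
  text.each_line do |line|
    m = line.strip.match(/\Aheader\.(?:add|set):\s*"(.*)"\z/)
    next unless m
    name, value = m[1].gsub('\"', '"').split(/:\s*/, 2)
    next if name.nil? || name.empty? || value.nil?
    expected[name.downcase] << value
  end
  expected
end

# Parse `curl -I` output into name => [values]; the status line has no colon and is skipped.
def parse_response_head(raw)
  got = Hash.new { |h, k| h[k] = [] }
  raw.each_line do |line|
    name, value = line.chomp.split(/:\s*/, 2)
    got[name.downcase] << value unless name.nil? || value.nil?
  end
  got
end

# Expected header names that are absent from the response or present with another value.
def missing_headers(expected, raw_response)
  got = parse_response_head(raw_response)
  expected.reject { |name, values| (values - got[name]).empty? }.keys
end

# Constructed sample input, shortened from the outputs quoted in the issue.
HEADERS_FILE = <<~'EOS'
  # security headers
  header.add: "Strict-Transport-Security: max-age=15768000; includeSubDomains; preload"

  header.add: "X-Frame-Options: DENY"
EOS
STATIC_RESPONSE = "HTTP/2 200\r\nserver: h2o/2.2.2\r\ncontent-type: text/html\r\n" \
  "strict-transport-security: max-age=15768000; includeSubDomains; preload\r\nx-frame-options: DENY\r\n"
PHP_RESPONSE = "HTTP/2 200\r\nserver: h2o/2.2.2\r\nx-powered-by: PHP/5.6.30\r\n" \
  "x-frame-options: sameorigin\r\ncontent-type: text/html; charset=UTF-8\r\n"

EXPECTED = parse_header_directives(HEADERS_FILE)
puts "static: missing #{missing_headers(EXPECTED, STATIC_RESPONSE).inspect}"
puts "php:    missing #{missing_headers(EXPECTED, PHP_RESPONSE).inspect}"
```

Header values are compared exactly, so a header that the PHP application sets with a different value than the one configured is reported as missing as well.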

@broiniac

broiniac commented Apr 7, 2018

I can confirm that this problem still exists. header.add works only when set globally. Host and path levels are not working.

@xm74
Author

xm74 commented Apr 7, 2018

About a year has passed since the initial post, but the problem is still here without any movement.

@xm74
Author

xm74 commented Jul 30, 2018

Any chance of a patch in 2.3?
