[wp-hackers] When HTTP_HOST does not point to the blog

Andy Skelton skeltoac at gmail.com
Wed Jun 25 03:31:29 GMT 2008

On Tue, Jun 24, 2008 at 2:52 PM, Oliver Hohlfeld <oliver at ohohlfeld.com> wrote:
> Right. I forgot to mention something. Our web servers are not directly
> reachable from the outside world and are accessed though an Apache
> server running mod_proxy. The proxy will direct the requests to the
> right machines and will thus change the HTTP_HOST in the internal
> request (from the proxy to the web server)...
> This causes the host mismatch. The correct host is supplied in
> X-Forwarded-Host, but there is probably a way to solve this Apache
> related issue.

Okay, now this is familiar territory! Since it is an issue with your
configuration, you should put the fix in your customized wp-config.php
file rather than in WordPress. Something like this:

if ( isset( $_SERVER['HTTP_X_FORWARDED_HOST'] ) )

Of course, HTTP headers should be treated as suspiciously as any
user-supplied input. Take precautions against clients spoofing headers
even if it just means verifying that your proxy won't allow that
header to pass. Maybe you should also ensure that the request came
through the proxy by checking REMOTE_ADDRESS and X_FORWARDED_FOR for
sanity, but here you have the basic solution.


More information about the wp-hackers mailing list