Skip to content
Advertisement

file_get_contents() security issue on local domain only with CentOS security settings

I know there are a hundred posts about file_get_contents() on SO but nothing seems to solve my problem:

Everything was working fine fifteen minutes ago, until I ran some security stuff via SSH. I added some iptables rules and I file_get_contents and I ran service proftpd restart and a few installs/uninstalls which seems to have disabled PHP’s fopen() functions somehow.

In php.ini, I have: allow_url_fopen = on & extension=php_openssl.dll on

I’m trying a simple test: (this file loads fine via the browser)

echo file_get_contents("https://www.this-domain.com/logo.gif");
//...failed to open stream:HTTP request failed! HTTP/1.1 404 Not Found...

//However both of the following work absolutely fine:

echo file_get_contents("https://www.google.com/");
echo file_get_contents("/home/user/domains/this-domain.com/private_html/media/logospin.gif");

I cannot change the file_get_contents() code (to cURL or otherwise) – this is a server settings issue. Possibly something to do with the firewall. Can someone please suggest a fix?

Advertisement

Answer

The problem was in fact a DNS issue. file_get_contents() was bizarrely routing through our backup nameservers (ns3 & ns4) for some reason, while browsers were routing through the primary nameservers (ns1 & ns2). Unlike the primaries, the backups point to a different server, which does not yet have identical files – hence the unusual 404.

I had set up these backup nameservers only a few hours before tinkering with the firewall etc and by the time they propagated, it looked very much like the ssh commands had taken file_get_contents() offline.

Thanks for all the comments guys – very much appreciated.

User contributions licensed under: CC BY-SA
9 People found this is helpful
Advertisement