PHP-FPM: Passing Authorization Header


I’m currently using OAuth which consumes a REST API that uses Zend_Controller_Request_Http to extract the OAuth Authorization header. The SERVER environment variable and apache_request_headers function are used indirectly to resolve the Authorization header via that Zend class.

    class Zend_Controller_Request_Http extends Zend_Controller_Request_Abstract
    {
        // Return the value of the given HTTP header, or false if it is not set.
        public function getHeader($header)
        {
            if (empty($header)) {
                #require_once 'Zend/Controller/Request/Exception.php';
                throw new Zend_Controller_Request_Exception('An HTTP header name is required');
            }

            // Try to get it from the $_SERVER array first
            $temp = 'HTTP_' . strtoupper(str_replace('-', '_', $header));
            if (isset($_SERVER[$temp])) {
                return $_SERVER[$temp];
            }

            // This seems to be the only way to get the Authorization header on
            // Apache
            if (function_exists('apache_request_headers')) {
                $headers = apache_request_headers();
                if (isset($headers[$header])) {
                    return $headers[$header];
                }
                // Fall back to a case-insensitive match on the header name
                $header = strtolower($header);
                foreach ($headers as $key => $value) {
                    if (strtolower($key) == $header) {
                        return $value;
                    }
                }
            }

            return false;
        }
    }



However, my local environment is running PHP 5.4 with php5-fpm. Thus the function apache_request_headers does not exist, as it is only available when PHP is installed as an Apache module. So I need to know how the authorization headers can be forwarded via the SERVER environment variable using php-fpm so that the Zend_Controller_Request_Http::getHeader() function is able to discover the headers and the application (Magento) is able to authorize the request.


  • PHP 5.4
  • Apache 2.4
  • PHP5-FPM

I found a solution that is adequate for the time being. That is to explicitly set environment variables for the required headers when they exist. Below is an example of the vhost file I’m using.

   ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://$1
   SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
   SetEnvIf Content-Type "(.*)" HTTP_CONTENT_TYPE=$1
   SetEnvIf Accept "(.*)" HTTP_ACCEPT=$1

Though I would be interested in a more elegant solution, preferably one which accounts for all headers and passes them as variables which are uppercased and prefixed with HTTP_, if that is possible.
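An added example, not part of the original post and not Zend or Magento code: a small PHP check for whether the Authorization header actually reaches PHP under php-fpm, and through which variable, without writing the credential itself to a log. The function names and the sample arrays are assumptions made for illustration; the REDIRECT_ lookup covers the prefix Apache adds to environment variables after an internal redirect.

```php
<?php
// Added example, not Zend or Magento code. Function names are hypothetical and
// the $samples arrays are constructed stand-ins for $_SERVER.

// Find the Authorization header wherever the SAPI exposed it.
// Returns array('source' => ..., 'value' => ...) or false.
function locateAuthorizationHeader(array $server)
{
    // HTTP_AUTHORIZATION: set by the SetEnvIf rule from the vhost.
    // REDIRECT_HTTP_AUTHORIZATION: Apache adds the REDIRECT_ prefix to
    // environment variables after an internal redirect (e.g. mod_rewrite).
    foreach (array('HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION') as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            return array('source' => $key, 'value' => $server[$key]);
        }
    }
    // Missing under php-fpm on PHP 5.4 (as the post describes), hence the guard.
    if (function_exists('apache_request_headers')) {
        foreach (apache_request_headers() as $name => $value) {
            if (strcasecmp($name, 'Authorization') === 0) {
                return array('source' => 'apache_request_headers()', 'value' => $value);
            }
        }
    }
    return false;
}

// One-line diagnostic that is safe to log: scheme and length, never the credential.
function describeAuthorization(array $server)
{
    $found = locateAuthorizationHeader($server);
    if ($found === false) {
        return 'Authorization header not forwarded to PHP';
    }
    $scheme = preg_match('/^([A-Za-z][\w-]*) /', $found['value'], $m) ? $m[1] : 'unknown';
    return sprintf('%s: scheme=%s, %d bytes', $found['source'], $scheme, strlen($found['value']));
}

// Constructed samples: what $_SERVER might contain in three setups.
$samples = array(
    'SetEnvIf in place' => array('HTTP_AUTHORIZATION' => 'OAuth oauth_consumer_key="example", oauth_signature="example"'),
    'after a rewrite'   => array('REDIRECT_HTTP_AUTHORIZATION' => 'OAuth oauth_consumer_key="example"'),
    'header not passed' => array('HTTP_ACCEPT' => 'application/json'),
);
foreach ($samples as $label => $server) {
    echo $label, ' -> ', describeAuthorization($server), PHP_EOL;
}
```

In a live vhost, call describeAuthorization($_SERVER) from a temporary script to confirm the SetEnvIf rule took effect before debugging the OAuth layer.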
