markjaquith/WordPress-Skeleton

WP_CONTENT_URL being set as server's internal IP address


This could potentially be a bug with how I had nginx set up.

Using the skeleton recently on a dual-server setup, behind a load balancer, very randomly, we'd get the site URL being set as the server's internal IP address. Only on, say, 1 or 2 items in the loop. 95% of the site was perfect.

@jdub worked out that it was the following

define( 'WP_CONTENT_URL', 'http://' . $_SERVER['HTTP_HOST'] . '/content' );

being set wrong.

Again, it feels like an nginx issue, and it not passing the correct host through... To solve quickly, I updated my WP_CONTENT_URL constant to

define( 'WP_CONTENT_URL', WP_HOME . '/wp-content' );

Just posting in case others have hit this problem before or in the future.

It's actually somewhat of a vulnerability to do this. If you are serving up a site behind a site configured as the default for nginx, any unknown hosts will get passed through and embedded here. A correctly forged Host header could cause an XSS injection when properly crafted.

In your case, it's likely that a reverse proxy somewhere (whether that's nginx or maybe something higher up than that) is removing the Host header, so PHP is falling back to the IP address (possibly the network name of the machine).
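
One way to keep a request-supplied Host value out of generated URLs, as discussed in the thread above. This is an added example, not code from the issue or from WordPress-Skeleton; the function name `skeleton_trusted_host`, the allowlist, the hostnames and the sample Host values are all hypothetical or constructed, and the site is assumed to be served on the default port.

```php
<?php
// Added example, not from WordPress-Skeleton. Function name, allowlist and
// hostnames are hypothetical; the sample Host values are constructed.

/**
 * Return the request host only if it is on the allowlist; otherwise return
 * the canonical host, so a forged or proxy-rewritten Host header never
 * reaches a generated URL.
 */
function skeleton_trusted_host( array $server, array $allowed, string $canonical ): string {
    $host = strtolower( trim( (string) ( $server['HTTP_HOST'] ?? '' ) ) );
    // Drop an optional :port suffix before comparing (default port assumed).
    $host = preg_replace( '/:\d+$/', '', $host );
    // Strict comparison: anything not listed verbatim falls back.
    return in_array( $host, $allowed, true ) ? $host : $canonical;
}

$allowed   = array( 'www.example.com', 'example.com' );
$canonical = 'www.example.com';

// Constructed Host header values covering the cases raised in the thread.
$samples = array(
    'www.example.com',   // normal request
    'Example.com:80',    // case and port variation of an allowed host
    '10.0.0.12',         // backend address substituted by a proxy
    'attacker.invalid',  // unknown host reaching the default nginx server
    '',                  // header stripped entirely
);

foreach ( $samples as $raw ) {
    $host = skeleton_trusted_host( array( 'HTTP_HOST' => $raw ), $allowed, $canonical );
    printf( "%-20s -> http://%s/content\n", var_export( $raw, true ), $host );
}

// In wp-config.php the same check would feed the constant:
// define( 'WP_CONTENT_URL', 'http://' . skeleton_trusted_host( $_SERVER, $allowed, $canonical ) . '/content' );
```

Only the two allowlisted names survive; the internal address, the unknown host and the empty header all resolve to the canonical host, which is the same effect the `WP_HOME`-based constant achieves with a single fixed value.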