file_get_contents behind a proxy?

Question 1

At work we have to use a proxy to basically access port 80 for example, we have our own custom logins for each user.

My temporary workaround is using curl to basically login as myself through a proxy and access the external data I need.

Is there some sort of advanced php setting I can set so that internally whenever it tries to invoke something like file_get_contents() it always goes through a proxy? I'm on Windows ATM so it'd be a pain to recompile if that's the only way.

The reason my workaround is temporary is because I need a solution that's generic and works for multiple users instead of using one user's credentials ( Ive considered requesting a separate user account solely to do this but passwords change often and this technique needs to be deployed throughout a dozen or more sites ). I don't want to hard-code credentials basically to use the curl workaround.

Question 2

To use file_get_contents() over/through a proxy that doesn't require authentication, something like this should do :

(I'm not able to test this one : my proxy requires an authentication)

$aContext = array(
    'http' => array(
        'proxy'           => 'tcp://192.168.0.2:3128',
        'request_fulluri' => true,
    ),
);
$cxContext = stream_context_create($aContext);

$sFile = file_get_contents("http://www.google.com", False, $cxContext);

echo $sFile;

Of course, replacing the IP and port of my proxy by those which are OK for yours ;-)

If you're getting that kind of error :

Warning: file_get_contents(http://www.google.com) [function.file-get-contents]: failed to open stream: HTTP request failed! HTTP/1.0 407 Proxy Authentication Required

It means your proxy requires an authentication.

If the proxy requires an authentication, you'll have to add a couple of lines, like this :

$auth = base64_encode('LOGIN:PASSWORD');

$aContext = array(
    'http' => array(
        'proxy'           => 'tcp://192.168.0.2:3128',
        'request_fulluri' => true,
        'header'          => "Proxy-Authorization: Basic $auth",
    ),
);
$cxContext = stream_context_create($aContext);

$sFile = file_get_contents("http://www.google.com", False, $cxContext);

echo $sFile;

Same thing about IP and port, and, this time, also LOGIN and PASSWORD ;-) Check out all valid http options.

Now, you are passing an Proxy-Authorization header to the proxy, containing your login and password.

And... The page should be displayed ;-)

Question 3

Very very simply like this:

$url = $_GET['file'];
$path_parts = pathinfo($url);

$ext = $path_parts['extension'];
$filename = $path_parts['filename'];

header("Content-type: application/$ext");
header("Content-Disposition: attachment; filename=$filename");

echo file_get_contents($url);

If the file is larger than a few megabytes, use fopen fread and frwrite download the file in chunks and send to the client in chunks.

Question 4

Generate unique tokens. You're on the right track with a hash, but if you keep your private key constant, it'll eventually get brute-forced. From there, rainbow tables say hi.

You're effectively going to have to borrow a leaf or two from mechanisms used to prevent CSRF abuse, as you're effectively trying to do the same thing: limit the user to one query per token, with a token that cannot be regenerated by them.

There are tons of ways to do this, and the usual trade-off is between efficiency and security. The simplest is what you've suggested - which is easily brute-forceable. At the opposite end of the spectrum is the DB approach - generate a unique token per visit, store it in a DB, and validate subsequent calls against this. It is pretty DB-intensive but works out relatively well - and is virtually impossible to break unless the token generation is weak.

Question 5

To setup CNTLM for windows, follow this article. For Ubuntu, read my blog post.

Edit:

Basically, to use CNTLM in any platform, you need to setup your username and hashed password, before using http://127.0.0.1:3128 as a proxy to your parent proxy.

Edit the config and add important information like domain, username, password and parent proxy.
Generate hashed password.

Windows cntlm –c cntlm.ini –H

Ubuntu/Linux cntlm -v -H -c /etc/cntlm.conf
Remove plain text password from the config and replace them with the generated passwords.

To check if working:

Windows cntlm –M http://www.google.com

Ubuntu/Linux sudo cntlm -M http://www.google.com/

For more detailed instructions, see links above.

Update:

Just for completeness sake, I was able to configure and use CNTLM in Windows recently. I encountered a problem during the syncing process of Kindle for PC because of our proxy and installing and configuring CNTLM for Windows fixed that issue for me. Refer to my article for more details.

Question 6

Here is a link to the official Docker documentation for proxy HTTP: https://docs.docker.com/config/daemon/systemd/#httphttps-proxy

A quick outline:

First, create a systemd drop-in directory for the Docker service:

mkdir /etc/systemd/system/docker.service.d

Now create a file called /etc/systemd/system/docker.service.d/http-proxy.conf that adds the HTTP_PROXY environment variable:

[Service]
Environment="HTTP_PROXY=http://proxy.example.com:80/"

If you have internal Docker registries that you need to contact without proxying you can specify them via the NO_PROXY environment variable:

Environment="HTTP_PROXY=http://proxy.example.com:80/"
Environment="NO_PROXY=localhost,127.0.0.0/8,docker-registry.somecorporation.com"

Flush changes:

$ sudo systemctl daemon-reload

Verify that the configuration has been loaded:

$ sudo systemctl show --property Environment docker
Environment=HTTP_PROXY=http://proxy.example.com:80/

Restart Docker:

$ sudo systemctl restart docker

file_get_contents behind a proxy?

Answers

php,proxy