urlify http basic authentication protected websites

I recently needed to access an RSS resource on the web that was protected via http basic authentication. Well, my feed-reader of choice doesn’t really support that. To work around the problem I wrote the following small PHP script that serves as a proxy. Now you can pass the username/password from the basic authentication login as part of the URL.

Update: now supports https connections.

< ?php
 
// determine if connections to other servers
// are to be allowed. change this password! seriously!
$allow_foreign = ( $_GET['proxy_pass'] == 'master_password' );
 
$url = parse_url( $_GET['feed'] );
// connect to an ssl encrypted site?
$use_ssl = $url['scheme'] == "https";
 
// determine the port to use based on passed URL
if( ! isset( $url['port'] ) ) {
	$port = ($use_ssl ? 443 : 80);
} else {
	$port = $url['port'];
}
 
// determine the host to connect to.
// only allow connections to servers other
// than localhost when the proxy_pass has been
// correctly passed.
if( $allow_foreign ) {
	$host = $url['host'];
} else {
	$host = "127.0.0.1";
}
 
// is this supposed to be an ssl connection?
// then use the ssl protocol.
if( $use_ssl ) {
	$host = "ssl://".$host;
}
 
// try to open a connection to the requested host
$fh = fsockopen( $host, $port );
if( $fh ) {
	fwrite( $fh, "GET ".$url['path']." HTTP/1.0\r\n" );
	// in case we deal with virtual hosts pass the domain we are interested in.
	fwrite( $fh, "Host: ".$url['host']."\r\n" );
	// rfc2617: basic authorization header plus base64 encoded username:password
	fwrite( $fh, "Authorization: Basic ".base64_encode($_GET['user'].":".$_GET['pass'])."\r\n" );
	// end of the request header
	fwrite( $fh, "\r\n" );
	 // practically ignore all answering headers send by the server
	while( ! feof( $fh ) && ($debug = fgets( $fh )) != "\r\n" ) /*echo $debug*/;
	// display only the body of the message
	while( ! feof( $fh ) ) {
		echo fgets( $fh );
	}
	fclose( $fh );
}
 
?>

Piece of advice:

  • Please note that if you use this in your web-browser your username/password might accidentally end up in some peoples web-server logs when your browser passes the reffer header around.
  • Change “master_password” to something secure. Otherwise you will open your server as a proxy to others to do all kinds of nasty things under your IP address.  If you don’t provide the “proxy_pass” parameter when you invoke the URL later you will only be able to access the local server where your script is placed!
  • If your script is publicly accessible you also might want to change the ($url['port'] ? $url['port'] : 80) part to always point to “80″.

How to use the script:

Save the script to your webserver. You can now invoke your protected? HTTP web resource via:
script_name.php?feed=[URL_TO_QUERY]&user=[YOUR_USERNAME]&pass=[YOUR_PASSWORD]

f.ex.:

http://www.default-route.de/proxy.php?feed=http://www.google.com/&user=myname&pass=mypassword

References:

rfc2617 – HTTP Authentication: Basic and Digest Access Authentication
basic authentication – article on wikipedia

Cheers.

About this entry

You’re currently reading “ urlify http basic authentication protected websites ,” an entry on coders

Author:
fschaper
Published:
2.3.09 / 7pm
Category:
programming, tools
Feedback:
1 2 3 4 5 0 votes, rate it!