nhalstead · January 30, 2018 16:42 · nhalstead · Jan 30, 2018
diff --git a/proxy.php b/proxy.php
 <?php
  /**
   * Warning! Read and use at your own risk!
   *
   * This tiny proxy script is completely transparent and it passes
   * all requests and headers without any checking of any kind.
   * The same happens with JSON data. They are simply forwarded.
   *
   * This is just an easy and convenient solution for the AJAX
   * cross-domain request issue, during development.
   * No sanitization of input is made either, so use this only
   * if you are sure your requests are made correctly and
   * your urls are valid.
   *
   */
   
  $method = $_SERVER['REQUEST_METHOD'];

  if ($_GET && $_GET['url']) {
    $headers = getallheaders();
    $headers_str = array();
    $url = $_GET['url'];

    // Convert the Client Request Headers to CURL Headers
    foreach ( $headers as $key => $value){
      if($key == 'Host')
        continue;
      $headers_str[]=$key.":".$value;
    }

    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_URL, $url);

    if( $method !== 'GET') {
      curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
    }

    if($method == "PUT" || $method == "PATCH" || ($method == "POST" && empty($_FILES))) {
      curl_setopt($ch, CURLOPT_POSTFIELDS, file_get_contents('php://input'));
    }
    elseif($method == "POST") {
      $data_str = array();
      if(!empty($_FILES)) {
        foreach ($_FILES as $key => $value) {
          $full_path = realpath( $_FILES[$key]['tmp_name']);
          $data_str[$key] = '@'.$full_path;
        }
      }

      curl_setopt($ch, CURLOPT_POSTFIELDS, $data_str+$_POST);
    }

    curl_setopt($ch, CURLOPT_TIMEOUT, 120);
    curl_setopt($ch, CURLINFO_SSL_VERIFYRESULT, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt( $ch, CURLOPT_AUTOREFERER, true );
    curl_setopt( $ch, CURLOPT_MAXREDIRS, 10 );
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt( $ch, CURLOPT_HTTPHEADER, $headers_str );
    curl_setopt($ch, CURLOPT_ENCODING, 'identity');

    $result = curl_exec($ch);
    $contentType = curl_getinfo($ch, CURLINFO_CONTENT_TYPE);
    $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $requestTime = curl_getinfo($ch, CURLINFO_TOTAL_TIME);
    $targetIP = curl_getinfo($ch, CURLINFO_PRIMARY_IP);
    curl_close($ch);

    header('Access-Control-Allow-Origin: *');
    header('Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT');
    header('Content-Type: '.$contentType);
    header('X-RequestTime: '.$requestTime);
    header('X-RequestTarget: '.$targetIP);
    header('X-XSS-Protection: 0');
    header('X-Frame-Options: ALLOWALL');
    header('X-Content-Type-Options: nosniff');
    header('Strict-Transport-Security: max-age=0');
    http_response_code($httpCode);

    echo $result;
  }
  else {
    echo $method;
    var_dump($_POST);
    var_dump($_GET);
    $data_str = file_get_contents('php://input');
    echo $data_str;
  }

 ?>
	<?php
	/**
	* Warning! Read and use at your own risk!
	*
	* This tiny proxy script is completely transparent and it passes
	* all requests and headers without any checking of any kind.
	* The same happens with JSON data. They are simply forwarded.
	*
	* This is just an easy and convenient solution for the AJAX
	* cross-domain request issue, during development.
	* No sanitization of input is made either, so use this only
	* if you are sure your requests are made correctly and
	* your urls are valid.
	*
	*/

	$method = $_SERVER['REQUEST_METHOD'];

	if ($_GET && $_GET['url']) {
	$headers = getallheaders();
	$headers_str = array();
	$url = $_GET['url'];

	// Convert the Client Request Headers to CURL Headers
	foreach ( $headers as $key => $value){
	if($key == 'Host')
	continue;
	$headers_str[]=$key.":".$value;
	}

	$ch = curl_init($url);
	curl_setopt($ch, CURLOPT_URL, $url);

	if( $method !== 'GET') {
	curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
	}

	if($method == "PUT" \|\| $method == "PATCH" \|\| ($method == "POST" && empty($_FILES))) {
	curl_setopt($ch, CURLOPT_POSTFIELDS, file_get_contents('php://input'));
	}
	elseif($method == "POST") {
	$data_str = array();
	if(!empty($_FILES)) {
	foreach ($_FILES as $key => $value) {
	$full_path = realpath( $_FILES[$key]['tmp_name']);
	$data_str[$key] = '@'.$full_path;
	}
	}

	curl_setopt($ch, CURLOPT_POSTFIELDS, $data_str+$_POST);
	}

	curl_setopt($ch, CURLOPT_TIMEOUT, 120);
	curl_setopt($ch, CURLINFO_SSL_VERIFYRESULT, false);
	curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
	curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
	curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
	curl_setopt( $ch, CURLOPT_AUTOREFERER, true );
	curl_setopt( $ch, CURLOPT_MAXREDIRS, 10 );
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
	curl_setopt( $ch, CURLOPT_HTTPHEADER, $headers_str );
	curl_setopt($ch, CURLOPT_ENCODING, 'identity');

	$result = curl_exec($ch);
	$contentType = curl_getinfo($ch, CURLINFO_CONTENT_TYPE);
	$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
	$requestTime = curl_getinfo($ch, CURLINFO_TOTAL_TIME);
	$targetIP = curl_getinfo($ch, CURLINFO_PRIMARY_IP);
	curl_close($ch);

	header('Access-Control-Allow-Origin: *');
	header('Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT');
	header('Content-Type: '.$contentType);
	header('X-RequestTime: '.$requestTime);
	header('X-RequestTarget: '.$targetIP);
	header('X-XSS-Protection: 0');
	header('X-Frame-Options: ALLOWALL');
	header('X-Content-Type-Options: nosniff');
	header('Strict-Transport-Security: max-age=0');
	http_response_code($httpCode);

	echo $result;
	}
	else {
	echo $method;
	var_dump($_POST);
	var_dump($_GET);
	$data_str = file_get_contents('php://input');
	echo $data_str;
	}

	?>