
Community News:
HTTPoxy Vulnerability Announcement
Jul 19, 2016 @ 12:40:10

Recently a major security vulnerability was announced centering around the HTTP "Proxy" header and how incorrect handling could result in major issues with external requests. In the PHP ecosystem, a major HTTP library - Guzzle - was vulnerable (along with any application using it). However, according to Michael Dowling, a lead developer on the project, a new release has already been made to correct the problem.

httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict [between the "Proxy" and "HTTP_Proxy" headers]. This leads to a remotely exploitable vulnerability. If you’re running PHP or CGI, you should block the Proxy header now. Here’s how.

The main HTTPoxy site has more information about how you can test to see if your application is vulnerable and what software/server configurations are typically vulnerable. There's also more language-specific information on the page as well as some immediate mitigations for various web server types.

tagged: httpoxy http proxy header vulnerability announcement guzzle webserver

Link: https://httpoxy.org/

ProDevTips.com:
Proxying with PHP in Ubuntu 14.04 (Apache 2.4, PHP 5.4+)
Jan 21, 2016 @ 10:46:38

The ProDevTips.com site has a tutorial posted showing you how to proxy requests with PHP on Ubuntu using Apache 2.4 and PHP version 5.4 or later.

I’ve just had to evade a Russian block of one of my employer’s sites, let’s call it CasinoX. Presumably they had blocked both www.casinox.com and www.casinox.com’s IP address (which is a Cloud Flare IP btw).

Simply pointing ru.casinox.com to the real IP address of www.casinox.com’s server was not a viable solution though as that would expose the real IP publicly which is a no-go in the online casino business as it is basically an invitation to be DDoS’ed.

The solution they came up with was to set up a server that operates as a proxy and sends all traffic to the actual web server, save the assets (images, Javascript files, etc). They include the changes you'll need to the .htaccess configuration on the proxy server to forward the requests. Then they show the updated version of your virtual hosts configuration to match these changes. From there the rest of the handling lives in PHP. They include the code for the index.php proxy handling, a Proxy class that makes curl requests to the actual web server and an ip_in_range function to get the actual IP of the user/client making the request.

tagged: proxy server apache webserver tutorial htaccess virtualhost

Link: http://www.prodevtips.com/2016/01/16/proxying-with-php-in-ubuntu-1404-apache-24-php-54/

Snack Overflow:
Unit testing static calls without refactoring the world in php
Feb 27, 2015 @ 11:55:06

The "Snack Overflow" blog (from tech.graze.com) has a recent post sharing some suggestions to help unit test static calls without having to "refactor the world" away from them.

Imagine you have a situation [using a static method call] in some legacy code. Currently we can't unit test this as we can't mock out the doSomethingElse() call. So what do we do? Well we have two options really [...] neither of which is very appealing. [...] There is, however, a third option that gains us the ability to unit test Foo without having to touch Bar at all.

This option involves creating a "proxy" object of the "Bar" class that's non-static and only returns the result of the previous class' static method. You can then correctly mock that class and return the result in a more self-contained way. He lists a few caveats with this method including the fact that it could lead to a lot of proxy objects if there are a lot of static methods to replicate.

tagged: unittest static method refactor proxy object mock tutorial

Link: http://tech.graze.com/2015/02/26/unit-testing-static-calls-without-refactoring-the-world-in-php/

SitePoint PHP Blog:
Personal Packagist with Toran Proxy
Sep 09, 2014 @ 11:43:43

In a recent tutorial on the SitePoint PHP blog, Alexander Cogneau shows you how to create a personal Packagist (the repository for Composer packages) using the Toran proxy.

Most of you reading this already know Composer. For those who don’t, you can read a previous article of mine before continuing. We can all agree that Composer has brought many good things into the PHP world. If one dares however to look for drawbacks, or better put, not included features, he could state that it is not possible to work with private repositories. That argument won’t hold anymore, since there is Toran Proxy.

He calls this the "end of the Satis era", replacing the Packagist clone that mirrors the packages locally rather than pulling them right from GitHub. Using the Toran proxy, he walks you through the setup of the proxy and using the wizard to complete the configuration. There's a personal use license for Toran that allows for one developer but after that you'd need to upgrade to the yearly/per developer pricing structure.

tagged: toran proxy packagist tutorial setup configure

Link: http://www.sitepoint.com/personal-packagist-toran-proxy/

The PHP.cc Blog:
PHPUnit 4.0: Test Proxies
Mar 12, 2014 @ 10:13:08

On thePHP.cc blog today there's another post looking at an improvement in the latest release of the popular PHP unit testing tool, PHPUnit 4.0.0. In the post Sebastian Bergmann looks at test proxies.

One of the highlights of PHPUnit 4.0, which was released last week, is improved support for integration testing through so-called test proxies. [...] PHPUnit has had built-in support for stubs and mocks for quite some time. These stubs and mocks can be used in every context where an object of the original class is expected. As it should be, the code of the original class is not executed when a method is called on the stub or mock. [...] PHPUnit 4.0 introduces the concept of test proxies [...] to have an object that provides the same API for expectations as a mock object while at the same time proxying method calls to the original class.

He includes some code examples to help illustrate. He creates a "SimpleWorkflow" class and shows how to test the execution of its "doWork" function to return the correct kind of "Result".

tagged: phpunit test proxy unittest introduction release

Link: http://thephp.cc/viewpoints/blog/2014/03/phpunit-4-0-test-proxies

Chris Hartjes:
The Power of the BrowserProxyMob
Nov 19, 2013 @ 10:49:38

In this new post to his site Chris Hartjes shares a tool he's found to help with automated front-end testing for web applications - BrowserMobProxy.

At work I have been involved with an effort to put some automated front-end testing in place. The combination of Behat, Mink running tests using PhantomJS is a good one for this. Open source, easy to configure, handles JavaScript-heavy pages reasonably well. There was just one wrinkle in our plans: our use of local host files. [...] So clearly what was needed [to solve a hosts file switching issue] was a proxy. After doing a little bit of digging around I found a solution: BrowserMobProxy.

He briefly introduces the tool and helps you get it installed (as well as the library you'll need to interface with the proxy). His library hooks into a running PhantomJS instance and the BrowserMobProxy, generates the right hosts file (not included) and continues on with the tests.

tagged: browserproxymob proxy http request phantonjs unittest behat mink

Link: http://www.littlehart.net/atthekeyboard/2013/11/18/the-power-of-the-browserproxymob/

PHPMaster.com:
Getting Started with Varnish
Jan 22, 2013 @ 10:37:17

On PHPMaster.com today there's a new tutorial that can help you increase the performance of your application relatively painlessly with the help of the Varnish proxy tool. The article helps you get started.

Varnish is a reverse proxy server; it sits in front of your web server and serves content from your server and no one else’s. Reverse proxy servers are tightly coupled to the web server and can act on messages received from it. [...] Simply put, Varnish does one thing: serve web content super fast.

You'll need command line access to the machine (as well as permissions to install the software) but getting it installed is a simple "apt-get" away. There's a bit of configuration to set up to get it up and working, but it's only a few lines...and examples are included in the tutorial. They get into some of the more advanced configuration options too, like the time-to-live and changing the port it listens on. Varnish isn't just for PHP applications either - it can be used effectively for any kind of web application as it's just a proxy layer that sits on top and waits for requests.

tagged: varnish tutorial application cache reverse proxy

Link:

Shashikant Jagtap:
Automating Web Performance Data Collection with Behat and BrowserMob Proxy
Oct 31, 2012 @ 10:19:40

Shashikant Jagtap has a post showing how to combine the Behat TDD testing tool and the BrowserMob-Proxy to make an automated system that collects performance data on your applications (including load time, recording headers and simulations of network traffic and latency).

BrowserMob Proxy is a utility which is used for capturing HTTP traffic and performance data from the browser. BrowserMob-Proxy adds in essential missing capabilities such as checking HTTP status codes and injecting headers for HTTP Basic Auth. Web Performance data can be manually captured by other tools like Firebug or Developers Tools. Using BrowserMob Proxy we can capture performance data in HAR format while running automated tests.

He includes the commands you'll need to set up the PHP interface for BrowserMob (PHPBrowserMob), the proxy itself, and a sample test and context file that runs some checks against Facebook.

tagged: behat tdd testing functional browsermob proxy performance data

Link:

DZone.com:
Sencha Touch 2 Models - Loading And Saving Model Data Using a Proxy, PHP Example
Aug 31, 2012 @ 11:54:19

On DZone.com there's a new tutorial posted (by Jorge Ramon) about hooking together the models of Sencha's Touch 2 with a PHP backend to make saving data to them simpler via a proxy.

Sencha Touch models have the ability to work with a proxy. This feature allows you to save and retrieve model data from the server, memory or local storage, without depending on a Sencha Touch data store. Let’s try it with a very simple scenario where the server side is a PHP page.

The article includes both the Javascript to create the models (along with its proxy and custom API methods defined) as well as the PHP that powers the backend. The PHP just reads from the "php://input" stream and echoes back out JSON, but it gives you an idea of what to expect to receive. For more information on Sencha Touch, check out their documentation.

tagged: senchatouch2 model backend save proxy tutorial

Link:

Gonzalo Ayuso:
Building a simple API proxy server with PHP
Aug 14, 2012 @ 11:07:56

In some of his work with Backbone.js recently, Gonzalo Ayuso has been frustrated by something that's a wall for many developers wanting to work with outside datasources - the browser restriction that prevents cross-domain requests. His solution? Create a REST proxy to live on his server and pass the requests through.

Nowadays there is a header to allow it: Access-Control-Allow-Origin. The problem is that the remote server must set up this header. For example I was playing with github’s API and github doesn’t have this header. If the server is my server, it's pretty straightforward to put this header but obviously I’m not the sysadmin of github, so I cannot do it. What's the solution? One possible solution is, for example, create a proxy server at localhost with PHP.

He shares the full code for his project - basically a handler that takes the incoming request and mirrors it out to the public, remote API - request method and all. It uses some of the packages from Symfony (like the http-foundation) and wraps around cURL to handle the requests. The project is available for Composer users as well.

tagged: api proxy server tutorial rest curl wrapper

Link: