I do some development @ the office from time to time and I've run into an issue where I can't use file_get_contents b/c it returns an unauthorized error... at work we pipe IE/Firefox through the corporate proxy script

how can I tell php it needs to do the same?

    scrupul0us wrote:

    I do some development @ the office from time to time and I've run into an issue where I can't use file_get_contents b/c it returns an unauthorized error... at work we pipe IE/Firefox through the corporate proxy script

    how can I tell php it needs to do the same?

    Needs to do what?

    Here is information:
    Chapter 39. Using remote files
    http://www.php.net/manual/en/features.remote-files.php
    🙂

      Might be worth reading this

      http://uk3.php.net/manual/en/function.stream-context-get-default.php

      If it requires authentication then curl may be better. Best person to ask is a nice knowledgeable internal network person and get a list of exact requirements (Basic or Digest Authentication), etc.

      Bigger the company less chance you will get anything unless you talk to someone very nice. Some will know but won't tell you as it is deemed not important for you to know. Browsers also make this appear very easy as they are useless without it.

        halojoy wrote:

        Needs to do what?

        if I try to browse the web here at work on a vanilla machine with no proxy address specified I cannot browse the web or the internal network

        once I tell the browser where to find the proxy script I am able to browse the web as such

        what I need to tell php is that it TOO needs to look through the proxy in order to connect out

        based on the link you provided that is not my issue... the server I'm developing on is on a USB drive... if I bring it home and load the script up everything works fine (I'm connected through a router at home)... but at work it fails b/c it needs to go through the proxy somehow

          I'm not concerned with it being visible in javascript since the server only runs on localhost and is only accessible from localhost

          that being said I'll dig into the two links provided and see what I come up with

          thanks to you both

            "[function.file-get-contents.html]: failed to open stream: HTTP request failed! HTTP/1.1 401 Unauthorized"

            If you are trying to go straight out through the firewall then that could be the message displayed by it when traffic is trying to go somewhere outside its whitelist when not coming from the proxy ip. If that is the proxy then it is requesting authentication. Messages are kept generic to keep it hard to reverse engineer.

            Trying to work in locked down environment is a pain. Completely at the whim of the Network Admin team, who most likely get an enjoyment out of stopping people doing stuff. I know one client who throws away any form posts above a certain size which stops people uploading to youtube and stuff. All that gets to the server is nothing; I had to step the client incrementally up the filesizes when I could upload 20MB easily. Not nice when you are writing stuff that relies on large filesize uploading.

            The javascript file is just a set of conditionals to say when to go direct (the whitelist) and when to go through the proxy. Java does pac file parsing but I cannot find one for PHP.

               // Case 2: Browser IP: Monash South Africa network
               // Remote Destination: nested if see below
               if (isInNet(myIpAddress(), "168.210.50.0",  "255.255.255.0"  ) ||
                   isInNet(myIpAddress(), "130.194.11.95", "255.255.255.255") ||
                   isInNet(myIpAddress(), "172.24.64.0",   "255.255.224.0"  )) {

                   // Remote Destination: Local Monash South Africa network
                   if (dnsDomainIs(host, ".monash.ac.za")   ||
                       dnsDomainIs(host, ".zaf.monash.edu") ||
                       isInNet(host, "168.210.50.0",  "255.255.255.0"  ) ||
                       isInNet(host, "130.194.11.95", "255.255.255.255") ||
                       isInNet(host, "172.24.64.0",   "255.255.224.0"  )) {
                       return "DIRECT";
                   }
                   // Remote Destination: Not Monash South Africa network
                   return "PROXY proxy.zaf.monash.edu:8080"; // proxy address
               }
            

            It's just so they don't have to go around updating everyone if it changes.

            If you are doing work related stuff you can ask for the address to be added to the whitelist. Someone might be nice and it makes it very easy, depends on the company. I have an image of the worst admin who kept everything locked down, completely argumentative but put the company database on a share as they didn't know how they worked. Big very important database to the company and it was copied a few times. Most others were technically better but when a job involves mostly disabling people from doing things being a pain in the rear, even ideologically, is a plus.

            I'd like to be able to give you an easy way to do it but hacking the ip of the proxy and creating a $context for file_get_contents generated with stream_context_get_default is the simplest. Basic authentication will make it harder, digest pain in the rear.

            Really you have to hack your way outside by reverse engineering it. Every network is different, and a lot of things that will make your life hard are just checkboxes to an admin (windows one anyway).

            I warn you some admins might try and get you sacked/complain to your manager for doing it. All to do with the company and any idiocy it may contain.

            If you do get through, follow up, as this stuff is pretty useful to know and may turn up in google searches for other people to try.

            Sorry I can't be much more help, but I am on the outside and this is an inside job.
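The stream-context approach mentioned in the post above, as an added example that is not part of the original thread: it routes `file_get_contents` through a proxy and tells a 407 from the proxy apart from a 401 like the one quoted. The proxy address, the `PROXY_USER` / `PROXY_PASS` environment variables and the function name are placeholders; PHP's http wrapper sends whatever header it is given but does not perform an NTLM handshake, so this covers Basic proxy authentication only.

```php
<?php
// Added example. Placeholder endpoint: use the PROXY entry your PAC file returns.
const PROXY_ENDPOINT = 'tcp://proxy.example.internal:8080';

/**
 * Fetch $url through the proxy with file_get_contents().
 * Credentials are read from the environment (hypothetical variable names)
 * so they are not hard-coded in a script that travels on a USB drive.
 */
function fetch_via_proxy(string $url): string
{
    $headers = [];
    $user = getenv('PROXY_USER');
    $pass = getenv('PROXY_PASS');
    if ($user !== false && $pass !== false) {
        // Basic scheme: base64 is an encoding, not encryption.
        $headers[] = 'Proxy-Authorization: Basic ' . base64_encode("$user:$pass");
    }

    $context = stream_context_create(['http' => [
        'proxy'           => PROXY_ENDPOINT,
        'request_fulluri' => true,  // proxies expect the absolute URI in the request line
        'header'          => $headers,
        'ignore_errors'   => true,  // keep 4xx/5xx responses so the status can be inspected
        'timeout'         => 10,
    ]]);

    $body = file_get_contents($url, false, $context);
    if ($body === false) {
        throw new RuntimeException("No response for $url (proxy unreachable or connection refused)");
    }

    // The http wrapper fills $http_response_header in the calling scope;
    // after redirects it holds several status lines, so take the last one.
    $statusLines = preg_grep('~^HTTP/\S+\s+\d{3}~', $http_response_header ?? []);
    $statusLine  = end($statusLines) ?: '';
    $code = preg_match('~^HTTP/\S+\s+(\d{3})~', $statusLine, $m) ? (int) $m[1] : 0;
    if ($code === 407) {
        throw new RuntimeException('407: the proxy itself is asking for credentials');
    }
    if ($code === 401) {
        throw new RuntimeException('401: the origin server or a filtering device rejected the request');
    }
    if ($code === 0 || $code >= 400) {
        throw new RuntimeException("Unexpected status: $statusLine");
    }
    return $body;
}

echo strlen(fetch_via_proxy('http://example.com/')), " bytes\n";
```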

              there's no way I'd get any help from the IT people... I work for corp America and the IT helpdesk we call for help doesn't have any more rights on the network than we do, they have to beg for perms from the high ups... pretty weak situation

              they flipped sheit when I asked for external access to LDAP so I could develop my internal department software from home (LDAP auth system) and they were blown away that I had any idea what I was doin... they denied my ticket request for the port to be opened

              it's a bunch of wankers I tell yas... worst case I just RDP into my home machine and develop remotely... I was hoping for an easy route using php to just give the proxy addy and my AD login and pass to auth through

                Getting the proxy addy is fairly easy. The AD part well there was this thread

                http://www.phpbuilder.com/board/showthread.php?t=10346051

                I was working on something with an ISA server in a VMWARE session to do some testing on a JAVA thing and I couldn't find an easy way in JAVA back then so I just slapped it in an applet and let the browser handle the authentication stuff.

                Another tool for stuff I use is fiddler. Excellent thing that may help you with your authentication.

                http://www.fiddlertool.com/Fiddler/help/ at the bottom about combining with an upstream proxy. You might be able to use fiddler to route your request from php through the windows system and that should handle the authentication. Fingers crossed. If it does work then it's a trick that may work anywhere. You'll still have to do the context bit in the file_get_contents though to route through fiddler. It will also tell you exactly what is happening.

                I come from a corporate networking background, if you are not a wanker to start it can make you a wanker at the end. Saying no all the time is not good for someone's well being.

                Though I did also experience the division that dealt with external companies' systems join our network with a bank's by accident. Don't know how long it had been like that as we only picked it up one day by accident playing with packet sniffing. It is so easy to screw up in that field if given any power (in windows/gui environments especially) that people are paranoid. If you ever watch Little Britain it really is a case of "Computer says no".

                I am really unsure if I could work in that environment again. Really wasn't good for me.

                They want to make it hard, as if they made it too easy then all sorts of stuff would go in/out of port 80. If you get out and they find out they may take it as you are beating them, if they are petty they might try and find a way to block you 🙂

                  5 days later

                  I just don't get why it should be so hard...

                  can I just send a header with my AD login and pass?

                  I guess I just don't understand...

                  I know the IP of the proxy
                  I have full access to the contents of the proxy script

                  I've had instances with software where I had to enter my l/p credentials into the config so it could get out via the proxy... I just don't (again) understand why that should be so hard to do with PHP

                    Look at using cURL. Specifically, look at the manual page for curl_setopt, as it mentions allowing you to provide the address of a proxy server and use a given set of credentials for NTLM authentication.
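The cURL route suggested above, as an added example that is not part of the original thread: the `curl_setopt` options that point a request at a proxy and answer its NTLM challenge. The proxy address, the `PROXY_USER` / `PROXY_PASS` environment variables and the function name are placeholders, and it assumes the PHP cURL extension is linked against a libcurl built with NTLM support.

```php
<?php
/**
 * Fetch $url through an NTLM-authenticating proxy using the cURL extension.
 * Added example: endpoint and environment variable names are placeholders.
 */
function curl_fetch_via_ntlm_proxy(string $url): string
{
    $proxy = 'proxy.example.internal:8080';   // placeholder host:port
    $user  = getenv('PROXY_USER');            // e.g. DOMAIN\username
    $pass  = getenv('PROXY_PASS');
    if ($user === false || $pass === false) {
        throw new RuntimeException('Set PROXY_USER and PROXY_PASS in the environment first');
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,            // return the body instead of printing it
        CURLOPT_PROXY          => $proxy,
        CURLOPT_PROXYAUTH      => CURLAUTH_NTLM,   // let libcurl run the NTLM handshake
        CURLOPT_PROXYUSERPWD   => "$user:$pass",
        CURLOPT_CONNECTTIMEOUT => 10,
        CURLOPT_TIMEOUT        => 30,
        // Keep TLS verification on; a proxy in the path is no reason to disable it.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
    ]);

    $body = curl_exec($ch);
    if ($body === false) {
        // For https:// URLs a rejected CONNECT surfaces here rather than as a status code.
        throw new RuntimeException('cURL error: ' . curl_error($ch));
    }

    $code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    if ($code === 407) {
        throw new RuntimeException('407: the proxy rejected the supplied credentials');
    }
    if ($code >= 400) {
        throw new RuntimeException("Request failed with HTTP status $code");
    }
    return $body;
}

echo strlen(curl_fetch_via_ntlm_proxy('https://www.php.net/')), " bytes\n";
```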

                      beautiful... I will give it a whack at the office tomorrow

                        Another solution could be to allow the webserver to bypass the authentication.

                        This is the approach I've done at a corporate location in the past; transparent authentication was enabled on the network requiring all internet access to be authenticated with a proxy server via NTLM (integrated Windows) authentication before it was allowed out through the firewall. For certain servers, however, I didn't want to go into the services snap-in and start the services (ex. IIS) with a domain account. In the end, I simply allowed certain (reserved) IP's to bypass transparent authentication at the proxy server.

                          I have no such access to do that nor would my request go answered (see above)

                          with my company it's us always working around "them"

                            Ah. Guess I had an advantage back at my old high school... I was one of the elite "them". :p

                              heh, hs was a diff ballgame... when you were one of the two kids who knew how to get the windows desktop back in lieu of the novell desktop... that was "elite" 😉

                                High school was definitely a different ball game for me... having the enterprise admin account password and passwords to the firewalls/routers/etc. :p
