joshdick / miniProxy

🚨⚠️ UNMAINTAINED! ⚠️🚨 A simple PHP web proxy.
http://joshdick.github.io/miniProxy
GNU General Public License v3.0
860 stars 544 forks

Whitelist client domain names #118

Closed bw7432 closed 6 years ago

bw7432 commented 6 years ago

Hi, is there a way to whitelist certain domain names that are making requests through the proxy? In my case, a server will be making HTTP calls through the proxy (as opposed to doing it in the browser). I'd like to restrict it to only proxy requests originating from a specific domain name. I would really appreciate any help you can give me.

BelleNottelling commented 6 years ago

There's a whitelist function built into it. Look near the top of the PHP file.

joshdick commented 6 years ago

@BenNottelling, @bw7432 is asking about whitelisting clients that can access the proxy, rather than about the whitelist of domains that are allowed to be loaded through the proxy, which is what's currently built into miniProxy.

I don't want to add this feature to miniProxy for general use, but it should be easy to get working for your use case. The simplest way is to whitelist by IP address rather than hostname.

Right above //Extract and sanitize the requested URL, handling cases where forms have been rewritten to point to the proxy. in the current proxy code, add this:

if ($_SERVER['REMOTE_ADDR'] !== "[your server's IP here]") {
  die("Access is disallowed by the server administrator.");
}

If the script is running behind a reverse proxy, you may need to use $_SERVER['HTTP_X_FORWARDED_FOR'] in place of $_SERVER['REMOTE_ADDR'].

I believe this solves the issue so I'm going to close it, but feel free to keep the conversation going here.
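
Added example, not part of the comment above and not miniProxy code: a client allowlist that consults X-Forwarded-For only when the connecting peer is a known reverse proxy, since that header is supplied by the client otherwise. The constant names, function names and all addresses (RFC 5737 documentation ranges) are assumptions made for illustration.

```php
<?php
// Added example, not miniProxy code. Addresses are constructed placeholders.
const ALLOWED_CLIENTS = ['203.0.113.10']; // assumption: the server allowed to use the proxy
const TRUSTED_PROXIES = ['192.0.2.1'];    // assumption: your own reverse proxy, if any

/**
 * Return the client address to authorize, or null if it cannot be established.
 * X-Forwarded-For is a request header, so it is only consulted when the TCP
 * peer (REMOTE_ADDR) is one of our trusted proxies.
 */
function resolveClientIp(array $server, array $trustedProxies): ?string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    if (!in_array($peer, $trustedProxies, true)) {
        return $peer; // direct connection: ignore any forwarded header
    }
    // Walk the chain right to left; the first hop that is not one of our
    // proxies is the address our proxy actually saw.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    foreach (array_reverse($hops) as $hop) {
        if (filter_var($hop, FILTER_VALIDATE_IP) === false) {
            return null; // missing or malformed header: fail closed
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return null; // only proxy addresses listed
}

function isAllowedClient(array $server): bool
{
    $ip = resolveClientIp($server, TRUSTED_PROXIES);
    return $ip !== null && in_array($ip, ALLOWED_CLIENTS, true);
}

// Constructed sample requests, shaped like $_SERVER.
$samples = [
    'direct from listed server' => ['REMOTE_ADDR' => '203.0.113.10'],
    'direct, header names listed server' => ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_X_FORWARDED_FOR' => '203.0.113.10'],
    'via proxy, listed server' => ['REMOTE_ADDR' => '192.0.2.1', 'HTTP_X_FORWARDED_FOR' => '203.0.113.10'],
    'via proxy, extra left-hand entry' => ['REMOTE_ADDR' => '192.0.2.1', 'HTTP_X_FORWARDED_FOR' => '203.0.113.10, 198.51.100.7'],
];
foreach ($samples as $label => $server) {
    printf("%-36s %s\n", $label, isAllowedClient($server) ? 'allow' : 'deny');
}
```

In miniProxy the call would be `isAllowedClient($_SERVER)` at the point where the snippet above is placed, followed by `die()` when it returns false.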

bw7432 commented 6 years ago

Thanks @joshdick, would it be too difficult to whitelist the client by domain name instead of IP? I'm using an app running on Heroku with a dynamic IP to proxy a remote API that uses static whitelisting of IPs. Whitelisting the client by IP would defeat the purpose. So I suppose I could put the proxy behind some base64 encoded string in a path, and I don't think anyone would find it, but I'd like to whitelist it by domain name. Thanks for your help!

BelleNottelling commented 6 years ago

@bw7432 there is a way to get the IP of a domain in PHP. I'm not sure what it is, though.

joshdick commented 6 years ago

@bw7432 I can’t give a specific answer because I don’t know what information is available to miniProxy by the time the incoming request makes it through Heroku’s infrastructure. Try placing the following script wherever you host miniProxy, then access it from your server:

<?php
var_dump($_SERVER);
?>

If any of the values that you see are the domain you want to whitelist, use the corresponding key from $_SERVER in the snippet above, in place of REMOTE_ADDR.

If not, I’m not sure what else to try.