9

I try to access to the web with curl in a php script :

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, "https://www.google.fr");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

$result = curl_exec($ch);
if (curl_errno($ch)) {
    echo 'Error:' . curl_error($ch);
}

curl_close ($ch);

It returns :

Failed to connect to www.google.fr port 443: Connection refused

That's normal, I'm behind a proxy, which require my Windows credentials (NTLM) to allow internet trafic.

In MS Powershell, this works :

$request = New-Object System.Net.WebCLient
$request.UseDefaultCredentials = $true
$request.Proxy.Credentials = $request.Credentials
$request.DownloadFile($url, $path)

Using the "DefaultCredentials" (= Windows Credentials) and send them to the proxy allows me to access to the web. But I don't now how it works.

If I navigate using Firefox, Firefox always add a Proxy-Authorization header, with value : Negociate blablablablababalazdlad...

I want to transpose the .NET useDefaultCredentials solution to cURL, I tried : 

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, "https://www.google.fr");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_NTLM );
curl_setopt($ch, CURLOPT_PROXYAUTH, CURLAUTH_NTLM );

$result = curl_exec($ch);
if (curl_errno($ch)) {
    echo 'Error:' . curl_error($ch);
}

curl_close ($ch);

Without success

Alsatian
  • 3,086
  • 4
  • 25
  • 40

2 Answers2

2

curl can do this if it was built with "SSPI" support enabled. You can normally run curl -V on a prompt to check that. or php -i or invoke phpinfo(); from within PHP itself.

With SSPI

You set the CURLOPT_PROXYUSERPWD option to a blank user/passwd (in addition to the other options) just to trigger authentication, but it will then get the default credentials for you:

curl_setopt($ch, CURLOPT_PROXYUSERPWD, ":" );

The full code would then look something like this below. Note also that CURLOPT_HTTPAUTH is for authentication to the remote server, not the proxy. And I figure it unlikely you actually want HTTP auth with google...

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, "https://www.google.fr");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_PROXY, "http://proxyhost.example.com:8080/");
curl_setopt($ch, CURLOPT_PROXYAUTH, CURLAUTH_NTLM );
curl_setopt($ch, CURLOPT_PROXYUSERPWD, ":" );

$result = curl_exec($ch);
if (curl_errno($ch)) {
    echo 'Error:' . curl_error($ch);
}

curl_close ($ch);

Without SSPI

Then curl can't figure out the default credentials but instead you must set the user name and password with the CURLOPT_PROXYUSERPWD option, like this:

curl_setopt($ch, CURLOPT_PROXYUSERPWD, "clark%20kent:superman");
Daniel Stenberg
  • 54,736
  • 17
  • 146
  • 222
  • My `phpinfo();` says SSPI: Yes, and I already tried ":" as USERPWD on both PROXY and HTTP. I always get the same error Connection refused – Alsatian Aug 25 '17 at 09:28
  • Then you forgot to point out the proxy (`CURLOPT_PROXY`) so it tries to access the remote server directly. curl can't figure that out itself... – Daniel Stenberg Aug 25 '17 at 09:31
  • How can I find the proxy URL ? If I use firebug to show the content of a succeed request I only se a "Proxy-Authorization" header with value "Negociate %big_key%" – Alsatian Aug 25 '17 at 10:20
  • That header is used in a header sent to the proxy. I presume Firebug can tell you which host/machine that receives that header. That is the proxy. – Daniel Stenberg Aug 25 '17 at 12:00
  • I am till searching a way to find out the proxy name. Nothing in firebux, nothing in IE developper tools. – Alsatian Aug 29 '17 at 07:07
2

I try to access to the web with curl in a php script : https://www.google.fr

The problem is that google content is served over ssl i.e https: I've modified your code to allow https connection:

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, "https://www.google.fr");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

curl_setopt( $ch, CURLOPT_SSL_VERIFYHOST, FALSE );
curl_setopt( $ch, CURLOPT_SSL_VERIFYPEER, FALSE );
curl_setopt( $ch, CURLOPT_USERAGENT,"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)");

$result = curl_exec($ch);
if (curl_errno($ch)) {
    echo 'Error:' . curl_error($ch);
}

curl_close ($ch);

print_r( $result );

Using HTTP NTLM Authentication | CURLAUTH_NTLM

HTTP NTLM authentication. A proprietary protocol invented and used by Microsoft. It uses a challenge-response and hash concept similar to Digest, to prevent the password from being eavesdropped.

You need to build libcurl with either OpenSSL, GnuTLS or NSS support for this option to work, or build libcurl on Windows with SSPI support.

Let's put this into a simple function.

function Auth($username, $password, $endpoint)
{
    $username = ( isset( $username ) && !empty($username) ) ? trim( $username ) : '';
    $password = ( isset( $password ) && !empty($password) ) ? trim( $password ) : '';
    $proxy_address = "local.domain.com:1024";


    $ch = curl_init();

    if($ch)
        {
            curl_setopt($ch, CURLOPT_URL, $endpoint );  
            /* make use of proxy */
            curl_setopt(curl, CURLOPT_PROXY, $proxy_address );
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

            /* Allow ANY Auth */
            curl_setopt(curl,CURLOPT_PROXYAUTH, CURLAUTH_ANY );

            /* Set credentials or leave empty to prompt */
            curl_setopt(curl,CURLOPT_PROXYUSERPWD, "$username:$password" );

            $result = curl_exec($ch);

            if (curl_errno($ch)) {
                echo 'Error:' . curl_error($ch);
            }   

            curl_close($ch);
        }
}

Usage: Auth("username", "yourPassWord", "http://local.domain.com:1080/");

Let others know if this helps you

Prince Adeyemi
  • 724
  • 6
  • 12
  • Thank you for your answer. No it doesn't change anything. And I already tested it with http / 80 website, I have the same problem. – Alsatian Aug 29 '17 at 07:18
  • @Alsatian I just tested the above code it works like charm. What error are you getting if any ? You can test the same code here http://www.vegasnewspaper.com/stack/test.php – Prince Adeyemi Aug 29 '17 at 07:48
  • You didn't understand the question, it's about using windows credentials to authentificate on a proxy. – Alsatian Aug 29 '17 at 14:58