
A simple way to get around local proxy restrictions

It all started when I once needed to get onto VKontakte.
At that time I was working in a large company. The local proxy server blocked every request whose content showed signs of this resource, and not only this one. I knew about anonymizers, of course, but after testing the speed and capabilities of such a service I was extremely upset.
In addition, the way the web is built means that any node the traffic passes through can view it, and HTTP traffic is transmitted in the clear.
And you still have to pay money for this, while I had an external IP and my own web server at my disposal.
So the idea was born to write a simple script that redirects traffic and strips out the information the proxy filters on.

First, a caveat: the web proxy is built on:
- Apache 2
- PHP with mod_rewrite, php_curl
Only VKontakte and its specifics are covered.

So, let's begin


In .htaccess you need to add these lines:
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-l
  RewriteRule ^(.*)$ /_?url=$1 [QSA]

This will redirect traffic to a single file.
script_name: do not name the script index.php or the like.

Next, authorization


If you simply redirect all requests to a single script, authorization will not work. Requests should be sent to 2 domains: vkontakte.ru/login.php and login.vk.com/?act=login
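  // $ch is the cURL handle created earlier with curl_init();
  // $email and $pass hold the submitted credentials.
  curl_setopt($ch, CURLOPT_POST, 1);
  // urlencode() keeps characters such as & or = in the values from breaking the form body
  curl_setopt($ch, CURLOPT_POSTFIELDS, "email=".urlencode($email)."&pass=".urlencode($pass));
  curl_setopt($ch, CURLOPT_URL, 'http://vkontakte.ru/login.php');
  $body = curl_exec($ch);

  // Same form body, sent to the second login endpoint
  curl_setopt($ch, CURLOPT_POST, 1);
  curl_setopt($ch, CURLOPT_POSTFIELDS, "email=".urlencode($email)."&pass=".urlencode($pass));
  curl_setopt($ch, CURLOPT_URL, 'http://login.vk.com/?act=login');
  $body = curl_exec($ch);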


Subdomains


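I have not seen domains deeper than the third level on VK, so I did not parse the domain fully.
  // $cnt_server is defined elsewhere in the script; assumed here to be the
  // number of labels in the proxy's own host name.
  $subdomain = explode(".", $_SERVER['SERVER_NAME']);
  if (count($subdomain) > $cnt_server)
      $sub = $subdomain[0].".";   // extra leading label: the mirrored subdomain
  else
      $sub = "";

All (*) subdomains also need to be added to DNS and to the VirtualHost.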

Queries, GET and POST


Queries are not so simple either: parameters can be two-level (nested) arrays. This applies to search in particular, so it has to be taken into account. I did not notice deeper nesting.
I did it like this:
  // $link is assumed to already hold the target URL built earlier in the script.
  $gl = $_GET;
  $first_get = true;
  $flink = false;
  foreach ($gl as $key_get => $value_get) {
      // Skip the first parameter: it is the "url" value added by the RewriteRule.
      if (!$flink) {
          $flink = true;
          continue;
      }
      if (is_array($value_get)) {
          // One level of nesting: key[subkey]=value
          foreach ($value_get as $dbkey_get => $dbvalue_get) {
              // Compare with "" rather than empty() so that a value of "0" is kept.
              $link .= ($first_get ? "?" : "&").$key_get."[".$dbkey_get."]"
                     .($dbvalue_get !== "" ? "=".urlencode($dbvalue_get) : "");
              $first_get = false;
          }
      } else {
          $link .= ($first_get ? "?" : "&").$key_get
                 .($value_get !== "" ? "=".urlencode($value_get) : "");
          $first_get = false;
      }
  }

POST requests are similar.

Filtering


Nothing supernatural is used here: ordinary regular expressions and string functions remove the filtered content and rewrite links.

Also do not forget that VK works with the Windows-1251 encoding.
JavaScript may also be served gzip-compressed, which the cURL library handles:
  curl_setopt($ch, CURLOPT_ENCODING, 'gzip');

This option also works correctly with uncompressed JS scripts.

Finally


I want to say that this script was used, and successfully.
Bypassing the filtering proxy server, i.e. the robot, is easy, but the admins have not gone anywhere, and deceiving them is another matter entirely.
Obviously, most of the traffic is images. To avoid raising suspicion about large traffic from a single IP, it was planned to write a distributed system for loading them, but this did not happen.
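From the administrator's side, the pattern described above (one client sending most of its web traffic, largely images, to a single external IP reached through several subdomains) shows up in the filtering proxy's own access log. The following is an added example, not part of the original post, that flags such client/destination pairs; the log layout, the thresholds and every sample value are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of a filtering proxy's access log (assumed layout):
# client_ip  dest_ip  host  bytes  content_type
SAMPLE_LOG = """\
10.0.0.15 203.0.113.7 home.example.net 48210 text/html
10.0.0.15 203.0.113.7 cs1.home.example.net 913442 image/jpeg
10.0.0.15 203.0.113.7 cs2.home.example.net 1204871 image/jpeg
10.0.0.15 203.0.113.7 login.home.example.net 2304 text/html
10.0.0.15 198.51.100.20 docs.example.org 120000 text/html
10.0.0.22 198.51.100.20 docs.example.org 640000 text/html
10.0.0.22 192.0.2.44 cdn.example.com 710000 image/png
10.0.0.22 192.0.2.80 mail.example.com 505000 text/html
truncated line
"""

def parse(log):
    """Yield (client, dest, host, size, ctype); skip malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[3].isdigit():
            yield parts[0], parts[1], parts[2], int(parts[3]), parts[4]

def suspicious_pairs(log, min_share=0.6, min_hosts=3, min_bytes=1_000_000):
    """Flag client/destination-IP pairs that carry most of a client's traffic
    across several host names. Thresholds are illustrative assumptions."""
    total = defaultdict(int)  # bytes per client
    stats = defaultdict(lambda: {"bytes": 0, "image": 0, "hosts": set()})
    for client, dest, host, size, ctype in parse(log):
        total[client] += size
        s = stats[(client, dest)]
        s["bytes"] += size
        s["hosts"].add(host)
        if ctype.startswith("image/"):
            s["image"] += size
    findings = []
    for (client, dest), s in sorted(stats.items()):
        if s["bytes"] == 0 or s["bytes"] < min_bytes:
            continue  # too little traffic to judge (also avoids dividing by zero)
        share = s["bytes"] / total[client]
        if share >= min_share and len(s["hosts"]) >= min_hosts:
            findings.append({"client": client, "dest": dest, "hosts": len(s["hosts"]),
                             "share": round(share, 2),
                             "image_share": round(s["image"] / s["bytes"], 2)})
    return findings

if __name__ == "__main__":
    for finding in suspicious_pairs(SAMPLE_LOG):
        print(finding)
```

On the constructed sample only the pair 10.0.0.15 / 203.0.113.7 is reported; the second client spreads its traffic over several destinations and stays below every threshold.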

PS This implementation allows you to play audio and video content, while some analogues do not support this feature. Games, unfortunately, are not supported.

PPS Honestly, after VK switched to HTTPS authorization (I don't know when that happened), I did not check the script, or rather whether authorization still works.

Source: https://habr.com/ru/post/126840/

