PHP + libcurl for a filtering reverse-proxy application

Long time, no blog. We’re steadily making progress toward upgrading CallManager 4.1.3 to Unified Communications Manager 6.1.2. Date is set for December 20, and many efforts within the VoIP team right now are focused on getting the cluster ready for that date.

One outstanding issue has been how to offer CCMUser, the Communications Manager user settings page, to the Penn State VoIP community. We want users to log in with PSU Access Accounts (ideally through WebAccess). CUCM offers LDAP and Active Directory user integration, but neither option will work correctly in the PSU environment. We don’t have access to the code of the CCMUser web site to hack at that, either.

Using Apache, WebAccess, and PHP with the libcurl module, I wrote an authentication, authorization and filtering reverse-proxy wrapper. It’s not elegant, but it sure works! I can’t post the code, for obvious security considerations, but here are the basic steps the script follows when a user comes along to access CCMUser:

  • Hello, you must be new here. Go authenticate with WebAccess and come back with a valid user ID.
  • Set up a PHP session to store information that needs to be maintained for the CCMUser site.
  • Check the session for stored cookies from CCMUser. If there are no cookies stored, the user hasn’t been authorized there yet. Using the WebAccess user ID, in the background, take the necessary steps to authorize with CCMUser and store the resulting session cookies in the PHP session.
  • If authorization is successful, start reverse-proxying the CCMUser site via the PHP script and libcurl to the user, beginning with the CCMUser home page.
  • Filter URLs and other information as it passes through the proxy so that the user continues to interact with the site only through the confines of the proxy script.
  • A custom Logout button replaces the CCMUser logout; it destroys both the backend session with CCMUser and the PHP session with the user, then redirects to the WebAccess logout.
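
As an added illustration (not the author's unposted script), here is a minimal PHP sketch of the fetch-and-filter step for a GET request: a path check so the script cannot be steered to another host, a libcurl header callback that parks CCMUser's cookies in the PHP session, and rewriting of backend URLs in both the page body and redirects. The host names, the `REMOTE_USER` convention for the WebAccess user ID and the `PATH_INFO` mapping are assumptions, not details from the post.

```php
<?php
// Added example, not the author's script; GET path of the fetch/filter step only.
// Assumptions: WebAccess ran as an Apache auth module and left the user ID in
// $_SERVER['REMOTE_USER']; CCMUser is reachable only from this host at $backend;
// Apache passes /ccmuser-proxy/<subpath> to this script in PATH_INFO.
$backend    = 'https://ccmuser.internal.example/ccmuser';   // placeholder host
$proxy_base = 'https://voip.example.edu/ccmuser-proxy';      // placeholder host
session_start();
// Accept only a plain sub-path (no "..", "//" or scheme) so the script can never be
// steered to another host or outside the CCMUser application.
function safe_path(string $raw): ?string {
    $p = '/' . ltrim($raw, '/');
    $bad = strpos($p, '..') !== false || strpos($p, '//') !== false;
    return (!$bad && preg_match('#^/[\w./?=&%-]*$#', $p)) ? $p : null;
}
// libcurl header callback: keep CCMUser's Set-Cookie values in the PHP session, so
// the browser only ever holds the proxy's own session cookie.
function capture_cookie($ch, string $line): int {
    if (preg_match('/^Set-Cookie:\s*([^=]+)=([^;]*)/i', $line, $m)) {
        $_SESSION['ccm_cookies'][$m[1]] = $m[2];
    }
    return strlen($line);              // libcurl requires the byte count consumed
}
// Fetch one backend page, replaying the stored CCMUser cookies.
function fetch(string $url): array {
    $jar = [];
    foreach ($_SESSION['ccm_cookies'] ?? [] as $k => $v) { $jar[] = "$k=$v"; }
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_COOKIE         => implode('; ', $jar),
        CURLOPT_HEADERFUNCTION => 'capture_cookie',
        CURLOPT_FOLLOWLOCATION => false,   // redirects are rewritten below, not followed
    ]);
    $body = curl_exec($ch) ?: '';
    $info = curl_getinfo($ch);
    curl_close($ch);
    return [$info['http_code'], (string) $info['content_type'], $body, $info['redirect_url']];
}
// Point every absolute backend URL (page body or Location header) back at the proxy.
function rewrite(string $text, string $backend, string $proxy_base): string {
    return str_replace($backend, $proxy_base, $text);
}
if (empty($_SERVER['REMOTE_USER'])) { http_response_code(403); exit('WebAccess login required'); }
$path = safe_path($_SERVER['PATH_INFO'] ?? '/');
if ($path === null) { http_response_code(400); exit('bad path'); }
[$code, $ctype, $body, $redir] = fetch($backend . $path);
if ($redir !== '') { header('Location: ' . rewrite($redir, $backend, $proxy_base), true, $code); exit; }
http_response_code($code); header('Content-Type: ' . $ctype);
echo stripos($ctype, 'text/html') === 0 ? rewrite($body, $backend, $proxy_base) : $body;
```

A production version would also forward POST bodies and form fields, and rewrite relative links that escape the proxied prefix, which is where most of the real filtering work goes.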

With this fairly simple script, the user gets the experience of single sign-on and the full functionality of the CCMUser site; we get the security of hiding CCMUser behind a firewall so that only the proxy server interacts with it; and it appears to the user as if he is directly using CCMUser.