October 2008 Archives

Long time, no blog. We're steadily making progress toward upgrading CallManager 4.1.3 to Unified Communications Manager 6.1.2. Date is set for December 20, and many efforts within the VoIP team right now are focused on getting the cluster ready for that date.

One outstanding issue has been how to offer CCMUser, the Communications Manager user settings page, to the Penn State VoIP community. We want to use PSU Access Accounts--ideally, WebAccess--to log in. CUCM offers LDAP and Active Directory user integration, but neither option will work correctly in the PSU environment. We don't have access to the code of the CCMUser web site to hack at that, either.

Using Apache, WebAccess, and PHP with the libcurl module, I wrote an authentication, authorization and filtering reverse-proxy wrapper. It's not elegant, but it sure works! I can't post the code, for obvious security considerations, but here are the basic steps the script follows when a user comes along to access CCMUser:

  • Hello, you must be new here. Go authenticate with WebAccess and come back with a valid user ID.
  • Set up a PHP session to store information that needs to be maintained for the CCMUser site.
  • Check the session for stored cookies from CCMUser. If there are no cookies stored, the user hasn't been authorized there yet. Using the WebAccess user ID, in the background, take the necessary steps to authorize with CCMUser and store the resulting session cookies in the PHP session.
  • If authorization is successful, start reverse-proxying the CCMUser site via the PHP script and libcurl to the user, beginning with the CCMUser home page.
  • Filter URLs and other information as they pass through the proxy so that the user continues to interact with the site only through the confines of the proxy script.
  • A custom Logout button replaces the CCMUser logout. It destroys both the backend session with CCMUser and the PHP session with the user, then redirects to the WebAccess logout.

With this fairly simple script, the user gets the experience of single-sign-on and full functionality of the CCMUser site; we get the security of hiding CCMUser behind a firewall so that only the proxy server interacts with it; and it appears to the user as if he is directly using CCMUser.
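The URL-filtering step is where a proxy like this either holds its boundary or leaks the backend, so here is a sketch of it as an added example; it is not the author's script, which was not published. The host name, path prefix, script name and sample paths are placeholders, and it assumes the backend emits only absolute or root-relative links.

```php
<?php
// Added example. Every name below is a placeholder, not the real deployment.
const BACKEND_ORIGIN = 'https://ccm.internal.example'; // assumed firewalled host
const BACKEND_PREFIX = '/ccmuser/';                    // assumed application path
const PROXY_SCRIPT   = '/proxy.php';                   // assumed public entry point

// Inbound: map the path the browser requested to a backend URL.
// Returns null (fail closed) for anything outside the application.
function backend_url_for(string $requested): ?string
{
    $parts = parse_url($requested);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])
        || preg_match('/[\x00-\x20\x7f]/', $requested)) {
        return null;              // absolute URL, //host form, or control chars
    }
    $path = rawurldecode($parts['path'] ?? '');
    if (preg_match('/[\\\\%]/', $path)                 // backslash, double encoding
        || in_array('..', explode('/', $path), true)   // directory traversal
        || strncmp($path, BACKEND_PREFIX, strlen(BACKEND_PREFIX)) !== 0) {
        return null;
    }
    return BACKEND_ORIGIN . $parts['path']
        . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

// Outbound: turn a link found in a backend response into a proxy link.
function proxy_url_for(string $link): ?string
{
    if (strncmp($link, BACKEND_ORIGIN . '/', strlen(BACKEND_ORIGIN) + 1) === 0) {
        $link = substr($link, strlen(BACKEND_ORIGIN)); // hide the internal host
    }
    return backend_url_for($link) === null ? null : PROXY_SCRIPT . '?p=' . rawurlencode($link);
}

// Rewrite href/src/action attributes; links that fail the filter become "#".
function rewrite_html(string $html): string
{
    return preg_replace_callback('/\b(href|src|action)=(["\'])(.*?)\2/i', function (array $m): string {
        $url = proxy_url_for(html_entity_decode($m[3], ENT_QUOTES));
        return $m[1] . '=' . $m[2] . htmlspecialchars($url ?? '#', ENT_QUOTES) . $m[2];
    }, $html) ?? '';
}

// Constructed sample inputs.
foreach (['/ccmuser/home?tab=1', '/ccmuser/../ccmadmin/', '//other.example/ccmuser/', '/ccmuser/%2e%2e/ccmadmin/'] as $p) {
    printf("%-28s => %s\n", $p, backend_url_for($p) ?? 'REJECTED');
}
echo rewrite_html('<a href="https://ccm.internal.example/ccmuser/home">a</a> <a href="http://other.example/">b</a>'), "\n";
```

The same `proxy_url_for()` check applies to `Location` headers on backend redirects, which otherwise disclose the internal host name to the browser.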

Disclaimer

We are Penn State, but I am not. Opinions expressed on this blog are those of the author and do not represent the opinions of The Pennsylvania State University or any division therein, including but not limited to the author's workgroup, department, administrative unit, or campus. Technologies and ideas discussed on this blog do not describe a production service unless noted.