Path-style URL routing + anonymity note#49
Merged
Merged
Conversation
#24 — Path-style routing: - New root .htaccess with mod_rewrite forwarding /http(s):/target/... to index.php with PATH_INFO set - index.php detects PATH_INFO of form /http(s):/target and synthesises $_GET[_proxurl] before the existing dispatch (Apache normalises consecutive slashes, so we accept "http:/X" and restore "http://X") - Dockerfile flips AllowOverride None -> All so the shipped .htaccess actually takes effect inside the container - README documents the three accepted URL forms (query, /index.php/path, bare path), with a note on Apache requirements for the bare form #21 — Anonymity invariant: - The outbound request builder already used a known-safe header whitelist; documented this in a code comment and a new README "Anonymity" section. No behaviour change — PHProxy never forwards X-Forwarded-For, X-Real-IP, Via, or Forwarded to upstream targets Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This was referenced May 27, 2026
Closed
Closed
Closed
Closed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Two follow-ups after the #48 revive — closes the rest of the open issue backlog.
#24 — Path-style URL routing
Adds two new ways to specify the target URL on top of the existing
?_proxurl=form:phproxy.example/index.php?_proxurl=<encoded>index.phpphproxy.example/index.php/https://example.com/phproxy.example/https://example.com/Implementation:
.htaccesswith mod_rewrite rule forwarding/http(s):/target/…toindex.php/$1index.phpdetectsPATH_INFOof form/http(s):/targetand synthesises$_GET[_proxurl]before the existing dispatch (Apache normalises consecutive slashes, so we accepthttp:/Xand restorehttp://X)DockerfileflipsAllowOverride None → Allon/var/www/so the shipped.htaccesstakes effect inside the containerREADMEdocuments the three forms and the Apache requirements for the bare-path formOutbound URL rewriting is unchanged — pages still link back via the
?_proxurl=form. The new forms are additive entry points.#21 — Anonymity
Documents an existing invariant rather than changing behaviour. The outbound request builder has always constructed headers from a known-safe whitelist (method, path, Host, User-Agent, Accept, optional Referer, Cookie, Authorization, POST body headers); it never forwards
X-Forwarded-For,X-Real-IP,Via, orForwarded. Added a code comment stating the invariant and a README "Anonymity" section so users (and future maintainers) know what's guaranteed.#39 — Closed
Re-read the issue: body is two Japanese-language URLs (
m.youtube.com,google.co.jp) with no description. Same bucket as #41 / #42 — modern JS/CF-gated sites, fundamental design limitation already documented in #48's README updates. Closing on merge.Test plan
Smoke-tested inside the
php:8.5-apachecontainer (PHP 8.5.6):?_proxurl=query form still works (regression check)/index.php/https://example.com/returns the Example Domain page/https://example.com/(bare path via mod_rewrite) returns the Example Domain page/http://example.com/?foo=barpreserves the query stringedit.phpsettings page unaffected (HTTP 200)php -lcleanerror_reporting(E_ALL)+display_errors=1on the new code paths🤖 Generated with Claude Code