PHP CORS Proxy

[adamziel]

Description

Ships a PHP-based CORS proxy we'll need to integrate git clone via fetch().

Usage

1. Run dev.sh to start a local server, then go to http://127.0.0.1:5263/proxy.php/https://w.org/ and confirm it worked.
2. Request http://127.0.0.1:5263/proxy.php/https://w.org/?test=1 to get the response from https://w.org/?test=1 plus the CORS headers.

Technical Design

Assumptions:

• Run on a separate hostname for increased origin separation, like playground-proxy.wordpress.net. Do not use a subdomain, like proxy.playground.wordpress.net.
• Stream data both ways, don't buffer.
• Don't pass auth headers in either direction.
• Refuse to request private IPs.
• Refuse to process non-GET non-POST non-OPTIONS requests.
• Refuse to process POST request body larger than, say, 100KB.
• Refuse to process responses larger than, say, 100MB.

Follow-up work

• Start a server at playground-proxy.wordpress.net.
• Implement rate limiting (could be at the hosting platform level).

Testing instructions

• Run dev.sh to start a local server, then go to http://127.0.0.1:5263/proxy.php/https://w.org/ and confirm it worked.
• Run test.sh to run PHPUnit tests, confirm they all pass.

See #1467

[adamziel]

I'll go ahead and merge. I'm happy to revisit if you have more feedback @brandonpayton @bgrgicak

[asirota]

Has this proxy been setup in production for public use yet? Doesn't seem so.

[adamziel]

@asirota not yet, @brandonpayton is looking into that. It will first be limited just to .git repositories and then gradually opened up to other URLs if we can find an abuse-proof way of doing that.