Show PHP server2server connections in Fiddler (part 2)

 

 

This is the second part of my original article “Show IIS PHP server2server connections in Fiddler”. Here I will be talking about the PHP’s CURL extension.

However there are differences in this scenario:

We are not using IIS – we are using Zend Server on my local MacOS machine (Zend’s custom LAMP stack with extra goodies). However standard PHP installation should be the same. If you are using docker there will be differences with your network stack (the IP address below should be different) but you probably already know that.

We are not using Fiddler on Windows – we are using Charles on MacOS. However this is irrelevant because both Charles and Fiddler are very, very similar. I prefer Fiddler but since I am on a Mac – I am using Charles. Both proxies listen on port 8888 and show you the contents of the http requests that go through.

As mentioned in part 1 there is no universal way to tell PHP “use this proxy server for everything”. There is no universal proxy setting in php.ini. For the curl component we can set these runtime options:

curl_setopt($ch, CURLOPT_PROXY, '127.0.0.1');
curl_setopt($ch, CURLOPT_PROXYPORT, 8888);

This will work fine with plain http but. But it would give you SSL handshake failures for HTTPS. This is expected as the http proxies use their own Certificate Authorities (CAs) to cheat the system that the certificate they present is valid. However on MacOS libcurl and php-curl don’t use the system CAs so we need to tell them to use the CA root certificate we want.

To get the Charles CA root certificate, click Help > SSL proxying > Save Charles root certificate. Save the new pem file somewhere on your system. After this we set the .pem file as the CURLOPT_CAINFO option:

curl_setopt($ch, CURLOPT_HTTPPROXYTUNNEL, '1L');
curl_setopt($ch, CURLOPT_SSL_VERIFYSTATUS, 0);
curl_setopt($ch, CURLOPT_CAINFO,'/usr/local/zend/bin/charles.pem');

This should show you the server2server connections in Fiddler/Charles. Use this on dev environments only.

PS: Obviously there is no way to intercept pinned SSL sockets.