Understanding why proxy don't deny access with file_get_contents in PHP

Question

I have a proxy with a lot of restrictions, like: can't access youtube, facebook and a lot of anothers websites, these are company policies.

But testing a code in PHP i discovered that i can access any site using this:

<!doctype html>  
<html lang="en">  
    <head>  
        <meta charset="utf-8">  
        <title>Web Proxy</title> 
    </head> 
    <body> 
        <div style="text-align:center;"> 
            <form method="GET" action="<?=$_SERVER['REQUEST_URI']?>"> 
                <input type="url" name="url" placeholder="Type URL of site"/><input type="submit" Value="Load url" /> 
            </form> 
        </div> 
        <hr/> 
        <?php 
            $url = $_GET['url']; 
            if (!empty($url)) 
            { 
                // check we're only getting files served by a website (i.e. not ../../../passwords.txt from this server etc.)  
                if(preg_match('/^https?:/i', $url))   
                {  
                    $contents = file_get_contents($url);  
                    if($contents === FALSE)  
                    {  
                        echo "<h2>Sorry <pre>{$url}</pre> cannot be read</h2>\n";  
                    }  
                    //display contents of url  
                    else   
                    { ?>  
                        <?=$contents?>  
                        <script>for (var i=0; i<document.links.length; i++) document.links[i].href="<?=$_SERVER['PHP_SELF']?>?url="+document.links[i].href;</script>  
                    <?php }  
                }  
                else  
                {  
                    echo "<h2><pre>$url</pre> is an invalid URL</h2>\n";  
                }  
            }  
        ?>  
    </body>  
</html>  

I just wanna understand how this code can process any site ignoring the proxy policies ? I can access everything without restrictions. Someone can explain me the concept "behind the scenes" ?

Answer 1

PHP is a server-side scripting language.

So, unlike HTML/CSS/JS which get executed by your browser, PHP will be interpreted by the server first and then only the results after the script has run will be sent to your computer/browser.

That means the file_get_contents will be executing on the server that your PHP script is on. If the server that that PHP file is hosted on is not also behind your company proxies then the proxies will not effect it.

Effectively, this means that the server will first download the webpage you are trying to access and then put the results into the script's page. Your browser/computer will never actually access the $url page, only the server will.

Example: Youtube.com

• Normally: Proxy sees your computer/browser try to access Youtube.com and does not let you access
• Loaded through PHP on separate server: Server hosting script somewhere outside of company downloads youtube.com, server sends you the data via script's page. Your browser/computer never accesses youtube.com only external server does, proxy does not see youtube.com

edit: So if an HTML frame/iframe were used instead of PHP then the proxy would still deny access as HTML is not a server-side scripting language. HTML tells your browser what to do, PHP tells the server what to do before letting your computer/browser access it. When HTML is used to load the page the PROXY sees the load URL request, when PHP is used the PROXY sees only the PHP page URL