
Apache Web Server Forum

    
Code to "redirect bad domain"
Wondering about code used to redirect bad domain
jasimon9




msg:4546151
 4:04 pm on Feb 16, 2013 (gmt 0)

In a site I maintain, I found some code put in by a programmer no longer on the project nor available. Its purpose is apparently to "redirect bad domains", and as I recall was put in long ago for defensive reasons to deal with an attack. It seems indications in our web logs showed the need for this measure.

In any case, I don't understand if the code is really effective or needed. The essence of the code is to compare PHP server vars, and if $_SERVER['HTTP_HOST'] is not the same as $_SERVER['SERVER_NAME'] (plus a variation for the port), then redirect to $_SERVER['REQUEST_URI'].

Here is the actual code:

// Redirect Bad Domain
$protocol = ($_SERVER['HTTPS']) ? $URL_SSL : $URL;
if (
    $_SERVER['HTTP_HOST'] != $_SERVER['SERVER_NAME']
    && $_SERVER['HTTP_HOST'] != $_SERVER['SERVER_NAME'] . ':' . $_SERVER['SERVER_PORT']
) {
    GoToPage(rtrim($protocol_host, '/') . $_SERVER['REQUEST_URI']);
}


The two variables $URL and $URL_SSL have the actual URL for our site.

My question is then does this measure make any sense?

 

wilderness




msg:4546195
 6:24 pm on Feb 16, 2013 (gmt 0)

FWIW, this is the Apache Forum, and the lines you've provided are PHP.

jasimon9




msg:4546222
 9:21 pm on Feb 16, 2013 (gmt 0)

I appreciate your response. It just so happens that the apache server variables are accessed via PHP. But it is not a PHP question. It is an apache question. Or rather, an even more generic "bad domain redirection" question.

You might have to understand how the variables are mapped from PHP, but the question could be completely translated to a non-PHP context; it's just that that is the context I am approaching it from.

lucy24




msg:4546239
 12:24 am on Feb 17, 2013 (gmt 0)

the question could be completely translated to a non-PHP context

Well, that's the problem innit. You can't do the translating unless you speak php, so that cuts back on the number of people who can answer the question as formulated.

To someone who doesn't speak php, all you get is:

#1 Define variable "protocol" using php syntax which is not intuitively obvious to a non-speaker. (Question marks are evil. No two languages use them the same way. Sometimes the same language will use them for different things in different places.)

:: detour to php dot net, finally arriving at the Ternary Conditional Operator leading to tentative conclusion that the line, in context, doesn't mean anything that one needs to worry about ::

#2 IF the requested host is anyone other than yourself,

#3 THEN redirect to ... uh ... the page they asked for in the first place, only on their own domain instead of yours

See what I mean about needing to speak php? I've got a glimmering of a notion that this has to do with evil robots testing to see if your site can be used as a proxy, but that's as far as it goes.

wilderness




msg:4546247
 1:01 am on Feb 17, 2013 (gmt 0)


// Redirect Bad Domain
$protocol = ($_SERVER['HTTPS']) ? $URL_SSL : $URL;
if (
    $_SERVER['HTTP_HOST'] != $_SERVER['SERVER_NAME']
    && $_SERVER['HTTP_HOST'] != $_SERVER['SERVER_NAME'] . ':' . $_SERVER['SERVER_PORT']
) {
    GoToPage(rtrim($protocol_host, '/') . $_SERVER['REQUEST_URI']);
}


The above code is PHP, despite what you believe.
That it pertains to Apache is irrelevant.

As lucy suggested, you still need to find somebody that speaks PHP.

jasimon9




msg:4548102
 12:09 am on Feb 23, 2013 (gmt 0)

I believe lucy24 may be onto what this code is for: having to do with preventing evil robots looking for a proxy. Because it was originally installed during a period when some kind of attack had occurred.

I see that before people on this forum can understand the question, it needs to be translated into a pure apache question. I will attempt to put it into pseudo code (with simplification of the part about the protocol, as that is not the essence of the question):


if hostname <> servername
and hostname <> servername:port
then redirect to request_uri


In the above, here are the definitions of the variables:

hostname = Contents of the Host: header from the current request, if there is one.

servername = The name of the server host under which the current script is executing

port = The port on the server machine being used by the web server for communication. For default setups, this will be '80'; using SSL, for instance, will change this to whatever your defined secure HTTP port is.

request_uri = The URI which was given in order to access this page; for instance, '/index.html'.

lucy24




msg:4548123
 4:16 am on Feb 23, 2013 (gmt 0)

Did I get this bit backward?
#3 THEN redirect to ... uh ... the page they asked for in the first place, only on their own domain instead of yours

So you really want to do the opposite: If they ask for something that isn't on your domain, grab them by the scruff of the neck and forcibly redirect to the page that is on your domain?

Seems like this would be covered with your vanilla domain-name-canonicalization redirect-- the one that goes

RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$

You can't tell from the Apache wording, but HTTP_HOST includes the port number, if any. (And HTTP_HOST includes "HTTPS_HOST". The protocol itself is a separate condition.)

jasimon9




msg:4549325
 5:04 am on Feb 27, 2013 (gmt 0)

lucy24: yes, I think your latest post expresses the idea properly now.

We don't have that canonical redirect; our sysadmin long ago set that up in our DNS, which we run for ourselves. But it does not handle the case of "anything not our domain", just the usual stuff like missing www hostname.

I don't know the robustness or "quality" of the code I showed in the original post as compared to what would be deemed a best practice; but I do believe from what I was told at the time it was put in place, it was effective in stopping the exploit we were seeing at that time.
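
An added example, not code from the thread or from the site it describes: the same "bad host" check written against a fixed allowlist instead of SERVER_NAME, because the PHP manual notes that under Apache 2 SERVER_NAME reflects the client-supplied hostname unless UseCanonicalName is On and ServerName is set. The hostnames, constants and function names are assumptions made for illustration.

```php
<?php
// Added example: hosts and URLs below are constructed placeholders.
const CANONICAL_ORIGIN = 'https://www.example.com';          // assumed site URL
const ALLOWED_HOSTS    = ['www.example.com', 'example.com']; // assumed allowlist

/** Normalize a Host header: lowercase, drop port and trailing dot; null if malformed. */
function normalize_host(?string $raw): ?string
{
    if ($raw === null || $raw === '') {
        return null;                       // request arrived without a Host header
    }
    $host = strtolower(trim($raw));
    // Accept only hostname[:port]; rejects spaces, slashes, '@', control characters
    // and bracketed IPv6 literals, all of which are treated as "bad host" here.
    if (!preg_match('/^([a-z0-9.-]+)(?::\d{1,5})?\z/', $host, $m)) {
        return null;
    }
    return rtrim($m[1], '.');
}

/** Return the URL to redirect to, or null when the request used an allowed host. */
function bad_host_redirect(array $server): ?string
{
    $host = normalize_host($server['HTTP_HOST'] ?? null);
    if ($host !== null && in_array($host, ALLOWED_HOSTS, true)) {
        return null;
    }
    // Build the target from the fixed origin only; never echo the client's Host back.
    $path = '/' . ltrim((string)($server['REQUEST_URI'] ?? '/'), '/');
    $path = preg_replace('/[\r\n]/', '', $path);   // keep the Location header on one line
    return CANONICAL_ORIGIN . $path;
}

// Constructed sample requests (not taken from the thread's logs).
$samples = [
    ['HTTP_HOST' => 'www.example.com',     'REQUEST_URI' => '/index.html'],
    ['HTTP_HOST' => 'WWW.Example.com:443', 'REQUEST_URI' => '/index.html'],
    ['HTTP_HOST' => 'other-site.invalid',  'REQUEST_URI' => '/index.html'],
    ['REQUEST_URI' => '/'],                // no Host header at all
];
foreach ($samples as $s) {
    $target = bad_host_redirect($s);
    printf("%-20s %-12s => %s\n", $s['HTTP_HOST'] ?? '(none)', $s['REQUEST_URI'], $target ?? 'serve');
}
```

On a live page the returned URL would go to the site's own redirect helper (GoToPage in the original post) or to header('Location: ' . $target, true, 301) followed by exit.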
