FWIW, this is the Apache Forum, and the lines you've provided are PHP.

I appreciate your response. It just so happens that the apache server variables are accessed via PHP. But it is not a PHP question. It is an apache question. Or rather, an even more generic "bad domain redirection" question.

You might have to understand how the variables are mapped from PHP, but the question could be completely translated to a non-PHP context; its just that that is the context I am approaching it from.

the question could be completely translated to a non-PHP context

Well, that's the problem innit. You can't do the translating unless you speak php, so that cuts back on the number of people who can answer the question as formulated.

To someone who doesn't speak php, all you get is:

#1 Define variable "protocol" using php syntax which is not intuitively obvious to a non-speaker. (Question marks are evil. No two languages use them the same way. Sometimes the same language will use them for different things in different places.)

:: detour to php dot net, finally arriving at the Ternary Conditional Operator leading to tentative conclusion that the line, in context, doesn't mean anything that one needs to worry about ::

#2 IF the requested host is anyone other than yourself,

#3 THEN redirect to ... uh ... the page they asked for in the first place, only on their own domain instead of yours

See what I mean about needing to speak php? I've got a glimmering of a notion that this has to do with evil robots testing to see if your site can be used as a proxy, but that's as far as it goes.

// Redirect Bad Domain
$protocol = ($_SERVER['HTTPS']) ? $URL_SSL : $URL;
if
(
$_SERVER['HTTP_HOST'] != $_SERVER['SERVER_NAME']
&& $_SERVER['HTTP_HOST'] != $_SERVER['SERVER_NAME'] . ':' . $_SERVER['SERVER_PORT']
)
{
GoToPage(rtrim($protocol_host, '/') . $_SERVER['REQUEST_URI']);

The above code is PHP, despite what you believe.
That it pertains to Apache is irrelevant.

As lucy suggested, you still need to find somebody that speaks PHP.

I believe lucy24 may be onto what this code is for: having to do with preventing evil robots looking for a proxy. Because it was originally installed during a period when some kind of attack had occurred.

I see that before people on this forum can understand the question, it needs to be translated into a pure apache question. I will attempt to put it into pseudo code (with simplification of the part about the protocol, as that is not the essence of the cquestion):

if hostname <> servername
and hostname <> servername:port
then redirect to request_uri

In the above, here are the definitions of the variables:

hostname = Contents of the Host: header from the current request, if there is one.

servername = The name of the server host under which the current script is executing

port = The port on the server machine being used by the web server for communication. For default setups, this will be '80'; using SSL, for instance, will change this to whatever your defined secure HTTP port is.

request_uri = The URI which was given in order to access this page; for instance, '/index.html'.

Did I get this bit backward?

#3 THEN redirect to ... uh ... the page they asked for in the first place, only on their own domain instead of yours

So you really want to do the opposite: If they ask for something that isn't on your domain, grab them by the scruff of the neck and forcibly redirect to the page that is on your domain?

Seems like this would be covered with your vanilla domain-name-canonicalization redirect-- the one that goes

RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$

You can't tell from the Apache wording, but HTTP_HOST includes the port number, if any. (And HTTP_HOST includes "HTTPS_HOST". The protocol itself is a separate condition.)

lucy24: yes, I think your latest post expresses the idea properly now.

We don't have that canonical redirect; our sysadmin long ago set that up in our DNS, which we run for ourselves. But it does not handle the case of "anything not our domain", just the usual stuff like missing www hostname.

I don't know the robustness or "quality" of the code I showed in the original post as compared to what would be deemed a best practice; but I do believe from what I was told at the time it was put in place, it was effective in stopping the exploit we were seeing at that time.