Welcome to WebmasterWorld Guest from 54.227.125.200

Forum Moderators: Ocean10000 & incrediBILL & phranque

Message Too Old, No Replies

Code to "redirect bad domain"

Wondering about code used to redirect bad domain

     

jasimon9

4:04 pm on Feb 16, 2013 (gmt 0)

5+ Year Member



In a site I maintain, I found some code put in by a programmer no longer on the project nor available. It's purpose is apparently to "redirect bad domains", and as I recall was put in long ago for defensive reasons to deal with an attack. It seems indications in our web logs showed the need for this measure.

In any case, I don't understand if the code is really effective or needed. The essence of the code is to compare PHP server vars, and if $_SERVER['HTTP_HOST'] is not the same as $_SERVER['SERVER_NAME] (plus a variation for the port), then redirect to $_SERVER['REQUEST_URI'].

Here is the actual code:

// Redirect Bad Domain
$protocol = ($_SERVER['HTTPS']) ? $URL_SSL : $URL;
if
(
$_SERVER['HTTP_HOST'] != $_SERVER['SERVER_NAME']
&& $_SERVER['HTTP_HOST'] != $_SERVER['SERVER_NAME'] . ':' . $_SERVER['SERVER_PORT']
)
{
GoToPage(rtrim($protocol_host, '/') . $_SERVER['REQUEST_URI']);
}


The two variables $URL and $URL_SSL have the actual URL for our site.

My question is then does this measure make any sense?

wilderness

6:24 pm on Feb 16, 2013 (gmt 0)

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



FWIW, this is the Apache Forum, and the lines you've provided are PHP.

jasimon9

9:21 pm on Feb 16, 2013 (gmt 0)

5+ Year Member



I appreciate your response. It just so happens that the apache server variables are accessed via PHP. But it is not a PHP question. It is an apache question. Or rather, an even more generic "bad domain redirection" question.

You might have to understand how the variables are mapped from PHP, but the question could be completely translated to a non-PHP context; its just that that is the context I am approaching it from.

lucy24

12:24 am on Feb 17, 2013 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



the question could be completely translated to a non-PHP context

Well, that's the problem innit. You can't do the translating unless you speak php, so that cuts back on the number of people who can answer the question as formulated.

To someone who doesn't speak php, all you get is:

#1 Define variable "protocol" using php syntax which is not intuitively obvious to a non-speaker. (Question marks are evil. No two languages use them the same way. Sometimes the same language will use them for different things in different places.)

:: detour to php dot net, finally arriving at the Ternary Conditional Operator leading to tentative conclusion that the line, in context, doesn't mean anything that one needs to worry about ::

#2 IF the requested host is anyone other than yourself,

#3 THEN redirect to ... uh ... the page they asked for in the first place, only on their own domain instead of yours

See what I mean about needing to speak php? I've got a glimmering of a notion that this has to do with evil robots testing to see if your site can be used as a proxy, but that's as far as it goes.

wilderness

1:01 am on Feb 17, 2013 (gmt 0)

WebmasterWorld Senior Member wilderness is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month




// Redirect Bad Domain
$protocol = ($_SERVER['HTTPS']) ? $URL_SSL : $URL;
if
(
$_SERVER['HTTP_HOST'] != $_SERVER['SERVER_NAME']
&& $_SERVER['HTTP_HOST'] != $_SERVER['SERVER_NAME'] . ':' . $_SERVER['SERVER_PORT']
)
{
GoToPage(rtrim($protocol_host, '/') . $_SERVER['REQUEST_URI']);


The above code is PHP, despite what you believe.
That it pertains to Apache is irrelevant.

As lucy suggested, you still need to find somebody that speaks PHP.

jasimon9

12:09 am on Feb 23, 2013 (gmt 0)

5+ Year Member



I believe lucy24 may be onto what this code is for: having to do with preventing evil robots looking for a proxy. Because it was originally installed during a period when some kind of attack had occurred.

I see that before people on this forum can understand the question, it needs to be translated into a pure apache question. I will attempt to put it into pseudo code (with simplification of the part about the protocol, as that is not the essence of the cquestion):


if hostname <> servername
and hostname <> servername:port
then redirect to request_uri


In the above, here are the definitions of the variables:

hostname = Contents of the Host: header from the current request, if there is one.

servername = The name of the server host under which the current script is executing

port = The port on the server machine being used by the web server for communication. For default setups, this will be '80'; using SSL, for instance, will change this to whatever your defined secure HTTP port is.

request_uri = The URI which was given in order to access this page; for instance, '/index.html'.

lucy24

4:16 am on Feb 23, 2013 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



Did I get this bit backward?
#3 THEN redirect to ... uh ... the page they asked for in the first place, only on their own domain instead of yours

So you really want to do the opposite: If they ask for something that isn't on your domain, grab them by the scruff of the neck and forcibly redirect to the page that is on your domain?

Seems like this would be covered with your vanilla domain-name-canonicalization redirect-- the one that goes

RewriteCond %{HTTP_HOST} !^(www\.example\.com)?$

You can't tell from the Apache wording, but HTTP_HOST includes the port number, if any. (And HTTP_HOST includes "HTTPS_HOST". The protocol itself is a separate condition.)

jasimon9

5:04 am on Feb 27, 2013 (gmt 0)

5+ Year Member



lucy24: yes, I think your latest post expresses the idea properly now.

We don't have that canonical redirect; our sysadmin long ago set that up in our DNS, which we run for ourselves. But it does not handle the case of "anything not our domain", just the usual stuff like missing www hostname.

I don't know the robustness or "quality" of the code I showed in the original post as compared to what would be deemed a best practice; but I do believe from what I was told at the time it was put in place, it was effective in stopping the exploit we were seeing at that time.
 

Featured Threads

Hot Threads This Week

Hot Threads This Month