2

I have 2 web servers, Server A & Server B. Both running PHP5 + Apache + Ubuntu environment.

Server A sends a request via cURL in PHP to Server B. I would like to get the source server domain of the request. As far as I know, $_SERVER['REMOTE_ADDR'] can get the IP of the source server (Server A). If I want to get the domain of Server A, how can I get it?

p.s. Server A hosts multiple domains, thus reverse IP resolve does not work in this case.

Here are the codes :

$data = array('user' => $user, 'pass' => $pass);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'http://ServerB/handler.php');
curl_setopt($ch, CURLOPT_PORT, 80);
curl_setopt($ch, CURLOPT_VERBOSE, 0); 
curl_setopt($ch, CURLOPT_HEADER, 0); 
curl_setopt($ch, CURLOPT_POST, 1); 
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); 
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 
curl_setopt($ch, CURLOPT_POSTFIELDS, $data); 

$ans_xml = curl_exec($ch);
Raptor
  • 53,206
  • 45
  • 230
  • 366
  • 2
    You could add it as a http header maybe? Or as one of the data fields? I don't think regular HTTP requests add the domain to the headers. – Pelshoff Aug 17 '11 at 11:19

2 Answers2

2
<?  
$data = array('user' => $user, 'pass' => $pass, 'appid' => 'pukeko');
$domain = $_SERVER["SERVER_NAME"]; // user the super global $_SERVER["SERVER_NAME"] or set it  manually to, ex: http://www.myserver.com 

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'http://ServerB/handler.php');
curl_setopt($ch, CURLOPT_PORT, 80);
curl_setopt($ch, CURLOPT_VERBOSE, 0); 
curl_setopt($ch, CURLOPT_HEADER, 0); 
curl_setopt($ch, CURLOPT_POST, 1); 
curl_setopt($ch, CURLOPT_REFERER, $domain); // USE CURLOPT_REFERER to set the referer 
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); 
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 
curl_setopt($ch, CURLOPT_POSTFIELDS, $data); 

$ans_xml = curl_exec($ch);
?> 

<?
// ServerB - http://ServerB/handler.php
$referer = $_SERVER['HTTP_REFERER'];  // http://www.myserver.com 
?>

The super global $_SERVER["SERVER_NAME"] will only work if you call scriptA via apache, ex: "wget http://serverA/scritptA.php"

UPDATE:

You can also send $domain = $_SERVER["SERVER_NAME"] in your post data:

$domain = $_SERVER["SERVER_NAME"]
$data = array('user' => $user, 'pass' => $pass, 'appid' => 'pukeko', 'icomefrom' => $domain);

and in http://ServerB/handler.php get it with:

$icomefrom = $_POST['icomefrom'];

This way you don't have to worry with fake referers.

Pedro Lobito
  • 94,083
  • 31
  • 258
  • 268
  • that's perfect ! but how to prevent someone is forging the same request ? – Raptor Aug 18 '11 at 06:35
  • Can you password protect the folder where he script is located ? – Pedro Lobito Aug 18 '11 at 13:51
  • Sure it can, but you didn't mention any problem with that in your question, also, I've asked you if you could password protect the folder where the script is located but you didn't answer, so, I'm not sure how I can help you more. – Pedro Lobito Aug 19 '11 at 08:09
  • I've updated the answer so you don't have to worry with fake referers, check it out. – Pedro Lobito Aug 19 '11 at 08:15
  • read the updated answer, but people can also make the same requests using the parameters. – Raptor Aug 21 '11 at 07:28
1

As stats Pelshoff in his comment above, you should use custom HTTP header:

Custom HTTP headers : naming conventions

Community
  • 1
  • 1
avetisk
  • 11,651
  • 4
  • 24
  • 37