[RESOLVED] Retrieve Calling Domain

SurgeProto

I'm working on a piece of code the is run on a server and can be called as an XML feed for domains that are licensed to use it. So basically, lets say I'm on mydomain.com and want to use the feed. Using curl, I would do something like this:

$url = "http://www.myhostingdomain.com/surgeproto/feeds/xml/feed.xml";

$options = array(
    CURLOPT_RETURNTRANSFER => true,     // return web page
    CURLOPT_HEADER         => false,    // don't return headers
    CURLOPT_FOLLOWLOCATION => true,     // follow redirects
    CURLOPT_ENCODING       => "",       // handle all encodings
    CURLOPT_USERAGENT      => "spider", // who am i
    CURLOPT_AUTOREFERER    => true,     // set referer on redirect
    CURLOPT_CONNECTTIMEOUT => 120,      // timeout on connect
    CURLOPT_TIMEOUT        => 120,      // timeout on response
    CURLOPT_MAXREDIRS      => 10,       // stop after 10 redirects
);

$ch = curl_init( $url );
curl_setopt_array( $ch, $options );
$content = curl_exec( $ch );
$err     = curl_errno( $ch );
$errmsg  = curl_error( $ch );
$header  = curl_getinfo( $ch );
curl_close( $ch );

echo $content;

The feed.xml is actually a PHP file that I'm simply mod rewriting so I can use the XML extension. Inside the feed.php file, I'm using $_SERVER['HTTP_REFERER']; to grab the calling domain, in this case "mydomain.com" which isn't working. I'm guessing this is because it's not a referer, but I wasn't sure which alternative to use.

Also, since I'm using mod_rewrite, I'm wondering if the rewrite rule, defined below, could be causing me to lose the referer somehow:

RewriteRule ^([0-9a-zA-Z_-]+)/feeds/xml/feed.xml$											/feeds/xml/feed\.php?username=$1 [NC]

I'd also like to make sure there's no way for curl or any other tool to "fake" the calling URL. Any help on this would be greatly appreciated!

bradgrafelman

There's no real way to get "mydomain.com" from the feed.php script, because it's never sent anywhere. The only information you can get is the webserver's IP, e.g. in $_SERVER['REMOTE_ADDR']. You could then attempt to "guess" the host using [man]gethostbyaddr/man, but it's very possible that the hostname returned will be that of your provider (especially if using shared hosting).

SurgeProto wrote:
I'd also like to make sure there's no way for curl or any other tool to "fake" the calling URL.

Not sure what you mean here. Whatever URI they request is what will be applied in the rewrite rules and/or passed to your PHP scripts.

SurgeProto

Hi bradgrafelman,

Thanks for the quick response! I just meant that I didn't want curl to fake the mydomain.com, the calling domain. However, since there's no way to grab that, in this case it doesn't apply. I may need to just do an IP lookup on each domain, but since one IP could technically host multiple domains that could be potentially problematic. Thanks for the insight!

bradgrafelman

Is this a script you're going to distribute to other users/servers? If so, one common approach to identify valid users of your service is to provide them with a unique, hard-to-guess key to your API (e.g. a very long string of hex characters). You could then store this randomly generated key in your database along with any other information you want to keep about that key, such as to which domain it was issued.

Otherwise, you're right - the only real data that is automatically available is the requesting server's (or gateway's) IP address, and doing a reverse DNS lookup has many potential pitfalls.