PHP: Get URL when server is shielded from user

Question

Scenario:

The user clicks a link that leads them to:

http://www.example.com/foo/bar

or they could potentially click on

http://www.demonstration.com/foo/bar

However, example.com and demonstration.com are actually just fronts. They call an API on a private company intranet with its own routing table. So, internally it goes to...

http://ourFancyIntranet.alias.com/webInterface/?1=foo&2=bar

So I have to do my developing to run on alias.com.

Now, here comes the problem...

the $_SERVER[] variable. I have to check how the user got here. HTTP_REFERRER is generally considered untrustworthy. But it's the ONLY $_SERVER variable that reads example.com. The rest report the intranet version of alias.com. I've checked through every server variable for any exceptions. Each is alias.com except for HTTP_REFERRER.

So... are there any alternatives to using $_SERVER to get the client-facing domain, or in this case, should I consider HTTP_REFERRER actually safe since it's our own server sending the final request?

CLARIFICATION: Solution needs to be a PHP solution specifically. Changing middleware is not an option.

Answer 1

If the "front" talks to the API and the API needs to know the actual domain used to contact the front, then the API should take the domain as input somehow. That way you don't have to get second-hand information using the unreliable referer field but instead, you will get reliable data since the front should know on what url it was contacted.