Detect Users Accessing Your Site Via a Proxy

The are many reasons why someone might want to detect if users are accessing their site via a proxy. For one, all spammers use proxies. Proxies can also be used to cheat voting systems, create multiple accounts when only one account is allowed or make it appear like the user is browsing from a different country. On the other hand, there are also legitimate uses for proxies. For example, many ISPs route all their traffic though a proxy.

Today I’ll discuss several techniques you can use to detect if your site is being accessed through a proxy.

Checking HTTP Headers

Transparent and low-anonymity proxies add certain HTTP headers to each HTTP request. Checking for the presence of these headers is the simplest way to detect a proxy. Example PHP code fragment :

$proxy_headers = array(   
	'HTTP_VIA',   
	'HTTP_X_FORWARDED_FOR',   
	'HTTP_FORWARDED_FOR',   
	'HTTP_X_FORWARDED',   
	'HTTP_FORWARDED',   
	'HTTP_CLIENT_IP',   
	'HTTP_FORWARDED_FOR_IP',   
	'VIA',   
	'X_FORWARDED_FOR',   
	'FORWARDED_FOR',   
	'X_FORWARDED',   
	'FORWARDED',   
	'CLIENT_IP',   
	'FORWARDED_FOR_IP',   
	'HTTP_PROXY_CONNECTION'   
        );
foreach($proxy_headers as $x){
	if (isset($_SERVER[$x])) die("You are using a proxy!");
}

Some have suggested that comparing the remote port ($_SERVER[‘REMOTE_PORT’]) to common proxy ports could also be used for proxy detection. I haven’t tested this, but it seems unlikely. As far as I know, servers listen for inbound connections on one set of ports and perform outbound connections from different port numbers (often randomly selected). So if the proxy server is running (waiting for inbound connections) on port 8080, it would use a different port number for retrieving your page (this being an outbound connection).

Highly anonymous proxies don’t add the abovementioned headers and can’t be detected with this technique.

Port scan

Another way to detect a proxy is to scan commonly used proxy ports on the client’s IP. If any of the ports are open, that host is probably a proxy. Here’s a primitive port scanner :

$ports = array(8080,80,81,1080,6588,8000,3128,553,554,4480);
foreach($ports as $port) {
    if (@fsockopen($_SERVER['REMOTE_ADDR'], $port, $errno, $errstr, 30)) {
        die("You are using a proxy!");
    }
}

Keep in mind that legitimate users may view port scanning as highly suspicious. If you decide to do this, make sure you save the results somewhere so you don’t need to do it again for that user. Store the IP status (proxy or not) in a database, or at least set a cookie.

Open Proxy Blacklists

There are many sites that maintain blacklists of open proxies and open SMTP relays. The Wikipedia entry on DNSBL goes into some detail on this and also lists several such blacklists (e.g. SORBS and DSBL).

You can query these blacklists using the DNS protocol. For example, if you want to check the IP address 1.2.3.4 on DSBL.org, do a DNS lookup for 4.3.2.1.list.dsbl.org. If the lookup succeeds, the IP was found in the list. The exact hostnames vary by blacklist provider. To perform a DNS lookup in PHP, use the gethostbyname() function.

Here’s a more complete example with source code – blacklist lookups in PHP.

In conclusion

There are other tricks I didn’t mention above, like using cookies or Java applets, but they are less reliable and rely on client-side features. That might be fine if you just want to ensure your human visitors aren’t skewing poll results (or something) by using proxies, but client-side techniques wouldn’t work against most automated spam bots and other malware.

Overall, there is no way to be 100% sure whether someone is using a proxy server to access your site, but the methods described in this post can help you identify a large percentage of proxy connections.

Ah, I forgot to mention the various CGI proxies that are marketed as “MySpace/Facebook/whatever unblockers”. Well, if they’re not in one of the blacklists, you’ll need to write a script (JavaSript) that checks if the domain name of the current page matches your site’s domain name. If it doesn’t, use some advanced framebreaker JavaScript to get your site out of their frames. Google it.

However, be aware that using a frame breaker would also make your website break out of Google Image Search frames and so on. Also, CGI proxies process you HTML code and can remove your frame breaking script – that’s why I said it needs to be advanced.

Good luck :)

Related posts :

17 Responses to “Detect Users Accessing Your Site Via a Proxy”

  1. dsfds says:

    interesting article

  2. White Shadow says:

    Well thank you, Mr. Spammer :P

  3. Alex says:

    i was thinking… if the user is under a shared connection? what to do
    to avoid showing “you are under proxy!” or this does let the users pass
    through a shared connection? (like that: USER>>SERVER>>ROUTER>>INTERNET)
    also, how to detect if the user is under a common proxy, like a proxy
    from work? different from a malicious/free/open proxy? thanks.

  4. White Shadow says:

    Blacklists could help with that – I’m pretty sure normal company proxies don’t get blacklisted, but malicious proxies do/should. I think other heuristics I mentioned in this post (e.g. checking headers) can’t be used to make this distinction.

  5. n* says:

    it’s just another way to detect proxy

  6. Hater says:

    Beside the suggested methods you can also detect proxy ip at http://checkbrowser.info

  7. hey just passed by consedince while for some articles :) anyway nice blog Will check it out Later on ,hope you accept me as a follower. thanks ^^

  8. For that past three months, I’ve been waiting for that DVD edition on the Frasier series. I’m even now fourth in line at my local library to receive these so I was incredibly excited to learn that I can Cant Filter Me.. My plan was to watch the DVDs within the train whilst commuting to and from perform so I’m hoping I have World wide web access through the tunnels and stations on my route. My wife laughs about my obsession with this, but she is hooked on particular Television exhibits herself. I’m wondering if I should tell her that she can watch her exhibits online also.

  9. It’s so lucky for me to find your blog! So shocking and great! Just one suggestion: It will be better and easier to follow.

  10. I know that node-http-proxy exists but, writing a basic http proxy in node should be a 2 line idiom

  11. […] a privacy policy? Do I even need a warning? I'm also going to block proxies as another deterrent. (I.E. checking HTTP headers and a quick portscan via this tutorial, I'm worried the portscan may load my web server down. (What I'd LOVE to do is have a cookie set […]

  12. Rick says:

    Awesome tutorial! One of the few I’ve done with no problems. Thanks so much =)

  13. Abel says:

    Please, remember that proxies may be used from people that try to use the Internet from countries where Freedom is unknown

  14. John says:

    I know this is an old post, but there is a website that deals with proxy detection – http://www.proxigen.org

  15. Jackpot 6000 says:

    I have been browsing online more than 3 hours today, yet I never found any interesting article like yours.
    It is pretty worth enough for me. In my opinion,
    if all web owners and bloggers made good content as you did, the internet will be much
    more useful than ever before.

  16. I beloved as much as you will obtain carried out right here. The comic strip is attractive, your authored subject matter stylish. nonetheless, you command get bought an edginess over that you would like be delivering the following. in poor health for sure come further formerly again since precisely the similar just about very ceaselessly inside case you defend this hike.

Leave a Reply