1

I want to integrate a good proxy detector script into my site. So, on searching, I found this code.

<?php
// Request headers appear in $_SERVER with an HTTP_ prefix (X-Forwarded-For
// becomes HTTP_X_FORWARDED_FOR); the un-prefixed names are kept as found.
$proxy_headers = array(
    'HTTP_VIA',
    'HTTP_X_FORWARDED_FOR',
    'HTTP_FORWARDED_FOR',
    'HTTP_X_FORWARDED',
    'HTTP_FORWARDED',
    'HTTP_CLIENT_IP',
    'HTTP_FORWARDED_FOR_IP',
    'VIA',
    'X_FORWARDED_FOR',
    'FORWARDED_FOR',
    'X_FORWARDED',
    'FORWARDED',
    'CLIENT_IP',
    'FORWARDED_FOR_IP',
    'HTTP_PROXY_CONNECTION'
);
// Stop the request as soon as any proxy-related header is present.
foreach ($proxy_headers as $x) {
    if (isset($_SERVER[$x])) die("You are using a proxy!");
}

Then I tried accessing my localhost website through ngrok and it blocked me from viewing it, returning "You are using a proxy!". I tried with hidemyass and another proxy detector and I got the same result. This is what I wanted in the case of hidemyass-type proxy sites. Now my question is: is ngrok also using a proxy server, due to which it blocked me from access? And I read someone's comment that HTTP_X_FORWARDED_FOR returns a false positive for his direct internet connection. I tried to remove this and wooo, no more detecting proxies on hidemyass or others. The site is accessible via proxies. So, I guess it's important. So, my second question is: does HTTP_X_FORWARDED_FOR really return false positives? Or is it because ngrok is also using proxies that I could not access my site, even though I was on my direct connection? Is it completely okay to use HTTP_X_FORWARDED_FOR or not? Any pros or cons you see in this script, please tell me.
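The script in the question reports only that some header exists and then stops. The following is an added example (not the question author's code) that takes a $_SERVER-style array as input, returns which of the same headers are present, splits the X-Forwarded-For chain into validated addresses, and lets the caller declare its own forwarders (a tunnel or load balancer whose address it knows) as trusted, so their headers are expected rather than treated as a third-party proxy. The function name, the trusted-proxy parameter and the sample request array are assumptions constructed for the example; the IP addresses come from the documentation ranges.

```php
<?php
// Added example, not from the question: inspect a $_SERVER-like array and
// report proxy-related headers instead of calling die() on the first hit.
function inspectProxyHeaders(array $server, array $trustedProxies = []): array
{
    // Same header list as the question's script. Real request headers only
    // ever show up under the HTTP_-prefixed keys; the rest are kept for parity.
    $proxyHeaders = [
        'HTTP_VIA', 'HTTP_X_FORWARDED_FOR', 'HTTP_FORWARDED_FOR', 'HTTP_X_FORWARDED',
        'HTTP_FORWARDED', 'HTTP_CLIENT_IP', 'HTTP_FORWARDED_FOR_IP', 'VIA',
        'X_FORWARDED_FOR', 'FORWARDED_FOR', 'X_FORWARDED', 'FORWARDED',
        'CLIENT_IP', 'FORWARDED_FOR_IP', 'HTTP_PROXY_CONNECTION',
    ];

    $found = [];
    foreach ($proxyHeaders as $name) {
        if (isset($server[$name]) && $server[$name] !== '') {
            $found[$name] = $server[$name];
        }
    }

    // X-Forwarded-For is a comma-separated chain: client, hop1, hop2, ...
    // Keep only syntactically valid IPs; the header is client-controlled text.
    $chain = [];
    if (isset($found['HTTP_X_FORWARDED_FOR'])) {
        foreach (explode(',', $found['HTTP_X_FORWARDED_FOR']) as $hop) {
            $hop = trim($hop);
            if (filter_var($hop, FILTER_VALIDATE_IP) !== false) {
                $chain[] = $hop;
            }
        }
    }

    $remote = $server['REMOTE_ADDR'] ?? null;
    // If the TCP peer is one of our own forwarders, forwarding headers are
    // expected: that is the case that makes a plain header check fire.
    $viaTrustedForwarder = $remote !== null && in_array($remote, $trustedProxies, true);

    return [
        'remote_addr'           => $remote,
        'proxy_headers'         => $found,
        'forwarded_chain'       => $chain,
        'via_trusted_forwarder' => $viaTrustedForwarder,
        // A header alone proves only that something in the path added it;
        // a tunnel, CDN, campus gateway and anonymising proxy all look alike.
        'looks_third_party_proxy' => $found !== [] && !$viaTrustedForwarder,
    ];
}

// Constructed sample (documentation IP ranges): a request that reached the
// application through a forwarding hop. The hop is the TCP peer, so it is
// REMOTE_ADDR; the original client address is carried in X-Forwarded-For.
$sampleServer = [
    'REMOTE_ADDR'            => '203.0.113.10',
    'HTTP_X_FORWARDED_FOR'   => '198.51.100.7, 203.0.113.10',
    'HTTP_X_FORWARDED_PROTO' => 'https',
    'HTTP_HOST'              => 'example.test',
];

// With the hop declared as our own forwarder the headers are expected ...
print_r(inspectProxyHeaders($sampleServer, ['203.0.113.10']));
// ... without that declaration the same request is flagged as proxied.
print_r(inspectProxyHeaders($sampleServer));
```

Running it shows the same request classified two ways depending only on whether the forwarder's address is in the trusted list, which is the distinction a header-only check cannot make by itself.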

2 Answers

1

There is no clear standard to classify users behind a VPN or web proxy server simply by HTTP headers.

You are also blocking many users who use a web proxy in their legitimate network, such as university campuses or government agencies that have strict web surfing policies.

Your best chance is to fetch the IP addresses related to an AS number and the IP ranges related to them, and block the entire IP space in your web server or redirect them to your specific web server.

Another good approach to identify users who are using an internet proxy is to use Flash's P2P, available in Flash as the RTMFP protocol, which can be used with https://github.com/randunel/ArcusNode for example (see also https://github.com/OpenRTMFP). So, on the server you should wait for a message and record the remote IP by Flash, and then compare this to your IP REMOTE_ADDR; if they are not equal the user is likely behind a firewall.

I would also suggest fetching the AS number for both IPs, and if both IPs' ASNs are not the same then for sure the user is abusing.

If the ASNs are equal, then the user is behind an ISP that has weird to redirect web traffic through a different.

To get the ASN of an IP you can exec this command:

 whois -h whois.cymru.com "216.90.108.31" |grep -v 'AS      |'|grep -v whois.cymru.com| awk '{print $1}'
Mason.Chase
  • Of these two, which one do you recommend the most? –  Jun 12 '17 at 14:41
  • And you mentioned Node.js, but how to do it in pure PHP? –  Jun 12 '17 at 14:42
  • I would personally prefer to compare IPs; I would also create a captcha verification form for proxy visitors to ensure they are not used for a DDoS attack – Mason.Chase Jun 17 '17 at 08:04
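The answer above drives the ASN lookup from a shell pipeline, and a comment asks how to do it in pure PHP. The following is an added example (not the answer author's code) that parses the pipe-separated output of the whois.cymru.com command shown in the answer and compares the ASN of two addresses. The column layout is taken from the header line the answer's grep filters out; the sample outputs below are constructed (reserved documentation ASNs and IPs) so the parser runs offline, and lookupAsn() is an assumed helper that only works where the whois client is installed.

```php
<?php
// Added example, not from the answer: pure-PHP ASN lookup and comparison
// built on `whois -h whois.cymru.com <ip>`.

// Parse the whois.cymru.com response: a header "AS | IP | AS Name" followed
// by one data line per queried address. Returns null if no ASN line exists
// (private or unrouted address, or a failed lookup).
function parseCymruAsn(string $whoisOutput): ?int
{
    foreach (explode("\n", $whoisOutput) as $line) {
        $fields = array_map('trim', explode('|', $line));
        if (count($fields) >= 2 && $fields[0] !== '' && ctype_digit($fields[0])) {
            return (int) $fields[0];
        }
    }
    return null;
}

// Assumed helper: live lookup via the local whois client. The address is
// validated as a literal IP and shell-escaped before it reaches the command.
function lookupAsn(string $ip): ?int
{
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    $out = shell_exec('whois -h whois.cymru.com ' . escapeshellarg($ip));
    return is_string($out) ? parseCymruAsn($out) : null;
}

// Compare the ASN of the TCP peer (REMOTE_ADDR) with the ASN of the address
// a second channel reported, as the answer proposes. An unknown ASN on either
// side is reported as such rather than treated as a mismatch.
function compareAsn(?int $asnA, ?int $asnB): string
{
    if ($asnA === null || $asnB === null) {
        return 'unknown';
    }
    return $asnA === $asnB ? 'same-asn' : 'different-asn';
}

// Constructed sample outputs in the whois.cymru.com column layout
// (AS64496-AS64511 are reserved for documentation; IPs are from TEST-NET-2/3).
$sampleClientSide = "AS      | IP               | AS Name\n"
                  . "64496   | 198.51.100.7     | EXAMPLE-ISP, ZZ\n";
$sampleServerSide = "AS      | IP               | AS Name\n"
                  . "64497   | 203.0.113.10     | EXAMPLE-HOSTING, ZZ\n";
$samplePrivate    = "AS      | IP               | AS Name\n"
                  . "NA      | 10.0.0.5         | NA\n";

$clientAsn = parseCymruAsn($sampleClientSide);   // 64496
$serverAsn = parseCymruAsn($sampleServerSide);   // 64497
$privateAsn = parseCymruAsn($samplePrivate);     // null

echo compareAsn($clientAsn, $serverAsn), PHP_EOL;  // different-asn
echo compareAsn($clientAsn, $clientAsn), PHP_EOL;  // same-asn
echo compareAsn($clientAsn, $privateAsn), PHP_EOL; // unknown
```

The parser is deliberately separate from the lookup so the decision logic can be exercised against recorded responses; whatever the live source (the whois client, or an API such as those named in the other answer), only lookupAsn() changes.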
0

Proxy detection is a complicated issue that requires constant attention to get things right. Most proxies / VPNs will not reveal any forwarding headers, so you won't be able to catch enough proxy connections with that code.

There are some online services that you might find useful:

GetIPIntel.net - provides proxy / VPN detection via API for free. They use machine learning and probability theory techniques to determine a score for an IP address.

Maxmind - Provides proxy / VPN detection via API. It's currently listed as a legacy service.

W I T C H - looks at MSS values; it's implemented on the server side and can catch OpenVPN connections.

S W