How can I protect myself from proxy servers?

Asked

Viewed 302 times

0

Well here’s the thing, I’m making a site where I pay for every visit to the user that he gets.

However, is there any way to know if a given IP is a proxy or not, that is, is there any way to know if that user is using VPN or not? And if there is, how can I block the user from using proxy?

Thank you.

  • This might help you: https://medium.com/@Valdikss/Detecting-vpn-and-its-Configuration-and-proxy-users-on-the-server-side-1bcc59742413#. rmi42s248

2 answers

4


There is no way to defend yourself efficiently and VPN is impossible (as far as I understand), the only way would be to have a list of Ips that is provided by some service, however this is not quite a case of programming necessarily, I don’t know any kind of service that provides these lists, but the way is probably this.

However some proxies pass data on HTTP, which may help to check this, I did not find many details of headers, as not all are standardized, however this chat on wikipedia tries to give or get some guidance: https://en.wikipedia.org/wiki/Talk%3AX-Forwarded-For, follows some details:

The header "Via" which is used by gateways and proxies to indicate the intermediate protocols and recipients between the "user agent" and the server about the requests, and between the source server and the client in the responses, use in PHP:

  • HTTP_VIA

Details about Forwarded: https://tools.ietf.org/html/rfc7239#Section-5.2, use in PHP:

  • HTTP_FORWARDED_FOR
  • HTTP_FORWARDED
  • HTTP_X_FORWARDED_FOR (was probably used before the HTTP_FORWARDED_FOR, when it was still experimental)
  • HTTP_X_FORWARDED (was probably used before the HTTP_FORWARDED_FOR, when it was still experimental)

The X-Cluster-Client-IP: which apparently is required by the Zeus web servers:

  • HTTP_X_CLUSTER_CLIENT_IP

The Client-IP: I couldn’t find any information, what it seems to me is that it was used before the Forwarded:, use in PHP:

  • HTTP_CLIENT_IP
  • HTTP_X_CLIENT_IP (variation of HTTP_CLIENT_IP)

Detecting if you are using a proxy that passes header(s)

In PHP it would look something like:

<?php
function isProxy()
{
    $proxyTypes = array(
        'HTTP_VIA',
        'HTTP_FORWARDED_FOR',
        'HTTP_FORWARDED',
        'HTTP_X_FORWARDED_FOR',
        'HTTP_X_FORWARDED',
        'HTTP_X_CLUSTER_CLIENT_IP',
        'HTTP_CLIENT_IP',
        'HTTP_X_CLIENT_IP'
    );

    foreach ($proxyType as $proxyTypes) {
          if (!empty($proxyType)) {
              return true;
          }
    }

    return false;
}

if (isProxy()) {
    //Finaliza o script PHP e emite uma mensagem, pode customizar essa if como desejar
    die('Você está usando proxy');
}

Detecting if you are using a web-proxy:

Web-proxies usually use frames, so it is possible to only check if your page is running inside a <iframe> or <frame>, add so in page footer:

<script>
function detectLoadInFrame()
{
    //O try previne problemas de bloqueios de CORS
    try {
        if (window.self !== window.top) {
              window.top.location = window.location;
        }
    } catch (e) {
    }
}
</script>
</body>
</html>

But note that sometimes web-proxies block Javascript, this causes problems when making the detection, so the interesting thing would be to block some main HTML functionality, such as navbar, or a form, for example:

css style.:

.navbar {
    display: none;
}

.navbar.show {
    display: block;
}

Your html:

<html>
    <head>
        <link href="estilo.css" rel="stylesheet" type="text/css">
    </head>
    <body>
        <nav class="navbar">
           <a href="...">...</a>
        </nav>

        <form id="meuform">
           <input type="text" disabled>
           <select disabled></select>
        </form>

        <script>
        function detectLoadInFrame()
        {
            //O try previne problemas de bloqueios de CORS
            try {
                if (window.self !== window.top) {
                      window.top.location = window.location;
                } else {
                    //Exibe o navbar
                    document.querySelector(".navbar").className += " show";

                    //Habilita os campos
                    var fields = document.querySelectorAll("#meuform [disabled]");

                        for (var i = fields.length - 1; i >= 0; i--) {
                            fields[i].disabled = false;
                        }
                }
            } catch (e) {
            }
        }
        </script>
    </body>
</html>
  • This will be the most effective way to prevent a proxy or a vpn?

  • 1

    @Gonçalo I think did not understand at the beginning of the answer, I said: There is no way to defend yourself efficiently and VPN is impossible. In other words, it is only for proxy, it is only efficient if the proxy passes the data, otherwise it is also impossible, I am editing the answer for more details ;)

  • Dude, it’s impossible, 4chan can find out when someone is using VPN, now it’s really hard.

  • @Raphaelcaldas I don’t know how they do, but I suppose VPN services use gateway paths, which could be checked at the machine/equipment level, but at the level of web-directed programming language I don’t think it’s possible

  • @Gonçalo edited, including the introduction of the answer, I hope it helps, if I find any service of the type inform you.

  • Thanks, I’ll try it! If you can prevent proxys is better, in addition, I will do other systems in PHP, to create a "sequence" of time, and if the sequence is very similar, the user is blocked. Always prevents!

  • I tried with a hidemyass proxy and PHP did not work, did not show the proxy message...

  • @Gonçalo hidemyass is not Proxy is Webproxy, they are two different things, that’s why I added an example with webproxy where I wrote "Detecting if you’re using a web-proxy". Webproxies do not send headers and not all proxies will send headers as well. However these are the most efficient ways I’ve found (I’ve used both on some customers' website).

  • Tell me something, in the second case of Webproxy, the only alternative is Use JS? is that in case I am using a PHP file.

  • @Gonçalo Sim normal proxies that send headers the solution is PHP, already webproxies the solution is only with javascript, or combine both and will have a reasonable solution ;)

Show 5 more comments

-1

As far as I know if the user does not send some headers vc have no way to detect, however if the user sends a X-FORWARDED-FOR ai Voce can try to filter. But Voce has to accept that some will pass.For many proxies are Anonimos.

Browser other questions tagged

You are not signed in. Login or sign up in order to post.