Block access to your website via proxies using .htaccess

If you’re a webmaster, you may want to block access to your site via proxies. While you could do this by blocking the proxy domains individually, there are thousands upon thousands of proxies and more popping up all the time. Rather than block them individually, you can easily reject any request that carries the HTTP headers that [properly behaving] proxies add.

Originally appearing at Perishable Press, the following code segment gets added to your .htaccess file:

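RewriteEngine on
# %{HTTP:name} looks up the request header with exactly that name (case-insensitive),
# so names are spelled with hyphens as sent on the wire, not in CGI-style underscores.
RewriteCond %{HTTP:Via}               !^$ [OR]
RewriteCond %{HTTP:Forwarded}         !^$ [OR]
RewriteCond %{HTTP:Useragent-Via}     !^$ [OR]
RewriteCond %{HTTP:X-Forwarded-For}   !^$ [OR]
RewriteCond %{HTTP:Proxy-Connection}  !^$ [OR]
RewriteCond %{HTTP:Xproxy-Connection} !^$ [OR]
RewriteCond %{HTTP:PC-Remote-Addr}    !^$ [OR]
RewriteCond %{HTTP:Client-IP}         !^$
# Any one non-empty header above is enough: answer 403 Forbidden.
RewriteRule ^(.*)$ - [F]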

This sends any visitor whose request carries one of these headers a “403 Forbidden” message. Period.

An interesting update: most anonymous proxies don’t send the headers that this filtering acts upon. You can test this by visiting, through a proxy, a site that shows the HTTP headers your browser sends, such as HTTP Header Viewer. If you don’t see any of the headers mentioned above, then this code isn’t going to filter for you. Unfortunately, the proxies have realized that people aren’t going to use them if they can be easily blocked, and they are getting smarter. That makes blocking them all the more difficult.
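
The header check described above can also be run offline. The following is an added example, not code from the original post or from Perishable Press: it evaluates a block of "RewriteCond %{HTTP:...} !^$" tests against request headers copied from a header viewer. The rule text and header sets are constructed samples, and it assumes mod_rewrite looks up each header by the literal name in the condition, ignoring only case, so X_FORWARDED_FOR and X-Forwarded-For are different names.

```python
import re

# One "header is non-empty" test: RewriteCond %{HTTP:Name} !^$ [flags]
COND_RE = re.compile(
    r"^\s*RewriteCond\s+%\{HTTP:([^}]+)\}\s+!\^\$[ \t]*(\[[^\]]*\])?", re.I | re.M)

def parse_conditions(text):
    """Return [(header_name, has_or_flag), ...] in file order."""
    conds = []
    for m in COND_RE.finditer(text):
        flags = [f.strip().upper() for f in (m.group(2) or "").strip("[]").split(",")]
        conds.append((m.group(1).strip(), "OR" in flags or "ORNEXT" in flags))
    return conds

def evaluate(text, request_headers):
    """Return (would_get_403, names_of_conditions_that_matched).

    Assumption: %{HTTP:Name} is resolved by looking up the request header
    with exactly that name, ignoring case only (hyphen != underscore).
    """
    present = {k.lower(): v for k, v in request_headers.items()}
    hits, group_true, all_groups = [], False, True
    for name, has_or in parse_conditions(text):
        if present.get(name.lower(), "") != "":
            hits.append(name)
            group_true = True
        if not has_or:  # a condition without [OR] closes the OR-group
            all_groups = all_groups and group_true
            group_true = False
    return all_groups and bool(hits), hits

# Constructed sample rules: the same two tests, spelled both ways.
RULES_UNDERSCORE = """
RewriteCond %{HTTP:VIA}             !^$ [OR]
RewriteCond %{HTTP:X_FORWARDED_FOR} !^$
RewriteRule ^(.*)$ - [F]
"""
RULES_HYPHEN = RULES_UNDERSCORE.replace("X_FORWARDED_FOR", "X-Forwarded-For")

# Constructed sample requests, as a header viewer might list them.
FORWARDING = {"Host": "example.com", "Via": "1.1 proxy.example",
              "X-Forwarded-For": "203.0.113.7"}
XFF_ONLY = {"Host": "example.com", "X-Forwarded-For": "203.0.113.7"}
ANONYMOUS = {"Host": "example.com", "User-Agent": "Mozilla/5.0"}

if __name__ == "__main__":
    for label, req in [("forwarding", FORWARDING), ("xff-only", XFF_ONLY),
                       ("anonymous", ANONYMOUS)]:
        print(label, evaluate(RULES_UNDERSCORE, req), evaluate(RULES_HYPHEN, req))
```

Put the headers your own header viewer shows through a given proxy into a dict like the samples; an empty match list means the rule will not stop that proxy.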

If you have a method for blocking proxy access to your site, or anything else to share on this subject, please feel free to share it in the comments below!