Block access to your website via proxies using .htaccess

If you’re a webmaster, you may want to block access to your site via proxies. While you could do this by blocking the proxy domains individually, there are thousands upon thousands of proxies and more popping up all the time. Rather than block them individually, you can easily block requests that carry the HTTP headers that [properly behaving] proxies add.

Originally appearing at Perishable Press, the following code segment gets added to your .htaccess file:

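# %{HTTP:name} looks a request header up by its literal name (case-insensitive),
# so the names are written as they appear on the wire, with hyphens.
RewriteEngine on
RewriteCond %{HTTP:Via}               !^$ [OR]
RewriteCond %{HTTP:Forwarded}         !^$ [OR]
RewriteCond %{HTTP:Useragent-Via}     !^$ [OR]
RewriteCond %{HTTP:X-Forwarded-For}   !^$ [OR]
RewriteCond %{HTTP:Proxy-Connection}  !^$ [OR]
RewriteCond %{HTTP:Xproxy-Connection} !^$ [OR]
RewriteCond %{HTTP:PC-Remote-Addr}    !^$ [OR]
RewriteCond %{HTTP:Client-IP}         !^$
# Any one non-empty header is enough: answer with 403 Forbidden.
RewriteRule ^(.*)$ - [F]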

This sends visitors whose requests carry any of these headers a “403 Forbidden” message. Period.

An interesting update to this finds that most anonymous proxies aren’t sending the headers that this filtering acts upon. You can test this by visiting, through a proxy, a site that shows the HTTP headers your browser sends, such as HTTP Header Viewer. If you don’t see any of the headers mentioned above, then this code isn’t going to filter for you. Unfortunately, the proxies have realized that people aren’t going to use them if they can be easily blocked, and they are getting smarter. That makes blocking them all the more difficult.
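To run the header test described above on your own host instead of a third-party viewer, here is an added example (not code from this article or from Perishable Press). It echoes the headers a request arrives with and reports whether the rule's conditions would match; the hyphenated header names, sample requests, bind address and port are assumptions.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Wire names of the headers the rule tests (assumed hyphenated forms of the
# rule's variables); HTTP header names are compared case-insensitively.
PROXY_HEADERS = {"via", "forwarded", "useragent-via", "x-forwarded-for",
                 "proxy-connection", "xproxy-connection", "pc-remote-addr",
                 "client-ip"}

def proxy_headers_present(headers):
    """Names of rule headers that are present and non-empty (the !^$ test)."""
    return sorted({name.lower() for name, value in headers.items()
                   if name.lower() in PROXY_HEADERS and value != ""})

def would_block(headers):
    """True when at least one OR-chained condition matches, i.e. a 403."""
    return bool(proxy_headers_present(headers))

# Constructed sample requests, not captured traffic.
SAMPLE_FORWARDING_PROXY = {"Host": "example.test", "User-Agent": "Mozilla/5.0",
                           "Via": "1.1 cache.example.test",
                           "X-Forwarded-For": "203.0.113.7"}
SAMPLE_ANONYMIZING_PROXY = {"Host": "example.test", "User-Agent": "Mozilla/5.0"}

class HeaderViewer(BaseHTTPRequestHandler):
    """Echo the request headers as plain text with the rule's verdict."""
    def do_GET(self):
        hits = proxy_headers_present(self.headers)
        lines = [f"{name}: {value}" for name, value in self.headers.items()]
        lines += ["", "matched: " + (", ".join(hits) or "none"),
                  "rule verdict: " + ("403 Forbidden" if hits else "allowed")]
        body = "\n".join(lines).encode("utf-8")
        self.send_response(200)
        # text/plain plus nosniff keeps echoed header values from rendering as HTML.
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("X-Content-Type-Options", "nosniff")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    print(would_block(SAMPLE_FORWARDING_PROXY), would_block(SAMPLE_ANONYMIZING_PROXY))
    # Bind address and port are assumptions; adjust for the host under test.
    HTTPServer(("127.0.0.1", 8080), HeaderViewer).serve_forever()
```

If the site itself sits behind a CDN, load balancer or reverse proxy, expect every request to show Via or X-Forwarded-For here, in which case the rule would return 403 to all visitors.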

If you have a method for blocking proxy access to your site, or anything else to share on this subject, please feel free to share it in the comments below!

  1. #1 by NMI on April 19, 2011 - 7:36 am

    Again, another great awesome tip from ya.

  2. #2 by anon on April 19, 2011 - 6:10 pm

    does not work as advertised. no 403s at all.

    Does not work. Period.

    Although you can get 400s when you mess with htaccess and don’t know what you’re doing!

    • #3 by Mike on April 19, 2011 - 6:16 pm

      I believe the issue with some proxies not being blocked is because they’re not sending the proper HTTP headers which trigger the filtering. I have updated the article with information regarding this. Feel free to test your proxy’s headers against the filtering rules using the link in the article.

  3. #4 by NMI on April 19, 2011 - 6:10 pm

    Thanks for the update

  4. #5 by burp on April 19, 2011 - 8:11 pm

    this place is cool.