Hello all,

I'm trying to figure out how I could detect whether people logging into my site are behind a proxy or not. I've read that you can detect a person's real IP address through embeddable objects (Flash and Java). However, I haven't been able to actually find any examples or source for this.

I'm using PHP and I've read that looking for $_SERVER['HTTP_X_FORWARDED_FOR'], $_SERVER['HTTP_CLIENT_IP'], etc. would detect most proxies, but so far I haven't been able to by testing with TOR (maybe TOR doesn't flag those, but I've read that anonymous proxies still show HTTP_X_FORWARDED). I'd like to try doing it with a Java servlet, if possible. Could anyone point me in the right direction (preferably with examples)? I saw some code on ha.ckers.org but they only showed the client side and not the server side.

+1  A: 

If it's an option, you can try using HTTPS. The user IP should then be visible to you. However, I don't know about office users behind SSL proxies.

merkuro
+1  A: 

Neither Java applets nor Flash is supposed to leak the client IP. I know that older versions of Flash had a security flaw that made it possible. Most probably that is patched by now.

I've never used TOR but from what I read it seems to be implemented as a kind of VPN and thus the browser will not be aware of it at all.

Why do you need to know if the user is behind a proxy?

Jonas Elfström
Oh, I had noticed the issue with Flash was changed after Flash 9.0 so you're right. I'm wanting to keep people from using proxies on a game that I've made so when I ban spammers they can't create new accounts with a proxy. I know it wouldn't be foolproof, but I'd like to just make it a little more difficult.
ravun
+1  A: 

By looking for the following header fields you should detect some proxies.

VIA
FORWARDED
USERAGENT_VIA
X_FORWARDED_FOR
PROXY_CONNECTION
XPROXY_CONNECTION
HTTP_PC_REMOTE_ADDR
HTTP_CLIENT_IP

As for blocking TOR, you are best off blocking the TOR exit nodes with iptables.

And if you really must be sure you could try some "semi-malicious" things like embedding some Flash or Java in your page which sends you back the real client IP. But that has only limited scope, as you might just get the local IP: if he is in e.g. a LAN, you get something like 192.168.1.x.

jitter
I've heard about those headers, but trying to access them from the $_SERVER superglobal in PHP doesn't seem to help. I've yet to see those indexes in the $_SERVER superglobal, but I've only used TOR so maybe that's different. As far as I know, TOR is an anonymous proxy and still should flag X_FORWARDED_FOR but nothing showed up in testing.
ravun
Oh great. The exact same answer with my headers replicated with an HTTP_ prepended gets accepted and mine gets a down vote??
jitter
+3  A: 

TOR does not supply any server headers such as X_FORWARDED_FOR, so your best bet is to use a list of all known exit nodes. A list can be found at https://torstat.xenobite.eu/.

For other proxies, you can look at server headers. Possible server headers of interest include:

HTTP_VIA
HTTP_X_FORWARDED_FOR
HTTP_FORWARDED_FOR
HTTP_X_FORWARDED
HTTP_FORWARDED
HTTP_CLIENT_IP
HTTP_FORWARDED_FOR_IP
VIA
X_FORWARDED_FOR
FORWARDED_FOR
X_FORWARDED
FORWARDED
CLIENT_IP
FORWARDED_FOR_IP
HTTP_PROXY_CONNECTION

In PHP, you can get the value of these fields in the $_SERVER[] superglobal.

Andrew Austin
Ah, ok. Thanks for that list and other info.
ravun
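
The approach from the answer above (check the listed HTTP_* fields, then match the connecting address against a Tor exit-node list), as an added example that is not part of the original thread. The function names, the one-IP-per-line list format and the sample addresses are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Header keys are the HTTP_* ones
// listed in the answer above; function names and sample data are hypothetical.

const PROXY_HEADER_KEYS = [
    'HTTP_VIA', 'HTTP_X_FORWARDED_FOR', 'HTTP_FORWARDED_FOR', 'HTTP_X_FORWARDED',
    'HTTP_FORWARDED', 'HTTP_CLIENT_IP', 'HTTP_FORWARDED_FOR_IP',
    'HTTP_PROXY_CONNECTION',
];

/** Parse an exit-node list (assumed: one IP per line, '#' comments) into a lookup set. */
function parseExitList(string $text): array
{
    $set = [];
    foreach (preg_split('/\R/', $text) as $line) {
        $ip = trim(explode('#', $line, 2)[0]);
        if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
            $set[$ip] = true;
        }
    }
    return $set;
}

/** Return the reasons a request looks proxied; an empty array means no indicator. */
function proxyIndicators(array $server, array $exitSet): array
{
    $reasons = [];
    foreach (PROXY_HEADER_KEYS as $key) {
        // These values are sent by the client or an intermediary, so they are
        // a hint only: they can be forged, and anonymizing proxies omit them.
        if (isset($server[$key]) && trim((string) $server[$key]) !== '') {
            $reasons[] = "header:$key";
        }
    }
    // REMOTE_ADDR is the TCP peer address, the only value not set by the client.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (isset($exitSet[$peer])) {
        $reasons[] = 'tor-exit';
    }
    return $reasons;
}

// Constructed sample data (documentation address ranges, not real exit nodes).
$exitSet  = parseExitList("# constructed list\n192.0.2.10\n198.51.100.7 # sample\n");
$viaProxy = ['REMOTE_ADDR' => '203.0.113.5', 'HTTP_VIA' => '1.1 cache.example',
             'HTTP_X_FORWARDED_FOR' => '10.0.0.4'];
$viaTor   = ['REMOTE_ADDR' => '192.0.2.10'];    // no proxy headers at all

print_r(proxyIndicators($viaProxy, $exitSet));  // constructed proxied request
print_r(proxyIndicators($viaTor, $exitSet));    // constructed Tor request
print_r(proxyIndicators($_SERVER, $exitSet));   // the current request
```

An empty result only means no indicator was found; a proxy that sends none of these fields and is not on the list looks like a direct connection.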
A: 

If I could ask: why do you want to detect proxy users? Outside of some possible differences in their connection usage (a network footprint, if you will), it really won't matter.

benc