Welcome to the new design! Please report any bugs or issues, thanks :)
Web Dev + WordPress + Security

Controlling Proxy Access with HTAccess

In my recent article on blocking proxy servers, I explain how to use HTAccess to deny site access to a wide range of proxy servers. The method works great, but some readers want to know how to allow access for specific proxy servers while denying access to as many other proxies as possible.

Fortunately, the solution is as simple as adding a few lines to my original proxy-blocking method. Specifically, we may allow any requests coming from our whitelist of proxy servers by testing Apache’s HTTP_REFERER variable, like so:

RewriteCond %{HTTP_REFERER} !(.*)allowed-proxy-01.domain.tld(.*)
RewriteCond %{HTTP_REFERER} !(.*)allowed-proxy-02.domain.tld(.*)
RewriteCond %{HTTP_REFERER} !(.*)allowed-proxy-03.domain.tld(.*)

Notice the pattern here. Each line matches against the specified proxy server in the referrer variable. Once integrated into the original method, each of the three specified URI’s will be allowed access to your site. Thus, by editing these directives to match the name and number of your whitelisted proxy servers, you can allow access to any list of proxies or other referrers while blocking many of the others.


To integrate your customized whitelist RewriteConditions with the original proxy-block method, simply place them near the end of the existing conditions, directly above the RewriteRule, like so:

<IfModule mod_rewrite.c>
 RewriteEngine on
 RewriteCond %{HTTP:VIA}                 !^$ [OR]
 RewriteCond %{HTTP:FORWARDED}           !^$ [OR]
 RewriteCond %{HTTP:USERAGENT_VIA}       !^$ [OR]
 RewriteCond %{HTTP:X_FORWARDED_FOR}     !^$ [OR]
 RewriteCond %{HTTP:PROXY_CONNECTION}    !^$ [OR]
 RewriteCond %{HTTP:XPROXY_CONNECTION}   !^$ [OR]
 RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
 RewriteCond %{HTTP:XROXY_CONNECTION}    !^$ [OR]
 RewriteCond %{HTTP:X-FORWARDED-FOR}     !^$ [OR]
 RewriteCond %{HTTP:HTTP_CLIENT_IP}      !^$ [OR]
 RewriteCond %{HTTP:FORWARDED-FOR}       !^$ [OR]
 RewriteCond %{HTTP:X-FORWARDED}         !^$
 RewriteCond %{HTTP_REFERER}             !(.*)allowed-proxy-01.domain.tld(.*)
 RewriteCond %{HTTP_REFERER}             !(.*)allowed-proxy-02.domain.tld(.*)
 RewriteCond %{HTTP_REFERER}             !(.*)allowed-proxy-03.domain.tld(.*)
 RewriteRule ^(.*)$ - [F]

Just slap that bad boy into your server’s httpd.conf file or the HTAccess file of your choice (generally the root HTAccess file), and you’re golden. Note that not all proxies reveal the information targeted in these directives, but many of them continue to do so. Thus, with this code in place, you will enjoy protection against unwanted proxies while allowing open access to the proxy servers or other referring domains of your choice.


Here at Perishable Press, we’re all about understanding how these types of methods actually work. Comprehension is important, especially when it comes to this type of black-magic Apache voodoo. So let’s enjoy a few explanatory spoonfuls, shall we?

As usual, we first check for the required Apache module, which in this case is the inimitable mod_rewrite. Then, after initializing the rewrite engine, the next twelve lines test different variables for any (non-empty) value. These twelve variables are associated with proxy servers and may contain data if present. The [OR] flags appended to the first eleven of the RewriteConditions cumulatively tells Apache something to the effect of “if any of these variables contain any value whatsoever, then invoke the specified RewriteRule”. And this is where the original proxy-blocking directives end. The rewrite is then applied for any matched cases, and the unwanted proxy visits are subsequently denied.

In this updated method, however, we also want to allow our choice of specific proxy servers. So, by appending the previously discussed whitelist directives to the list of RewriteConditions, we are qualifying the first twelve conditions as follows:

if the client is not being sent via this proxy method OR this proxy method OR this proxy method OR this proxy method OR … this proxy method, AND the referrer is not allowed-proxy-01 AND the referrer is not allowed-proxy-02 AND the referrer is not allowed-proxy-03, then invoke the specified RewriteRule.

And so, if the entire collection of conditions prove true, the specified RewriteRule will be applied and the proxy request will be blocked. Conversely, if the referrer is on the whitelist, they will be granted access — regardless of whether or not any of the previous proxy variables contain values.


That’s it for this fine tutorial. Please let me know if you have any questions, concerns or criticisms regarding this method. Hopefully, the explanation is clear, but if not, please let me know!

Jeff Starr
About the Author
Jeff Starr = Web Developer. Book Author. Secretly Important.
USP Pro: Unlimited front-end forms for user-submitted posts and more.

15 responses to “Controlling Proxy Access with HTAccess”

  1. Another person with T-Mobile is getting a 403, so I’m guessing its anything WAP related. Any way to fix?

  2. Hello,

    I use a proxy for both my computers (home and work) and I would like to whitelist both of them. However, I have no idea what my proxy server is. How would I go about finding out what it is?

    Thanks in advance

  3. Jeff Starr
    Jeff Starr 2009/04/14 8:47 am

    @Cutman: Try Google.

Comments are closed for this post. Something to add? Let me know.
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
WP Themes In Depth: Build and sell awesome WordPress themes.
Super useful post about making custom avatars in WordPress.
Making good progress on the new bookstore subdomain here at Perishable Press. Aiming for launch early Summer :)
Playing the long game.
They have weaponized the idiots.
Good software never steals focus from the user. Even during startup.
After 10 years running my own business, I still manage schedules and tasks using old school post-it notes, sometimes simple sometimes very elaborate.
You know those sites, where you're trying to just grab a quick bit of information but the page is shifting all over the place as it loads up 3 million advertisements.