Controlling Proxy Access with HTAccess

♦ Posted by Jeff Starr in .htaccess, Security

Updated January 28, 2020 • 15 comments

In my recent article on blocking proxy servers, I explain how to use HTAccess to deny site access to a wide range of proxy servers. The method works great, but some readers want to know how to allow access for specific proxy servers while denying access to as many other proxies as possible.

Fortunately, the solution is as simple as adding a few lines to my original proxy-blocking method. Specifically, we may allow any requests coming from our whitelist of proxy servers by testing Apache’s HTTP_REFERER variable, like so:

RewriteCond %{HTTP_REFERER} !(.*)allowed-proxy-01.domain.tld(.*)
RewriteCond %{HTTP_REFERER} !(.*)allowed-proxy-02.domain.tld(.*)
RewriteCond %{HTTP_REFERER} !(.*)allowed-proxy-03.domain.tld(.*)

Notice the pattern here. Each line matches against the specified proxy server in the referrer variable. Once integrated into the original method, each of the three specified URI’s will be allowed access to your site. Thus, by editing these directives to match the name and number of your whitelisted proxy servers, you can allow access to any list of proxies or other referrers while blocking many of the others.

Integration

To integrate your customized whitelist RewriteConditions with the original proxy-block method, simply place them near the end of the existing conditions, directly above the RewriteRule, like so:

<IfModule mod_rewrite.c>
 RewriteEngine on
 RewriteCond %{HTTP:VIA}                 !^$ [OR]
 RewriteCond %{HTTP:FORWARDED}           !^$ [OR]
 RewriteCond %{HTTP:USERAGENT_VIA}       !^$ [OR]
 RewriteCond %{HTTP:X_FORWARDED_FOR}     !^$ [OR]
 RewriteCond %{HTTP:PROXY_CONNECTION}    !^$ [OR]
 RewriteCond %{HTTP:XPROXY_CONNECTION}   !^$ [OR]
 RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
 RewriteCond %{HTTP:XROXY_CONNECTION}    !^$ [OR]
 RewriteCond %{HTTP:X-FORWARDED-FOR}     !^$ [OR]
 RewriteCond %{HTTP:HTTP_CLIENT_IP}      !^$ [OR]
 RewriteCond %{HTTP:FORWARDED-FOR}       !^$ [OR]
 RewriteCond %{HTTP:X-FORWARDED}         !^$
 RewriteCond %{HTTP_REFERER}             !(.*)allowed-proxy-01.domain.tld(.*)
 RewriteCond %{HTTP_REFERER}             !(.*)allowed-proxy-02.domain.tld(.*)
 RewriteCond %{HTTP_REFERER}             !(.*)allowed-proxy-03.domain.tld(.*)
 RewriteRule ^(.*)$ - [F]
</IfModule>

Just slap that bad boy into your server’s httpd.conf file or the HTAccess file of your choice (generally the root HTAccess file), and you’re golden. Note that not all proxies reveal the information targeted in these directives, but many of them continue to do so. Thus, with this code in place, you will enjoy protection against unwanted proxies while allowing open access to the proxy servers or other referring domains of your choice.

Comprehension

Here at Perishable Press, we’re all about understanding how these types of methods actually work. Comprehension is important, especially when it comes to this type of black-magic Apache voodoo. So let’s enjoy a few explanatory spoonfuls, shall we?

As usual, we first check for the required Apache module, which in this case is the inimitable mod_rewrite. Then, after initializing the rewrite engine, the next twelve lines test different variables for any (non-empty) value. These twelve variables are associated with proxy servers and may contain data if present. The [OR] flags appended to the first eleven of the RewriteConditions cumulatively tells Apache something to the effect of “if any of these variables contain any value whatsoever, then invoke the specified RewriteRule”. And this is where the original proxy-blocking directives end. The rewrite is then applied for any matched cases, and the unwanted proxy visits are subsequently denied.

In this updated method, however, we also want to allow our choice of specific proxy servers. So, by appending the previously discussed whitelist directives to the list of RewriteConditions, we are qualifying the first twelve conditions as follows:

if the client is not being sent via this proxy method OR this proxy method OR this proxy method OR this proxy method OR … this proxy method, AND the referrer is not allowed-proxy-01 AND the referrer is not allowed-proxy-02 AND the referrer is not allowed-proxy-03, then invoke the specified RewriteRule.

And so, if the entire collection of conditions prove true, the specified RewriteRule will be applied and the proxy request will be blocked. Conversely, if the referrer is on the whitelist, they will be granted access — regardless of whether or not any of the previous proxy variables contain values.

Sayanora

That’s it for this fine tutorial. Please let me know if you have any questions, concerns or criticisms regarding this method. Hopefully, the explanation is clear, but if not, please let me know!

About the Author

Jeff Starr = Designer. Developer. Producer. Writer. Editor. Etc.

15 responses to “Controlling Proxy Access with HTAccess”

James 2009/04/12 9:55 am

Another person with T-Mobile is getting a 403, so I’m guessing its anything WAP related. Any way to fix?
Cutman 2009/04/14 2:59 am

Hello,

I use a proxy for both my computers (home and work) and I would like to whitelist both of them. However, I have no idea what my proxy server is. How would I go about finding out what it is?

Thanks in advance
Jeff Starr 2009/04/14 8:47 am • Post Author

@Cutman: Try Google.

« Previous Comments • 12

Comments are closed for this post. Something to add? Let me know.