How to Block Proxy Servers via htaccess

Not too long ago, a reader going by the name of bjarbj78 asked about how to block proxy servers from accessing her website. Apparently, bjarbj78 had taken the time to compile a proxy blacklist of over 9,000 domains, only to discover afterwards that the formulated htaccess blacklisting strategy didn’t work as expected. Here is the ineffective htaccess directive that was used:

Deny from proxydomain.com proxydomain2.com

Blacklisting proxy servers by blocking individual domains seems like a futile exercise. Although there are a good number of reliable, consistent proxy domains that could be blocked directly, the vast majority of such sites are constantly changing. It would take a team of professionals working around the clock just to keep up with them all.

As explained in my reply to bjarbj78’s comment, requiring Apache to process over 9,000 htaccess entries for every request could prove disastrous:

The question is, even if you could use htaccess to block over 9,000 domains, would you really want to? If you consider the potential performance hit and excessive load on server resources associated with the perpetual processing of such a monstrous list, it may inspire you to seek a healthier, perhaps more effective alternative..

A better way to block proxy servers

Rather than attempt to block proxy servers by who they are (i.e., via their specified domain identity), it is far more expedient and effective to block proxy servers by what they do. By simply blacklisting the various HTTP request headers that proxy servers add, it is possible to block virtually all proxy connections. Here is the code that I use for stopping 99% of the proxies that attempt to access certain sites:

# block proxy servers from site access
# https://perishablepress.com/press/2008/04/20/how-to-block-proxy-servers-via-htaccess/
# %{HTTP:name} reads the request header as sent: hyphenated names, no HTTP_ prefix

RewriteEngine on
RewriteCond %{HTTP:Via}                 !^$ [OR]
RewriteCond %{HTTP:Forwarded}           !^$ [OR]
RewriteCond %{HTTP:UserAgent-Via}       !^$ [OR]
RewriteCond %{HTTP:X-Forwarded-For}     !^$ [OR]
RewriteCond %{HTTP:Proxy-Connection}    !^$ [OR]
RewriteCond %{HTTP:XProxy-Connection}   !^$ [OR]
RewriteCond %{HTTP:PC-Remote-Addr}      !^$ [OR]
RewriteCond %{HTTP:Client-IP}           !^$
RewriteRule ^(.*)$ - [F]

To use this code, copy & paste into your site’s root htaccess file. Upload to your server, and test its effectiveness via the proxy service(s) of your choice. It may not be perfect, but compared to blacklisting a million proxy domains, it’s lightweight, concise, and very effective ;)
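
An added example (not code from the original post): a small Python model of how mod_rewrite evaluates a RewriteCond chain like the one above, run over constructed requests. It shows that %{HTTP:name} matches the header name as sent (case-insensitive, but an underscore does not stand in for a hyphen) and that a request carrying none of the listed headers is allowed. The rule text, sample headers and function names are assumptions made for the illustration.

```python
import re

# Constructed rule text: header names spelled as they appear on the wire.
RULES = """
RewriteCond %{HTTP:Via}              !^$ [OR]
RewriteCond %{HTTP:Forwarded}        !^$ [OR]
RewriteCond %{HTTP:X-Forwarded-For}  !^$ [OR]
RewriteCond %{HTTP:Proxy-Connection} !^$ [OR]
RewriteCond %{HTTP:Client-IP}        !^$
"""
# Same test spelled like the CGI/PHP variable name (underscores).
UNDERSCORE_RULE = "RewriteCond %{HTTP:X_FORWARDED_FOR} !^$"

COND = re.compile(r"^RewriteCond\s+%\{HTTP:([^}]+)\}\s+(!?)(\S+)(?:\s+\[([^\]]*)\])?$")

def parse(text):
    """Return [(header, negate, regex, or_next)] for each RewriteCond line."""
    conds = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = COND.match(line)
        if not m:
            raise ValueError("unsupported directive: " + line)
        flags = [f.strip().upper() for f in (m.group(4) or "").split(",")]
        conds.append((m.group(1), m.group(2) == "!", re.compile(m.group(3)), "OR" in flags))
    return conds

def blocked(conds, headers):
    """True if the [F] rule would fire: [OR] joins a condition to the next, else AND."""
    # Header names compare case-insensitively; an absent header expands to "".
    sent = {k.lower(): v for k, v in headers.items()}
    result, group = True, False
    for i, (name, negate, rx, or_next) in enumerate(conds):
        group = group or (bool(rx.search(sent.get(name.lower(), ""))) != negate)
        if not or_next or i == len(conds) - 1:
            result, group = result and group, False
    return result

# Constructed requests (documentation addresses and hostnames).
SAMPLES = {
    "direct browser": {"Host": "example.com", "User-Agent": "Mozilla/5.0"},
    "forwarding proxy": {"Via": "1.1 cache.example.net", "X-Forwarded-For": "203.0.113.7"},
    "lower-case header": {"host": "example.com", "x-forwarded-for": "203.0.113.7"},
}

def report(rule_text=RULES):
    return {label: blocked(parse(rule_text), h) for label, h in SAMPLES.items()}

if __name__ == "__main__":
    print(report(), report(UNDERSCORE_RULE))
```

Any request that carries one of these headers is refused regardless of who sent it, so check callbacks and monitoring services that reach the site through a forwarding proxy before enabling the rule.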

Jeff Starr
About the Author
Jeff Starr = Web Developer. Security Specialist. WordPress Buff.

17 responses to “How to Block Proxy Servers via htaccess”

  1. Jeff Starr
    Perishable 2008/04/27 9:07 am

    Hi David, it should be easy to block the anonymous proxy server via htaccess. Add the following code to your root htaccess file:

    # deny domain access
    RewriteEngine on
    RewriteBase /
    RewriteCond %{HTTP_USER_AGENT} anonymous [NC]
    RewriteRule ^.* - [F,L]

    ..of course, this method blocks by targeting the user agent, which may or may not be the same as the domain name. Another way to block a specific proxy is to target the domain itself, as identified via referrer:

    RewriteCond %{HTTP_REFERER} ^http://.*anonymous.*$ [NC]

    This line should replace the RewriteCond line in the previous code. Remember to test thoroughly!

  2. Will this also block PayPal IPN? Untested on my end.. waiting for a payment to come through rather than converting all my ipn stuff to sandbox.

  3. Jeff Starr
    Perishable 2008/05/04 7:23 am

    Thanks for the feedback, Eric — keep us updated on the results..

  4. air force ones 2008/05/22 2:43 am

    Hey Perishable, I have a good idea about how to block proxy servers. Because the operating systems of most proxy servers are Linux but the operating systems of most visitors are Windows. So if we can block Linux, maybe we can block most proxy servers.

  5. Jeff Starr
    Perishable 2008/05/25 6:31 am

    Are you kidding? A good number of my visitors are Linux users. I definitely do not want to block them. I appreciate the idea, but think it would be an unwise move. The last thing I want to do is cater specifically to Windows users..
