Forum Topic: Denying and allowing proxy addresses

Forum: .htaccess Forum : Security • Posted by pagettypol • Updated:

Hello,

I am stuck on a particular problem involving proxy servers. I have a client based in across the world who we have built a website for only them to see. They have sent through a list of 50 ip addresses and ranges of proxy servers for them to view the website through, which we’ve added to our htaccess file. I currently have it set up like:

Order Deny, Allow
Deny from all
Allow from 123.456.789.5/75
.....etc

This works for the most part as far as we can tell – people are emailing in giving us the thumbs up that they can see the site.

However, one particular set of ranges in a country are having trouble seeing the site and are getting a 403 forbidden code (which we would expect if they were not permitted). We’re pretty sure that the ip addresses are right and have double checked with their IT team.

I’m looking at using this code from the htaccess book instead:

<IfModule mod_rewrite.c>
	RewriteCond %{HTTP:VIA} !^$ [OR]
	RewriteCond %{HTTP:FORWARDED} !^$ [OR]
	RewriteCond %{HTTP:FORWARDED-FOR} !^$ [OR]
	RewriteCond %{HTTP:X-FORWARDED} !^$ [OR]
	RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
	RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
	RewriteCond %{HTTP:XPROXY_CONNECTION} !^$ [OR]
	RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
	RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$ [OR]
	RewriteCond %{HTTP:USERAGENT_VIA} !^$
	RewriteCond %{HTTP_REFERER} !(.*)proxy-service.com(.*)
	RewriteCond %{HTTP_REFERER} !(.*)another-proxy.com(.*)
	RewriteCond %{HTTP_REFERER} !(.*)proxy.service.com(.*)
	RewriteRule .* - [F]
</IfModule>

with the IP ranges replacing the proxy-service.com so:

<IfModule mod_rewrite.c>
	RewriteCond %{HTTP:VIA} !^$ [OR]
	RewriteCond %{HTTP:FORWARDED} !^$ [OR]
	RewriteCond %{HTTP:FORWARDED-FOR} !^$ [OR]
	RewriteCond %{HTTP:X-FORWARDED} !^$ [OR]
	RewriteCond %{HTTP:X_FORWARDED_FOR} !^$ [OR]
	RewriteCond %{HTTP:PROXY_CONNECTION} !^$ [OR]
	RewriteCond %{HTTP:XPROXY_CONNECTION} !^$ [OR]
	RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]
	RewriteCond %{HTTP:HTTP_CLIENT_IP} !^$ [OR]
	RewriteCond %{HTTP:USERAGENT_VIA} !^$
	RewriteCond %{HTTP_REFERER} !(.*)123.456.789.1/50(.*)
	RewriteCond %{HTTP_REFERER} !(.*)123.123.123.62/80(.*)
	RewriteCond %{HTTP_REFERER} !(.*)123.456.123.10/100(.*)
	RewriteRule .* - [F]
</IfModule>

Would this be the more correct way of letting those proxies through?

Thanks.

3 Replies to “Denying and allowing proxy addresses”

Posted by Jeff Starr

As written, that code will block *most* proxies and the specified IPs. Essentially it says, “if the request is not from a proxy AND not from any of these IPs, then allow it through..” More info:

https://perishablepress.com/controlling-proxy-access-with-htaccess/

It is very difficult to allow only certain proxy servers unless they have a static IP, in which case it is better to simply add the proxy IPs to the whitelist (e.g., Allow from..).

That said, it may be better to require a login in order to view the site. That way, only those with proper credentials can access, and from any location. You can find more info in chapter 7.4.

Posted by pagettypol •

Thanks for replying so quickly Jeff.

Is my best be then to use the Order Deny, Allow method eg:

Order Deny, Allow
Deny from all
Allow from 123.456.789.5/75

I understand that all these proxy IPs are static, it’s just this particular set is getting the forbidden 403 error. I’m just trying to work out if I’ve overlooked anything.

Unfrotunately they don’t want a login for the site.

Posted by Jeff Starr

One thing I would recommend is inspecting the server log. There you can see exactly which IPs are getting the 403 error, and which URLs they are trying to access when triggering the error. Of course, if the IPs are dynamic, it will be much more difficult to deny/allow via .htaccess.