Forum Topic: Proxy block with features?

Forum: .htaccess Forum : Security • Posted by Helio

After some reading I conclude there are numerous types of proxies that are harmless and indispensable, such as "transparent" proxies (not to be confused with anonymous proxies).

We may block proxies by what they do, but to what extent can the existing proxy-block allow requests from friendlier proxies?

Can one expect to amend it in order to accept requests from such types of proxies?

3 Replies to “Proxy block with features?”

Posted by Jeff Starr

Yes, blocking based on bot behavior, or "what they do" is the key. But then once you start looking at behavior you'll see there is no clear distinction between different types of proxies and the types of requests they're making.

For example, people use dark/anonymous proxies all the time for legit surfing. Conversely, transparent proxies are commonly used for evil purposes. Regardless of the type of proxy (or lack of one), the behavior remains consistent: you want to block bad requests and allow good requests.

For anyone getting into the art and science of blocking proxy servers, .htaccess is a good place to start, but ultimately a scripting language such as PHP is required to make the finer distinctions between different types of proxy behavior.

I hope this helps in some way, let me know if I can elaborate on anything, glad to do so :)

Posted by Helio

Why block bad requests if legit requests can pass through any number of routing locations which assign numerous unique IP addresses to it and effectively mask the origin IP?

It is possible that common rerouting may trigger the proxy block because another IP address is assigned to the request as a consequence of its passing through that route, and that that signifies a "transparent" proxy.

The concern is that legit requests will get blocked due to transparent routing.

Posted by Jeff Starr

> Why block bad requests if legit requests can pass through any number of routing locations which assign numerous unique IP addresses to it and effectively mask the origin IP?

Blocking bad behavior (i.e., bad URL requests) should be as IP-neutral as possible. IPs, User Agents, Referrers, etc. can all be spoofed, so we should not rely on such data. Instead, and as discussed, focus on the URL request, aka "behavior", for protection. So IP should have nothing to do with it, unless you're being stalked or have some other specific threat.

> It is possible that common rerouting may trigger the proxy block because another IP address is assigned to the request as a consequence of its passing through that route, and that that signifies a "transparent" proxy.

False positives are inevitable with any type of blacklisting or traffic filtering. The trick is studying the data and lots of testing. If you're in a situation where absolutely no false positives should happen, then it will be very difficult to block any sort of proxy (or other questionable) traffic. And vice-versa.

> The concern is that legit requests will get blocked due to transparent routing.

See previous response. Yes absolutely that is the entire crux of this security method. The key is to find balance and "tune" your security to match your traffic. Unfortunately when it comes to blacklisting proxy traffic, dialing it in will require something more flexible than .htaccess (e.g. PHP or other scripting language).
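
Added example, not part of the thread and not any poster's code: a small offline tuning harness for the approach discussed above, which judges requests by URI alone and then measures false positives and misses against manually reviewed traffic. The rule patterns, the log format and the log lines are all constructed assumptions for illustration.

```python
import re
from urllib.parse import unquote

# Hypothetical rule set (assumption): patterns applied to the request URI only.
BAD_URI = [re.compile(p, re.I) for p in (
    r"\.\./",                  # directory traversal
    r"wp-config\.php",         # config file probing
    r"<script",                # markup injected into a parameter
    r"base64_(en|de)code\(",   # PHP function call in the URL
)]

# Constructed sample log in a made-up format:
#   ip "request line" "Via header" verdict-from-manual-review
SAMPLE_LOG = """\
203.0.113.5 "GET /blog/post-1 HTTP/1.1" "-" good
198.51.100.7 "GET /blog/post-1 HTTP/1.1" "1.1 cache.example" good
198.51.100.7 "GET /index.php?page=../../notes.txt HTTP/1.1" "1.1 cache.example" bad
203.0.113.9 "GET /wp-config.php.bak HTTP/1.1" "-" bad
192.0.2.44 "GET /docs/base64_encode()-explained HTTP/1.1" "1.1 corp-proxy" good
192.0.2.80 "GET /?q=%3Cscript%3Ex%3C/script%3E HTTP/1.1" "-" bad
192.0.2.81 "GET /admin/backup.sql HTTP/1.1" "-" bad
"""

LINE = re.compile(r'^(\S+) "(\S+) (\S+) [^"]*" "([^"]*)" (good|bad)$')

def is_blocked(uri):
    """Decide from the URL-decoded URI alone; IP and headers are never consulted."""
    decoded = unquote(uri)
    return any(p.search(decoded) for p in BAD_URI)

def evaluate(log_text):
    """Return (confusion counts, URIs of good requests the rules would block)."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    false_positives = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the sample format
        _ip, _method, uri, _via, verdict = m.groups()
        blocked = is_blocked(uri)
        if verdict == "bad":
            counts["tp" if blocked else "fn"] += 1
        elif blocked:
            counts["fp"] += 1
            false_positives.append(uri)
        else:
            counts["tn"] += 1
    return counts, false_positives

if __name__ == "__main__":
    print(evaluate(SAMPLE_LOG))
```

On the sample data the proxied request for `/blog/post-1` gets the same verdict as the direct one, while the one false positive and the one miss both come from the URI patterns, which is where the tuning effort goes.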