htaccess protection against PROXIES

StackOverflow https://stackoverflow.com//questions/23065801

  •  02-01-2020
  •  | 
  •  

Question

I was using this code (recommended by some forums in the net) to block Proxies to my website files, using htaccess file:

RewriteEngine on    
RewriteCond %{HTTP:XROXY_CONNECTION}    !^$ [OR]    
RewriteCond %{HTTP:X-FORWARDED-FOR}     !^$ [OR]    
RewriteCond %{HTTP:FORWARDED-FOR}       !^$ [OR]    
RewriteCond %{HTTP:X-FORWARDED}         !^$ [OR]    
RewriteCond %{HTTP:VIA}                 !^$ [OR]    
RewriteCond %{HTTP:FORWARDED}           !^$ [OR]    
RewriteCond %{HTTP:USERAGENT_VIA}       !^$ [OR]    
RewriteCond %{HTTP:X_FORWARDED_FOR}     !^$ [OR]    
RewriteCond %{HTTP:PROXY_CONNECTION}    !^$ [OR]    
RewriteCond %{HTTP:XPROXY_CONNECTION}   !^$ [OR]    
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]    
RewriteCond %{HTTP:HTTP_CLIENT_IP}      !^$     
RewriteRule ^(.*)$ - [F]

It was working perfect. However, since this year, GOOGLE updated his ANDROID platform with a new feature called: "Data Compression Proxy" (using the option inside the settings of the browser named "Reduce Data Usage"). According to this post Updated in January 2014, I can see it is a new feature for Android Devices: https://developers.google.com/chrome/mobile/docs/data-compression

Now the htaccess code is still blocking proxies which is what I needed, but additionally it is blocking all requests coming from Android Devices using Chrome Mobile. Even when the Android Phone User is connected to the internet via WIFI or Mobile 4G without any Proxy. The proxy setting is set by Google internally on their servers.

Of course, if the user disable that option (which I see was set "on" by default in the phones), they can access to my websites.

I needed to know if there is a WAY to Whitelist GOOGLE android PROXIES inside same code? I mean, A code for referrer coming from Google.com ?

I tried this already but didn't work:

RewriteCond %{HTTP_REFERER} !.google.com. [OR]

I would not want to change the original code to something like blocking per IP's, since Blocking proxies by offenders IP would create a big list on that file, and harder to control and manage it.

Please, let me know. Thanks.

Was it helpful?

Solution

There's a couple of things you can do, you can whitelist all "Android" user agents, or you can whitelist the "VIA" header when it's the compression proxy. When you whitelist, it can't be an "OR"'s condition, it must be satisfied.

A typical request from android chrome through the compression proxy looks something like this:

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Forwarded: for="xxx"
Scheme: http
Via: 1.1 Chrome Compression Proxy
X-Forwarded-For: xxx
Connection: Keep-alive
User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.114 Mobile Safari/537.36

So you can match against the "Linux; Android" part of the user agent or the "Chrome Compression Proxy" in the via:

RewriteEngine on   
RewriteCond %{HTTP_USER_AGENT} !Linux;\ Android\ [234]\.[0-9]

RewriteCond %{HTTP:XROXY_CONNECTION}    !^$ [OR]    
RewriteCond %{HTTP:X-FORWARDED-FOR}     !^$ [OR]    
RewriteCond %{HTTP:FORWARDED-FOR}       !^$ [OR]    
RewriteCond %{HTTP:X-FORWARDED}         !^$ [OR]    
RewriteCond %{HTTP:VIA}                 !^$ [OR]    
RewriteCond %{HTTP:FORWARDED}           !^$ [OR]    
RewriteCond %{HTTP:USERAGENT_VIA}       !^$ [OR]    
RewriteCond %{HTTP:X_FORWARDED_FOR}     !^$ [OR]    
RewriteCond %{HTTP:PROXY_CONNECTION}    !^$ [OR]    
RewriteCond %{HTTP:XPROXY_CONNECTION}   !^$ [OR]    
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]    
RewriteCond %{HTTP:HTTP_CLIENT_IP}      !^$     
RewriteRule ^(.*)$ - [F]

or

RewriteEngine on   
RewriteCond %{HTTP:VIA} !Chrome\ Compression\ Proxy

RewriteCond %{HTTP:XROXY_CONNECTION}    !^$ [OR]    
RewriteCond %{HTTP:X-FORWARDED-FOR}     !^$ [OR]    
RewriteCond %{HTTP:FORWARDED-FOR}       !^$ [OR]    
RewriteCond %{HTTP:X-FORWARDED}         !^$ [OR]    
RewriteCond %{HTTP:VIA}                 !^$ [OR]    
RewriteCond %{HTTP:FORWARDED}           !^$ [OR]    
RewriteCond %{HTTP:USERAGENT_VIA}       !^$ [OR]    
RewriteCond %{HTTP:X_FORWARDED_FOR}     !^$ [OR]    
RewriteCond %{HTTP:PROXY_CONNECTION}    !^$ [OR]    
RewriteCond %{HTTP:XPROXY_CONNECTION}   !^$ [OR]    
RewriteCond %{HTTP:HTTP_PC_REMOTE_ADDR} !^$ [OR]    
RewriteCond %{HTTP:HTTP_CLIENT_IP}      !^$     
RewriteRule ^(.*)$ - [F]
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top