Is there any way to stop/block proxy servers from accessing HTTPS-based sites?

I have enabled mod_geoip to allow traffic from certain countries to access our critical websites, but open web proxies are still easily searchable, through which any attacker can try to access the site from the allowed country's address space.

I have googled a lot and found a solution to detect/block requests coming via a proxy based on http-x-forwarded-for (reference URL).

But this works only for HTTP-based sites, not for HTTPS, as on HTTPS the x-forwarded-for headers are not coming through due to encryption. So I believe there must be some possible approach to block proxies for HTTPS; otherwise mod_geoip is useless for HTTPS-based websites.

  • 6
    Possible duplicate of [How does a website detect proxy?](https://security.stackexchange.com/questions/100550/how-does-a-website-detect-proxy), [How can a website find my real IP address while I'm behind a proxy?](https://security.stackexchange.com/questions/36420/how-can-a-website-find-my-real-ip-address-while-im-behind-a-proxy) – Steffen Ullrich Feb 21 '18 at 15:21
  • You're trying to block proxies based on optional headers sent by the proxies themselves; I hope you see the obvious problem there. This also isn't going to do anything to stop a VPN. Unless you have a very good reason to do this I would give up; it's generally a fool's errand. – AndrolGenhald Feb 21 '18 at 15:21

1 Answer

What are you trying to protect?

If it is some vulnerability, then use modsecurity to mitigate it, use IP blacklists like https://github.com/mlsecproject/combine/wiki/Threat-Intelligence-Feeds-Gathered-by-Combine, and block Tor exit nodes.

If you want to block just some countries, then to use http-x-forwarded-for, place the filter under the web server or HAProxy that does the SSL termination.

Another, more complex solution is:

Note: One or two initial requests still won't be blocked, but once it's in the blacklist it's bulletproof if you block it at the iptables level.

Example: https://www.shodan.io/host/5.148.154.53

This IP has a proxy listening on port 8080; this is a public one. I tested it with a private one I have and you still see open ports.

That can be done with just one Python script, as normal users won't have any open ports for hosted services.

Just take care not to ban Google bots; use this guide: https://support.google.com/webmasters/answer/80553?hl=en&vid=0-292822248820-1519233445180

  • Dear Hrvoje, thank you for your feedback. Actually I am using mod_geoip to only allow my country's IPs to access it. But it's useless, as I see attacks coming from web proxies based on my country's IPs. I blocked proxy requests using x-forwarded-for as mentioned above, but only for my HTTP sites; it's not working for my HTTPS sites, as x-forwarded-for is not working in HTTPS due to SSL encryption. I want to protect my HTTPS sites from proxy servers. I'm not using any load balancer or HAProxy, as these are standalone web servers. – user3485288 Feb 21 '18 at 18:06
  • No solution so far? – user3485288 Feb 23 '18 at 12:21
  • As I said, look up open ports on the client IPs; if there is some open port, block it. This can be done at the netfilter level, with a custom nginx/apache module or with nfqueue, or at the app level with the Shodan API (faster than doing the port scan yourself, and you don't expose yourself with it). – Hrvoje Milković Feb 25 '18 at 12:59
  • I know you want an out-of-the-box solution, but there is none :/ – Hrvoje Milković Feb 25 '18 at 13:00
  • Thank you so much Mr. Hrvoje for the great response; can you please guide me on how to control this at the netfilter level? Or the Apache module name? Please. – user3485288 Feb 28 '18 at 08:04
  • Thank you :). For netfilter, use nfqueue bindings with iptables like https://github.com/kti/python-netfilterqueue. For the Apache web server, unfortunately I don't know any modules that would do this, maybe Lua scripting. Just make sure to first pass the packets and then validate the IP, as the request to Shodan will slow down your server performance, so it needs to be done after you send the response to the client, then the potential ban. – Hrvoje Milković Mar 07 '18 at 12:02
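The check the answer and its comments describe (probe a connecting client's IP for listening proxy ports after the response has gone out, then drop it at the iptables level) as an added example; this is not code from the post or from any project mentioned in it. The port list and the use of a plain TCP connect instead of the Shodan API are assumptions; only 8080 comes from the answer, and the `probe` parameter exists so the decision logic can be exercised without touching the network.

```python
"""Flag client IPs that expose common open-proxy ports and build an iptables DROP rule.

Assumed workflow: run from a log tailer after the response has been sent, so the
probe does not delay the request. Inserting the rule needs root; dry_run only
returns the command so it can be reviewed first.
"""
import ipaddress
import socket
import subprocess
from typing import Callable, Iterable, List

# Assumed list of ports commonly served by open web proxies; 8080 is from the post.
PROXY_PORTS = (8080, 3128, 1080, 8888)


def tcp_probe(ip: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connect to ip:port succeeds within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def open_proxy_ports(ip: str, ports: Iterable[int] = PROXY_PORTS,
                     probe: Callable[[str, int], bool] = tcp_probe) -> List[int]:
    """Return the probed ports that accept connections; never probe non-public addresses."""
    if not ipaddress.ip_address(ip).is_global:
        return []
    return [p for p in ports if probe(ip, p)]


def block_rule(ip: str) -> List[str]:
    """iptables argv that drops traffic from ip; validating ip first keeps junk out of the rule."""
    ipaddress.ip_address(ip)  # raises ValueError on anything that is not an address
    return ["iptables", "-I", "INPUT", "-s", ip, "-j", "DROP"]


def decide(ip: str, probe: Callable[[str, int], bool] = tcp_probe, dry_run: bool = True) -> dict:
    """Probe the client and, unless dry_run, insert the DROP rule when a proxy port answers."""
    ports = open_proxy_ports(ip, probe=probe)
    verdict = {"ip": ip, "open_ports": ports, "blocked": False, "cmd": None}
    if ports:
        verdict["cmd"] = block_rule(ip)
        if not dry_run:
            subprocess.run(verdict["cmd"], check=True)
            verdict["blocked"] = True
    return verdict
```

Crawler exemption (the Google guide linked above) belongs before `decide`: verify the client by reverse then forward DNS and skip it, otherwise the probe will eventually ban a legitimate bot.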