How can I protect myself from proxy servers?

0

Well, this is what I'm doing, I'm doing a site where I pay for every user visit.

However, is there any way to know if a given IP is a proxy or not, i.e., is there any way to know if that user is using a VPN or not? And if there is, how can I block the user from using a proxy?

Thank you.

    
asked by anonymous 21.07.2016 / 03:13

2 answers

3

There is no way to defend yourself efficiently, and with a VPN it is impossible (as far as I understand). The only way would be to have a list of IPs provided by some service; however, this is not necessarily a programming matter. I do not know of any service that provides these lists, but that is probably the path.

However, some proxies pass data over HTTP, which may help to verify this. I did not find many details about the headers, as not all are standardized, but this discussion on Wikipedia tries to give some guidance: link. Here are some details:

The "Via" header, which is used by gateways and proxies to indicate the intermediate protocols and recipients between the user agent and the server on requests, and between the origin server and the client on responses, use in PHP:

  • HTTP_VIA

Details about Forwarded: link, use in PHP:

  • HTTP_FORWARDED_FOR
  • HTTP_FORWARDED
  • HTTP_X_FORWARDED_FOR (probably used before HTTP_FORWARDED_FOR, while still experimental)
  • HTTP_X_FORWARDED (probably used before HTTP_FORWARDED_FOR, while still experimental)

X-Cluster-Client-IP, which is apparently required by Zeus web servers:

  • HTTP_X_CLUSTER_CLIENT_IP

As for Client-IP, I could not find any information; what I think is that it was used before Forwarded, use in PHP:

  • HTTP_CLIENT_IP
  • HTTP_X_CLIENT_IP (variation of HTTP_CLIENT_IP)

Detecting if you are using a proxy that passes header(s)

In PHP it would look something like:

<?php
function isProxy()
{
    // $_SERVER keys of the request headers that proxies may add
    $proxyTypes = array(
        'HTTP_VIA',
        'HTTP_FORWARDED_FOR',
        'HTTP_FORWARDED',
        'HTTP_X_FORWARDED_FOR',
        'HTTP_X_FORWARDED',
        'HTTP_X_CLUSTER_CLIENT_IP',
        'HTTP_CLIENT_IP',
        'HTTP_X_CLIENT_IP'
    );

    foreach ($proxyTypes as $proxyType) {
        // The header counts only if the request actually carries it
        if (!empty($_SERVER[$proxyType])) {
            return true;
        }
    }

    return false;
}

if (isProxy()) {
    // Ends the PHP script and prints a message ("You are using a proxy"); customize this if as you wish
    die('Você está usando proxy');
}

Detecting if you are using a web-proxy:

Web-proxies usually use frames, so it's only possible to check if your page is running within <iframe> or <frame>, so add in the footer of the page:

<script>
function detectLoadInFrame()
{
    // The try prevents problems with CORS blocks
    try {
        if (window.self !== window.top) {
            window.top.location = window.location;
        }
    } catch (e) {
    }
}

// Run the check as soon as the script is parsed
detectLoadInFrame();
</script>
</body>
</html>

But note that sometimes web-proxies block JavaScript, which causes problems for the detection, so the interesting thing would be to block some main HTML functionality, such as the navbar or a form, for example:

estilo.css:

.navbar {
    display: none;
}

.navbar.show {
    display: block;
}

Your HTML:

<html>
    <head>
        <link href="estilo.css" rel="stylesheet" type="text/css">
    </head>
    <body>
        <nav class="navbar">
           <a href="...">...</a>
        </nav>

        <form id="meuform">
           <input type="text" disabled>
           <select disabled></select>
        </form>

        <script>
        function detectLoadInFrame()
        {
            // The try prevents problems with CORS blocks
            try {
                if (window.self !== window.top) {
                    window.top.location = window.location;
                } else {
                    // Shows the navbar
                    document.querySelector(".navbar").className += " show";

                    // Enables the fields
                    var fields = document.querySelectorAll("#meuform [disabled]");

                    for (var i = fields.length - 1; i >= 0; i--) {
                        fields[i].disabled = false;
                    }
                }
            } catch (e) {
            }
        }

        // Run the check once the navbar and form above exist in the DOM
        detectLoadInFrame();
        </script>
    </body>
</html>
    
21.07.2016 / 03:28
0

As far as I know, if the user does not send certain headers you cannot detect it, but if the user sends an X-FORWARDED-FOR you can try to filter. But you have to accept that some will get through, because many proxies are anonymous.

    
21.07.2016 / 03:24
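
The two checks the answers describe, combined in one function, as an added example that is not part of either answer: match REMOTE_ADDR against a provider-supplied range list, then look for the forwarding headers. The CIDR range and sample requests are constructed (documentation address space), and $trustedFrontends (your own load balancer or CDN addresses, whose forwarding headers are expected) is a hypothetical parameter; IPv4 only.

```php
<?php
// Added example. Header keys are the ones listed in the first answer.
const PROXY_HEADERS = ['HTTP_VIA', 'HTTP_FORWARDED_FOR', 'HTTP_FORWARDED',
    'HTTP_X_FORWARDED_FOR', 'HTTP_X_FORWARDED', 'HTTP_X_CLUSTER_CLIENT_IP',
    'HTTP_CLIENT_IP', 'HTTP_X_CLIENT_IP'];

// True when IPv4 address $ip lies inside $cidr ("a.b.c.d/len").
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $len] = explode('/', $cidr) + [1 => '32']; // bare address = /32
    $ipLong = ip2long($ip);
    $netLong = ip2long($net);
    $len = (int) $len;
    if ($ipLong === false || $netLong === false || $len < 0 || $len > 32) {
        return false; // malformed input never matches
    }
    $mask = -1 << (32 - $len); // keeps the top $len bits
    return ($ipLong & $mask) === ($netLong & $mask);
}

// Returns the reasons a request looks proxied; an empty array means no signal,
// not proof of a direct connection.
function proxySignals(array $server, array $proxyCidrs, array $trustedFrontends = []): array
{
    $reasons = [];
    $remote = $server['REMOTE_ADDR'] ?? '';
    foreach ($proxyCidrs as $cidr) {
        if (ipInCidr($remote, $cidr)) {
            $reasons[] = "REMOTE_ADDR $remote is in listed range $cidr";
        }
    }
    // Headers are only a hint: the client or any proxy can add or strip them.
    // Skip them when the peer is your own front end, which sets them itself.
    if (!in_array($remote, $trustedFrontends, true)) {
        foreach (PROXY_HEADERS as $name) {
            if (!empty($server[$name])) {
                $reasons[] = "header $name present";
            }
        }
    }
    return $reasons;
}

// Constructed sample requests (in production pass $_SERVER instead).
$list = ['198.51.100.0/24']; // stand-in for a provider's proxy/VPN range list
print_r(proxySignals(['REMOTE_ADDR' => '198.51.100.7'], $list));
print_r(proxySignals(['REMOTE_ADDR' => '203.0.113.9', 'HTTP_VIA' => '1.1 cache'], $list));
print_r(proxySignals(['REMOTE_ADDR' => '203.0.113.9'], $list)); // anonymous proxy: no signal
```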