
Detecting whether a user is behind a proxy

I’m trying to figure out how I could detect whether people logging into my site are behind a proxy or not. I’ve read that you can detect a person’s real IP address through embeddable objects (Flash and Java). However, I haven’t been able to actually find any examples or source for this.

I’m using PHP and I’ve read that looking for $_SERVER['HTTP_X_FORWARDED_FOR'], $_SERVER['HTTP_CLIENT_IP'], etc. would detect most proxies, but so far I haven’t been able to by testing with TOR (maybe TOR doesn’t flag those, but I’ve read that anonymous proxies still show HTTP_X_FORWARDED). I’d like to try doing it with a Java servlet, if possible. Could anyone point me in the right direction (preferably with examples)? I saw some code on ha.ckers.org but they only showed the client side and not the server side.


Answer

TOR does not supply any server headers such as X_FORWARDED_FOR, so your best bet is to use a list of all known exit nodes. A list can be found at https://torstat.xenobite.eu/.

For other proxies, you can look at server headers. Possible server headers of interest include:

HTTP_VIA
HTTP_X_FORWARDED_FOR
HTTP_FORWARDED_FOR
HTTP_X_FORWARDED
HTTP_FORWARDED
HTTP_CLIENT_IP
HTTP_FORWARDED_FOR_IP
VIA
X_FORWARDED_FOR
FORWARDED_FOR
X_FORWARDED
FORWARDED
CLIENT_IP
FORWARDED_FOR_IP
HTTP_PROXY_CONNECTION

In PHP, you can get the value of these fields in the $_SERVER[] superglobal.

User contributions licensed under: CC BY-SA
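
The two checks from the answer, combined into one function, as an added example that is not part of the original question or answer. The function name `proxyIndicators`, the exit-node array (standing in for a locally stored copy of a published list) and the sample requests are assumptions constructed for illustration. An empty result does not prove a direct connection, since a proxy may send none of these headers.

```php
<?php
declare(strict_types=1);

// Header keys from the answer above, as they would appear in $_SERVER.
const PROXY_HEADER_KEYS = [
    'HTTP_VIA', 'HTTP_X_FORWARDED_FOR', 'HTTP_FORWARDED_FOR', 'HTTP_X_FORWARDED',
    'HTTP_FORWARDED', 'HTTP_CLIENT_IP', 'HTTP_FORWARDED_FOR_IP', 'VIA',
    'X_FORWARDED_FOR', 'FORWARDED_FOR', 'X_FORWARDED', 'FORWARDED',
    'CLIENT_IP', 'FORWARDED_FOR_IP', 'HTTP_PROXY_CONNECTION',
];

/**
 * Return the proxy indicators found for one request.
 * $server:    a $_SERVER-style array.
 * $exitNodes: exit-node IPs as array keys (hypothetical local copy of a list).
 */
function proxyIndicators(array $server, array $exitNodes): array
{
    $found = [];
    foreach (PROXY_HEADER_KEYS as $key) {
        // Header values are client-controlled: record their presence as a
        // signal, but never trust their content as the visitor's real IP.
        if (isset($server[$key]) && trim((string) $server[$key]) !== '') {
            $found[] = "header:$key";
        }
    }
    // REMOTE_ADDR is the TCP peer address; request headers cannot set it.
    $peer = (string) ($server['REMOTE_ADDR'] ?? '');
    if (filter_var($peer, FILTER_VALIDATE_IP) !== false && isset($exitNodes[$peer])) {
        $found[] = "exit-node:$peer";
    }
    return $found;
}

// Constructed sample data (documentation address ranges, not real exit nodes).
$exitNodes = array_flip(['203.0.113.7', '203.0.113.42']);
$requests = [
    'direct'     => ['REMOTE_ADDR' => '198.51.100.10'],
    'http proxy' => ['REMOTE_ADDR' => '198.51.100.20', 'HTTP_VIA' => '1.1 cache.example',
                     'HTTP_X_FORWARDED_FOR' => '192.0.2.55'],
    'tor exit'   => ['REMOTE_ADDR' => '203.0.113.7'],
];
foreach ($requests as $label => $server) {
    $hits = proxyIndicators($server, $exitNodes);
    echo str_pad($label, 12), $hits ? implode(', ', $hits) : 'no indicators', PHP_EOL;
}
```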