People can use Nginx to proxy_pass to my domain and on the browser, the contents are mine, but on the address bar it's their domains.

How to detect when the requests are through proxy_pass and deny those?

For example, when I purposely proxy_pass to google.com, I get 404 error.

server {
  listen 80;
  server_name test.com;

  location / {
    proxy_pass https://google.com;
  }
}

Seems that it's not possible to prevent this, for example those people make the proxy behave just like a normal browser. However, how to prevent if they just use a simple Nginx proxy_pass?

Dee
  • 3
    Depending on the knowledge and energy of the one trying to proxy your site, you cannot prevent this. I would recommend to use JavaScript in combination with Subresource Integrity within your site to avoid this. So you can make a script checking the used domain names in your external references such as CSS, JS and media files. – Jens Bradler Jan 24 '20 at 11:10
  • yeah can't prevent this, for example those people make the proxy behave just like a normal browser. However, how to prevent if they just use a normal Nginx proxy_pass? – Dee Jan 24 '20 at 18:22
  • @JensBradler I edited the question, how to prevent if it's just a simple proxy_pass – Dee Jan 24 '20 at 18:24
  • 1
    The given answer by Danila Vershinin is a cool approach but excludes some clients. Additionally it doesn't protect you if it's more than a simple Nginx proxy_pass we are talking about. Take a look into https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity – Jens Bradler Jan 30 '20 at 08:41

1 Answer

Theoretically, you can, but not without a lot of effort.

Supposedly, you are running an HTTP/2 capable website.

Detecting proxy_pass to your website can build upon the fact that these connections will always originate over HTTP/1.x and never via HTTP/2.

Then you can match that up with browser capabilities.

So, essentially, if you see an HTTP/2 capable browser connecting to your website over an older HTTP/1.x protocol, you can safely assume that it is over NGINX's proxy_pass or some other proxy (other than NGINX).

So while this could work, you'd cut off all clients who just browse through a proxy of some kind...

That is the passive approach.

The active approach is simply checking for a number of connections from the same IP address. You'd be checking the logs (e.g. Fail2ban or other log scanners) for many connections from the same IP address, having different user agents (or none).

An IP address with a lot of varying user agents/access is likely to be a proxy of some kind.

Finally, you can do RDNS check/whois queries to see whether a request is coming from a known hosting provider.

Danila Vershinin
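
The two heuristics from the answer above (an HTTP/2-capable browser arriving over HTTP/1.x, and one IP address presenting many different user agents), run over access-log lines. This is an added example, not part of the original answer. It assumes nginx's default "combined" log format; the browser-token regex, the threshold of 3 and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# nginx "combined" format: ip - user [time] "METHOD path PROTO" status bytes "referer" "ua"
LINE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ \S+ (HTTP/[\d.]+)" \d+ \S+ "[^"]*" "([^"]*)"$')
# Assumption: these UA tokens mark browsers that would use HTTP/2 when connecting directly.
H2_BROWSER = re.compile(r'(Chrome|Firefox|Safari|Edg)/\d')

def suspect_proxies(lines, ua_threshold=3):
    """Return {ip: sorted reasons} for IPs matching either heuristic from the answer."""
    downgraded = defaultdict(int)  # HTTP/1.x requests carrying an HTTP/2-capable browser UA
    agents = defaultdict(set)      # distinct user agents per IP ("" means none was sent)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue               # not a combined-format line, skip it
        ip, proto, ua = m.groups()
        ua = "" if ua == "-" else ua
        agents[ip].add(ua)
        if proto.startswith("HTTP/1.") and H2_BROWSER.search(ua):
            downgraded[ip] += 1
    report = defaultdict(list)
    for ip, n in downgraded.items():
        report[ip].append(f"h2-capable browser over HTTP/1.x ({n} requests)")
    for ip, uas in agents.items():
        if len(uas) >= ua_threshold:
            report[ip].append(f"{len(uas)} distinct user agents")
    return {ip: sorted(reasons) for ip, reasons in report.items()}

# Constructed sample lines using documentation IP ranges, not real traffic.
CHROME = ('Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) '
          'Chrome/79.0.3945.130 Safari/537.36')
FIREFOX = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0'
SAMPLE = [
    f'203.0.113.10 - - [24/Jan/2020:11:10:01 +0000] "GET / HTTP/1.0" 200 5120 "-" "{CHROME}"',
    f'203.0.113.10 - - [24/Jan/2020:11:10:02 +0000] "GET /a.css HTTP/1.0" 200 812 "-" "{FIREFOX}"',
    '203.0.113.10 - - [24/Jan/2020:11:10:03 +0000] "GET /b.js HTTP/1.0" 200 990 "-" "-"',
    f'198.51.100.7 - - [24/Jan/2020:11:10:04 +0000] "GET / HTTP/2.0" 200 5120 "-" "{CHROME}"',
    '192.0.2.44 - - [24/Jan/2020:11:10:05 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/7.68.0"',
]

if __name__ == "__main__":
    for ip, reasons in suspect_proxies(SAMPLE).items():
        print(ip, "->", "; ".join(reasons))
```

As the answer notes, the protocol check also matches legitimate visitors who browse through a proxy, so the output is better treated as input for review or rate limiting than as an automatic deny list.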