3

I have a website "www.website.com". Recently I found out that somebody has set up a reverse proxy with an almost identical url "www.website1.com" in front of my website. I'm concerned of those users who came to my website through that reverse proxy. Their username and passwords might be logged when they login.

Is there a way for me to have my web server refuse reverse proxy? For example, I've set up a reverse proxy using squid with the url "www.fakestackoverflow.com" in front of "www.stackoverflow.com". So whenever I type "www.fakestackoverflow.com" in my web browser address bar, I'll be redirected to "www.stackoverflow.com" by the reverse proxy. Then I notice the url in my address bar changed to "www.stackoverflow.com" indicating that I'm no longer going through the reverse proxy. "www.stackoverflow.com" must've detected that I came to the website from another url and then redirected me to the website through the actual url. How do I do something like this in IIS7 running an ASP.NET web application?

I have tried adding in javascript codes in my page detecting window.location and redirecting it appropriately but that will cause translation and google cache services to fail. stackoverflow.com did a good job in "redirecting" and it doesn't cause google translation to fail too.

Twisted Whisper
  • 193
  • 1
  • 6
  • Are you sure website1.com isn't simply a CNAME to website.com? – gekkz Oct 10 '10 at 09:47
  • website1.com is NOT a CNAME to website.com. since website.com belongs to me, i'm pretty sure if i've set up a CNAME for it. – Twisted Whisper Oct 10 '10 at 10:46
  • 1
    the fact that you control dns for website.com doesn't stop someone creating a cname for it in a different zone - e.g. website.hax0rs.com can be setup as a cname for website.com whether the owner of website.com likes it or not. – Rob Moir Oct 10 '10 at 13:02
  • say if someone really did create a CNAME, does it affect my website in any other way than what is already mentioned? – Twisted Whisper Oct 10 '10 at 15:35
  • If someone created a CNAME, IIS would see http://website.hax0rs.com in the HTTP header when users request using the fake host name, so by explicitly binding only to website.com, at least you wouldn't serve the content, and you could even serve different content such as a warning message. – saille Jan 01 '11 at 02:04
  • You could also try something from this website which was the fix for me, also didnt lose any visitors http://alphablog.xyz/your-website-is-being-mirrored-by-someone-else-without-your-knowledge/ – Pavelm89 Sep 04 '17 at 14:06
  • Additional comments are found [here](https://stackoverflow.com/questions/3899292) too. – Twisted Whisper Oct 12 '10 at 06:43

2 Answers2

4

The first solution would be to protect your webpages using HTTPS, and making sure that, on the front page, you warn the users that the URL MUST be https://www.website.com.

If not, they should enter it manually. (That's what many banks to in such cases).

Also, you could firewall the IP of the reverse proxy. You can detect the IP using the amount of traffic, that will be much higher on this specific IP. But be careful to not block enterprises proxies !

Julien Vehent
  • 3,017
  • 19
  • 26
0

The proxy should add one or more proxy headers to the request, which can be detected and the client redirected appropriately. Note that some ISPs may use transparent proxies, which will render your site unvisitable to their customers unless appropriate measures are taken.

Ignacio Vazquez-Abrams
  • 45,939
  • 6
  • 79
  • 84
  • unfortunately reverse proxy can be configured not to reveal anything in the http header that might give the reverse proxy away. – Twisted Whisper Oct 10 '10 at 10:45