How to prevent Web sites from being accessed by malicious reverse proxy (anti-site mirroring) _php Tips

Source: Internet
Author: User
What is a reverse proxy?

First, the concept of forward agent:

The forward agent, the legendary agent, works like a springboard. To put it simply, I'm a user, I can't access a website, but I can access a proxy server. This proxy server, he can access that I can not visit the site, so I first connected to the proxy server, told him I need that can not access the content of the site, proxy server to fetch back, and then return to me. From the point of view of the website, only when the proxy server to pick up the content of a record, sometimes do not know is the user's request, but also hides the user's data, depending on the agent does not tell the site.

The conclusion is that the forward proxy is a server between the client and the original server (Origin server), in order to get content from the original server, the client sends a request to the agent and specifies the target (the original server), and then the agent forwards the request to the original server and returns the contents to the client. The client must make some special settings to use the forward proxy.

So what about the concept of reverse proxies?

For example, the user visits Http:// this page, but actually does not exist this page, he is secretly from another server to take back, and then spit to the user as their content.

But users do not know, this is normal, users are generally very stupid. The this domain name corresponds to the server that sets up the reverse proxy function.

The conclusion is that the reverse proxy is just the opposite, and for the client it is like the original server, and the client does not need to make any special settings. The client sends a normal request to the contents of the reverse proxy's namespace (name-space), and then the reverse proxy determines where (the original server) forwards the request and returns the obtained content to the client as if it were its own.

the harm of malicious reverse proxy

What is the harm of web site being malicious reverse proxy? Here are a few examples:

• First of all will occupy server resources, Web site open speed is affected.
Second, other people through the agent to steal your website data, users and not so intelligent search engine, the equivalent of a site with you, so it is likely that your site will be into the search engine sandbox, or even down the right.
• If the malicious agent of the page, but also hung your affiliate ads (such as AdSense), which is very dangerous, if someone clicked on the above ads, it is easy to be AdSense seal.
• There are many dangers, readers can be their own brain repair ...

JS-Level Solutions

Copy Code code as follows:

<script type= "Text/javascript" >
if (document.domain!= ' ' && document.domain!= ' ') {
window.location.href= '';

The script is simple, if the URL in the address bar is not and any one, then the address bar to This code also avoids the use of reverse proxy technology to "forge" a website that is exactly the same as yourself.

Digression: How to prevent web sites from being embedded in IFRAME. Some people use the IFRAME to make a frame, embed our website, the visitor comes to browse, as if is browsing his own website, so how to solve? The following methods can be broken:

Copy Code code as follows:

<script type= "Text/javascript" >
if (top.location!= self.location) top.location=self.location;

PHP-Level Solutions

The JS-level solution can make the malicious proxy page bounce back, but it's not very friendly to search engines. The following is a server-side (PHP) solution, the code is relatively simple, do not say more.

Copy Code code as follows:

$proxy _rs = $this-> proxy_filter ();
if ($proxy _rs!= ' ' | | | $proxy _rs!= ' ')
echo ' Illegal reverse proxy access ';
Header (' location:');

Public Function Proxy_filter ()
$svrUrl = ' http://'. $_server[' server_name '].$_server["php_self"];
if (!empty ($_server["query_string"]))
$svrUrl. = "?". $_server["Query_string"];

return $SVRURL;
return $_server[' server_name '];

Htaccess-Level Solutions

. htaccess

Copy Code code as follows:

Rewriteengine on
Php_value Auto_append_file proxy.php


Copy Code code as follows:

$f = getenv ("Http_x_forwarded_for");
$server = getenv ("Http_host");
if (($f!= "") && ($server!= "") && ($server!= "")) {
Echo ' This server prohibits malicious reverse proxy! ';

This is due to the particularity of my website, has not been tested, but this method is commonly used on the Internet.

Apache httpd.conf-Level solutions
This Apache how to forbid I haven't figured out, Nginx can, but I use Apache, if you know, please tell me next ~

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.