$_SERVER['HTTP_HOST'] AND $_SERVER['SERVER_NAME'] Detection Issue

Mihai Galan asked
php security proxy

I have one website that generates good traffic, and I have found that some websites are cloaking my website as proxies, and I have a problem with how to detect them with PHP so I can block them.

First of all, when I access this proxy website and I do echo $_SERVER['HTTP_HOST'] or echo $_SERVER['SERVER_NAME'], the result is right. It shows me the name of the website that is cloaking my website.

But when I do

if($_SERVER['HTTP_HOST'] == "proxysite.com" || $_SERVER['SERVER_NAME'] == "proxysite.com"){
 echo "you got it";
}

the result is null

If I do

if($_SERVER['HTTP_HOST'] == "mywebsite.com" || $_SERVER['SERVER_NAME'] == "mywebsite.com"){
 echo "you got it";
}

then the result is “you got it”

I don’t know much about virtual or real IP and SERVER_NAME or HTTP_HOST, but this looks like a security issue to me and comes right from Google.

All my users that search for my website on Google find this proxy website and they log in on my website through this one, because it is also managing cookies and everything. I can’t believe it. This type of hack is so easy and a very stupid security issue for 2017. As far as I know, these websites may have gotten all my users' login info that goes through them. I have searched all the internet for a solution, and that was JavaScript. I did that, but now they got smart: they filter and remove all JavaScript code.

So the only option for me is $_SERVER['HTTP_HOST'] or $_SERVER['SERVER_NAME'], which are not detected right.

I run PHP 7.1 on NGINX

Any solution please?

myWebsite.com HEADERS

[USER] => www-data
[HOME] => /var/www
[HTTP_CF_CONNECTING_IP] => 3a02:3f0e:5260:664:75fb:bb5a:f2a6:1ea3
[HTTP_COOKIE] => __cfduid=d7711ced6c319ac0aa615de5f64160b561509570260;
[HTTP_ACCEPT_LANGUAGE] => en-US,en;q=0.8,it;q=0.6,ro;q=0.4
[HTTP_ACCEPT] => text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
[HTTP_UPGRADE_INSECURE_REQUESTS] => 1
[HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
[HTTP_CF_VISITOR] => {"scheme":"https"}
[HTTP_X_FORWARDED_PROTO] => https
[HTTP_CF_RAY] => 3b8d9bf459da7ea0-BUD
[HTTP_X_FORWARDED_FOR] => 3a02:2f0e:3260:664:75fb:bb5a:f2a6:1ea3
[HTTP_CF_IPCOUNTRY] => RO
[HTTP_ACCEPT_ENCODING] => gzip
[HTTP_CONNECTION] => Keep-Alive
[HTTP_HOST] => mywebsite.com
[REDIRECT_STATUS] => 200
[SERVER_NAME] => mywebsite.com
[SERVER_PORT] => 80
[SERVER_ADDR] => ******hiden.ip
[REMOTE_PORT] => 34741
[REMOTE_ADDR] => ****hiden.ip
[SERVER_SOFTWARE] => nginx/1.13.6
[GATEWAY_INTERFACE] => CGI/1.1
[REQUEST_SCHEME] => http
[SERVER_PROTOCOL] => HTTP/1.1
[DOCUMENT_ROOT] => /var/www
[DOCUMENT_URI] => /index.php
[REQUEST_URI] => /
[SCRIPT_NAME] => /index.php
[CONTENT_LENGTH] => 
[CONTENT_TYPE] => 
[REQUEST_METHOD] => GET
[QUERY_STRING] => 
[SCRIPT_FILENAME] => /var/www/index.php
[FCGI_ROLE] => RESPONDER
[PHP_SELF] => /index.php
[REQUEST_TIME_FLOAT] => 1509882770.658
[REQUEST_TIME] => 1509882770

proxyWebsite.com HEADERS

[USER] => www-data
[HOME] => /var/www
[HTTP_CF_CONNECTING_IP] => 3a01:3f8:171:2a4c:0:0:0:2
[HTTP_COOKIE] => __cfduid=dcad0dcc3004b494316f306212dc195911509878400;
[HTTP_REFERER] => 
[HTTP_ACCEPT] => */*
[HTTP_USER_AGENT] => Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
[HTTP_CF_VISITOR] => {"scheme":"https"}
[HTTP_X_FORWARDED_PROTO] => https
[HTTP_CF_RAY] => 3b8f5486a8196349-FRA
[HTTP_X_FORWARDED_FOR] => 2a01:4f8:171:3a4c:0:0:0:2
[HTTP_CF_IPCOUNTRY] => DE
[HTTP_ACCEPT_ENCODING] => gzip
[HTTP_CONNECTION] => Keep-Alive
[HTTP_HOST] => proxywebsite.com
[REDIRECT_STATUS] => 200
[SERVER_NAME] => proxywebsite.com
[SERVER_PORT] => 80
[SERVER_ADDR] => ***hidden.ip
[REMOTE_PORT] => 14485
[REMOTE_ADDR] => ***hidden.ip
[SERVER_SOFTWARE] => nginx/1.13.6
[GATEWAY_INTERFACE] => CGI/1.1
[REQUEST_SCHEME] => http
[SERVER_PROTOCOL] => HTTP/1.1
[DOCUMENT_ROOT] => /var/www
[DOCUMENT_URI] => /index.php
[REQUEST_URI] => /
[SCRIPT_NAME] => /index.php
[CONTENT_LENGTH] => 
[CONTENT_TYPE] => 
[REQUEST_METHOD] => GET
[QUERY_STRING] => 
[SCRIPT_FILENAME] => /var/www/index.php
[FCGI_ROLE] => RESPONDER
[PHP_SELF] => /index.php
[REQUEST_TIME_FLOAT] => 1509879844.936
[REQUEST_TIME] => 1509879844


Answer

If they truly are proxying your site, you need to determine the IP address of the server they’re using and block them. If you block them from reaching your site, they can’t act as a proxy.

So you should be looking at Apache, Nginx, or whatever web server you’re running, inspect the log files, and look for tons of requests that come from the same IP, research this until you feel confident that it’s them who is making those requests.

Then block them at the firewall level, or by using a service such as CloudFlare. Note that using a service like CloudFlare would help you avoid this sort of trouble to begin with, because they will be capable of monitoring inhuman amounts of traffic for you. Their service is free. https://www.cloudflare.com/security/
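
The log review described in the answer, as an added example that is not part of the original answer: it counts requests per client address in nginx "combined" log lines and flags addresses that send many requests under several different user agents, which is what one server relaying many visitors' browsers looks like. The sample lines are constructed, the thresholds are hypothetical, and it assumes the first log field is the real client address (for example restored from CF-Connecting-IP) rather than the CDN edge address.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in nginx "combined" format. Assumption: the first
# field is the real client address (e.g. restored from CF-Connecting-IP),
# not the CDN edge address. Addresses use documentation ranges.
SAMPLE_LOG = """\
2001:db8:171:3a4c:0:0:0:2 - - [05/Nov/2017:11:04:04 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 Chrome/61.0"
2001:db8:171:3a4c::2 - - [05/Nov/2017:11:04:05 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0 Chrome/61.0"
2001:db8:171:3a4c::9 - - [05/Nov/2017:11:04:06 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 Firefox/56.0"
2001:db8:171:3a4c::2 - - [05/Nov/2017:11:04:07 +0000] "GET /account HTTP/1.1" 200 4096 "-" "Mozilla/5.0 Safari/11.0"
2001:db8:beef:1::7 - - [05/Nov/2017:11:05:10 +0000] "GET / HTTP/1.1" 200 5120 "https://www.google.com/" "Mozilla/5.0 Chrome/61.0"
198.51.100.23 - - [05/Nov/2017:11:06:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 Chrome/61.0"
not a log line
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')

def client_key(raw):
    """Normalize an address; group IPv6 by /64 so one host's addresses collapse."""
    addr = ipaddress.ip_address(raw)
    if addr.version == 6:
        return str(ipaddress.ip_network(f"{addr}/64", strict=False))
    return str(addr)

def summarize(log_text):
    """Return {client_key: (request_count, distinct_user_agents)}."""
    hits, agents = Counter(), {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines
        try:
            key = client_key(m.group(1))
        except ValueError:
            continue  # first field was not an IP address
        hits[key] += 1
        agents.setdefault(key, set()).add(m.group(2))
    return {k: (n, len(agents[k])) for k, n in hits.items()}

def suspects(log_text, min_requests=3, min_agents=2):
    """Clients with many requests AND several user agents (hypothetical thresholds)."""
    return sorted(k for k, (n, ua) in summarize(log_text).items()
                  if n >= min_requests and ua >= min_agents)

if __name__ == "__main__":
    for key in suspects(SAMPLE_LOG):
        print(key, summarize(SAMPLE_LOG)[key])
```

Grouping IPv6 by /64 matters here because the same host can appear written as `...:0:0:0:2` and `...::2`, or under several addresses in one prefix; a flagged prefix is a lead to research before blocking, as the answer says.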
