A proxy judge is a server-side script or service designed to inspect the HTTP headers sent by a client through a proxy, revealing the client's original IP address and identifying details about the proxy to determine its anonymity level.
What is a Proxy Judge?
A proxy judge operates as an intermediary diagnostic tool. When a client connects to a proxy judge through a proxy server, the judge analyzes the HTTP request headers presented by the proxy. This analysis identifies specific headers that may disclose the client's true IP address or indicate the presence and type of proxy server being used. The primary function is to verify if a proxy successfully masks the client's identity and to what extent.
How Proxy Judges Work
The process of a proxy judge works as follows:
- Client Request: A client configures its system or application to route its web traffic through a designated proxy server.
- Proxy Forwarding: The proxy server receives the client's request and forwards it to the target web server, which in this case is the proxy judge.
- Header Inspection: The proxy judge server, upon receiving the request, accesses server variables and HTTP headers. These headers contain metadata about the connection path.
- Anonymity Assessment: The judge then parses these headers for specific fields that typically reveal client information or proxy identification. Based on the presence, absence, or modification of these headers, the judge classifies the proxy's anonymity level.
- Reporting: The judge returns a report to the client, detailing the detected IP addresses and header information, along with an assessment of the proxy's anonymity.
Key headers of interest to a proxy judge include REMOTE_ADDR, HTTP_X_FORWARDED_FOR, HTTP_VIA, HTTP_PROXY_CONNECTION, HTTP_FORWARDED, and others that can betray the original client's IP or the proxy's existence.
Levels of Proxy Anonymity
Proxy judges categorize proxies into distinct anonymity levels based on the information they transmit.
Elite Proxy (Highly Anonymous)
An elite proxy provides the highest level of anonymity. It does not transmit any headers that reveal the client's original IP address, nor does it identify itself as a proxy. To the target server (proxy judge), the connection appears to originate directly from the proxy server's IP address, making the client indistinguishable from a direct connection.
- Characteristics:
REMOTE_ADDR: Shows the proxy's IP.HTTP_X_FORWARDED_FOR: Absent.HTTP_VIA: Absent.HTTP_PROXY_CONNECTION: Absent or modified.
- Detection: Difficult to distinguish from a direct connection without advanced fingerprinting.
Anonymous Proxy
An anonymous proxy hides the client's original IP address but reveals its own presence as a proxy server. This means the target server knows a proxy is being used, but the identity of the original client remains concealed.
- Characteristics:
REMOTE_ADDR: Shows the proxy's IP.HTTP_X_FORWARDED_FOR: Absent.HTTP_VIA: Present (e.g.,1.1 proxy.example.com).HTTP_PROXY_CONNECTION: May be present.
- Detection: The presence of
HTTP_VIAor similar headers indicates proxy usage.
Transparent Proxy (Non-Anonymous)
A transparent proxy, also known as a non-anonymous or forwarding proxy, does not attempt to conceal the client's original IP address. It forwards the client's IP to the target server, typically in headers like X-Forwarded-For. The target server is fully aware of both the proxy's presence and the original client's IP.
- Characteristics:
REMOTE_ADDR: Shows the proxy's IP.HTTP_X_FORWARDED_FOR: Present, containing the client's original IP.HTTP_VIA: Often present.HTTP_PROXY_CONNECTION: May be present.
- Detection: The presence of
HTTP_X_FORWARDED_FORwith the client's IP is definitive.
Distorting Proxy
A distorting proxy is a variant that attempts to mislead the target server by transmitting a false or random IP address in the X-Forwarded-For header. While it hides the true client IP, it still identifies itself as a proxy and the provided X-Forwarded-For is not the real client IP. This can sometimes be categorized as a type of anonymous proxy, but its explicit falsification distinguishes it.
- Characteristics:
REMOTE_ADDR: Shows the proxy's IP.HTTP_X_FORWARDED_FOR: Present, but contains a false/random IP.HTTP_VIA: Often present.
- Detection: The presence of
HTTP_X_FORWARDED_FORwith an IP that doesn't match theREMOTE_ADDRof the previous hop (if multiple proxies are chained) or a clearly invalid IP.
Key HTTP Headers for Anonymity Detection
A proxy judge's analysis relies on inspecting specific HTTP headers and server variables:
REMOTE_ADDR: This server variable directly indicates the IP address of the client that connected to the proxy judge server. If a proxy is used, this will typically be the proxy's IP.HTTP_X_FORWARDED_FOR: A de-facto standard header used by proxies to identify the original client's IP address. It can contain a comma-separated list of IPs if multiple proxies are chained.HTTP_VIA: This header is added by a proxy server to indicate that the request has passed through it. It often includes the proxy's protocol and hostname/IP.HTTP_PROXY_CONNECTION: A non-standard header sometimes used by proxies, indicating connection details specific to the proxy.HTTP_FORWARDED: A standardized header (RFC 7239) that is a more robust alternative toX-Forwarded-ForandVia. It can convey client, proxy, and host information.HTTP_CLIENT_IP: A less common, non-standard header that might contain the client's IP.
Practical Use of a Proxy Judge
To use a proxy judge effectively, configure your client to route traffic through the proxy you intend to test, then direct a request to a proxy judge service.
Example: Using curl with a Proxy
To test a proxy at proxy.example.com on port 8080 with curl:
curl -x http://proxy.example.com:8080 http://proxyjudge.com
Replace http://proxyjudge.com with the URL of an actual proxy judge service. The output will be the judge's report.
Example: A Simple Proxy Judge Script (PHP)
A basic PHP script can serve as a proxy judge:
<?php
header('Content-Type: text/plain');
echo "--- Proxy Judge Report ---\n";
echo "Your IP (REMOTE_ADDR): " . $_SERVER['REMOTE_ADDR'] . "\n";
echo "--------------------------\n";
$headers_to_check = [
'HTTP_X_FORWARDED_FOR',
'HTTP_VIA',
'HTTP_PROXY_CONNECTION',
'HTTP_FORWARDED',
'HTTP_CLIENT_IP'
];
foreach ($headers_to_check as $header) {
if (isset($_SERVER[$header])) {
echo $header . ": " . $_SERVER[$header] . "\n";
} else {
echo $header . ": Not Present\n";
}
}
echo "--------------------------\n";
// Basic Anonymity Level Guess
$anonymity_level = "Elite Proxy"; // Default assumption
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
$anonymity_level = "Transparent Proxy";
// Check if X-Forwarded-For is clearly false
$xf_ip = trim(explode(',', $_SERVER['HTTP_X_FORWARDED_FOR'])[0]);
if ($xf_ip !== $_SERVER['REMOTE_ADDR'] && !filter_var($xf_ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE)) {
// This is a simplistic check; more robust validation needed for true "distorting"
// For a simple judge, if XFF exists, it's not Elite/Anonymous in the purest sense.
}
} elseif (isset($_SERVER['HTTP_VIA']) || isset($_SERVER['HTTP_PROXY_CONNECTION'])) {
$anonymity_level = "Anonymous Proxy";
}
echo "Estimated Anonymity Level: " . $anonymity_level . "\n";
?>
This script will output the detected IP and relevant headers, providing a basic assessment.
Interpreting Proxy Judge Results
The presence or absence of specific headers directly correlates with the proxy's anonymity level.
| Header | Elite Proxy | Anonymous Proxy | Transparent Proxy | Distorting Proxy |
|---|---|---|---|---|
REMOTE_ADDR |
Proxy IP | Proxy IP | Proxy IP | Proxy IP |
HTTP_X_FORWARDED_FOR |
Absent | Absent | Original Client IP | False/Random IP |
HTTP_VIA |
Absent | Present | Often Present | Often Present |
HTTP_PROXY_CONNECTION |
Absent | May be Present | May be Present | May be Present |
HTTP_FORWARDED |
Absent | May be Present | May contain Client IP | May contain False IP |
| Anonymity Score | Highest | Medium | Lowest | Low (detectable) |
Limitations of Proxy Judges
While useful, proxy judges have limitations:
- HTTP Header Focus: They primarily analyze standard HTTP headers. They may not detect leaks occurring at other layers or through different protocols (e.g., WebRTC IP leaks, DNS leaks).
- Browser Fingerprinting: Proxy judges do not assess browser fingerprinting aspects (e.g., user agent, screen resolution, installed fonts, Canvas API data) that can also uniquely identify a user.
- Evolving Techniques: Advanced detection methods go beyond simple header checks, employing JavaScript, Flash, or other browser-side technologies to bypass proxy anonymity.
- Proxy Chain Complexity: In complex proxy chains, accurately determining the original client's IP can be challenging if intermediate proxies modify or strip headers inconsistently.
- SSL/TLS Interception: For HTTPS traffic, if the proxy does not perform SSL/TLS interception, the judge can only see the outer TLS connection, not the inner HTTP headers, making detection difficult without specific proxy configurations.
Best Practices for Proxy Anonymity
To maintain effective proxy anonymity:
- Regular Verification: Periodically test your proxies using multiple proxy judge services, as some judges may detect different aspects.
- Understand Proxy Types: Select the appropriate proxy type (e.g., SOCKS5 for broader traffic, HTTP/HTTPS for web) based on your anonymity requirements.
- Combine with Other Checks: Supplement proxy judge results with WebRTC leak tests, DNS leak tests, and browser fingerprinting tools to ensure comprehensive anonymity.
- Secure Configuration: Ensure your applications and operating system are correctly configured to route all relevant traffic through the proxy, preventing direct connections or leaks.
- HTTPS Usage: Prioritize HTTPS connections. While a proxy judge can't see inside the encrypted tunnel, HTTPS encrypts your data from the proxy to the destination, providing an additional layer of security.