Neeed to refuse the use of Proxy

steve2 · February 3, 2024, 6:32am

Hi,

I am using Nextcloud with Matomo. I’ve discovered that if somebody connecting to Nextcloud using a proxy ( like a VPN), matomo doesn"t record anything.
Without the use of a VPN, i have a record.

Is there a way to refuse any connections if the user is going through a VPN ?

I saw this configuration

'trusted_proxies' =>
  array (
    0 => '192.168.103.44',
    2 => '127.0.0.1',
    1 => 'localhost',
    11 => '127.0.0.1',
    12 => '::1',
    13 => 'dbe5e509ecaf',
    14 => '172.18.0.6',
15 =>'79.244.33.204',

),

=> but I need the opposite… I want to stop any VPN / Proxy ( and maybe accept some pre- defined )

how can I do that ?

PS: I had a look via Apache ( httpd.conf) , but nothing really is working…

Thanks and regards,

jtr · February 3, 2024, 3:23pm

What do you mean by “connected to Nextcloud” specifically? What type of VPN? Where does the VPN terminate?

ernolf · February 3, 2024, 10:35pm

Blocking connections from VPNs is a technically challenging task and may not be foolproof. VPNs are designed to ensure user privacy and security, and attempting to block VPN connections can be considered unethical.

However, there are some measures you can take to make it more difficult for users connecting through VPNs to access your cloud:

Monitor IP Addresses: Keep an eye on the IP addresses accessing your website and create a list of legitimate IP addresses. The downside is that VPN providers often change their IP addresses.
Blacklist VPN IP Addresses: There are public lists of IP addresses used by VPN providers. You could try blacklisting these IP addresses. Keep in mind that this approach might affect legitimate users (false positives).
Deep Packet Inspection (DPI): DPI (like snort) can be used to analyze traffic and detect VPN connections. This requires advanced knowledge and may raise legal concerns.
Honeypots: Set up honeypots or specific pages that attract VPN users. If a request comes from a suspicious IP address, you can block access.

It’s important to note that many users use VPNs for legitimate reasons and it is impossible to detect every VPn connecton.
I host some VPN servers myself that are used to penetrate “the Great Wall of China” and believe me, they have the very best tools for detecting VPNs and even they can’t prevent it.

Much and good luck,
ernolf

tflidd · February 4, 2024, 12:21am

But it is running on your server, so you should be able to track the ip?

You have do not track features in firefox, that seem to be respected by matomo by default: https://matomo.org/faq/troubleshooting/faq_58/

As far as I understand, there is js code for matomo used on the client side, that could be filtered by a VPN and/or plugins.

I wouldn’t try to force my users a certain way to use the web. Some might have reasons to use a VPN, or they want to block execution of additonal code. If you want a global traffic usage per user or something like that, there might be other less instrusive ways.

steve2 · February 4, 2024, 7:52am

Hi,
In fact, I am using the plugin : Piwik/matomo v 0.12.0
Should I use another way to do it ?

If I connect to the Log, I can see the log… but nothing into matomo

steve2 · February 4, 2024, 7:51pm

Hi Ernolf,
Well… If you see banks, most of them don’t want to use VPN systems… and they refuse you to be connected an your account via VPN. so, it shoud be possible…

Thanks anyway

tflidd · February 5, 2024, 12:04pm

They probably use one or several of the strategies ernolf mentioned in his post.

How do you know that these users have a VPN connection and not only an add blocker (or some privacy extension in their browser that blocks typical statistic js code)?