I have a website "www.website.com". Recently I found out that somebody has set up a reverse proxy with an almost identical url "www.website1.com" in front of my website. I'm concerned of those users who came to my website through that reverse proxy. Their username and passwords might be logged when they login.
Is there a way for me to have my web server refuse reverse proxy? For example, I've set up a reverse proxy using squid with the url "www.fakestackoverflow.com" in front of "www.stackoverflow.com". So whenever I type "www.fakestackoverflow.com" in my web browser address bar, I'll be redirected to "www.stackoverflow.com" by the reverse proxy. Then I notice the url in my address bar changed to "www.stackoverflow.com" indicating that I'm no longer going through the reverse proxy. "www.stackoverflow.com" must've detected that I came to the website from another url and then redirected me to the website through the actual url. How do I do something like this in IIS7 running an ASP.NET web application?
I have tried adding in javascript codes in my page detecting window.location and redirecting it appropriately but that will cause translation and google cache services to fail. stackoverflow.com did a good job in "redirecting" and it doesn't cause google translation to fail too.
Best Answer
The first solution would be to protect your webpages using HTTPS, and making sure that, on the front page, you warn the users that the URL MUST be https://www.website.com.
If not, they should enter it manually. (That's what many banks to in such cases).
Also, you could firewall the IP of the reverse proxy. You can detect the IP using the amount of traffic, that will be much higher on this specific IP. But be careful to not block enterprises proxies !