How can a website find my real IP address while I'm behind a proxy?

There are several ways:

  • Proxy headers, such as X-Forwarded-For and X-Client-IP, can be added by non-transparent proxies.
  • Active proxy checking can be used - the target server attempts to connect to the client IP on common proxy ports (e.g. 8080) and flags it as a proxy if it finds such a service running.
  • Servers can check if the request is coming from an IP that is a known proxy. WhatsMyIP probably has a big list of these, including common ones like HideMyAss.
  • Web client software (e.g. Java applets or Flash apps) might be able to read browser settings, or directly connect to a web service on the target system (bypassing the proxy) to verify that the IPs match.
  • Mobile app software can identify the client IP. Example: PhoneGap plugin

Beyond what Polynomial said, another common practice is to have the browser view the site with and without HTTPS, and see if the connections come from the same IP.

Many transparent (e.g. caching) proxies will allow SSL traffic to pass by without proxying, since proxying an SSL connection requires spoofing certificates, and this causes a whole bucket of other problems.

In this case, the SSL address is the "real" one, and the non-SSL address is the address of the proxy.


It may be possible for web-servers/websites to find the real IP while behind a proxy. Generally HTTP proxy servers, upon receiving a request from a client/user, append a new field (X-Forwarded-For) in the HTTP header and subsequently forward the request to the web-server. This X-Forwarded-For field has the client's IP address. Hence, by analyzing this field, a website can figure out the real IP address.

However, proxy servers provide different levels of anonymity. If a highly anonymous proxy is used (also known as an elite proxy), then it might not be possible for the website to find the real IP address, as these elite proxies don't usually include such headers. Another option is using Ultrasurf if you want to hide your real IP address.

Check this post for details on the X-Forwarded-For header and a simple demo Python script that shows how a web server can detect the use of a proxy server: X-Forwarded-For
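The header check and the HTTP-versus-HTTPS comparison described in the answers above, as an added example that is not part of any of the original answers or the linked post. The function names, the `Via` header and the sample addresses are assumptions made for this sketch; header values are client-controlled, so the result is a hint and not proof.

```python
import ipaddress

# X-Forwarded-For and X-Client-IP are named in the answers above;
# Via is an assumption added for this example.
PROXY_HEADERS = ("x-forwarded-for", "x-client-ip", "via")


def _valid_ips(value):
    """Return the syntactically valid IP addresses in a comma-separated value."""
    found = []
    for token in value.split(","):
        try:
            found.append(str(ipaddress.ip_address(token.strip())))
        except ValueError:
            continue  # hostnames, "unknown", or junk supplied by the client
    return found


def inspect_request(peer_ip, headers):
    """Report proxy indicators for one request.

    peer_ip is the TCP source address the server saw; headers is a dict.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    present = [h for h in PROXY_HEADERS if h in lowered]
    claimed = []
    for name in ("x-forwarded-for", "x-client-ip"):
        claimed += _valid_ips(lowered.get(name, ""))
    # An address equal to the TCP peer tells the server nothing new.
    claimed = [ip for ip in claimed if ip != peer_ip]
    return {"proxy_headers": present, "claimed_client_ips": claimed}


def compare_schemes(http_peer_ip, https_peer_ip):
    """Compare the source addresses seen for one browser session over
    HTTP and HTTPS; a mismatch suggests the plain-HTTP fetch was proxied."""
    if http_peer_ip == https_peer_ip:
        return None
    return {"likely_proxy": http_peer_ip, "likely_client": https_peer_ip}


if __name__ == "__main__":
    # Constructed sample request using documentation-range addresses.
    sample = {"X-Forwarded-For": "203.0.113.7, unknown", "Via": "1.1 cache"}
    print(inspect_request("198.51.100.20", sample))
    print(compare_schemes("198.51.100.20", "203.0.113.7"))
```

A real deployment would tie the two fetches in `compare_schemes` together with a per-session token, which this sketch leaves out.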
