ProxyTracer: VPN & Proxy Blocker

Summary: Detect and block VPN and proxy traffic during user registration, login, and/or globally using the ProxyTracer API.
Repository Link: https://github.com/ProxyTracer/discourse-proxytracer
Install Guide: How to install plugins in Discourse

This plugin uses the ProxyTracer API to detect and block VPN and proxy traffic in Discourse.

Features

  • It gives you fine control over blocking VPN and Proxy users during new user registrations, existing user authentication, or globally for all site visitors. If you’re fine with VPN and Proxy users having read access to your forum then you can save on API requests and only enable it for user registration and authentication.
  • It uses caching to store recent IP address evaluations thus saving requests to the API and lowering latency. You can control how long to remember an IP address evaluation in the settings.
  • In the event of an API timeout or network failure, the plugin prioritizes user access to prevent wide-scale lockouts. This behavior can be changed through the options.
  • Built-in support for exact IP and CIDR subnet whitelisting.

Configuration

  1. Procure a standard API key from the ProxyTracer Dashboard.
  2. Navigate to your Discourse administration panel: Admin → Plugins → ProxyTracer to find ProxyTracer’s settings.
  3. Input your API key into the ProxyTracer API Key field.
  4. Enable the protection parameters by toggling Enabled during Signup, Enabled during Login and/or Enabled for All Visitors.
  5. Add any trusted IPs or CIDR ranges to the Whitelisted IPs list.
  6. (Optional) Adjust the API timeout and Redis cache duration limits to suit your server’s specific traffic requirements.
  7. (Optional) Customize the Block Message that appears to blocked users. For instance, you can add instructions for contacting the administration of the site in case they believe that the block isn’t warranted and that they’re not accessing the site through a proxy or VPN.

Settings

| Name | Description |
|---|---|
| API Timeout (ms) | How long to wait for the API to respond before timing out. |
| Cache Duration (hours) | How long to remember an IP address before checking the API again. |
| Fail Open on Error | If the API crashes or times out, allow the user to register/login anyway to prevent locking everyone out. |
| Enabled during Signup | Block proxies and VPNs when a new user attempts to register. |
| Enabled during Login | Block proxies and VPNs when an existing user attempts to log in. |
| Enabled for All Visitors | Block proxies and VPNs from accessing or viewing any page on the forum. (Warning: This checks every visitor and heavily utilizes your API quota). |
| Block Message | The exact error message shown to the user when they are blocked. |
| Whitelisted IPs | IP addresses or CIDR ranges (e.g., 192.168.1.0/24) that are strictly allowed to bypass the blocking. |

Network Configuration: Cloudflare & Reverse Proxies

:warning: For ProxyTracer to function effectively, the Discourse application must receive the true client IP address.

To ensure correct IP address forwarding you can follow these detailed instructions.

Emergency Access

If you locked yourself out you can regain access by following these simple steps.


If you want to test things, you can sign up to ProxyTracer and get some free API credits for testing.

3 likes
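The decision order that the feature list and settings table in the post above describe (whitelist first, then the cache, then the API, with Fail Open on Error deciding what a failed lookup means), as an added Ruby example that is not the plugin's own code. `ProxyGate`, the `lookup` callable standing in for the ProxyTracer API client, the in-memory hash standing in for Redis, and the choices to block unparseable addresses and to never cache a failed lookup are all assumptions made for illustration.

```ruby
require "ipaddr"

# Illustrative gate, not the plugin's implementation. `lookup` is a hypothetical
# callable standing in for the API client: it returns true for a proxy/VPN
# address, false for a clean one, and raises on timeout or network failure.
class ProxyGate
  def initialize(lookup:, whitelist:, fail_open: true, ttl_seconds: 3600,
                 clock: -> { Time.now.to_f })
    @lookup = lookup
    @whitelist = whitelist.map { |entry| IPAddr.new(entry) } # exact IPs and CIDR ranges
    @fail_open = fail_open
    @ttl = ttl_seconds
    @clock = clock
    @cache = {} # normalized ip => [is_proxy, expires_at]; stands in for Redis
  end

  # Returns [decision, reason], where decision is :allow or :block.
  def check(ip_string)
    ip = IPAddr.new(ip_string)
    return [:allow, :whitelisted] if @whitelist.any? { |net| net.include?(ip) }

    key = ip.to_s
    is_proxy, expires_at = @cache[key]
    if expires_at && expires_at > @clock.call
      return [is_proxy ? :block : :allow, :cached] # no API request spent
    end

    is_proxy = @lookup.call(key) ? true : false
    @cache[key] = [is_proxy, @clock.call + @ttl] # only real verdicts are cached
    [is_proxy ? :block : :allow, :api]
  rescue IPAddr::Error
    # Assumption of this example: an unparseable address is never trusted.
    [:block, :invalid_ip]
  rescue StandardError
    # Timeout or network failure: the fail-open setting alone decides, and
    # nothing is cached, so the next request from this address retries the API.
    [@fail_open ? :allow : :block, :api_error]
  end
end
```

With `fail_open: true`, every lookup that errors is an allow, so the `:api_error` reason is the one worth counting in logs: a sustained run of it means the check is effectively off.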

Do the credits restart every month?

You’re asking about the free credit during signup? If that’s the case then it’s only a one-time top-up.

Does this not defeat the entire point of the plugin? Anybody can use safe mode.

1 like

It depends. There is a site setting that allows you to disable safe mode, which is helpful for the gated topic component and other components/plugins users shouldn’t easily disable like that (advertising, guest gate, …). But while you are logged out, that would also make using safe mode more difficult for admins. I think they can still enable it using admin-login.

For this plugin, I doubt safe mode helps. Safe mode disables only the front-end part of plugins, and this plugin is 100% Ruby. So I don’t think disabling JavaScript customizations is any help. This fact makes me a little skeptical about the plugin, as does the fact that it includes an about.json file as if it were a theme component. But in the end, everyone is responsible for the code they install on their forum.

1 like

You are completely right on this; I can confirm this through my own testing with a freshly spun-up Discourse instance. I went ahead and updated the documentation with instructions that actually work, which consist of logging into the server and manually disabling the addon:

```
cd /var/discourse
./launcher enter app                      # open a shell inside the app container
rails c                                   # start the Rails console
SiteSetting.proxytracer_enabled = false   # turn the plugin off
exit                                      # leave the Rails console
exit                                      # leave the container
```

I can confirm that safe mode is inaccessible when the “Enabled for All Visitors” setting is enabled and someone tries to access safe mode while connecting using a VPN/proxy.

Indeed, an about.json is redundant for standard plugins; I went ahead and removed it from the repo.

Thanks for all of your feedback @Moin. If you have any other remarks or suggestions feel free to leave them here. The code is fully open source and any contribution is welcome: GitHub - ProxyTracer/discourse-proxytracer.