Enhanced Proxy Detection with GeoGuard

Enhanced Proxy Detection (EPD) lets you use the GeoGuard service provided by the GeoComply data provider to apply proxy detection and location spoofing protection.

How it works

Set up this behavior to identify requests for your content that have been redirected from an unwanted source via a proxy. You can then allow, deny, or redirect these requests.

Before you begin

You need to have Enhanced Proxy Detection with GeoGuard added to your contract to include the appropriate behaviors in Property Manager. Contact your ​Akamai​ account representative to add this functionality.

Implementation: Best Practices mode (recommended)

Once you've enabled this behavior, you need to set the Configuration Mode. Best Practices is the one ​Akamai​ recommends. Select it to automatically apply the primary categories that GeoGuard identifies as essential for proxy detection.

GeoComply maintains a fixed list of categories for their GeoGuard service. This includes multiple primary, must-have categories for proxy detection. The Enhanced Proxy Detection with GeoGuard behavior leverages these categories to recognize that a request is coming from a proxy.

How Best Practices mode is applied

This mode automatically incorporates all of the GeoGuard service's must-have categories. You define an action to be taken when a request is identified from any of these categories:

  • Allow. This lets the request through, and the action is logged. You can later audit the logs to determine how setting this to a different action may affect your traffic.
  • Deny. This blocks all matching requests.
  • Redirect. This sends these requests to an alternate URL that you define.

📘

A Redirect URL can't exceed 2,000 characters in length. Use an absolute URL and ensure that it doesn’t include the same hostname, to avoid creating a redirect loop.

Allow-listing specific IP addresses

You may have various IP addresses that you want allowed access, even though EPD positively identifies a proxy. This is referred to as allow-listing. If you're encountering this, reach out to your account representative to escalate a false positive result with EPD. They'll work with you to either:

  • Contact GeoComply. The representatives alert them to a false positive result for a specific IP address of CIDR block.
  • Push a metadata feature override. The representatives push a metadata update to override a false positive at the platform level.

Implementation: Advanced mode

Set this as your Configuration Mode if you're looking to customize GeoGuard categories individually to meet your specific needs.

GeoComply maintains a fixed list of categories for their GeoGuard service. This includes multiple, primary ("must-have") categories for proxy detection. The Enhanced Proxy Detection with GeoGuard behavior leverages these categories to recognize that a request is coming from a proxy.

🚧

If using this mode, categories that GeoComply considers must-have should be set to On to ensure basic protection. If you deviate from this, ​Akamai​ can't promise proper proxy detection protection.

How Advanced mode is applied

For the proxy detection categories you enable, you can define an action to be taken when a request is identified from any of these categories:

  • Allow. This lets the request through, and the action is logged. You can later audit the logs to determine how setting this to a different action may affect your traffic.
  • Deny. This blocks all requests from that category.
  • Redirect. This sends requests from that category to an alternate URL that you define.

📘

A Redirect URL can't exceed 2,000 characters in length. Use an absolute URL and ensure that it doesn’t include the same hostname, to avoid creating a redirect loop.

Requests from categories that are left at Off are processed as normal: they're allowed without logging.

Use case example: Set up different Actions for each category

We recommend that you stick with the Best Practices mode for ease of use, and to offer the best overall proxy detection. However, Best Practices require that you use a single action for requests coming from all GeoComply categories. If you need to apply a different action type for the various categories, select Advanced mode and:

  1. Enable them all.
  2. Apply the appropriate action for each.

This way, all GeoComply must-have categories have proxy detection enabled, similar to what’s offered with the Best Practices mode.

Allow-listing specific IP addresses

You may have various IP addresses that you want allowed access, even though EPD positively identifies a proxy. This is referred to as allow-listing. If you're encountering this, reach out to your account team to escalate a false positive result with EPD. They'll work with you to either:

  • Contact GeoComply. Your account team will alert them to a false positive result for a specific IP address or CIDR block.
  • Push a metadata feature override. Your account team will push a metadata update to override a false positive at the platform level.

Forward Header Enrichment

You can also include a header that tells you if a connecting IP address in a request is associated with an anonymous proxy. This can be especially helpful if you need to check the requester before providing access to your content.

It’s implemented in one of two ways, and both methods are supported for use with the Best Practices and Advanced modes for EPD.

Method 1: Enable it directly in the behavior

Here, you add the Enhanced Proxy Detection with GeoGuard behavior to a rule in your property and set Enable Forward Header Enrichment to On. The header is sent along with all requests that meet the match criteria for that rule. For example, if you include the behavior in the Default Rule, that rule applies to all requests. So, the header will be sent along with all requests coming from proxies.

This is the approach you want to take if you have other rules in your configuration that use a behavior to block access. For example, if you're using Content Targeting - Protection with Adaptive Media Delivery, you'd apply EPD as a higher priority (lower in the rule list), to have all Enhanced Proxy Detection settings applied.

Method 2: Add a separate behavior

With this method, you add and enable the Enhanced Proxy Detection with GeoGuard - Forward Header Enrichment behavior to a separate rule. This lets you better control how the header is applied. You add this behavior to a separate rule and use a unique match criteria. Only requests that meet that match criteria will include the header.

This method also requires that you include the Enhanced Proxy Protection with GeoGuard behavior in your property. These points also apply:

  • The behaviors need to exist in different rules. This behavior only applies if you want to use a different match criteria to include the header after a request. If you want the match criteria to be the same for both, just use Method 1.
  • Ensure the Enable Forward Header Enrichment option is disabled.
  • If you’re using other access blocking protections, such as Content Targeting - Protection, you may not want to use Method 1, instead. Otherwise, ensure that both rules you need for this method are higher in priority (lower in the rule list).

About the header

The Akamai-EPD header contains the following information:

Akamai-EPD: <two-letter codes>

The feature leverages GeoGuard's must-have and optional categories to identify and label requests in the header as two-letter codes:

Akamai EPD Two-letter CodeGeoGuard Category

av

is_anonymous_vpn

pp

is_public_proxy

dp

is_smart_dns_proxy

tn

is_tor_exit_node

vc

is_vpn_datacenter

hp

is_hosting_provider

So, for a Smart DNS Proxy running in a public cloud, you'd see:

Akamai-EPD: hp dp