Editing Proxy server (section)

==Implementations of proxies==

===Web proxy servers===
Web proxies forward [[Hypertext Transfer Protocol|HTTP]] requests. The request from the client is the same as a [[Hypertext Transfer Protocol#HTTP/1.1 example of request / response transaction|regular HTTP request]] except the full URL is passed, instead of just the path.<ref name="rfc7230.5.3.2">{{cite IETF |title=HTTP/1.1 Message Syntax and Routing |quote=a client MUST send the target URI in absolute-form as the request-target |rfc=7230 |sectionname=absolute-form |section=5.3.2 |page=41 |date=June 2014 |publisher=[[Internet Engineering Task Force|IETF]] |access-date=4 November 2017 }}</ref>

<syntaxhighlight lang="http">
GET https://en.wikipedia.org/wiki/Proxy_server HTTP/1.1
Proxy-Authorization: Basic encoded-credentials
Accept: text/html

</syntaxhighlight>

This request is sent to the proxy server, the proxy makes the request specified and returns the response.
<syntaxhighlight lang="http">
HTTP/1.1 200 OK
Content-Type: text/html; charset UTF-8

</syntaxhighlight>

Some web proxies allow the [[HTTP tunnel#HTTP CONNECT method|HTTP CONNECT]] method to set up forwarding of arbitrary data through the connection; a common policy is to only forward port 443 to allow [[HTTPS]] traffic.

Examples of web proxy servers include [[Apache HTTP Server|Apache]] (with [[mod_proxy]] or [[Traffic Server]]), [[HAProxy]], [[Internet Information Services|IIS]] configured as proxy (e.g., with Application Request Routing), [[Nginx]], [[Privoxy]], [[Squid (software)|Squid]], [[Varnish (software)|Varnish]] (reverse proxy only), [[WinGate]], [[Ziproxy]], Tinyproxy, RabbIT and [[Polipo]].

For clients, the problem of complex or multiple proxy-servers is solved by a client-server [[Proxy auto-config]] protocol (''PAC file'').

===SOCKS proxy===
[[SOCKS]] also forwards arbitrary data after a connection phase, and is similar to HTTP CONNECT in web proxies.

===Transparent proxy===
<!-- was "Intercepting proxy servers" -->
Also known as an '''intercepting proxy''', '''inline proxy''', or '''forced proxy''', a transparent proxy intercepts normal [[OSI model#Layer 7: Application layer|application layer]] communication without requiring any special client configuration. Clients need not be aware of the existence of the proxy. A transparent proxy is normally located between the client and the Internet, with the proxy performing some of the functions of a [[Gateway (computer networking)|gateway]] or [[router (computing)|router]].<ref>{{cite web |url=http://www.ukproxyserver.org/transparent-proxy/ |archive-url=https://web.archive.org/web/20130301235707/http://www.ukproxyserver.org/transparent-proxy/ |url-status=dead |archive-date=1 March 2013 |publisher=ukproxyserver.org |title=Transparent Proxy Definition |date=1 February 2011 |access-date=14 February 2013 }}</ref>

{{IETF RFC|2616}} (Hypertext Transfer Protocol—HTTP/1.1) offers standard definitions:

"A 'transparent proxy' is a proxy that does not modify the request or response beyond what is required for proxy authentication and identification". "A 'non-transparent proxy' is a proxy that modifies the request or response in order to provide some added service to the user agent, such as group annotation services, media type transformation, protocol reduction, or anonymity filtering".

TCP Intercept is a traffic filtering security feature that protects TCP servers from TCP [[SYN flood]] attacks, which are a type of denial-of-service attack. TCP Intercept is available for IP traffic only.

In 2009 a security flaw in the way that transparent proxies operate was published by Robert Auger,<ref>{{cite web |url=http://www.thesecuritypractice.com/the_security_practice/2009/03/socket-capable-browser-plugins-result-in-transparent-proxy-abuse.html |title=Socket Capable Browser Plugins Result in Transparent Proxy Abuse |publisher=The Security Practice |date=9 March 2009 |access-date=14 August 2010 |archive-date=2 February 2010 |archive-url=https://web.archive.org/web/20100202224537/http://www.thesecuritypractice.com/the_security_practice/2009/03/socket-capable-browser-plugins-result-in-transparent-proxy-abuse.html |url-status=live }}</ref> and the Computer Emergency Response Team issued an advisory listing dozens of affected transparent and intercepting proxy servers.<ref>{{cite web|url=http://www.kb.cert.org/vuls/id/435052|title=Vulnerability Note VU#435052|publisher=[[United States Computer Emergency Readiness Team|US CERT]]|date=23 February 2009|access-date=14 August 2010|archive-date=10 July 2010|archive-url=https://web.archive.org/web/20100710185848/http://www.kb.cert.org/vuls/id/435052|url-status=live}}</ref>

====Purpose====
Intercepting proxies are commonly used in businesses to enforce acceptable use policies and to ease administrative overheads since no client browser configuration is required. This second reason, however is mitigated by features such as Active Directory group policy, or [[Dynamic Host Configuration Protocol|DHCP]] and automatic proxy detection.

Intercepting proxies are also commonly used by ISPs in some countries to save upstream bandwidth and improve customer response times by caching. This is more common in countries where bandwidth is more limited (e.g. island nations) or must be paid for.

====Issues====
The diversion or interception of a TCP connection creates several issues. First, the original destination IP and port must somehow be communicated to the proxy. This is not always possible (e.g., where the gateway and proxy reside on different hosts). There is a class of [[Cross-site scripting|cross-site attacks]] that depend on certain behaviors of intercepting proxies that do not check or have access to information about the original (intercepted) destination. This problem may be resolved by using an integrated packet-level and application level appliance or software which is then able to communicate this information between the packet handler and the proxy.

Intercepting also creates problems for [[HTTP]] authentication, especially connection-oriented authentication such as [[NTLM]], as the client browser believes it is talking to a server rather than a proxy. This can cause problems where an intercepting proxy requires authentication, and then the user connects to a site that also requires authentication.

Finally, intercepting connections can cause problems for HTTP caches, as some requests and responses become uncacheable by a shared cache.

====Implementation methods====
In integrated firewall/proxy servers where the router/firewall is on the same host as the proxy, communicating original destination information can be done by any method, for example [[Microsoft Forefront Threat Management Gateway|Microsoft TMG]] or [[WinGate]].

Interception can also be performed using Cisco's [[Web Cache Communication Protocol|WCCP]] (Web Cache Control Protocol). This proprietary protocol resides on the router and is configured from the cache, allowing the cache to determine what ports and traffic is sent to it via transparent redirection from the router. This redirection can occur in one of two ways: [[GRE tunneling]] (OSI Layer 3) or MAC rewrites (OSI Layer 2).

Once traffic reaches the proxy machine itself, interception is commonly performed with NAT (Network Address Translation). Such setups are invisible to the client browser, but leave the proxy visible to the web server and other devices on the internet side of the proxy. Recent Linux and some BSD releases provide TPROXY (transparent proxy) which performs IP-level (OSI Layer 3) transparent interception and spoofing of outbound traffic, hiding the proxy IP address from other network devices.

====Detection====
Several methods may be used to detect the presence of an intercepting proxy server:

* By comparing the client's external IP address to the address seen by an external web server, or sometimes by examining the HTTP headers received by a server. A number of sites have been created to address this issue, by reporting the user's IP address as seen by the site back to the user on a web page. Google also returns the IP address as seen by the page if the user searches for "IP".
* By comparing the results of online IP checkers when accessed using HTTPS vs. HTTP, as most intercepting proxies do not intercept SSL. If there is suspicion of SSL being intercepted, one can examine the certificate associated with any secure web site, the root certificate should indicate whether it was issued for the purpose of intercepting.
* By comparing the sequence of network hops reported by a tool such as [[traceroute]] for a proxied protocol such as HTTP (port 80) with that for a non-proxied protocol such as SMTP (port 25).<ref>{{cite web|url=http://svn.haxx.se/dev/archive-2003-02/0257.shtml|title=Subversion Dev: Transparent Proxy detection (was Re: Introduction_|publisher=Tracetop.sourceforge.net|access-date=16 November 2014|archive-date=16 October 2015|archive-url=https://web.archive.org/web/20151016002253/http://svn.haxx.se/dev/archive-2003-02/0257.shtml|url-status=live}}</ref>
* By attempting to make a connection to an IP address at which there is known to be no server. The proxy will accept the connection and then attempt to proxy it on. When the proxy finds no server to accept the connection, it may return an error message or simply close the connection to the client. This difference in behavior is simple to detect. For example, most web browsers will generate a browser created error page in the case where they cannot connect to an HTTP server but will return a different error in the case where the connection is accepted and then closed.<ref>{{cite book |last=Wessels |first=Duane |year=2004 |title=Squid The Definitive Guide |url=https://archive.org/details/squiddefinitiveg00wess_703 |url-access=limited |publisher=O'Reilly |isbn=978-0-596-00162-9 |pages=[https://archive.org/details/squiddefinitiveg00wess_703/page/n151 130]}}</ref>
* By serving the [[End user|end-user]] specially programmed Adobe Flash SWF applications or Sun Java applets that send HTTP calls back to their server.

===CGI proxy===
A [[Common Gateway Interface|CGI]] web proxy accepts target URLs using a [[Web form]] in the user's browser window, processes the request, and returns the results to the user's browser. Consequently, it can be used on a device or network that does not allow "true" proxy settings to be changed. The first recorded CGI proxy, named "rover" at the time but renamed in 1998 to "CGIProxy",<ref>{{cite web |last1=Marshall |first1=James |title=CGIProxy |url=https://www.jmarshall.com/tools/cgiproxy/ |access-date=12 November 2018 |archive-date=16 November 2018 |archive-url=https://web.archive.org/web/20181116035804/https://www.jmarshall.com/tools/cgiproxy/ |url-status=live }}</ref> was developed by American computer scientist James Marshall in early 1996 for an article in "Unix Review" by Rich Morin.<ref>{{cite web |title=The Limits of Control |url=http://www.cfcl.com/rdm/Pubs/tin/P/199606.shtml |date=June 1996 |access-date=12 November 2018 |archive-date=6 August 2020 |archive-url=https://web.archive.org/web/20200806165208/http://www.cfcl.com/rdm/Pubs/tin/P/199606.shtml |url-status=dead }}</ref>

The majority of CGI proxies are powered by one of CGIProxy (written in the [[Perl]] language), Glype (written in the [[PHP]] language), or PHProxy (written in the PHP language). As of April 2016, CGIProxy has received about two million downloads, Glype has received almost a million downloads,<ref name="archive.fo 2013">{{cite web |title=Glype® Proxy Script |url=https://www.glype.com/ |website=glype.com |archive-date=3 January 2013 |archive-url=https://archive.today/20130103162849/http://www.glype.com/ |url-status=dead |access-date=2019-05-17 }}</ref> whilst PHProxy still receives hundreds of downloads per week.<ref>{{Cite web|url=https://sourceforge.net/projects/poxy/|title=PHProxy|website=SourceForge|access-date=7 April 2016|archive-date=14 March 2016|archive-url=https://web.archive.org/web/20160314150947/https://sourceforge.net/projects/poxy/|url-status=live}}</ref> Despite waning in popularity<ref>{{Cite web|url=https://www.google.com/trends/explore?date=all&q=glype+proxy|title=Google Trends|website=Google Trends}}</ref> due to [[VPN]]s and other privacy methods, {{as of|September 2021|lc=on}} there are still a few hundred CGI proxies online.<ref>{{Cite web|url=https://getproxi.es/proxy-stats/|title=Proxy Stats :: Get Proxi.es|website=getproxi.es|access-date=2021-09-05|archive-date=1 September 2021|archive-url=https://web.archive.org/web/20210901072646/https://getproxi.es/proxy-stats/|url-status=live}}</ref>

Some CGI proxies were set up for purposes such as [[Web Accessibility Initiative|making websites more accessible]] to disabled people, but have since been shut down due to [[Web traffic#Traffic overload|excessive traffic]], usually caused by a [[Slashdot effect|third party advertising the service]] as a means to bypass local filtering. Since many of these users do not care about the collateral damage they are causing, it became necessary for organizations to hide their proxies, disclosing the URLs only to those who take the trouble to contact the organization and demonstrate a genuine need.<ref>{{Cite journal|last=Estrada-Jiménez|first=José|date=March 2017|title=Online advertising: Analysis of privacy threats and protection approaches|journal=Computer Communications|volume=100|pages=32–51|doi=10.1016/j.comcom.2016.12.016|hdl=2117/99742|s2cid=34656772 |hdl-access=free |issn = 0140-3664}}</ref>

===Suffix proxy===
A suffix proxy allows a user to access web content by appending the name of the proxy server to the URL of the requested content (e.g. "en.wikipedia.org.''SuffixProxy.com''"). Suffix proxy servers are easier to use than regular proxy servers, but they do not offer high levels of anonymity, and their primary use is for bypassing web filters. However, this is rarely used due to more advanced web filters.

===Tor onion proxy software===
[[File:Vidalia-0.0.11-svn.png|upright=1.8|thumb|alt=Screenshot of computer program showing computer locations on a world map.|The [[Vidalia project|Vidalia]] Tor-network map]]

[[Tor (network)|Tor]] is a system intended to provide [[internet anonymity|online anonymity]].<ref name="Glater">{{cite news |url=https://www.nytimes.com/2006/01/25/technology/techspecial2/25privacy.html?_r=1 |title=Privacy for People Who Don't Show Their Navels |first=Jonathan |last=Glater |newspaper=The New York Times |date=25 January 2006 |access-date=4 August 2011 |archive-date=29 April 2011 |archive-url=https://web.archive.org/web/20110429194810/http://www.nytimes.com/2006/01/25/technology/techspecial2/25privacy.html?_r=1 |url-status=live }}</ref> Tor client software routes Internet traffic through a worldwide volunteer network of servers for concealing a user's computer location or usage from someone conducting [[Computer surveillance#Network surveillance|network surveillance]] or [[Traffic analysis#In computer security|traffic analysis]]. Using Tor makes tracing Internet activity more difficult,<ref name="Glater" /> and is intended to protect users' personal freedom and their online privacy.

"[[Onion routing]]" refers to the layered nature of the encryption service: The original data are encrypted and re-encrypted multiple times, then sent through successive Tor relays, each one of which decrypts a "layer" of encryption before passing the data on to the next relay and ultimately the destination. This reduces the possibility of the original data being unscrambled or understood in transit.<ref name="torproject">{{cite web | last = The Tor Project | title = Tor: anonymity online | url = https://www.torproject.org/ | access-date = 9 January 2011 | archive-date = 9 April 2010 | archive-url = https://web.archive.org/web/20100409141549/https://www.torproject.org/faq | url-status = live }}</ref>

===I2P anonymous proxy===
The [[I2P|I2P anonymous network]] ('I2P') is a proxy network aiming at [[internet anonymity|online anonymity]]. It implements [[garlic routing]], which is an enhancement of Tor's onion routing. I2P is fully distributed and works by encrypting all communications in various layers and relaying them through a network of routers run by volunteers in various locations. By keeping the source of the information hidden, I2P offers censorship resistance. The goals of I2P are to protect users' personal freedom, privacy, and ability to conduct confidential business.

Each user of I2P runs an I2P router on their computer (node). The I2P router takes care of finding other peers and building anonymizing tunnels through them. I2P provides proxies for all protocols (HTTP, [[IRC]], SOCKS, ...).

===Comparison to network address translators===
The proxy concept refers to a layer-7 application in the [[OSI model|OSI reference model]]. [[Network address translation]] (NAT) is similar to a proxy but operates in layer 3.

In the client configuration of layer-3 NAT, configuring the gateway is sufficient. However, for the client configuration of a layer-7 proxy, the destination of the packets that the client generates must always be the proxy server (layer 7), then the proxy server reads each packet and finds out the true destination.

Because NAT operates at layer 3, it is less resource-intensive than the layer-7 proxy, but also less flexible. As we compare these two technologies, we might encounter a terminology known as 'transparent firewall'. '''Transparent firewall''' means that the proxy uses the layer-7 proxy advantages without the knowledge of the client. The client presumes that the gateway is a NAT in layer 3, and it does not have any idea about the inside of the packet, but through this method, the layer-3 packets are sent to the layer-7 proxy for investigation.{{Citation needed|date=July 2023}}

===DNS proxy===
A [[Domain Name System|DNS]] proxy server takes DNS queries from a (usually local) network and forwards them to an Internet Domain Name Server. It may also cache DNS records.

===Proxifiers===
Some client programs "SOCKS-ify" requests,<ref>{{cite book |last1=Zwicky |first1=Elizabeth D. |last2=Cooper |first2=Simon |last3=Chapman |first3=D. Brent |year=2000 |title=Building Internet Firewalls |edition=2nd |isbn=978-1-56592-871-8 |page=[https://archive.org/details/buildinginternet00zwic/page/235 235] |publisher=O'Reilly |url-access=registration |url=https://archive.org/details/buildinginternet00zwic/page/235 }}</ref> which allows adaptation of any networked software to connect to external networks via certain types of proxy servers (mostly SOCKS).

===Residential proxy (RESIP)===
A residential proxy is an intermediary that uses a real IP address provided by an [[Internet service provider|Internet Service Provider (ISP)]] with physical devices such as [[Mobile phone|mobiles]] and [[Personal computer|computers of end-users]]. Instead of connecting directly to a [[Server (computing)|server]], residential proxy users connect to the target through residential IP addresses. The target then identifies them as organic internet users. It does not let any tracking tool identify the reallocation of the user.<ref>{{Cite web |date=2023-04-17 |title=What Is a Proxy Server and How Does It Work? |url=https://iproyal.com/blog/what-is-a-proxy-server-and-how-does-it-work/ |access-date=2023-07-02 |website=IPRoyal.com |language=en-US}}</ref> Any residential proxy can send any number of concurrent requests, and IP addresses are directly related to a specific region.<ref>{{cite book |last1=Smith |first1=Vincent |title=Go Web Scraping Quick Start Guide: Implement the power of Go to scrape and crawl data from the web |date=2019 |publisher=Packt Publishing Ltd |isbn=978-1-78961-294-3 |url=https://books.google.com/books?id=jQGGDwAAQBAJ&q=Residential+proxy&pg=PA76 |language=en |access-date=19 November 2020 |archive-date=17 January 2023 |archive-url=https://web.archive.org/web/20230117214445/https://books.google.com/books?id=jQGGDwAAQBAJ&q=Residential+proxy&pg=PA76 |url-status=live }}</ref> Unlike regular residential proxies, which hide the user's real IP address behind another IP address, rotating residential proxies, also known as ''backconnect proxies'', conceal the user's real IP address behind a pool of proxies. These proxies switch between themselves at every session or at regular intervals.<ref>{{cite web |last1=Keenan |first1=James |title=What are Residential Proxies? |url=https://smartproxy.com/blog/what-is-a-residential-proxies-network |website=Smartproxy.com |access-date=26 December 2021 |archive-date=26 December 2021 |archive-url=https://web.archive.org/web/20211226203128/https://smartproxy.com/blog/what-is-a-residential-proxies-network |url-status=live }}</ref>

Despite the providers assertion that the proxy hosts are voluntarily participating, numerous proxies are operated on potentially compromised hosts, including [[Internet of things]] devices. Through the process of cross-referencing the hosts, researchers have identified and analyzed logs that have been classified as [[potentially unwanted program]] and exposed a range of unauthorized activities conducted by RESIP hosts. These activities encompassed illegal promotion, fast fluxing, phishing, hosting malware, and more.<ref>{{Cite conference |last1=Mi |first1=Xianghang |last2=Feng |first2=Xuan |last3=Liao |first3=Xiaojing |last4=Liu |first4=Baojun |last5=Wang |first5=XiaoFeng |last6=Qian |first6=Feng |last7=Li |first7=Zhou |last8=Alrwais |first8=Sumayah |last9=Sun |first9=Limin |last10=Liu |first10=Ying |conference=2019 IEEE Symposium on Security and Privacy (SP) |title=Resident Evil: Understanding Residential IP Proxy as a Dark Service |date=May 2019 |url=https://ieeexplore.ieee.org/document/8835239 |pages=1185–1201 |doi=10.1109/SP.2019.00011|isbn=978-1-5386-6660-9 |s2cid=132479013 |doi-access=free }}</ref>