Editing Proxy server (section)

===Monitoring and filtering===
====Content-control software====
{{Further|Content-control software}}
A [[content filtering|content-filtering]] web proxy server provides administrative control over the content that may be relayed in one or both directions through the proxy. It is commonly used in both commercial and non-commercial organizations (especially schools) to ensure that Internet usage conforms to [[acceptable use policy]].

Content filtering proxy servers will often support [[Authentication|user authentication]] to control web access. It also usually produces [[server log|logs]], either to give detailed information about the URLs accessed by specific users or to monitor [[Bandwidth (computing)|bandwidth]] usage statistics. It may also communicate to [[daemon (computing)|daemon]]-based or [[Internet Content Adaptation Protocol|ICAP]]-based antivirus software to provide security against viruses and other [[malware]] by scanning incoming content in real-time before it enters the network.

Many workplaces, schools, and colleges restrict web sites and online services that are accessible and available in their buildings. Governments also censor undesirable content. This is done either with a specialized proxy, called a content filter (both commercial and free products are available), or by using a cache-extension protocol such as ICAP, that allows plug-in extensions to an open caching architecture.

Websites commonly used by students to circumvent filters and access blocked content often include a proxy, from which the user can then access the websites that the filter is trying to block.

Requests may be filtered by several methods, such as a [[Blacklist (Computing)|URL]] or [[DNSBL|DNS blacklists]], URL regex filtering, [[MIME]] filtering, or content keyword filtering. Blacklists are often provided and maintained by web-filtering companies, often grouped into categories (pornography, gambling, shopping, social networks, etc.).

The proxy then fetches the content, assuming the requested URL is acceptable. At this point, a dynamic filter may be applied on the return path. For example, [[JPEG]] files could be blocked based on fleshtone matches, or language filters could dynamically detect unwanted language. If the content is rejected then an HTTP fetch error may be returned to the requester.

Most web filtering companies use an internet-wide crawling robot that assesses the likelihood that content is a certain type. Manual labor is used to correct the resultant database based on complaints or known flaws in the content-matching algorithms.<ref>{{Cite journal |last1=Suchacka |first1=Grażyna |last2=Iwański |first2=Jacek |date=2020-06-07 |title=Identifying legitimate Web users and bots with different traffic profiles — an Information Bottleneck approach |journal=Knowledge-Based Systems |language=en |volume=197 |pages=105875 |doi=10.1016/j.knosys.2020.105875 |s2cid=216514793 |issn=0950-7051|doi-access=free }}</ref>

Some proxies scan outbound content, e.g., for data loss prevention; or scan content for malicious software.

====Filtering of encrypted data====
Web filtering proxies are not able to peer inside secure sockets HTTP transactions, assuming the chain-of-trust of SSL/TLS ([[Transport Layer Security]]) has not been tampered with. The SSL/TLS chain-of-trust relies on trusted root [[Certificate authority|certificate authorities]].

In a workplace setting where the client is managed by the organization, devices may be configured to trust a root certificate whose private key is known to the proxy. In such situations, proxy analysis of the contents of an SSL/TLS transaction becomes possible. The proxy is effectively operating a [[man-in-the-middle attack]], allowed by the client's trust of a root certificate the proxy owns.

====Bypassing filters and censorship====
If the destination server filters content based on the origin of the request, the use of a proxy can circumvent this filter. For example, a server using [[Internet Protocol|IP]]-based [[geolocation]] to restrict its service to a certain country can be accessed using a proxy located in that country to access the service.<ref name="harvard">{{cite web |title=2010 Circumvention Tool Usage Report |url=http://cyber.law.harvard.edu/sites/cyber.law.harvard.edu/files/2010_Circumvention_Tool_Usage_Report.pdf |publisher=The Berkman Center for Internet & Society at Harvard University |date=October 2010 |access-date=15 September 2011 |archive-date=18 January 2012 |archive-url=https://web.archive.org/web/20120118170534/http://cyber.law.harvard.edu/sites/cyber.law.harvard.edu/files/2010_Circumvention_Tool_Usage_Report.pdf |url-status=live }}</ref>{{rp|3}}

Web proxies are the most common means of bypassing government censorship, although no more than 3% of Internet users use any circumvention tools.<ref name="harvard" />{{rp|7}}

Some proxy service providers allow businesses access to their proxy network for rerouting traffic for business intelligence purposes.<ref>{{cite web |title=How to Check if Website is Down or Working Worldwide |url=https://www.hostinger.co.uk/tutorials/website/how-to-check-if-website-is-working-worldwide/ |website=Hostinger |access-date=14 December 2019 |date=19 November 2019 |archive-date=14 December 2019 |archive-url=https://web.archive.org/web/20191214110525/https://www.hostinger.co.uk/tutorials/website/how-to-check-if-website-is-working-worldwide/ |url-status=live }}</ref><!-- google "test your website with a proxy server" to find multiple companies offering this service-->

In some cases, users can circumvent proxies that filter using blacklists by using services designed to proxy information from a non-blacklisted location.<ref name="Bypassing a Filtering Proxy">{{cite web |url=http://sitevana.com/webtech/ |title=Using a Ninjaproxy to get through a filtered proxy. |work=advanced filtering mechanics |publisher=TSNP |access-date=17 September 2011 |archive-url=https://web.archive.org/web/20160309075844/http://sitevana.com/webtech |archive-date=9 March 2016 |url-status=dead }}</ref><!-- Eg. anonymous.org -->

[[File:CPT-Proxy.svg|thumb|upright=1.7|Many organizations block access to popular websites such as Facebook. Users can use proxy servers to circumvent this security. However, by connecting to proxy servers, they might be opening themselves up to danger by passing sensitive information such as personal photos and passwords through the proxy server. This image illustrates a common example: schools blocking websites to students.]]

====Logging and eavesdropping====
Proxies can be installed in order to [[Eavesdropping|eavesdrop]] upon the data-flow between client machines and the web. All content sent or accessed&nbsp;– including passwords submitted and [[HTTP cookie|cookies]] used&nbsp;– can be captured and analyzed by the proxy operator. For this reason, passwords to online services (such as webmail and banking) should always be exchanged over a cryptographically secured connection, such as SSL.

By chaining the proxies which do not reveal data about the original requester, it is possible to obfuscate activities from the eyes of the user's destination. However, more traces will be left on the intermediate hops, which could be used or offered up to trace the user's activities. If the policies and administrators of these other proxies are unknown, the user may fall victim to a false sense of security just because those details are out of sight and mind.
In what is more of an inconvenience than a risk, proxy users may find themselves being blocked from certain Web sites, as numerous forums and Web sites [[IP address blocking|block IP addresses]] from proxies known to have [[Spam (electronic)|spammed]] or [[Troll (Internet)|trolled]] the site. Proxy bouncing can be used to maintain privacy.