Proxy Fundamentals Study Notes

What is a Proxy?

A proxy is an application-level middleman, an agent that makes requests for you. In networking, a proxy receives requests from a client and forwards them to the target server, then returns the server’s responses to the client. It stands between client and server and can therefore see (and possibly modify) the requests that pass through it.

1. Forward Proxies

A forward proxy sits in front of clients. Clients send requests to the proxy, which then forwards them to the destination server.

Client → Forward Proxy → Destination Server

2. Reverse Proxies

A reverse proxy sits in front of servers. Clients think they are talking to the server, but the proxy handles incoming requests first.

Client → Reverse Proxy → Actual Server

X-Forwarded-For

The X-Forwarded-For (XFF) header is a de-facto standard HTTP header used to identify the originating IP address of a client connecting to a web server through a proxy server, load balancer, or Content Delivery Network (CDN). It is essential for logging, traffic analysis, and geolocation when the server only sees the proxy’s IP.

It usually contains the original client IP. Example:

X-Forwarded-For: 5.157.248.142

If the proxy sends this header, the website can see your real IP.
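On the server side, the header is only as reliable as whoever wrote it, and a client can set X-Forwarded-For itself. The following sketch is an added example, not part of the original notes: it picks the address to log by trusting only entries appended by the server's own proxies. The 10.0.0.0/8 range and the function names are assumptions.

```python
import ipaddress

# Assumption for this example: the ranges our own reverse proxies live in.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

def is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(peer_addr, xff_header):
    """Pick the address to log for a request that may carry X-Forwarded-For.

    Each proxy appends the address it received the connection from, so the
    list is walked right to left: the first hop that is not one of our own
    proxies is the last address we can vouch for. Everything to its left
    arrived from the client side and may be forged.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not is_trusted(peer) or not xff_header:
        return str(peer)  # direct connection: ignore any XFF the sender set
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed entry: fall back to the socket peer
        if not is_trusted(ip):
            return str(ip)
    return str(peer)  # every listed hop was one of our own proxies
```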


Via

The Via header is an HTTP/SIP header added by proxies and gateways to track the path of a request or response, identify protocol capabilities of intermediate nodes, and prevent request loops. It acts as a routing trail, ensuring responses travel back through the same proxies that handled the original request.

It indicates that traffic passed through a proxy. Example:

Via: squid/3.5.27

The 3 Proxy Levels

Proxy Types (from an anonymity perspective)

These are forward proxies classified by how much they hide the client:

1. Transparent Proxy

Provides NO anonymity.

  • Reveals your real IP via headers
  • Mainly used for caching/filtering

2. Anonymous Proxy

Hides your IP but admits proxy usage. Moderate anonymity.

3. Elite Proxy

Tries to look like a normal client. Hides your IP and does not identify itself as a proxy. Harder for websites to detect.

The website may not know a proxy exists at all. Highest anonymity level.


Proxy Judges

A Proxy Judge is a script hosted online that outputs the information a visitor sent to that server. The main purpose of such a script is to check and validate proxy servers. Most proxy checkers test a proxy by making it connect to a proxy judge and parsing the judge’s output to determine what kind of information that particular proxy reveals, and then derive its level of anonymity, performance metrics, and other features from that information.

Used to test:

  • whether proxy leaks IP
  • whether proxy adds headers
  • anonymity level

The judge prints all received headers.
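The three proxy levels above follow directly from what the judge receives. This added example (not from the original notes) parses judge output and maps it to a level; the "Name: value" output format, the sample outputs, the header list and the function names are all constructed assumptions.

```python
import re

# Constructed judge outputs ("Name: value" per line); the real client is REAL_IP.
REAL_IP = "5.157.248.142"
SAMPLES = {
    "proxy_a": "Host: judge.example\nVia: squid/3.5.27\nX-Forwarded-For: 5.157.248.142",
    "proxy_b": "Host: judge.example\nVia: squid/3.5.27\nX-Forwarded-For: unknown",
    "proxy_c": "Host: judge.example\nUser-Agent: checker/1.0\nAccept: */*",
}

# Headers whose presence admits a proxy is in the path (not an exhaustive list).
PROXY_HEADERS = {"via", "x-forwarded-for", "forwarded", "x-real-ip", "proxy-connection"}

def parse_judge_output(text):
    """Turn the judge's printed header lines into a lower-cased dict."""
    headers = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def classify(headers, real_ip):
    """Return 'transparent', 'anonymous' or 'elite' for one judge response."""
    for value in headers.values():
        # Compare whole address tokens so 15.157.248.142 does not match 5.157.248.142.
        if real_ip in re.split(r"[^0-9A-Fa-f:.]+", value):
            return "transparent"   # the real IP leaked in some header
    if PROXY_HEADERS.intersection(headers):
        return "anonymous"         # IP hidden, but the proxy announced itself
    return "elite"                 # nothing distinguishes it from a direct client

def classify_all():
    return {name: classify(parse_judge_output(out), REAL_IP)
            for name, out in SAMPLES.items()}
```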


SOCKS (SOCKet Secure)

A general-purpose proxy protocol that forwards TCP and (with SOCKS5) UDP traffic. It doesn’t understand application protocols such as HTTP or SMTP; it just forwards byte streams. Because it is protocol-agnostic, it can proxy SSH, FTP, game traffic, DNS (if forwarded), etc., provided the client supports routing that traffic through SOCKS.

SOCKS is a specific protocol used to talk to a proxy server.

Your browser first talks to the SOCKS server. Then the SOCKS server creates that connection and relays data back and forth.

SOCKS is useful because it forwards:

  • TCP
  • UDP
  • arbitrary traffic

Meaning tools like:

  • nmap
  • curl
  • browsers
  • exploitation tools
  • RDP
  • SMB

can all be tunneled through it.


Proxychains

Proxychains is a UNIX tool that forces any TCP connection from an application to flow through user-defined proxies (HTTP, SOCKS4/5), such as Tor, which allows improved anonymity, firewall bypass, and proxified networking. It is widely used for network pivoting and masking traffic.

Applications normally do NOT know how to use SOCKS automatically. proxychains forces applications through a proxy.

Example:

proxychains nmap 10.10.10.5

Flow:

nmap
 │
 ▼
proxychains
 │
 ▼
SOCKS proxy
 │
 ▼
Internal target

proxychains.conf

socks5 192.168.67.78 1080 lamer secret

Meaning:

  • use SOCKS5
  • proxy IP = 192.168.67.78
  • port = 1080
  • username = lamer
  • password = secret

Another:

socks4 192.168.11.49 1080

SOCKS4 proxy without authentication.


Chaining Proxies

Sometimes one compromised machine is not enough.

Attacker
   │
   ▼
Compromised Host A
   │
   ▼
Compromised Host B
   │
   ▼
Final Internal Network

You can chain SOCKS proxies. This is called proxy chaining.

proxychains can do this automatically.


SOCKS v4 vs v5

SOCKS4

  • Supports only TCP.
  • Uses IPv4 addresses (no domain names built into the protocol).
  • No authentication, or only very basic authentication.
  • Simple CONNECT semantics.

SOCKS5

  • Supports TCP and UDP (UDP via the UDP ASSOCIATE command).
  • Supports IPv4, IPv6, and domain names.
  • Supports multiple authentication methods (including username/password).
  • More flexible and widely used today.

DNS and SOCKS

SOCKS5 can carry domain names in the request. If the client sends a domain name, the proxy performs the DNS resolution, so the destination DNS lookup is hidden from the client’s network.

Some SOCKS clients instead resolve domain names locally and send the proxy an IP. That means DNS happens on your client and leaks to your ISP.
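The difference is visible in the request bytes the client sends to the proxy. This added example (not from the original notes) decodes a SOCKS4 or SOCKS5 request and reports which side does the name lookup; the sample byte strings, the example.com / 192.0.2.10 destinations and the function name are constructed assumptions.

```python
import ipaddress
import struct

# Constructed requests: CONNECT to port 443 (0x01bb).
S5_DOMAIN = b"\x05\x01\x00\x03" + bytes([11]) + b"example.com" + b"\x01\xbb"
S5_IPV4 = b"\x05\x01\x00\x01" + b"\xc0\x00\x02\x0a" + b"\x01\xbb"
S4_IPV4 = b"\x04\x01" + b"\x01\xbb" + b"\xc0\x00\x02\x0a" + b"user\x00"

def parse_socks_request(data):
    """Decode a SOCKS4 or SOCKS5 request and report which side resolves DNS."""
    if len(data) < 8:
        raise ValueError("request too short")
    version, command = data[0], data[1]
    if version == 4:
        # SOCKS4: VER CMD DSTPORT(2) DSTIP(4) USERID NUL, IPv4 literal only
        port = struct.unpack("!H", data[2:4])[0]
        host, resolver = str(ipaddress.IPv4Address(data[4:8])), "client"
    elif version == 5:
        # SOCKS5 (RFC 1928): VER CMD RSV ATYP DST.ADDR DST.PORT(2)
        atyp = data[3]
        if atyp == 0x01:      # IPv4 literal
            raw, end, resolver = data[4:8], 8, "client"
        elif atyp == 0x04:    # IPv6 literal
            raw, end, resolver = data[4:20], 20, "client"
        elif atyp == 0x03:    # length-prefixed domain name
            end = 5 + data[4]
            raw, resolver = data[5:end], "proxy"
        else:
            raise ValueError("unknown ATYP 0x%02x" % atyp)
        if len(data) < end + 2:
            raise ValueError("truncated request")
        host = raw.decode("ascii") if atyp == 0x03 else str(ipaddress.ip_address(raw))
        port = struct.unpack("!H", data[end:end + 2])[0]
    else:
        raise ValueError("not a SOCKS4/SOCKS5 request")
    # "client" means an IP literal was sent: any name lookup happened before
    # the request reached the proxy, on the client's own network.
    return {"version": version, "command": command, "host": host,
            "port": port, "resolver": resolver}
```

A request with `resolver` equal to `client` for a destination the user entered as a hostname is the leak case described above.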


HTTP Proxy


HTTPS Proxy