Proxy server

src: www.thesecuritybuddy.com

In computer networks, proxy servers are servers (computer systems or applications) that act as intermediaries for requests from clients looking for resources from other servers. The client connects to the proxy server, requesting some services, such as files, connections, web pages, or other resources available from different servers and the proxy server evaluates the request as a way to simplify and control its complexity. Proxies are created to add structure and encapsulation to a distributed system. Currently, most proxies are web proxies , facilitating access to content on the World Wide Web, providing anonymity and can be used to bypass blocking of IP addresses.

Video Proxy server

Jenis server proxy

The proxy server can reside on the user's local computer, or at various points between the user's computer and the destination server on the Internet.

• Proxy servers that forward unmodified requests and responses are usually referred to as gateways or sometimes tunneling proxy .
• Proxy forwards is a proxy facing the Internet used to extract from multiple sources (in most cases anywhere on the Internet).
• Inverted proxies are usually the inward-facing proxies used as front ends to control and protect access to servers on a private network. A reverse proxy generally also performs tasks such as load balancing, authentication, decryption or caching.

Open proxy

An open proxy is a forwarding proxy server that can be accessed by Internet users. Gordon Lyon estimates there are "hundreds of thousands" of open proxies on the Internet. An anonymous open proxy allows users to hide their IP addresses while browsing the Web or using other Internet services. However, there are different levels of anonymity, as well as a number of methods of 'tricking' the client into revealing itself regardless of the proxy being used.

Inverted proxy

Reverse Proxy (or replacement) is a visible proxy server for the client to become a regular server. Reversing the proxy forwards the request to one or more regular servers that handle the request. The response from the proxy server is returned as if it came directly from the original server, leaving the client without the knowledge of the origin server. Inverted proxies are installed in one or more web server environments. All traffic coming from the Internet and with the goal of one of the neighboring web servers passes the proxy server. The use of "reverse" comes from its "forward proxy" counterpart because the reverse proxy sits closer to the web server and serves only a limited set of websites. There are several reasons to install a reverse proxy server:

• SSL encryption/acceleration: when a secure website is created, Secure Sockets Layer (SSL) encryption is often not done by the web server itself, but by a reverse proxy equipped with SSL acceleration hardware. Further, the host can provide one "SSL proxy" to provide SSL encryption for a host of arbitrary hosts; removing the need for a separate SSL Server Certificate for each host, with the disadvantage that all residents behind the SSL proxy must share a common DNS name or IP address for SSL connections. This problem can be partially solved by using the SubjectAltName feature of the X.509 certificate.
• Load balancing: The reverse proxy can distribute the load to multiple web servers, each web server serving its own application area. In such cases, a reverse proxy may need to rewrite the URL on every webpage (translation of URLs known externally to internal locations).
• Serves/caches static content: A reverse proxy can release a web server by storing static content such as images and other static graphic content.
• Compression: a proxy server can optimize and compress content to speed up loading time.
• Eat a spoon: reduce the use of resources caused by slow clients on the web server by storing the content that the web server sends and slowly "spoon the spoon" onto the client. This is especially useful for dynamically generated pages.
• Security: The proxy server is an additional layer of defense and can protect against some OS and Web Server-specific attacks. However, it does not provide any protection from attacks on the web app or the service itself, which is generally regarded as a greater threat.
• Extranet publishing: reversed proxy servers facing the Internet can be used to communicate with an internal firewall server to an organization, providing extranet access to multiple functions while maintaining the server behind a firewall. If used in this way, security measures should be taken into consideration to protect the rest of your infrastructure if this server is compromised, because its web application is struck from the Internet.

Maps Proxy server

Using

Monitor and filter

Content-control software

The content proxy web content filtering server provides administrative control over content that may be delivered in one or both directions through a proxy. These are typically used in commercial and non-commercial organizations (especially schools) to ensure that Internet usage conforms to acceptable usage policies.

Content filtering proxies often support user authentication to control web access. It also usually generates logs, either to provide detailed information about URLs accessed by a particular user, or to monitor bandwidth usage statistics. It can also communicate to daemon and/or ICAP-based antivirus software to provide security against viruses and other malware by scanning incoming content in real time before logging into the network.

Many workplaces, schools and colleges restrict online websites and services that are accessible and available in their buildings. The government also censors unwanted content. This is done either with special proxies, called content filters (both commercial and free products available), or by using a cache-expansion protocol such as ICAP, which allows plug-in extensions to an open caching architecture.

Websites normally used by students to avoid filters and access blocked content often include proxies, from which users can access websites blocked by filters.

Requests can be filtered by multiple methods, such as blacklisted URL or DNS blacklist, regular regex filtering, MIME filtering, or content keyword filtering. Some products have been known to use content analysis techniques to look for traits common to certain types of content providers. Blacklists are often provided and managed by web-filtering companies, often grouped into categories (pornography, gambling, shopping, social networking, etc.).

Assuming the requested URL is acceptable, the content is then fetched by the proxy. At this point a dynamic filter can be applied to the return path. For example, JPEG files can be blocked based on fleshtone matches, or language filters can dynamically detect unwanted languages. If the content is rejected then HTTP fetching errors can be returned to the requester.

Most web filtering companies use broad internet crawling robots that assess the likelihood that a content is of a certain type. The resulting database is then corrected by manual workers based on known complaints or errors in content matching algorithms.

Some proxies scan outbound content, for example, for data loss prevention; or scan content for malicious software.

Filtering encrypted data

Web filtering proxies can not be snooped into secure socket HTTP transactions, assuming the SSL/TLS (Transport Layer Security) trust chain has not been tampered with.

The SSL/TLS trust chain depends on the authority of a trusted root certificate. In workplace settings where the client is managed by the organization, trust can be given to the root certificate whose private key is known by the proxy. As a result, the root certificate generated by the proxy is installed to the CA browser list by the IT staff.

In such situations, proxy analysis of the content of SSL/TLS transactions becomes possible. The proxy effectively operates a man-in-the-middle attack, permitted by the client's trust of the proxy-owned root certificate.

Skip filters and censors

If the destination server filters content based on the origin of the request, the use of the proxy can avoid this filter. For example, the server uses IP-based geolocation to restrict its services to certain countries accessible using a proxy located in the country to access the service.

Web proxy is the most common way of passing government censorship, though no more than 3% of Internet users use any avoiding tools.

In some cases, users may avoid filtering proxies using blacklists using services designed for proxy information from non-blacklisted locations.

Recording and eavesdropping

Proxies can be installed to eavesdrop the data stream between client and web machines. All submitted or accessed content - including passwords sent and cookies used - can be captured and analyzed by the proxy operator. For this reason, passwords for online services (such as webmail and banking) should always be exchanged via cryptographically secure connections, such as SSL. By chaining proxies that do not reveal data about the original applicant, it is possible to obscure the activities of the user's destination eye. However, more traces will be left in the mid jump, which can be used or offered to track user activity. If the policies and administrators of these other proxies are unknown, the user may become the victim of a false sense of security simply because the detail is invisible and unthinkable. In what is more of an inconvenience than a risk, proxy users may find themselves blocked from certain websites, as many forums and websites block IP addresses from proxies that are known to have spammed or trolled the site. Bouncing proxies can be used to maintain privacy.

Improving performance

The proxy caching server accelerates service requests by retrieving content stored from previous requests made by the same client or even other clients. Caching proxies keeps local copies of frequently requested resources, enabling large organizations to significantly reduce their upstream bandwidth usage and costs, while significantly improving performance. Most ISPs and large businesses have proxy caching. Proxy caching is the first proxy server type. Web proxy is usually used to store web pages from a web server. Badly implemented cache cache can cause problems, such as the inability to use user authentication.

Proxies designed to reduce the problem or degradation associated with a particular link are Performance Enhancing Proxy (PEPs). This is typically used to improve TCP performance with high round-trip times or high packet losses (such as wireless or cellular phone networks); or highly asymmetric links featuring very different upload and upload levels. PEP can make network usage more efficient, for example by combining TCP ACK (acknowledgments) or compressing data sent on the application layer.

Another important use of proxy servers is to reduce hardware costs. Organizations may have multiple systems on the same network or under the control of a single server, which prohibits the possibility of individual connections to the Internet for each system. In such cases, an individual system can connect to one proxy server, and a proxy server connected to the primary server.

Translation

Proxy translation is the proxy server used to localize the website experience for different markets. Traffic from a global audience is channeled through a translation proxy to the source website. When a visitor crawls a proxy site, the request returns to the source site where the page is rendered. The original language content in responses is replaced by translated content when passed back through the proxy. Translations used in a translation proxy can be machine translation, human translation, or a combination of machines and human translations. Different translation proxy implementation has different capabilities. Some allow further customization of source sites for local audiences such as excluding source content or replacing source content with native local content.

Accessing services anonymously

An anonymous proxy server (sometimes called a web proxy) generally tries to anonymize web browsing. There are different types of anonymizers. The destination server (the server that eventually meets the web request) receives a request from an anonymous proxy server, and thus does not receive information about the end user's address. The request is not anonymous to the anonymous proxy server, but there is a trust level between the proxy server and the user. Many proxy servers are funded through advanced ad links to users.

Access controls : Some proxy servers impose login conditions. In large organizations, authorized users must sign in to gain access to the web. Thus the organization can track usage for individuals. Some anonymous proxy servers may forward data packets with header rows like HTTP_VIA, HTTP_X_FORWARDED_FOR, or HTTP_FORWARDED, which can reveal the client's IP address. Another anonymous proxy server, known as an elite proxy or high anonymity, makes it appear that the proxy server is the client. A website can still suspect a proxy is in use if a client sends a package that includes cookies from previous visits that do not use anonymous high proxy servers. Clearing cookies, and possibly cache, will solve this problem.

QA targeted ads

Advertisers use a proxy server to validate, check, and guarantee the quality of geo-targeted ads. Geo-targeted ad servers check the source IP addresses of requests and use geo-IP databases to determine the geographic source of the request. Using a proxy server that is physically located within a particular country or city gives advertisers the ability to test geo-targeted ads.

Security

Proxies can maintain the internal network structure of company secrets by using network address translation, which can help internal network security. This makes requests from machines and users on an anonymous local network. Proxies can also be combined with firewalls.

An improperly configured proxy can provide access to a network separate from the Internet.

Cross-domain resources

Proxy allows websites to make web requests for externally hosted resources (e.g. pictures, music files, etc.) When cross-domain restrictions prohibit websites from connecting directly to outside domains. Proxies also allow browsers to make web requests for externally hosted content on behalf of websites when cross-domain restrictions (in place to protect websites from people such as data theft) prohibit browsers from accessing outside domains directly.

Secondary market broker

Not to be confused with the secondary market, secondary market brokers use web proxy servers to purchase large stocks of limited products such as shoes or limited tickets.

src: www.learnabhi.com

Implementation proxy

Web proxy server

The web proxy is continuing HTTP requests. Requests from clients are the same as regular HTTP requests unless the full URL is passed, not just the path.

This request is sent to the proxy server, the proxy generates the specified request and returns the response.

Some web proxies allow the HTTP CONNECT method to manage arbitrary data forwarding over connections; the general policy is to simply pass port 443 to allow HTTPS traffic.

Examples of web proxy servers include Apache (with mod_proxy or Traffic Server), HAProxy, IIS configured as proxies (for example, with Application Request Routing), Nginx, Privoxy, Squid, Varnish (reverse proxy only), WinGate, Ziproxy, Tinyproxy, RabbIT4 and Polipo.

SOCKS proxy

SOCKS also passes random data after the connection phase, and is similar to HTTP CONNECT in the web proxy.

Transparent proxy

Also known as the intercepting proxy , inline proxy , or forced proxy , the transparent proxy intercepts normal communication on the network layer without requiring any special client configuration. The client does not need to be aware of the existence of the proxy. Transparent proxies are usually located between the client and the Internet, with the proxy performing some gateway function or router.

RFC 2616 (Hypertext Transfer Protocol - HTTP/1.1) offers standard definition:

"A 'transparent proxy' is a proxy that does not modify requests or responses beyond what is required for authentication and proxy identification". "A 'transparent proxy' is a proxy that modifies requests or responses to provide some additional services to user agents, such as group annotation services, media type transformations, protocol reductions, or unnamed filtering".

TCP Intercept is a traffic filtering security feature that protects TCP servers from TCP SYN flood attacks, which are a type of denial-of-service attack. TCP Intercept is only available for IP traffic.

In 2009, a security gap in the way transparent proxy operations were published by Robert Auger, and the Computer Emergency Response Team issued an advisory list of dozens of transparent and intercepted proxy servers.

Destination

Intercepting proxies are typically used in businesses to enforce acceptable usage policies, and to ease administrative costs, as no client browser configuration is required. But the second reason is mitigated by features such as Active Directory group policies, or DHCP and automatic proxy detection.

Intercepting proxies are also commonly used by ISPs in some countries to save upstream bandwidth and increase customer response time by caching. This is more common in countries where bandwidth is more limited (eg island nations) or should be paid.

Problems

TCP connections/interception creates some issues. First of all the original destination IP and port must somehow be communicated to the proxy. This is not always possible (e.g., where gates and proxies reside on different hosts). There is a cross-site attack class that relies on certain behaviors from intercepting proxies that do not check or have access to information about the original destination (which was intercepted). This problem can be solved by using packaged-level device and application level tools or software that can then communicate this information between packet and proxy handlers.

Intercepting also creates problems for HTTP authentication, especially connection-oriented authentication like NTLM, because the client browser believes it's talking to the server rather than the proxy. This can cause problems when proxy intercepting requires authentication, then users connect to sites that also require authentication.

Finally, tapped connections can cause problems for HTTP cache, as some requests and responses become un-cache by shared cache.

Implementation method

In an integrated firewall/proxy server where the router/firewall resides on the same host as the proxy, communicating the original destination information can be done by any method, such as Microsoft TMG or WinGate.

Interception can also be done using Cisco WCCP (Web Cache Control Protocol). This proprietary protocol resides on the router and is configured from the cache, enabling the cache to determine which ports and traffic are sent to it through the transparent redirection of the router. This redirect can occur in one of two ways: GRE Tunneling (OSI Layer 3) or MAC rewrites (OSI Layer 2).

Once the traffic reaches the proxy machine itself interception is usually done with NAT (Network Address Translation). Such settings are invisible to the client browser, but allow the proxy to be visible to web servers and other devices on the proxy internet side. The latest Linux and some BSD releases provide TPROXY (transparent proxy) that performs IP-level transparent interception (OSI Layer 3) and spoofing outbound traffic, hiding proxy IP addresses from other network devices.

Detect

There are several methods that can often be used to detect the presence of an intercepted proxy server:

• By comparing the client's external IP address to the address viewed by the external web server, or sometimes by checking the HTTP headers received by the server. A number of sites have been created to address this issue, by reporting the user's IP address as seen by the site back to the user on the web page. Google also returns the IP address as seen by the page if the user searches for "IP".
• By comparing the results of online IP checks when accessed using https vs http, as most proxies that cut out do not intercept SSL. If there is suspicion about SSL being tapped, one can check the certificate associated with any secure website, the root certificate should indicate whether the certificate was issued for intercept purpose.
• By comparing the network hop sequences reported by a tool such as traceroute for proxy protocols such as http (port 80) with it for nonproksied protocols such as SMTP (port 25).
• By trying to establish a connection to an IP address that is known to be no server. The proxy will accept the connection and then try to proclaim it. When the proxy does not find the server to accept the connection, it can return an error message or simply close the connection to the client. Differences in this behavior are easily detected. For example, most web browsers will generate error pages created by browsers in cases where they can not connect to the HTTP server but will return a different error in cases where the connection is received and then closed.
• By serving end users of specially programmed Adobe Flash SWF applications or Sun Java applets that send HTTP calls back to their servers.

CGI proxy

CGI web proxies accept target URLs using Web forms in the user's browser window, processing requests, and returning the results to the user's browser. As a result, it can be used on a device or network that does not allow "true" proxy settings to be changed. The first recorded CGI proxy was developed by American computer scientist Richard Windmann on June 6, 1999.

The majority of CGI proxies are supported by Glype or PHProxy, both written in PHP. Starting April 2016, Glype has received nearly a million downloads, while PHProxy still receives hundreds of downloads per week. Despite its declining popularity due to VPN and other privacy methods, there are still several thousand CGI proxies online.

Some CGI proxies are formed for purposes such as making websites more accessible to disabled people, but have been closed due to excessive traffic, typically caused by third parties advertising services as a means of bypassing local filtering. Because many of these users are not concerned with the additional damage they cause, organizations need to hide their proxies, revealing URLs only to those who struggle to contact the organization and point out actual needs.

Suffix proxy

The suffix proposal allows users to access web content by adding a proxy server name to the requested content URL (eg "En.wikipedia.org. "). The proxy server suffix is ​​easier to use than a regular proxy server but they do not offer a high degree of anonymity and their primary use is to bypass web filters. However, this is rarely used because of the more sophisticated web filters.

Torque processing software

Tor (short for Router Onion ) is a system intended to enable online anonymity. Tor client software directs Internet traffic through a global server volunteer network to hide the location or user usage of someone who does network monitoring or traffic analysis. Using Tor makes it more difficult to track Internet activity, including "website traffic, online posting, instant messaging and other forms of communication", back to the user. It is meant to protect personal freedom, privacy, and the ability of users to do business secrets by keeping their internet activity monitored.

"Onion routing" refers to the layered nature of the encryption service: The original data is encrypted and re-encrypted multiple times, then sent through successive Tor rails, each decrypting the encryption layer before passing the data to the next relay and finally the destination. This reduces the chances of the original data being random or understood in transit.

Tor clients are free software, and there is no additional cost to use the network.

I2P anonymous proxy

Anonymous network I2P ('I2P') is a proxy network aimed at online anonymity. It implements garlic routing, which is an increase in Tor onion routing. I2P is fully distributed and works by encrypting all communications in different layers and delivering it through a network of routers run by volunteers at various locations. By keeping the source of information hidden, I2P offers sensor resistance. The purpose of I2P is to protect personal freedom, privacy, and the ability of users to do confidential business.

Each I2P user runs an I2P router on their computer (node). Route I2P handles the search of other peers and builds anonymous tunnels through them. I2P provides proxy for all protocols (HTTP, IRC, SOCKS,...).

The software is free and open source, and the network is free to use.

Proxy vs. NAT

Most of the time 'proxy' refers to the application layer-7 on the OSI reference model. However, another way to proxy is through layer-3 and known as Network Address Translation (NAT). The difference between these two proxy technologies is the layers in which they operate, and the procedure for configuring proxy clients and proxy servers.

In the client configuration of layer-3 proxy (NAT), configuring the gateway is sufficient. However, for the client configuration of the proxy layer-7, the client's destination packet should always be a proxy server (layer-7), then the proxy server reads each packet and finds the actual destination.

Because NAT operates on layer-3, it's less resource intensive than the 7-layer proxy, but also less flexible. When we compare these two technologies, we may find terminology known as 'transparent firewalls'. Transparent firewall means that the layer 3 proxy uses the benefit of layer-7 proxy without the client's knowledge. The client assumes that the gateway is NAT on layer-3, and has no idea about the inside of the packet, but through this method the layer-3 packet is sent to the 7-layer proxy for investigation.

DNS proxy

The DNS proxy server takes DNS requests from the network (usually local) and forward them to the Internet Domain Name Server. It can also cache DNS records.

src: i.ytimg.com

See also

Overview and discussion

• Web server software comparison
• Darknet
• SMTP proxy
• Web accelerator discussing host-based HTTP acceleration
• Web cache

Proxifiers

There is a "SOCKS-ify" client program, which allows adaptation of network software to connect to external networks through some types of proxy servers (mostly SOCKS).

Multiple topics

• Firewall application
• Captive portal
• Distribute the Checksum Clearinghouse
• Internet privacy
• Proxy list
• TELL an alternative firewall traversal protocol supported by many applications

src: cdn1.techadvisor.co.uk

References

src: i.ytimg.com

External links

• Software and proxy scripts in Curlie (based on DMOZ)
• Free web-based proxy service in Curlie (based on DMOZ)
• Free http proxy server in Curlie (based on DMOZ)

Source of the article : Wikipedia