A proxy server is an intermediary that forwards application traffic on behalf of a client, applying local policies or transformations before relaying requests and responses. The HTTP specification defines a proxy as a client-chosen message-forwarding agent and distinguishes it from a gateway (often called a reverse proxy) that acts outwardly as an origin server while forwarding requests to internal servers, enabling services such as shared caching, security controls, and protocol translation (IETF RFC 9110).
Roles and topologies
- Forward proxy: selected by a client (for example, a browser) to access external resources. It can enforce acceptable-use policies, authenticate users, and provide privacy by masking client addresses (IETF RFC 9110; NIST CSRC Glossary).
- Gateway or reverse proxy: deployed in front of application servers to appear as the service endpoint while distributing, filtering, or caching requests to upstreams. Typical functions include request routing, TLS termination, and load balancing (IETF RFC 9110; NGINX documentation; Apache Traffic Server docs).
- Interception ("transparent") proxy: traffic is redirected to a proxy without explicit client configuration. Standards literature cautions that "transparent" is ambiguous; the caching community uses "interception proxy" to describe zero-configuration redirection (RFC 3040).
Protocols and methods
HTTP proxies operate at the application layer. Requests may be forwarded directly or tunneled. The CONNECT method asks a proxy to establish a TCP tunnel to a target host and then blindly relay bytes in both directions, which is commonly used to carry Transport Layer Security (TLS) sessions end-to-end through a proxy (IETF RFC 7231). HTTP/2 introduces an "extended CONNECT" for bootstrapping WebSockets on a single HTTP/2 stream (IETF RFC 8441). Earlier specifications also described CONNECT in the context of upgrading to TLS within HTTP/1.1 (IETF RFC 2817).
SOCKS is a general-purpose proxy protocol independent of application semantics. Version 5 supports IPv6, UDP relaying, and multiple authentication methods (including username/password) and is conventionally assigned TCP/UDP port 1080 by IANA (RFC 1928; RFC 1929; IANA Service Names and Port Numbers).
Discovery and configuration
User agents can be configured explicitly with a proxy host/port or use automatic discovery. A Proxy Auto-Configuration file (PAC) defines a JavaScript function, FindProxyForURL(url, host), that returns instructions such as DIRECT or PROXY host:port for each request (MDN Web Docs). Environments often distribute PAC files via the Web Proxy Auto-Discovery Protocol (WPAD) using DHCP option 252 and/or DNS conventions (typically wpad.dat), enabling "Auto-detect" in browsers (Cisco: WPAD).
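A PAC file of the kind described above, as an added example rather than one taken from the cited sources; the proxy address and internal domain names are constructed placeholders. It matches internal suffixes on a label boundary so a look-alike host is not sent DIRECT, and it returns no DIRECT fallback, which is a policy choice assumed here.

```javascript
// Added example PAC file. The proxy address and the internal suffixes are
// constructed placeholders, not values from the article.
var PROXY = "PROXY proxy.corp.example:3128";
var INTERNAL_SUFFIXES = ["corp.example", "internal.example"];

// True when host equals the suffix or ends with "." + suffix. Anchoring on
// the label boundary keeps "corp.example.attacker.test" and
// "notcorp.example" from being treated as internal.
function hostInDomain(host, suffix) {
  if (host === suffix) return true;
  var tail = "." + suffix;
  return host.length > tail.length &&
         host.slice(host.length - tail.length) === tail;
}

function FindProxyForURL(url, host) {
  host = String(host).toLowerCase();
  // Drop the trailing dot of a fully qualified name before comparing.
  if (host.charAt(host.length - 1) === ".") host = host.slice(0, -1);

  // Single-label names only resolve on the local network. IPv6 literals
  // also contain no dot, so exclude anything with a colon.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return "DIRECT";

  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    if (hostInDomain(host, INTERNAL_SUFFIXES[i])) return "DIRECT";
  }

  // No "; DIRECT" fallback: if the proxy is unreachable the request fails
  // instead of leaving the network without passing through policy.
  return PROXY;
}
```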
Caching and hierarchies
HTTP defines shared and private caches and the directives that control cacheability and freshness (for example, public, no-store, s-maxage, proxy-revalidate). Shared caches are often deployed as intermediaries to reduce latency and bandwidth (IETF RFC 9111). Cache hierarchies can be built among proxies using parent/sibling relationships and cache discovery protocols; widely used software such as Squid documents parent/sibling topologies and configuration for hierarchical forwarding (Squid wiki). Intercepting (transparent) caches can be deployed by redirecting traffic at the network layer, as described in the IETF caching taxonomy (RFC 3040).
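How a shared cache could act on the directives named above, as an added example and not code from Squid or any cited source; the function names and the returned object shape are assumptions. It models only Cache-Control (no Expires or heuristic freshness) and conservatively refuses to store any response marked private.

```javascript
// Parse a Cache-Control field value into a Map of lowercase directive -> argument.
// Simplification: a quoted argument containing commas is not reassembled.
function parseCacheControl(value) {
  const directives = new Map();
  for (const part of String(value).split(",")) {
    const item = part.trim();
    if (item === "") continue;
    const eq = item.indexOf("=");
    const name = (eq === -1 ? item : item.slice(0, eq)).trim().toLowerCase();
    const arg = eq === -1 ? "" : item.slice(eq + 1).trim().replace(/^"|"$/g, "");
    directives.set(name, arg);
  }
  return directives;
}

// Decide what a shared (proxy) cache may do with a response.
function sharedCacheDecision(cacheControl, requestHadAuthorization) {
  const cc = parseCacheControl(cacheControl);
  const deny = { store: false, freshFor: 0, revalidateWhenStale: false };

  // no-store forbids storing anywhere; private limits reuse to one user's cache.
  if (cc.has("no-store") || cc.has("private")) return deny;

  // A response to a request carrying Authorization may be reused by a shared
  // cache only when public, s-maxage or must-revalidate permits it (RFC 9111).
  const explicit = cc.has("public") || cc.has("s-maxage") || cc.has("must-revalidate");
  if (requestHadAuthorization && !explicit) return deny;

  // For a shared cache, s-maxage overrides max-age.
  const raw = cc.has("s-maxage") ? cc.get("s-maxage") : cc.get("max-age");
  const freshFor = /^\d+$/.test(raw || "") ? Number(raw) : 0;

  // s-maxage carries the semantics of proxy-revalidate for shared caches.
  const revalidateWhenStale =
    cc.has("proxy-revalidate") || cc.has("must-revalidate") || cc.has("s-maxage");
  return { store: true, freshFor: freshFor, revalidateWhenStale: revalidateWhenStale };
}
```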
Identification and forwarding headers
Intermediaries are expected to add a Via header field so downstream recipients can see the chain of intermediaries and protocol versions (IETF RFC 9110). For conveying client connection information across proxies, a standardized Forwarded header exists, with parameters such as for, by, host, and proto, alongside privacy cautions (IETF RFC 7239). Many deployments also use the de facto X-Forwarded-For request header to record the originating client IP, with guidance to trust only values added by known, controlled proxies (MDN Web Docs).
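One way to apply the "trust only known proxies" guidance, as an added example and not code from the cited sources: it walks X-Forwarded-For from the right and stops at the first address that is not one of the deployment's own proxies, next to the weak form that takes the leftmost entry. The proxy addresses, the sample request and the function names are constructed for illustration.

```javascript
// Constructed addresses from documentation ranges; a real deployment
// would list its own proxies here (assumption).
const TRUSTED_PROXIES = new Set(["192.0.2.10", "192.0.2.11"]);

// Split one or more X-Forwarded-For field values into an ordered hop list.
function parseForwardedFor(values) {
  return values.join(",").split(",")
    .map((hop) => hop.trim())
    .filter((hop) => hop !== "");
}

// Weak form: the leftmost entry is whatever the client chose to send.
function naiveClientAddress(peerAddr, xffValues) {
  const hops = parseForwardedFor(xffValues);
  return hops.length > 0 ? hops[0] : peerAddr;
}

// Corrected form: the header counts only if the TCP peer is a known proxy,
// and only entries appended by known proxies are skipped over.
function trustedClientAddress(peerAddr, xffValues) {
  // A peer that is not one of our proxies controls the whole header.
  if (!TRUSTED_PROXIES.has(peerAddr)) return peerAddr;
  const hops = parseForwardedFor(xffValues);
  // Each trusted proxy appended the address it saw, so walk from the right
  // and return the first address that is not one of ours.
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!TRUSTED_PROXIES.has(hops[i])) return hops[i];
  }
  // Every hop is a trusted proxy (or the header is absent).
  return hops.length > 0 ? hops[0] : peerAddr;
}

// Constructed request: the client at 203.0.113.7 sent "10.0.0.1" in its own
// X-Forwarded-For; the edge proxy 192.0.2.10 appended the client address,
// and the inner proxy 192.0.2.11 appended the edge proxy's address.
const SAMPLE_PEER = "192.0.2.11";
const SAMPLE_XFF = ["10.0.0.1, 203.0.113.7, 192.0.2.10"];
```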
Authentication and access control
Proxies can require client authentication. When credentials are missing or invalid, the proxy returns 407 Proxy Authentication Required and a Proxy-Authenticate challenge; the client retries with Proxy-Authorization as specified by HTTP authentication semantics (IETF RFC 9110; MDN: 407). In proxy chains, credentials are scoped to the next outbound hop unless administratively propagated within a domain (IETF RFC 9110).
Security and privacy considerations
A forward proxy can provide policy enforcement and address hiding, but it also becomes a point of traffic concentration and logging, with associated privacy implications (NIST CSRC Glossary). Reverse proxies increase resilience and performance but do not, by themselves, eliminate application-layer vulnerabilities; they must be combined with secure application design and controls. Deployments that decrypt TLS at the proxy ("TLS inspection") replace end-to-end encryption with two TLS sessions; studies and industry analyses note risks including weaker ciphers on one leg, certificate-handling pitfalls, and expanded attack surface on the interception device (TLS Proxies: Friend or Foe?; Secureworks; IETF RFC 8446). For strong anonymity, systems like Tor route traffic across multiple relays rather than a single proxy, altering the trust model (Tor Project Support).
Implementations and software
Common open-source and commercial implementations include Squid (forward proxy and cache), Apache Traffic Server (caching forward/reverse proxy and HTTP load balancer), and NGINX (reverse proxy, content cache, and load balancer). Documentation describes typical reverse-proxy flows, caching behavior, and configuration primitives such as mapping rules or proxy_pass (Squid docs; Apache Traffic Server docs; NGINX docs). Squid commonly listens on port 3128 by default, though administrators often choose other ports; SOCKS defaults to 1080 per IANA (Squid docs; IANA registry).
Relation to other technologies
- Reverse proxy and API gateways consolidate TLS termination, routing, and observability in front of services (IETF RFC 9110; NGINX docs).
- Web cache intermediaries store reusable responses to reduce latency and bandwidth (IETF RFC 9111).
- SOCKS proxies operate below application semantics and can relay TCP and UDP for diverse protocols (RFC 1928).