Squid transparent proxy server

A transparent proxy, also known as an intercepting proxy or a forced proxy, is a server that intercepts outgoing traffic on a network before it reaches the Internet, without any configuration on the client computer. Unlike explicit proxies, which require configuration in the client software, transparent proxies only require server configuration, which means they can be used on a network without the end user's knowledge. These servers are often used to optimize load balancing or filter content. Many schools and workplaces use this kind of proxy server.
Like an explicit proxy, a transparent proxy can improve network performance through a process known as caching. Data is stored locally on the first request, allowing subsequent requests to be processed much faster. In a network using a transparent proxy, all requests from client computers go through a single host, so the host can store most of the frequently requested data locally, saving the need to transfer data over the Internet. When a large number of web requests are made, for example on many school or business networks, caching can save a lot of time and bandwidth.

A transparent proxy can also be used to filter or block certain web content from reaching the network. The network administrator can set a list of websites that the proxy server will filter before they can be accessed by end users. For example, an employer may wish to prohibit employees from viewing sports websites while working. With a correctly configured transparent proxy, attempting to check yesterday's sports scores will result in a page error for the employee, preventing him or her from wasting hours of work on a non-work related website. Although this filtering method will often be sufficient to prevent users from accidentally accessing inappropriate content, experienced users may find ways to bypass the filtering process due to limitations in this technology.

Transparent proxies are useful in many educational and commercial computer networks. A transparent proxy server does not require configuration on each client computer, so network administrators often use them to save the time of configuring individual systems. Although a transparent proxy provides the same caching and filtering benefits as most explicit proxies, it does not offer any Internet Protocol (IP) address masking functionality. Therefore, a transparent proxy is not suitable for many online security purposes often associated with web proxies.

DMITRY REPIN

Transparent proxy. To be or not to be?

The entire text of this article is solely the personal opinion of the author and does not pretend to be a collection of axioms. All research and conclusions described in the article should also be viewed through the prism of the author’s subjectivity, because, as the ancient sages said, “Errare humanum est.” Also, the author is not responsible for any actions (and their consequences) performed by the reader after reading this article.

Lyrical digression

The job of a system administrator is inextricably linked with programming. Only knowledge of software development can help in solving software problems, because analysis is part of the solution. A specialist must have a clear understanding of the internal mechanisms of the system, and this comes only with experience in writing and, more importantly, modifying software.

Systems of the UNIX-like family are the greatest source of knowledge for self-education and a testing ground for experimentation. The open source code of the system and application software, low-level access to settings and their flexibility: all this allows you to delve deeper into the principles of operation of computer systems and networks. In addition, this allows you to create all sorts of non-standard configurations of familiar software. What is it for? First of all, to expand the capabilities of the system. The second argument in favor of such “surgical interventions” in software is the presence of various errors in software development.

This article is devoted to the problems of transparent proxying using the example of the popular Squid server. The OS used was stable FreeBSD version 4.7.

General principles of transparent proxying

When the proxy server operates in transparent mode, users' web access to the Internet does not require setting up a browser to interact with the proxy at each workstation, and the users themselves may not even be aware of the existence of the proxy server. In this mode, administrators and technicians receive fewer questions and complaints from users about setting up client software.

Technically, this mode is implemented as follows. Using a firewall, all connections to a specific port (in the case of HTTP – port 80) of external servers are redirected to the local port of the proxy server (usually 3128).

According to the HTTP 1.1 protocol standard (RFC2616), each client request must contain a “Host” header, which indicates the address of the server receiving the request. It is with the help of this header that the proxy server determines the recipient and connects to it. As for other popular protocols (FTP, HTTPS, etc.), they simply do not provide such a possibility. On this “cheerful note” you can start describing the problems.

Authorization on the proxy server makes it possible to log the activity of local network users and restrict their Internet access by name (login), regardless of which computer the user is on and what address that computer has. Otherwise, the administrator can control employees' activity based only on IP addresses, which allows users to bypass restrictions. Thus, authorization on the proxy server is a necessary element of the local network infrastructure. And now about the sad thing: authorization on a “transparent” proxy server is almost impossible. However, such a statement clearly contradicts the standards.

Let's turn to the primary source - the description of the HTTP protocol - document RFC2616. According to the standard, an HTTP client, when receiving a server status response with code 407 (Proxy Authentication Required), is required to send authorization data to the server. To illustrate the work and for testing, the author wrote a small http server in Perl, which produced the necessary statuses and headers, and also wrote a log of requests and responses.

As a result of the server’s operation, the client will receive data in 4 stages:

  1. The client requests a document, and the server reports the need for Proxy authorization.
  2. The client requests the document again, but with proxy authorization data.
  3. To check the functionality of the system, the server also asks for authorization for the Web - a model of the situation when a user accesses a protected document on a remote server through a proxy with authorization.
  4. The client obediently logs in “double” – on the proxy server and the web server.

The test clients were the browsers Mozilla FireBird 0.6.1, Microsoft Internet Explorer 6.0.2800.1106 and Opera 6.05.

Test server code:

#!/usr/bin/perl -w
use strict;
use Socket;

# Create a socket, bind it to all addresses (for convenience) on port 8080 and start listening.
socket(SERVER, PF_INET, SOCK_STREAM, getprotobyname("tcp")) or die "socket: $!";
setsockopt(SERVER, SOL_SOCKET, SO_REUSEADDR, 1) or die "setsockopt: $!";
bind(SERVER, sockaddr_in(8080, INADDR_ANY)) or die "bind: $!";
listen(SERVER, SOMAXCONN) or die "listen: $!";
$| = 1;
my $CR = "\015\012";

# Accept incoming connections
while (1) {
    # Accept a client, determine its address/port/host and print them (for debugging)
    my $paddr = accept(CLIENT, SERVER) or next;
    my ($ip, $port, $name) = remote($paddr);
    print "Connection from $ip:$port ($name)\n";

    # Read the entire request from the client into one variable
    my $DATA = "";
    while (<CLIENT>) {
        chomp;
        $_ =~ s/\r|\n//g;
        last unless $_;
        $DATA .= $_ . "\n";
    }

    # Write the request to the log file
    Log($DATA);

    # Simple check for the required headers in the request: send the matching
    # response to the client and write it to the log file.
    if ($DATA !~ /Proxy-Authorization/) {
        Log(Response407());
        print CLIENT Response407();
    } elsif ($DATA !~ /\012Authorization/) {
        Log(Response401());
        print CLIENT Response401();
    } else {
        Log(Response200());
        print CLIENT Response200();
    }

    # Close the current connection
    print "Connection closed.\n";
    close CLIENT;
}

# Close the server socket
close SERVER;

# For convenience, the server responses are composed in separate functions.
# The response bodies are missing from the page; the bodies below are
# placeholders sized to match the Content-Length values shown.
sub Response401 {
    return "HTTP/1.1 401 Unauthorized$CR" .
        "Mime-Version: 1.0$CR" .
        "Content-Length: 20$CR" .
        "WWW-Authenticate: Basic realm=\" --== Protected web-Area ==--\"$CR" .
        "Connection: close$CR$CR" .
        "<h1>Auth needed</h1>";
}

sub Response407 {
    return "HTTP/1.1 407 Proxy Authentication Required$CR" .
        "Server: squid/2.5.STABLE3$CR" .
        "Mime-Version: 1.0$CR" .
        "Content-Type: text/html$CR" .
        "Content-Length: 20$CR" .
        "Proxy-Authenticate: NTLM$CR" .
        "Proxy-Authenticate: Basic realm=\"<-- 407 Protected Proxy-->\"$CR" .
        "Connection: close$CR$CR" .
        "<h1>Auth needed</h1>";
}

sub Response200 {
    return "HTTP/1.1 200 OK$CR" .
        "Server: squid/2.5.STABLE3$CR" .
        "Mime-Version: 1.0$CR" .
        "Content-Type: text/html$CR" .
        "Content-Length: 19$CR" .
        "Connection: close$CR$CR" .
        "<h1>All is OK!</h1>";
}

# Function for determining the client's address, port and hostname
sub remote {
    my $rem = shift;
    return undef unless $rem;
    my ($port, $ip) = sockaddr_in($rem);
    # Fall back to a fixed label when the reverse lookup fails
    my $host = gethostbyaddr($ip, AF_INET) || "unknown";
    return (inet_ntoa($ip), $port, $host);
}

# Function for writing to a log file
sub Log {
    my $text = shift;
    open(F, ">>connection.log") or die "connection.log: $!";
    print F scalar(localtime) . "\n";
    for (split /\n/, $text) {
        print F "\t$_\n";
    }
    print F "\n//====//\n\n";
    close(F);
}

First browser request:

GET /?test HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5a) Gecko/20030728 Mozilla Firebird/0.6.1

The server responds:

The server reports that everything is fine:

HTTP/1.1 200 OK
Server: squid/2.5.STABLE3
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 19
Connection: close

Using Mozilla FireBird 0.6.1 as an example, this log illustrates the completely “legal” possibility of using authorization on a transparent proxy server. A reasonable question arises: why does the Squid server FAQ contain the phrase “...proxy_auth can’t be used in a transparent proxy...”?

First, let's look at the Squid source code. The connection between authorization and the server's operating mode can be traced in two files – acl.c and client_side.c. When analyzing the code, it becomes clear that the ability to use authorization in this case is simply ignored!

Source code section acl.c:

    http_hdr_type headertype;
    if (NULL == r) {
        return -1;
    } else if (!r->flags.accelerated) {
        /* Proxy authorization on proxy requests */
        headertype = HDR_PROXY_AUTHORIZATION;
    } else if (r->flags.internal) {
        /* WWW authorization on accelerated internal requests */
    } else {
#if AUTH_ON_ACCELERATION
        /* WWW authorization on accelerated requests */
        headertype = HDR_AUTHORIZATION;
#else
        debug(28, 1) ("aclAuthenticated: authentication not applicable on accelerated requests.");
        return -1;
#endif
    }

Source code section client_side.c:

    if (answer == ACCESS_REQ_PROXY_AUTH || aclIsProxyAuth(AclMatchedName)) {
        if (!http->flags.accel) {
            /* Proxy authorization needed */
            status = HTTP_PROXY_AUTHENTICATION_REQUIRED;
        } else {
            /* WWW authorization needed */
            status = HTTP_UNAUTHORIZED;
        }
        if (page_id == ERR_NONE)
            page_id = ERR_CACHE_ACCESS_DENIED;
    } else {
        status = HTTP_FORBIDDEN;
        if (page_id == ERR_NONE)
            page_id = ERR_ACCESS_DENIED;
    }

This oddity, discovered during the research, further fueled the author’s interest in the issue under discussion.

In this regard, naturally, the server's source code underwent changes. The result was a modified version of the Squid server in which authorization and transparent mode work together. But...

Further research revealed that the most popular browser, Microsoft Internet Explorer, is unable to follow standards! If the settings of this client do not explicitly specify the use of a proxy server, then MSIE simply ignores the 407 HTTP status and reports an error. Moreover, older versions for Windows 9X simply crash with a critical error in the WININET.DLL library when receiving the above-described status code.

In this regard, it becomes clear that using authorization with transparent proxying is impossible. After all, the vast majority of users work with Microsoft Internet Explorer. If your network only uses Mozilla-based browsers, you can modify your Squid-2.5.STABLE3 server using patches located at http://www.comprice.ru/cmapuk/squid_patch.tgz

In addition to the above, it is worth adding that all current browsers, one way or another, do not fully comply with the standards. For example, HTTP status 305 (Use Proxy), which tells the client to use the proxy server specified in the response, is ignored by Microsoft Internet Explorer, Mozilla FireBird and Opera alike. Besides, the Opera browser (tested on version 6.05) does not support NTLM authorization, although it processes the 407 status code correctly and authorizes without difficulty using the Basic type.

So, there is now no doubt about the actual existence of the problem and the practical impossibility of solving it. However, the “political” rationale for non-compliance with standards remains unknown. After some thought on this topic, the author of the article came up with a hypothesis about the reason for the “non-standard” nature of MSIE as an HTTP client.

If a fully standards-compliant browser sends authorization data whenever it receives a server response with code 407, this information can be obtained by any third party. For example: a malicious user configures a web server (external or on the local network) to respond with the above code to any request (this can be an elementary “home-written” server of 10-15 lines). Then, using the simplest social engineering techniques, the victim is lured into a trap to obtain just one HTTP session between the victim and the attacker's server. As a result, the “hacker” obtains the user’s authorization data (for example, NTLM authorization data), which can lead to unauthorized access to information with all the ensuing consequences.

Taking this hypothesis into account, we can conclude that ignoring such necessary and at the same time dangerous standard features has some pretty good reasons.

Multiple protocols

As a rule, the task of a proxy server includes servicing clients not only via HTTP, but also FTP and HTTPS. In addition, there is often a need for an HTTP connection on alternative ports (8000, 8080, etc.). Related to this is the second and, perhaps, most complex problem of transparent proxying – the Squid proxy server in transparent mode can serve connections using only one protocol – HTTP.

Due to the fact that the solution to this problem is by no means trivial, this part of the article will be devoted to considering the causes of this problem and only theoretical ways to solve it.

Alternative HTTP Ports

As mentioned at the beginning of the article, the HTTP 1.1 protocol specification requires the client to include a mandatory “Host” header in the request. This header contains the name of the server to which the request is addressed. Thus, to obtain data from http://www.server.info over a direct connection, the minimum HTTP request would be:

GET / HTTP/1.1
Host: www.server.info

If the client software is adapted to work through a proxy server and configured accordingly, the request will look like this:

GET http://www.server.info HTTP/1.1
Host: www.server.info

If the remote server serves clients on an alternative port, the request through the proxy will contain information about this:

GET http://www.server.info:8080 HTTP/1.1
Host: www.server.info

When connecting directly to a remote server, the client request does not change depending on the port and remains the same as in the first example. As a result, when working in transparent mode, the proxy server cannot determine the real port of the remote server that the client contacted, since the client does not even suspect the existence of an “intermediary”.

Modern versions of the Squid proxy server support the ability to determine the host and port using packet filter libraries such as ipfilter on BSD systems or netfilter on Linux. To work with these libraries, you must specify the appropriate options (--enable-ipf-transparent) when compiling the server. After the server is built, it will have access to detailed information about the connection.

Code section client_side.c:

#if IPF_TRANSPARENT
    natLookup.nl_inport = http->conn->me.sin_port;
    natLookup.nl_outport = http->conn->peer.sin_port;
    natLookup.nl_inip = http->conn->me.sin_addr;
    natLookup.nl_outip = http->conn->peer.sin_addr;

It may seem that this approach requires switching firewall filtering to ipfilter/ipnat and abandoning ipfw. However, for Squid to work, you just need to enable support for this packet filter, and you can still forward packets using ipfw.

Proxying FTP and HTTPS

With normal proxying, client requests to a proxy server to receive a file from a remote server via FTP look the same as HTTP requests:

GET ftp://ftp.server.info HTTP/1.1
Host: ftp.server.info

The client implementing the FTP protocol in this case is the proxy server itself. After receiving the file, the proxy server responds to the client with a normal HTTP response and returns the data.

The client can also “request” the proxy server to connect directly to a remote host for data exchange. Then the request will look like this:

CONNECT ftp.server.info:21 HTTP/1.1
Host: ftp.server.info

Thanks to this type of request, the intermediary clearly understands the task assigned to it and performs it in accordance with the recommendations of the system administrator in the form of acl and http_access directives in the configuration file.

Communication between a client and a remote server via SSL-protected protocols always occurs using the CONNECT method:

CONNECT secure.server.info:443 HTTP/1.1
Host: secure.server.info

When a client connects directly to a remote host without intermediaries (and with transparent proxying, the client “thinks” it does), it implements the application-level protocols, such as FTP and HTTP, itself. As a result, the proxy server cannot determine the task assigned to it. When a firewall is used to redirect all connections to ports 21 and 443 to the proxy port (3128), the latter receives in the first case the string “USER username”, and in the second a seemingly incoherent set of characters.
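The alternative-port problem and the FTP/HTTPS problem described above, as an added Python example (not Squid's code): it rebuilds the destination URL of an intercepted request from the Host header plus, when available, the original destination obtained from a NAT lookup, and rejects first bytes that are not an HTTP request line. The function names, the `orig_dst` parameter and the 203.0.113.10 address are assumptions made for illustration; the example also handles a Host header that carries an explicit port.

```python
from typing import NamedTuple, Optional, Tuple

METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT"}


class Resolved(NamedTuple):
    kind: str                 # "intercepted", "absolute", "connect", "not-http", "unresolvable"
    url: Optional[str]
    notes: Tuple[str, ...]


def split_host(value):
    """Split a Host header value into (name, port or None)."""
    value = value.strip()
    if value.startswith("["):                      # IPv6 literal such as [::1]:8080
        name, _, rest = value.partition("]")
        return name + "]", int(rest[1:]) if rest[1:].isdigit() else None
    name, sep, port = value.partition(":")
    return name, int(port) if sep and port.isdigit() else None


def resolve_intercepted(data, orig_dst=None):
    """Work out what an intercepted connection is asking for.

    data     -- first bytes read from the redirected connection
    orig_dst -- (ip, port) the client really dialled, as a NAT lookup would
                report it; None when the proxy has no such lookup
    """
    head = data.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] not in METHODS or not parts[2].startswith("HTTP/"):
        # e.g. "USER username" from FTP, or the binary start of an SSL handshake
        return Resolved("not-http", None, ("first line is not an HTTP request line",))
    method, target, _ = parts
    if method == "CONNECT":
        return Resolved("connect", target, ("client addressed a proxy explicitly",))
    if target.lower().startswith(("http://", "ftp://")):
        return Resolved("absolute", target, ("client addressed a proxy explicitly",))

    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())

    notes = []
    host, host_port = split_host(headers["host"]) if "host" in headers else ("", None)
    if not host:
        if orig_dst is None:
            return Resolved("unresolvable", None, ("no Host header and no NAT lookup",))
        host = orig_dst[0]
        notes.append("no Host header: using original destination address")

    if orig_dst is not None:
        port = orig_dst[1]                         # the connection itself is authoritative
        if host_port is not None and host_port != port:
            notes.append(f"Host header port {host_port} differs from connection port {port}")
    elif host_port is not None:
        port = host_port
    else:
        port = 80
        notes.append("port assumed to be 80")

    authority = host if port == 80 else f"{host}:{port}"
    return Resolved("intercepted", f"http://{authority}{target}", tuple(notes))


if __name__ == "__main__":
    # Constructed sample inputs
    plain = b"GET / HTTP/1.1\r\nHost: www.server.info\r\n\r\n"
    samples = [
        (plain, None),
        (plain, ("203.0.113.10", 8080)),
        (b"GET / HTTP/1.1\r\nHost: www.server.info:8000\r\n\r\n", ("203.0.113.10", 8080)),
        (b"USER username\r\n", ("203.0.113.10", 21)),
        (b"\x16\x03\x01\x00\x2e\x01\x00", ("203.0.113.10", 443)),
    ]
    for data, dst in samples:
        print(dst, resolve_intercepted(data, dst))
```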

Solving this problem requires surgical intervention in the source code of the Squid proxy server. The goal of modifying the server is to “teach” the server to become almost the same intermediary as with the CONNECT method, depending on the port number of the requested remote server.

To demonstrate this idea, let's write another simple server:

#!/usr/bin/perl -w
use strict;
use Socket;

# Local address of the mini-proxy
my $maddr = sockaddr_in(30021, inet_aton("localhost"));

# Let's say we already know the remote FTP address
my $paddr = sockaddr_in(21, inet_aton("ftp.freebsd.org"));

# Open a socket for the proxy server and start listening
socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname("tcp")) or die $!;
setsockopt(SOCK, SOL_SOCKET, SO_REUSEADDR, 1) or die $!;
bind(SOCK, $maddr) or die $!;
listen(SOCK, SOMAXCONN) or die $!;

# Intercept the PIPE signal. This signal appears when trying to work with a closed stream
$SIG{PIPE} = sub {
    close(SERVER);
    close(CLIENT);
    close(SOCK);
    exit;
};

$| = 1;    # disable buffering of the STDOUT stream

# Accept connections
while (accept(CLIENT, SOCK)) {
    print "Connection detect.\n";

    # Connect to the remote FTP server
    socket(SERVER, PF_INET, SOCK_STREAM, getprotobyname("tcp")) or die $!;
    connect(SERVER, $paddr) or die $!;

    # Start exchanging information
    SESSION: while (1) {
        my $server = "";

        # Disable buffering of the client and server streams
        select(CLIENT); $| = 1;
        select(SERVER); $| = 1;
        select(STDOUT);

        # Until the server marks the end of its reply with a status line
        # ("NNN " followed by text), accept all data, pass it to the client
        # and display it on the screen at the same time
        while ($server !~ /^\d{3}\s/) {
            $server = <SERVER>;
            last SESSION unless defined $server;    # server closed the connection
            print CLIENT $server;
            print $server;
        }

        # Accept the command from the client and send it to the server. Display it as well
        my $client = <CLIENT>;
        last SESSION unless defined $client;        # client closed the connection
        print SERVER $client;
        print $client;
    }
    close SERVER;
    close CLIENT;
}
close SOCK;

Add a firewall rule that redirects all requests to port 21 to local port 30021, and launch the test server.

ipfw add 30002 fwd 127.0.0.1,30021 tcp from 192.168.0.0/24 to any 21 via xl0

Now open the browser and try to go to ftp://ftp.freebsd.org (of course, without proxy settings). The result of a simple test shows that transparent proxying over protocols other than HTTP is quite possible. Now let's set a specific task for modifying the Squid proxy server.

1. Add a new directive to the server's configuration options (let’s call it direct_port) in the following format:

direct_port PORT PROTOCOL

where PORT is the final port of the remote server; PROTOCOL is a protocol over which the proxy server should act as an intermediary. Example:

direct_port 21 FTP, direct_port 443 SSL

2. Add to the existing mediation “service” that uses the CONNECT method a modified version in which the proxy server does not interfere with the communication between the client and the remote server by adding unnecessary headers.

3. Establish control over the new connection type using ACL directives.

Solving this problem is a very labor-intensive process for a researcher who has never participated in the development of the Squid proxy server. Therefore, the author of this article currently has no ready-made solution in the form of patches, etc. However, perhaps this research will attract the attention of enthusiasts (or the Squid developers themselves) to the above problem and a solution will appear.

Conclusion

The study showed that true transparent proxying without harm to users and administrators is a reality. The only serious problem on the way to implementing transparent proxying technology remains the non-compliance of the Microsoft Internet Explorer browser with standards. It is quite possible that in the future this drawback in MSIE will disappear if we draw the attention of Microsoft specialists to this problem. Currently, or rather, once the Squid proxy server is modified, any organization whose corporate standards do not include the use of the MSIE browser will be able to fully use transparent proxying.

Another problem that remains in the shadows is that the proxy server can determine the address of the remote server, but not its name. In this regard, there may be a problem with access via FTP and HTTPS to servers with virtual domains, which are often used on free hosting (and not only there).

In conclusion, I would like to say at least one phrase in the first person. I hope that the work done will not leave the community of free developers indifferent to the imperfections of application software and will encourage amateurs and professionals to new research.

Not many users know what a transparent Squid proxy server is, why Squid is needed, and what its advantages and disadvantages are. Now we will look at each question separately and try to understand the topic.

Disadvantages of a transparent proxy:

  • In transparent mode, it does not work with SSL. This means that you will not be able to access a site with the address https://.... In authentication mode it can work with the HTTP, SSL and FTP protocols.
  • It cannot work in two modes at once: authentication and transparent. Transparent mode is access to the Internet without any settings, logins, etc. Authentication mode is when the user needs to enter a login/password or other settings provided by the administrator.
  • It cannot work with POP3, SMTP and IMAP mail servers. You will not be able to receive or send mail through a SQUID proxy.

Mode - cascade proxy

As mentioned above, squid can save information in the computer's RAM, which can be returned to in a split second if necessary. When searching for information, a cascade proxy first queries all groups on the network, and only if the information is not available there is an Internet search carried out. Undoubtedly, a convenient and useful function.

To summarize, we can say with confidence: squid is an excellent enterprise solution for organizing secure access to the Internet. Squid is a transparent proxy that allows you to access the Internet without going through additional authentication, but at the same time, it also has its disadvantages, the main one of which is the inability to use SSL.

A proxy server is an intermediate computer that acts as an intermediary between your computer and the Internet. Proxies are usually used either to speed up the Internet or to navigate it anonymously. An anonymous proxy can also be used as an additional means of protection: an anonymous proxy replaces your IP address, and the attacker will try to attack not your computer but the proxy server, which often has the most powerful protection system.

There are several types of proxies, the main difference of which is the functions they perform:

HTTP/HTTPS proxy – the most common type of proxy server, which often has a port number of 80, 8080 or 3128. By anonymity level, HTTP proxies are divided into: transparent (do not hide the client’s real IP address), anonymous (indicate that a proxy is being used, but do not give out the client’s real IP address), distorting (distort the client’s IP address) and elite proxies (do not indicate the fact that a proxy server is used and hide the client's real IP address).
SOCKS proxy – a proxy server that transfers absolutely all data from the client to the server, without changing or adding anything. From the point of view of the web server, the SOCKS proxy is a client, i.e. SOCKS proxies are anonymous by definition. It has the subtypes SOCKS4, SOCKS4a and SOCKS5. Most often, SOCKS proxies have port numbers 1080 and 1081.
FTP proxy – a proxy server designed to work with file managers.
CGI proxy or Anonymizer – web pages that allow anonymous transition from one web page to another. To use this type of proxy you do not need to change your browser settings; it is enough to put the address of the anonymizer before the address of the page you are going to visit.

Based on the principle of operation, proxy servers can be distinguished by two key characteristics.

Firstly, some proxy servers have associated caches, while others do not. Second, regardless of caching, some proxies modify messages passing through them, while others do not.

Caching proxies
The difference between regular and caching proxies is quite important. A regular proxy server simply forwards requests and responses. A caching proxy server is capable of maintaining its own store of previously received responses. When the proxy server receives a request that can be satisfied by a cached response, the request is not forwarded and the response is returned by the proxy server. As we'll see later in this chapter, certain conditions must be met for a cached response to be returned. We use the term caching proxy for a proxy that has a cache associated with it.

Transparent proxy server
Based on the principle of message transmission, proxy servers can be divided into two groups: transparent and opaque. The difference between them is related to the modification of messages passing through the proxy server. A transparent proxy modifies the request or response only as necessary. An example of such a change to a message by a transparent proxy would be to add identifying information about itself or the server from which the message was received. Such information may even be required by the HTTP protocol. In section 3.8 we will talk about the misuse of the term "transparent proxy" in various fields of the Web industry to designate proxy servers that would be more accurately called intercepting proxy servers.
An opaque proxy server can modify the request and/or the response. An example of such a request change is anonymization, in which information about the proxy server's client is hidden. An example of changing a response would be a format conversion: an image is converted from one format to another to reduce the size of the response. Another example of an opaque proxy is a proxy that translates a document from one language to another. There are rules that are common to both types of proxy servers. At the same time, each type of proxy server has its own rules. A transparent proxy must ensure that the length of the message content does not change as the message passes through the proxy. Note that transparent and opaque proxies are different from gateways and tunnels. Both types of proxies can, unlike tunnels, have a cache associated with them. Both types of proxy servers act as an intermediate link between the Web client and the Web server, i.e. messages are exchanged in HTTP format.

Transparent proxies mean standard proxy servers, which do not change the user’s data, leaving them in their “original” form. That is, they do not hide the IP address.

Transparent Proxy handles all HTTP traffic without requiring the user to specify any settings.

Such proxies help speed up access to site pages that the user defines - mainly frequently visited ones. Loading speeds up by placing sites in the cache. As a rule, transparent proxies are faster (faster download speeds) than their elite or anonymous “comrades”.

Employers use this type of proxy to restrict employee access to certain websites (social media, for example).

The main disadvantage is the low level of secrecy. Basically, transparent proxies are used to boost counters on a page, when downloading files from file hosting services, and to block local firewalls.

Transparent Proxy conveys HTTP headers something like this:

REMOTE_ADDR – demonstrates IP proxy

The _X_ in the variable name indicates that the use of this variable is optional. Such a variable is transmitted in the form HTTP_X_FORWARDED_FOR.

However, the leading proxies (Cache Engine, Squid) are quite active in supporting this variable.

Anonymous proxy

When it comes to caching, anonymous proxies have similar benefits to transparent ones. Plus one more undeniable advantage, the essence of which is conveyed in the name itself: anonymity. And since confidentiality on the Internet is a guarantee that the computer will not be hacked with all the ensuing consequences, there are more and more fans of anonymous proxies.

Anonymous proxies hide user data when surfing the Internet. They change the IP address randomly. And the IP address is not registered for a simple reason: the HTTP_X_FORWARDED_FOR value is not sent to the end site at all. Impressive, isn't it?!

An anonymous proxy also produces:

REMOTE_ADDR - demonstrates IP proxy

HTTP_VIA – shows the proxy server address

HTTP_X_FORWARDED_FOR - tells the proxy your IP address.

However, all information is filled out solely for show and does not contain true information. And nothing more is needed, as many Internet users believe.

Elite Proxy

Using an elite proxy is the most advanced level of protection, because such a proxy can ensure the safety of your Internet browsing to the maximum degree.

Elite Proxy is excellent at camouflage. This means that no signs of using a proxy server will appear on the Internet. But it will be impossible to find out your IP address. The HTTP_X_FORWARDED_FOR, HTTP_PROXY_CONNECTION, HTTP_VIA headers are not sent at all. The host does not receive any information: neither about the use of a proxy, nor the IP address. In this regard, elite proxies are superior to all other proxy servers.

However, Elite Proxy also has a drawback: the REMOTE_ADDR header stores the proxy's IP address. Therefore, when you send packets with cookies saved as a result of Internet surfing, when you did not use an elite proxy, sites will not recognize you. Don't want to let this happen? Clear your cache and cookies in advance.