What is a Transparent Proxy | Client vs. Server Side Use Cases
What is a Transparent Proxy
A transparent proxy, also known as an inline proxy, intercepting proxy or forced proxy, is a server that intercepts the connection between an end-user or device and the internet. It is called “transparent” because it does so without modifying requests and responses. Squid Transparent Proxy Server is a popular open source transparent proxy tool.
For example, a user on a corporate network may be surfing the Internet. The user requests to view a news article on, and views the same content as they would on their local connection at home.
However, unbeknownst to the user, the news article is delivered not from the origin server, but rather from a transparent proxy running on the corporate network. The user’s experience is exactly the same. However, the user’s employer now has the ability to monitor their behavior, and also restrict access to certain websites.
Example of a transparent proxy deployment
Transparent Proxies and Forced Proxies
Transparent proxies are sometimes known as forced proxies because they can be applied to a user’s connection without any change to their computer’s proxy settings.
As a result, a transparent proxy can be “forced” on a user without their consent or knowledge (although in many cases users are informed about the presence of a proxy). Some websites maintain unofficial transparent proxy lists, to help users become aware they are monitored.
Transparent proxies, by definition, are set up by the operator of a network or a website, and not by the end-user.
Transparent Proxy Settings
When you set up a transparent proxy, some of the common proxy settings are:
Authentication—provides the server with the same credentials as the users behind the proxy
Interception—defines how the proxy should intercept traffic, at the operating system level or at the router level
Caching—defines whether the proxy server should cache content for returning users
Reverse proxy—you can place the proxy in front of a web server to accelerate performance for users (as opposed to setting it to intercept remote access)
Filtering chat, data streaming, torrent threads, etc—configure the transparent proxy not to allow users to access certain protocols or ports
Uses for Transparent Proxy on Client Side
You can deploy a transparent proxy on the client side, meaning that all traffic to and from a client endpoint is intercepted by the proxy. Use cases for client-side transparent proxies include:
Content Filtering
You can use a transparent proxy to filter out unwanted content, defined via proxy settings. For example, when a specific website is requested, the proxy can refrain from forwarding the request to the web server. Instead, it intercepts the connection and displays an error or notice to the user.
Gateway Proxies
You can use a gateway proxy to modify or block network traffic based on rules. For example, a firewall is a transparent proxy, which allows traffic to pass between an internal network and the Internet, but blocks traffic if it violates the firewall’s rule table.
Transparent Caching
If multiple people are accessing the same content from the same location—for example, many students viewing the same news site via their university network—it is more efficient to initially cache the content, and serve it from cache to subsequent users. A transparent proxy can do this for an organization, facility or neighborhood.
Traffic Monitoring
If you operate a network, you can set up a transparent proxy to monitor user traffic and behavior.
Traffic monitoring can also have illegitimate uses—for example, an unscrupulous public wifi operator can monitor user’s connections and steal data and credentials.
Authentication
Public wifi spots and cellular Internet operators sometimes use transparent proxies to force users to authenticate themselves on the network, and agree to terms of service. Only after a user authenticates and agrees, are they allowed to surf.
Users may not realize that even after the initial authentication screen, the entire connection is intercepted and could be monitored by the operator, via the transparent proxy.
Uses for Transparent Proxy on the Server Side
TCP Intercept for DoS Protection
TCP intercept is a type of transparent proxy which you can use to protect a server against a SYN-flood Denial of Service (DoS) attack. It intercepts all traffic to a web server, accepts client requests, and performs a three-way handshake. If successful, it performs a three-way handshake with the server, and joins the two half-connections between client and server.
The TCP intercept watches TCP requests, and waits (typically 30 seconds) for connections to be established. When the number of inactive connections exceeds a certain threshold, the TCP intercept enters “aggressive mode”. In this mode, each new arriving connection causes the oldest inactive connection to be deleted.
This technique is no longer effective against modern, large scale Distributed Denial of Service (DDoS) attacks. Attackers controlling high-powered servers, or millions of zombie computers, can create SYN floods that easily overwhelm a TCP intercept controller.
This is why many organizations are using cloud-based services like Imperva’s DDoS Protection. Cloud-based DDoS services are able to scale up on-demand to handle large scale attacks, and can also protect against other types of DDoS. For example, DDoS services can prevent protocol attacks and application layer attacks, which do not occur at the TCP layer.
Transparent Proxy and CDN for Front-End Optimization
A Content Delivery Network (CDN) is a globally distributed network of proxy servers, which caches and serves content to users near their geographical location.
A CDN, such as Imperva’s Global Content Delivery Network, is a type of transparent proxy operating on the server side, whose purpose is to perform front-end optimization to improve the end-user experience. It intercepts traffic to a web server and instead of letting the user access the origin server directly, it offers the same content from its cache. This results in improved performance for user and reduced system resources required on the server.
What is a transparent proxy? How to detect and bypass
Most internet users interact with transparent proxies every day without realizing it. In this article, we’ll discuss how transparent proxies work, how they’re used, and how to detect whether you’re behind one.
@pabischoff February 20, 2019
Like all network proxies, a transparent proxy intercepts and redirects data in transit, typically through the internet. In plainest terms, transparent proxies do not modify the data that pass through them. But what really sets transparent proxies apart is that clients—end user devices used by you and me—don’t need to configure or even be aware of the proxy in order for it to work. Transparent proxies are sometimes called inline, intercepting, reverse, invisible, or forced proxies.
If you’re a frequent internet user, you probably interact with transparent proxies all the time without realizing it. Chances are, your internet service provider uses transparent proxies whenever you want to access popular websites, videos, and news articles. Instead of sending and receiving a video from Netflix’s server across the country every time someone wants to watch it, your local ISP will “cache” a copy of the video on its own servers. When you go to watch the video, the transparent proxy will redirect you to the cached version of the video, saving upstream bandwidth. As an end user, you get higher quality video with less buffering, but otherwise the experience is indistinguishable from a direct connection to Netflix.
Transparent proxies are integral to content delivery networks, or CDNs, that perform caching on a large scale. But that’s just one of many applications. In this article, we’ll discuss in more detail how transparent proxies work, how they are used, their pros and cons, and how to detect and bypass them.
How transparent proxies work
To the end user, a transparent proxy is basically malware. It intercepts internet traffic and redirects it to another destination without the end user’s consent. This essentially describes a man-in-the-middle (MITM) attack. However, transparent proxies are not always malicious.
Transparent proxies usually sit between users and the web. When a user sends a request to connect to, say, a website, it is first redirected to the proxy server. Redirection is usually handled by a firewall on the same host as the proxy server, such as iptables on Linux.
The proxy server receives the request and then asks the redirector–the firewall–for the original destination of the connection. It can then decide whether to allow the connection to go through to the original destination, block the connection, or redirect the connection.
Squid is the most popular software used to set up transparent proxies.
How transparent proxies are used
Transparent proxies do not require any configuration on the client side, so users don’t need to download any apps or make any configuration changes on their end to use them. Instead, configuration is left to the service provider, which has greater control over how users interact with their services. This makes transparent proxies useful for situations in which the quantity and types of clients on the network are unknown.
Caching
We briefly described proxy caching in the introduction. Whenever a user connects to a website to, say, watch a video, a copy of the video is stored in a cache on the proxy’s host server. The proxy redirects future requests for that video to the cached version, and the user never knows the difference. Similar methods are used in large-scale content delivery networks (CDNs).
Proxy caching saves the ISP upstream bandwidth that would have been used to stream the video all the way from the source upon each request, and the user’s video buffers more quickly.
Filtering
Filtering proxies are used to restrict access to resources on the network. If that network is the internet, then filtering proxies can be used for censorship. An office building’s proxy could disregard requests to Facebook and YouTube in order to keep employees on task. Schools and libraries often employ filtering proxies to prevent users from accessing inappropriate content. Nation-states can use filtering proxies to monitor and censor content that they deem inappropriate or offensive.
Gateway
Have you ever connected to a public wifi hotspot that required you to agree to the provider’s terms of service, log in with your email, or watch an ad before it would allow access to the internet? Chances are, that network was using a gateway proxy. Transparent proxies can modify or block traffic based on certain rules, selectively restricting access to the internet. In this example, the proxy redirects users to a login page.
DDoS protection
Proxy DDoS protection, or “remote” DDoS protection, is a technique that uses a transparent proxy to prevent distributed denial-of-service (DDoS) attacks from crippling networks. A DDoS attack involves flooding a server with junk requests, often from a botnet that includes multiple devices. When a DDoS attack hits the proxy server, it prevents the flood of packets from hitting the main server. Users who can’t connect through the proxy due to congestion from the attack are simply redirected to another transparent proxy. A server can have as many backup transparent proxies as necessary to fend off junk requests and keep the site up and running for legitimate users.
How to detect if you’re behind a transparent proxy
A simple way to check whether or not you’re behind a transparent proxy is to attempt to connect to a server you know does not exist. If there’s no proxy, you’ll see a typical error message in your browser. Chrome says, “This site can’t be reached, ” because the IP address cannot be found.
If you are behind a proxy, the error might be different or you might be redirected to another page, such as a search page.
If that doesn’t give you a straightforward result, a few websites have proxy detection services with varying reliability, like this one.
If you visit an HTTPS-encrypted website and click on the lock icon, your browser will give you some basic information about the site’s SSL certificate. If the certificate is issued to your ISP and not the website owner, that could be a sign that you’re behind a transparent proxy.
VPNs and HTTPS vs transparent proxies
In a standard, non-encrypted connection, internet traffic can be monitored and filtered by a transparent proxy. The data contained therein can be cached on the proxy server for later use.
HTTPS
Websites that use HTTPS secure browser traffic between the server and client with SSL encryption. The encryption scrambles the data before leaving the device, making it indecipherable to anyone who intercepts it. However, DNS traffic is typically not encrypted and tells the proxy server where the encrypted HTTPS traffic is going. The actual contents of network traffic may not be visible, so the data can’t be cached, but the proxy can at least see where it’s going. (Note: This is why transparent proxies are often incompatible with encrypted DNS, or DNSSEC. )
Transparent proxy software like Squid can handle HTTPS traffic in a few different ways, but generally the proxy can still monitor the destination of data in transit through some means. In some cases, network administrators set up HTTPS interception on transparent proxies. The proxy server acts as a man-in-the-middle with its own HTTPS certificate authority. In this scenario, HTTPS traffic is intercepted and decrypted at the proxy server instead of the destination website. The data can then be cached, filtered, or inspected before being re-encrypted and sent on to the destination.
VPN
If you’re behind a transparent proxy and you want to bypass it altogether, then use a VPN. A good VPN encrypts all traffic leaving your device, including DNS and HTTP/S traffic. Without knowing the contents or destination of your data, the transparent proxy cannot take action and will simply forward it to the destination unmodified (unless it explicitly blocks traffic to the VPN server). Note that a VPN will make the proxy cache inaccessible, which can make things slower for the end user.
Transparent Proxy vs. Non-Transparent Porxy
Skip to content
web proxy service can be configured to operate in either transparent or non-transparent mode – but what are the differences, and how should you choose between them?
In transparent mode, there are no special configuration steps needed to setup client browsers, thus allowing the proxy service to be activated and in-use almost immediately. Once activated, all traffic destined for the Internet arriving on port 80 is automatically redirected through the proxy. With the latest Guardian products you can even use NTLM with Active Directory in conjunction with transparent proxying allowing for single sign on and minimal network configuration.
Both transparent and non-transparent proxying can be used together at the same time. Enabling transparent does not stop non-transparent from working. In situations where transparent is the norm but a specific application requires non-transparent you can simply configure the proxy settings in that application. Both modes have pros and cons. This article explains how to decide on the most appropriate mode for your network.
When to avoid transparent proxying
Transparent mode should be avoided in the following situations:
When you want to filter HTTPS sites – Content filtering cannot be applied to HTTPS traffic because transparent proxying cannot redirect HTTPS. HTTPS pages are encrypted, so content filtering cannot be applied to HTTPS pages – only filtering on the unencrypted URL will work. In general, transparent proxying is not robust enough to guarantee restrictions on web downloads or access to inappropriate sites. What you can do, however, is block all HTTPS through traffic using outgoing firewall rules and then those few that require HTTPS can have their browser settings configured to manual proxy settings.
When using proxy authentication – Proxy authentication cannot be used when operating in transparent mode. This is because the browser does not know that a proxy is being used (i. e. the proxy is transparent) and consequently does not know how to respond to a proxy authentication request.
When using Ident for authentication – Ident with transparent proxying is possible, but all Ident servers must be configured to accept any request, not just one qualified by correct destination IP and ports.
When using web-enabled client applications – Applications that connect to the Internet are often confused by transparent proxying. This can normally only be resolved by configuring the client application with the proxy details.
When you want to use the SSL Login authentication method. – It is not possible to be redirected to the requested website once logged in – this requires the use of the Guardian proxy in non-transparent mode.
When exceptions are required – If a client needs to have direct access to a particular domain without going through the proxy, transparent mode should not be used as such a setup is very difficult to configure and manage.
When you have no local DNS server – If your computers are using transparent proxying and you have no local caching DNS server then all requests will require a DNS lookup to your ISP slowing down browsing. Using manual proxy settings will cause the proxy to do the DNS lookups, which it will cache, and speed up web browsing. An example might be in a basic Web Cafe with no firewall or router that has a caching DNS.
Why use non-transparent proxying?
The main reason to use non-transparent (or manual proxying) is so that the web browser and other client applications know that a proxy is being used, and so can act accordingly. Initial configuration of a non-transparent proxy might be trickier, but ultimately provides a much more powerful and flexible proxying service.
Another advantage of non-transparent proxying is that spyware and worms that use the web for transmission may not be able to function because they don’t know the proxy settings. This can reduce the spread of malicious software and prevent bandwidth from being wasted by infected systems.
Configuring proxy settings in non-transparent mode
When using non-transparent proxying, appropriate proxy settings must be configured on client machines and browsers. This can be achieved in a number of different ways:
Manually – Proxy settings can be entered manually in most web browsers and web-enabled applications. Usually such settings are entered as part of the applications Connection Settings or similar. The address of the proxy is required, along with the proxy port number. These settings are displayed on the “Services / web proxy” and “Guardian / web proxy” pages as part of the “Automatic configuration script” region.
Automatic configuration script – The Smoothwall proxy provides file that can be used to automatically configure proxy settings in most Internet browsers. To use the automatic configuration script, enter the URL displayed in the “Automatic configuration script” region of the “Services / web proxy” and “Guardian / web proxy” pages into your browser software.
Microsoft Windows 2000 domain – In a Windows 2000+ domain, proxy settings can be configured in the domain security policy. This eliminates the need to manually configure any part of the users system.
Automatic discovery – Many browsers support automatic discovery of proxy settings using the WPAD (Web Proxy Auto-Discovery) protocol. This is relatively easy to configure if you have a local DNS server.
Using DHCP to distrubute proxy settings – DHCP can also be used to set proxy settings. That might be a better method than using security policies. Currently the DHCP server on the Smoothwall firewalls cannot be used for giving out locations.
Microsoft Windows login script – The Windows login script can be used to import a registry file which will automatically configure the system wide proxy settings.
files – Browsers like Firefox can be configured automatically with ini files. Such files could be copied or modified as part of the login script on a Microsoft Windows or Linux network.
Third party solutions – Third party applications are available for Windows which can, at login, automatically configure web browser proxy settings. These range from simple programs designed specifically to automate proxy configuration, or more sophisticated applications that provide a range of services such as monitoring the users desktop.
When to use transparent proxying
When minimal or no network configuration is required.
Transparent proxying can be useful in mixed environments containing Unix, Linux, Apple Mac and Microsoft Windows systems. This allows quick access to the web proxy for everyone, without having to configure a multitude of different platform specific applications and browsers.
Transparent mode can be used for convenience if Guardian is being used to provide non-HTTPS filtering. However, if Guardian is being used to guarantee prevention of abuse, non-transparent proxying should be used or instead use transparent and have outgoing HTTPS blocked at the firewall.
Problem
What is the difference between transparent and non-transparent proxies, and how does the firewall handle them differently? Which proxies can the firewall handle non-transparently?
Solution
In a transparent proxy connection, the client sends all requests through its default gateway. The destination IP address in the packet from the client is the actual destination’s IP address (e. g., ’s IP address) and not the firewall. Since the firewall lies along the routing path to the client’s default gateway, or is the client’s default gateway, it is able to inspect the proxy application layer data as specified. After inspecting the data, the firewall passes the packet on. The client is responsible for its own DNS lookups. In a transparent connection, the client is unaware of the firewall.
In a non-transparent proxy connection, the client (e. g., a Web browser) sends all requests to the firewall. The client’s connections settings explicitly specify that all requests be sent to the firewall as a proxy. The destination IP address in the packet from the client is the firewall’s IP address, even though the site it wants to access is, for example, The firewall inspects the proxy application layer data as specified, NATs the packets, and passes them on to the final destination. The firewall is responsible for DNS lookups. In a non-transparent connection, the client is completely aware of the firewall.
Although a non-transparent connection may sound more complicated, it may be beneficial (or even necessary) depending on routing or if you use certain authentication methods or non-standard ports. The following proxies can be configured to be non-transparent:
FTP
HTTP
HTTPS
Oracle
Telnet
Frequently Asked Questions about proxy transparent
Is transparent proxy safe?
To the end user, a transparent proxy is basically malware. It intercepts internet traffic and redirects it to another destination without the end user’s consent. This essentially describes a man-in-the-middle (MITM) attack. However, transparent proxies are not always malicious.Feb 20, 2019
What is the difference between transparent and non-transparent proxy?
In a transparent proxy connection, the client sends all requests through its default gateway. … In a non-transparent proxy connection, the client (e.g., a Web browser) sends all requests to the firewall. The client’s connections settings explicitly specify that all requests be sent to the firewall as a proxy.Apr 28, 2014
How do I make my proxy transparent?
Right-click your service, and select Add Interface -> HTTP or HTTPS to display the appropriate dialog (for example, Configure HTTP Interface). Select the checkbox labeled Transparent Proxy (allow bind to foreign address).
