Tuesday, 3 April 2007

Intercepting

Many organizations — including corporations, schools, and families — use a proxy server to enforce acceptable network use policies or to provide security, anti-malware and/or caching services. A traditional web proxy is not transparent to the client application, which must be configured to use the proxy (manually or with a configuration script). In some cases, where alternative means of connection to the Internet are available (e.g. a SOCKS server or NAT connection), the user may be able to avoid policy control by simply resetting the client configuration and bypassing the proxy. Furthermore administration of browser configuration can be a burden for network administrators.

An intercepting proxy, often incorrectly called transparent proxy (also known as a forced proxy) combines a proxy server with NAT. Connections made by client browsers through the NAT are intercepted and redirected to the proxy without client-side configuration (or often knowledge).

Intercepting proxies are commonly used in businesses to prevent avoidance of acceptable use policy, and to ease administrative burden, since no client browser configuration is required.

Intercepting proxies are also commonly used by Internet Service Providers in many countries in order to reduce upstream link bandwidth requirements by providing a shared cache to their customers.

It is often possible to detect the use of an intercepting proxy server by comparing the external IP address to the address seen by an external web server, or by examining the HTTP headers on the server side.

Some poorly implemented intercepting proxies have historically had certain downsides, e.g. an inability to use user authentication if the proxy does not recognize that the browser was not intending to talk to a proxy. Some problems are described in RFC 3143 (Known HTTP Proxy/Caching Problems). A well-implemented proxy should not inhibit browser authentication at all.

The term transparent proxy, often incorrectly used instead of intercepting proxy to describe the same behavior, is defined in RFC 2616 (Hypertext Transfer Protocol -- HTTP/1.1) as:

"proxy that does not modify the request or response beyond what is required for proxy authentication and identification."

http://en.wikipedia.org/wiki/Proxy_server

No comments: