tags : Networking, Security, VPN, Internet
Transparent proxies
- A transparent proxy is one that you don’t need to manually configure your browser to use. Anything that’s inline with your internet path could transparently intercept your traffic and proceed to proxy it: your router, a firewall, maybe even your ISP. I am not sure how they work with HTTPS; they’ll need to be combined with an SSL proxy of some kind.
- When operating at the application level, the problem is that many applications may not honor the proxy settings. A possible solution is to use a transparent proxy, which does not need any configuration on the application side.
Forward Proxies
- There can be n reasons why you’d want a forward proxy, but I am listing these thinking about censorship.
- You can mix these network proxies with your VPN or TOR network as you see fit.
- You could also host them in different servers.
- I do not understand these properly and there are edge cases around UDP support etc. I have to experiment to see what exactly I can get out of these.
Popular tools
- Outline
- Designed specifically to circumvent certain firewalls and bypass censorship. Never designed to be anonymous or private.
- This is built on top of Shadowsocks but claims to be more resistant to blocking and detection.
- Shadowsocks in turn is built on top of SOCKS5 which sort of adds an encryption layer. You can just use SSH to do the same though.
- v2ray and cloak: These are other popular solutions in the bypass censorship space. Good overview here.
- So-called “SmartDNS” solutions. I am not exactly sure how these work. These bundle DNS and a proxy together in the same service. Examples: Unlocator, NordVPN etc. Also see Seji64/SniDust. I don’t really want to use this at all but just putting this here as an option.
Other tools
Reverse Proxies
You can use these things to do load-balancing/ssl termination/reverse proxy/protocol demultiplexing/HA/failover/caching/rate-limiting etc. Here’s a more complete list
Name | Remark |
---|---|
Traefik | Automatic TLS, SD, TCP/UDP support, config heavy, web ui, use consul if needed |
Caddy | Automatic TLS, Only HTTP support by default. If used with ALB(AWS), ALB needs to run in TCP mode. |
Envoy | Little extra for moi |
NGINX | Good but needs extra configurations, can use step-ca |
NGINX Proxy Manager | Ez and nice but maintenance is not very active |
Apache | I used it in the past, did not like it very much, don’t remember why exactly |
HAproxy | Did not look into, putting for completeness’ sake |
These are slightly different from virtual hosts (see DNS). As such, to be pedantic, virtual hosts are like “we’ll serve files only from the same server” etc., but I sort of see them in the same way. (Please correct me if I am wrong here, if anyone reads this shit.)
Notes