TCP/IP Proxy Internals: How Proxies Work at the Network Layer

By /

TCP/IP Proxy Internals: How Proxies Work at the Network Layer

Every proxy request you make — whether rotating residential IPs or tunneling through SOCKS5 — ultimately rides on TCP/IP. Understanding what happens at the transport and network layers transforms you from a proxy user into a proxy engineer who can debug connection issues, optimize throughput, and build custom proxy solutions.

This guide strips away the application-layer abstractions and shows you exactly how proxies handle connections at the socket level.

The TCP/IP Stack and Where Proxies Sit

The standard TCP/IP model has four layers:

┌─────────────────────────┐
│   Application Layer     │  HTTP, HTTPS, SOCKS5, DNS
│   (Layer 7)             │  ← Most proxies operate here
├─────────────────────────┤
│   Transport Layer       │  TCP, UDP
│   (Layer 4)             │  ← SOCKS proxies can operate here
├─────────────────────────┤
│   Internet Layer        │  IP, ICMP
│   (Layer 3)             │  ← NAT/transparent proxies
├─────────────────────────┤
│   Network Access Layer  │  Ethernet, Wi-Fi
│   (Layer 1-2)           │
└─────────────────────────┘

Most HTTP/HTTPS proxies operate at Layer 7 (application). SOCKS proxies work at Layer 4-5, making them protocol-agnostic. Transparent proxies and NAT gateways can intercept at Layer 3.

How an HTTP Proxy Handles a Connection

When a client sends a request through an HTTP proxy, here is the step-by-step socket-level flow:

Step 1: Client Connects to Proxy

The client opens a TCP connection to the proxy server:

import socket

def connect_to_proxy(proxy_host, proxy_port):
    """Simulate what happens when a client connects to a proxy."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(10)

    # TCP three-way handshake with proxy
    # SYN → SYN-ACK → ACK
    sock.connect((proxy_host, proxy_port))

    return sock

At the kernel level, this triggers the TCP three-way handshake:

  1. Client sends SYN packet to proxy
  2. Proxy responds with SYN-ACK
  3. Client sends ACK — connection established

Step 2: Client Sends Request to Proxy

For HTTP proxies, the client sends the full URL (not just the path):

def send_http_proxy_request(sock, target_url):
    """HTTP proxy request uses absolute URI."""
    request = (
        f"GET {target_url} HTTP/1.1\r\n"
        f"Host: {target_url.split('/')[2]}\r\n"
        f"Proxy-Authorization: Basic dXNlcjpwYXNz\r\n"
        f"Connection: keep-alive\r\n"
        f"\r\n"
    )
    sock.sendall(request.encode())

Step 3: Proxy Opens Connection to Target

The proxy parses the request, resolves the target hostname via DNS, and opens a new TCP connection:

import socket
import select

class SimpleHTTPProxy:
    def __init__(self, listen_port=8080):
        self.listen_port = listen_port

    def handle_client(self, client_sock, client_addr):
        """Handle incoming proxy request."""
        # Receive client request
        request = client_sock.recv(8192)
        first_line = request.split(b'\r\n')[0].decode()

        # Parse: GET http://example.com/path HTTP/1.1
        method, url, version = first_line.split(' ')

        # Extract host and port
        if url.startswith('http://'):
            url_part = url[7:]
        host_port = url_part.split('/')[0]
        host = host_port.split(':')[0]
        port = int(host_port.split(':')[1]) if ':' in host_port else 80

        # Connect to target server
        target_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        target_sock.connect((host, port))

        # Rewrite request to use relative path
        path = '/' + '/'.join(url_part.split('/')[1:])
        modified_request = request.replace(
            url.encode(), path.encode(), 1
        )

        # Forward request
        target_sock.sendall(modified_request)

        # Relay response back to client
        self._relay(target_sock, client_sock)

    def _relay(self, source, destination):
        """Forward data between sockets."""
        while True:
            data = source.recv(8192)
            if not data:
                break
            destination.sendall(data)

Step 4: HTTPS via CONNECT Tunnel

HTTPS proxying works differently — the proxy creates a TCP tunnel:

def handle_connect(self, client_sock, host, port):
    """Handle HTTPS CONNECT method — create TCP tunnel."""
    # Connect to target
    target_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    target_sock.connect((host, port))

    # Tell client the tunnel is ready
    client_sock.sendall(b'HTTP/1.1 200 Connection Established\r\n\r\n')

    # Now blindly relay bytes in both directions
    # The proxy cannot see the encrypted content
    self._bidirectional_relay(client_sock, target_sock)

def _bidirectional_relay(self, sock1, sock2):
    """Relay data between two sockets using select()."""
    sockets = [sock1, sock2]

    while True:
        readable, _, exceptional = select.select(sockets, [], sockets, 30)

        if exceptional:
            break

        for sock in readable:
            data = sock.recv(65536)
            if not data:
                return

            # Forward to the other socket
            other = sock2 if sock is sock1 else sock1
            other.sendall(data)

Socket Options That Matter for Proxies

Several socket options dramatically affect proxy performance:

import socket

def configure_proxy_socket(sock):
    """Optimal socket configuration for proxy servers."""

    # Reuse address — critical for proxy restarts
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)

    # TCP keepalive — detect dead connections
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)

    # TCP_NODELAY — disable Nagle's algorithm for lower latency
    sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)

    # Increase send/receive buffers (256KB)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, 262144)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, 262144)

    # Set timeouts
    sock.settimeout(30)  # 30 second timeout

TCP_NODELAY vs Nagle’s Algorithm

Nagle’s algorithm buffers small packets to reduce overhead. For proxies, this adds latency:

Without TCP_NODELAY (Nagle ON):
Client → [buffer 40ms] → Proxy → [buffer 40ms] → Target
Total added latency: ~80ms per request

With TCP_NODELAY (Nagle OFF):
Client → Proxy → Target
Packets sent immediately — lower latency, slightly more overhead

For scraping and proxy use, always disable Nagle’s algorithm with TCP_NODELAY.

Connection State Machine

A proxy manages connections through TCP states:

Client-side connection:        Proxy-side connection (to target):

LISTEN                         (not yet created)
    ↓ SYN received
SYN_RECEIVED                   (not yet created)
    ↓ ACK received
ESTABLISHED                    SYN_SENT
    ↓ Request parsed               ↓ SYN-ACK received
    ↓                          ESTABLISHED
    ↓ ← data relay →              ↓
    ↓                              ↓
FIN_WAIT_1                     FIN_WAIT_1
    ↓                              ↓
TIME_WAIT                      TIME_WAIT
    ↓                              ↓
CLOSED                         CLOSED

A busy proxy manages thousands of these state machines simultaneously.

NAT Traversal and Transparent Proxying

Transparent proxies intercept traffic without client configuration:

# iptables rule to redirect HTTP traffic through transparent proxy
# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

class TransparentProxy:
    """Intercepts connections redirected by iptables."""

    def handle_connection(self, client_sock):
        # Get original destination using SO_ORIGINAL_DST
        # (Linux-specific socket option)
        SO_ORIGINAL_DST = 80
        original_dst = client_sock.getsockopt(
            socket.SOL_IP, SO_ORIGINAL_DST, 16
        )

        # Parse the original destination
        port = int.from_bytes(original_dst[2:4], 'big')
        ip = socket.inet_ntoa(original_dst[4:8])

        print(f"Intercepted connection to {ip}:{port}")

        # Connect to actual target
        target_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        target_sock.connect((ip, port))

        # Relay traffic
        self._bidirectional_relay(client_sock, target_sock)

Performance: Epoll vs Select vs Kqueue

For high-throughput proxy servers, the I/O multiplexing method matters enormously:

MethodMax FDsPerformancePlatform
select()1024 (default)O(n) per callAll
poll()UnlimitedO(n) per callLinux/macOS
epoll()UnlimitedO(1) per eventLinux only
kqueue()UnlimitedO(1) per eventmacOS/BSD
import selectors

class HighPerformanceProxy:
    """Uses the best available I/O multiplexer."""

    def __init__(self):
        # selectors module auto-picks epoll/kqueue/select
        self.selector = selectors.DefaultSelector()

    def register_connection(self, sock, callback):
        self.selector.register(sock, selectors.EVENT_READ, callback)

    def event_loop(self):
        while True:
            events = self.selector.select(timeout=1)
            for key, mask in events:
                callback = key.data
                callback(key.fileobj)

Production proxy servers like Squid and HAProxy use epoll (Linux) or kqueue (macOS/BSD) to handle tens of thousands of concurrent connections.

Debugging TCP/IP Proxy Issues

Common Issues and Diagnosis

Connection resets (RST packets):

# Watch for RST packets
tcpdump -i any 'tcp[tcpflags] & tcp-rst != 0' -nn

# Common cause: proxy sends to closed connection
# Fix: implement proper connection state tracking

TIME_WAIT accumulation:

# Count TIME_WAIT connections
ss -s | grep TIME-WAIT

# If thousands accumulate, enable SO_REUSEADDR
# and consider SO_REUSEPORT for load distribution

Half-open connections:

# Find connections stuck in SYN_RECV
ss -tn state syn-recv

# May indicate SYN flood or slow proxy processing

Using tcpdump to Trace Proxy Traffic

# Capture all traffic through proxy port
tcpdump -i any port 8080 -w proxy_traffic.pcap

# Show only connection setup/teardown
tcpdump -i any port 8080 'tcp[tcpflags] & (tcp-syn|tcp-fin|tcp-rst) != 0'

# Filter by destination
tcpdump -i any dst host 93.184.216.34 and port 80

Internal Links

FAQ

What is the difference between a Layer 4 and Layer 7 proxy?

A Layer 4 proxy (like SOCKS) operates at the transport layer, forwarding TCP/UDP connections without understanding the application protocol. A Layer 7 proxy (like HTTP proxy) understands the application protocol, can inspect headers, modify requests, and cache responses. Layer 4 proxies are faster but offer less control.

Why does my proxy add latency to every request?

Proxies add latency because each request requires two TCP connections (client-to-proxy and proxy-to-target), each with its own handshake. Enabling connection keepalive, using TCP_NODELAY, and choosing geographically close proxies minimizes this overhead.

Can a proxy see HTTPS traffic?

Not through a CONNECT tunnel — the proxy only sees encrypted bytes flowing between client and target. However, a proxy performing TLS interception (MITM) can decrypt traffic if the client trusts the proxy’s CA certificate. Tools like mitmproxy and Charles Proxy use this approach for debugging.

What causes “connection reset by peer” errors with proxies?

This typically means the remote server (or proxy) sent a TCP RST packet, forcibly closing the connection. Common causes include: the proxy detected you as a bot, the connection timed out on the server side, or the proxy server crashed. Check your request rate and ensure your proxy is healthy.

How many concurrent connections can a proxy handle?

It depends on the I/O model. A select()-based proxy tops out around 1,024 connections. An epoll-based proxy on Linux can handle 100,000+ concurrent connections with proper tuning (file descriptor limits, kernel buffer sizes, and CPU resources).

Related Reading

Scroll to Top