How Proxy Servers Work: Request Flow Explained
Step-by-step explanation of HTTP CONNECT tunneling, SOCKS handshakes, headers, and common proxy failure modes for developers.
Understanding how a proxy forwards traffic helps you debug timeouts, TLS errors, and mysterious 407 responses. Whether you use HTTP or SOCKS, the same pattern applies: your client opens a connection to the proxy, the proxy opens a connection to the target, and bytes flow in both directions.
The request flow
A typical outbound HTTP request through a proxy follows these steps:
- Your client resolves the proxy hostname and opens a TCP connection.
- For plain HTTP, the client may send the full URL in the request line (GET http://example.com/).
- For HTTPS, the client sends CONNECT example.com:443 and tunnels TLS inside the resulting pipe.
- The proxy relays bytes until the connection closes or times out.
From the target's perspective, the source IP is the proxy — not your server. That is the fundamental property automation teams rely on.
HTTP CONNECT tunneling
Modern HTTPS scraping almost always uses CONNECT. Your client asks the proxy to open a TCP socket to port 443 on the remote host, then performs the TLS handshake through that tunnel. The proxy sees encrypted traffic and cannot read payloads without MITM certificates (which you should avoid in production pipelines).
Client -> Proxy: CONNECT api.example.com:443 HTTP/1.1
Proxy -> Origin: TCP connect to api.example.com:443
Proxy -> Client: HTTP/1.1 200 Connection Established
Client <-> Origin: TLS handshake + HTTP inside tunnelSOCKS handshake
SOCKS5 adds a small binary handshake before relaying. The client authenticates (optionally), specifies target host and port, and receives a success or failure reply. Unlike HTTP proxies, SOCKS is protocol-agnostic — the same proxy can carry SMTP, SSH, or custom TCP services.
Compare details in SOCKS4 vs SOCKS5 and HTTP vs SOCKS5.
Headers and anonymity
X-Forwarded-For and Via
Some proxies append X-Forwarded-For or Via headers revealing client chains. Elite or high-anonymity proxies omit or minimize these. Learn more in transparent vs anonymous vs elite proxies.
Common failure modes
- 407 Proxy Authentication Required — missing or wrong credentials.
- 502 Bad Gateway — proxy could not reach the origin.
- Timeouts — overloaded or dead endpoint; rotate and health-check.
- TLS errors — often caused by intercepting proxies or clock skew.
Systematic testing catches bad endpoints early. See testing proxy speed and anonymity.
Need proxies at scale?
proxies.st offers health-checked HTTP and SOCKS pools with dashboard access, API keys, and plain-text bulk feeds for pipelines.
Related guides
What Is a Proxy Server? Complete Guide
Learn what a proxy server is, how forward proxies work, and why teams use HTTP and SOCKS pools for automation, scraping, and data pipelines.
Transparent vs Anonymous vs Elite Proxies
Understand proxy anonymity levels, header leakage, how sites detect proxies, and what to choose for your pipeline.