safing / portmaster

🏔 Love Freedom - ❌ Block Mass Surveillance
https://safing.io
GNU General Public License v3.0
9.34k stars 301 forks

Support insights despite a system-wide proxy #353

Closed Lagicrus closed 1 year ago

Lagicrus commented 3 years ago

What would you like to add or change?: Allow PR to act as a middle man for a proxy so it can know where connections are going (If this makes sense/solves the issue below)

Why do you and others need this?: Currently, PortMaster isn't fully useful as I use a system-wide proxy, so when I dig through the connection history I just see local_ip:3128 many, many times. Which, whilst technically correct, is wrong, as the connection is going to another destination after the fact. So I wonder if I can get PM to act as a "proxy middle-man" of sorts, so I can still use my proxy, albeit via PM, but PM now knows what I am actually connecting to, instead of 20 connections to a proxy server.

Hopefully this makes sense 😅

ppacher commented 3 years ago

Hi @Lagicrus, thanks for reaching out to us.

Can you explain what exactly your use case for a local (HTTP? SOCKS?) proxy is? Right now there's no way for the Portmaster to detect which application connects to which IPs if a proxy is in use. For the time being we do not plan to implement proxy functionality for the Portmaster itself. Maybe we can provide a different solution with a better understanding of your use-case.

Thanks again for reaching out!

Lagicrus commented 3 years ago

Hey @ppacher ,

Currently, I use Squid as my proxy server over HTTP (unsure if it can do SOCKS). Primarily I use it for blocking content & acting as a cache, on both this device and others, and at greater resolution than Portmaster can, as I know the domain & specific files I can block. I know Portmaster can't detect where an application connects to if it goes through a proxy, which is why I opened this issue :) Whilst I can acknowledge that my specific use case might be niche, though with advantages, I do see others running into similar issues as well where they need to use a proxy, say on more restrictive networks.

I don't expect PM to "do" what a proxy does, just act as a "middle man" so I can still use my Proxy server and its full capabilities, but now PM knows where everything is going.

Thanks for the rapid response

ppacher commented 3 years ago

Thanks for describing your use-case. I definitely understand the need for this and users in restrictive networks that are forced to use a proxy will for sure benefit from this as well.

I'll add the backlog label and discuss this with the rest of the team. Maybe we can find an "easy" solution for that. No promises though ....

Lagicrus commented 3 years ago

Perfectly understandable :)

ZzZombo commented 2 years ago

I fully support this suggestion. I use a global proxy both as a corporate proxy and Privoxy in front of it for my own needs.

dhaavi commented 2 years ago

Thinking into this a little again because of #592 and I think the only real option is to provide a proxy directly, which then forwards the traffic to the next proxy - I expect the connection to the proxy to be encrypted and as such we cannot look into it at all.

Any thoughts on this? Is there another way?

ZzZombo commented 2 years ago

Sorry, but I don't understand your reservations. HTTP v1.1 requires that user agents specify the Host header when connecting to a server. This is also the header HTTP proxies use to know which end server they should open the tunnel to. But even in HTTP v1.0 the Host header is de facto mandatory when using a proxy server, and all proxies I've ever come across will not function correctly w/o it.

With this in mind, your software only has to read this header in order to figure out what is the actual endpoint for a proxied connection for display.

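The comment above argues that the real endpoint of a proxied connection can be read from the first HTTP request the client sends to the proxy. The following is an added illustration of that idea, not code from the Portmaster project: it takes the first bytes written to the local proxy port (constructed sample requests are in the test/usage), parses them with Go's standard `net/http.ReadRequest`, and recovers the destination from the `CONNECT` authority, the absolute-form request URI, or, as a last resort, the `Host` header. It also handles the caveat raised earlier in the thread: if the hop to the proxy is itself TLS, the bytes start with a TLS record rather than an HTTP request line and nothing can be recovered. The `ProxyDestination` function, the `Destination` type and `ErrEncryptedToProxy` are names chosen for this example.

```go
package main

import (
	"bufio"
	"bytes"
	"errors"
	"fmt"
	"net"
	"net/http"
)

// ErrEncryptedToProxy is returned when the client speaks TLS to the proxy
// itself (an "HTTPS proxy"); the plaintext request never appears on the wire.
var ErrEncryptedToProxy = errors.New("client-to-proxy hop is TLS; destination not visible")

// Destination is the endpoint the proxy will open for this connection.
type Destination struct {
	Host   string // hostname or IP literal, without IPv6 brackets
	Port   string
	Tunnel bool // true for CONNECT (e.g. TLS tunnelled through an HTTP proxy)
}

func (d Destination) String() string { return net.JoinHostPort(d.Host, d.Port) }

func defaultPort(scheme string) string {
	if scheme == "https" {
		return "443"
	}
	return "80"
}

// ProxyDestination inspects the first request sent to a plain HTTP proxy and
// returns where that proxy is being asked to connect. Three request shapes
// are handled, in the order a proxy resolves them:
//   CONNECT host:port HTTP/1.1        -> authority from the request line
//   GET http://host:port/path HTTP/1.1 -> host from the absolute-form URI
//   GET /path HTTP/1.1 + Host: host    -> Host header (origin-form fallback)
func ProxyDestination(firstBytes []byte) (Destination, error) {
	// A TLS handshake record starts with content type 0x16 and version 0x03xx.
	if len(firstBytes) >= 3 && firstBytes[0] == 0x16 && firstBytes[1] == 0x03 {
		return Destination{}, ErrEncryptedToProxy
	}
	req, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(firstBytes)))
	if err != nil {
		return Destination{}, fmt.Errorf("not an HTTP proxy request: %w", err)
	}

	var host, port string
	switch {
	case req.Method == http.MethodConnect:
		// Go stores the CONNECT authority in req.URL.Host; Hostname() strips [] from IPv6 literals.
		host, port = req.URL.Hostname(), req.URL.Port()
		if port == "" {
			port = "443" // CONNECT without an explicit port is almost always for TLS
		}
		if host == "" {
			return Destination{}, errors.New("CONNECT without an authority")
		}
		return Destination{Host: host, Port: port, Tunnel: true}, nil
	case req.URL.Host != "":
		// Absolute-form URI: the proxy ignores any Host header here (RFC 7230 s5.4).
		host, port = req.URL.Hostname(), req.URL.Port()
		if port == "" {
			port = defaultPort(req.URL.Scheme)
		}
	default:
		// Origin-form: only the Host header says where this is going.
		h, p, splitErr := net.SplitHostPort(req.Host)
		if splitErr != nil {
			h, p = req.Host, "" // bare host without a port
		}
		if p == "" {
			p = "80"
		}
		host, port = h, p
	}
	if host == "" {
		return Destination{}, errors.New("request carries no destination host")
	}
	return Destination{Host: host, Port: port, Tunnel: false}, nil
}

func main() {
	// Constructed sample requests as a client would send them to a Squid-style proxy.
	samples := [][]byte{
		[]byte("CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"),
		[]byte("GET http://example.com/index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
		[]byte("GET /index.html HTTP/1.1\r\nHost: intranet.example:3000\r\n\r\n"),
		{0x16, 0x03, 0x01, 0x00, 0xf4, 0x01}, // start of a TLS ClientHello
	}
	for _, s := range samples {
		d, err := ProxyDestination(s)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s tunnel=%v\n", d, d.Tunnel)
	}
}
```

The same sniffing would have to run on every new flow to the proxy port, keyed by the local socket so the result can be attached to the application that opened it; it only works while the client-to-proxy hop is cleartext, which is exactly the case the commenter describes.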
dhaavi commented 2 years ago

Proxies can mean some different things, especially given the different ways that encryption can be applied to the whole process.

Please read this post for some more insights and then clarify what it is exactly that you want: https://security.stackexchange.com/a/61336

ZzZombo commented 2 years ago

In my case I use only plain/non-secure HTTP proxies that however do perform HTTP tunnelling.

dhaavi commented 2 years ago

I think that we might even be able to easily support that when PR #92 is finally merged - we currently don't have a timeline for that, though.

Raphty commented 1 year ago

I am cleaning out old issues. If you feel this issue should not have been closed let me know.

Please keep in mind, the free version of Portmaster only has limited support. For free users our active Discord community as well as the chat bot are the fastest and best way to get help. https://discord.gg/safing If you find our work brings value to you, please consider supporting it by purchasing Plus or Pro Packages https://safing.io/pricing/. If you are already a subscriber, first Thank You! and also if you want priority support please send in an email and let me know your username so I can prioritize your request accordingly.