How it works

To filter web requests, a user’s browser needs to be explicitly directed to use the proxy that is deployed in the same network. It is also possible to set up a transparent proxy, but this tutorial does not cover it because the steps involved may be quite different from the explicit proxy setup.

When a user tries to navigate to a web site, the browser sends a request to the proxy server, asking it to get the requested page on its behalf. The proxy establishes a new connection to the remote site and returns the response to the browser. When normal HTTP is used, the proxy is able to see the original contents of the response and filter it. With HTTPS the flow of data is a little different. The browser asks the proxy to establish a virtual tunnel between itself and the remote server and then sends encrypted data through the proxy. The domain name to which the virtual tunnel is being established is usually known, so the proxy is able to block the tunnel when it finds out that the domain name belongs to a prohibited category. Unfortunately, this is not a complete solution, as there are a lot of sites on the Internet that are general in nature (like Google or YouTube) but allow you to easily navigate to something undesired.
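The tunnel decision described above can be sketched as follows. This is an added example, not code from the tutorial or from any proxy product; the category table, the host names and the function names are constructed for illustration.

```python
# Added example: decide on an HTTPS tunnel from the CONNECT request head alone.
# BLOCKED and every host name below are constructed sample data (assumptions).
BLOCKED = {"adult": {"blocked.example"}, "gambling": {"casino.example"}}

def parse_connect(request_head: bytes):
    """Return (host, port) from a CONNECT request head, or None if malformed."""
    line = request_head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/"):
        return None
    target = parts[1]
    if target.startswith("["):                      # IPv6 literal: [addr]:port
        host, sep, port = target[1:].partition("]:")
    else:
        host, sep, port = target.rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        return None
    # Normalise case and a trailing dot so "CASINO.example." cannot slip past.
    return host.rstrip(".").lower(), int(port)

def category_of(host: str):
    """Match the host or any of its parent domains against the category table."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        for category, domains in BLOCKED.items():
            if candidate in domains:
                return category
    return None

def handle_connect(request_head: bytes) -> bytes:
    """Return the proxy's reply to the browser for one CONNECT request."""
    target = parse_connect(request_head)
    if target is None:
        return b"HTTP/1.1 400 Bad Request\r\n\r\n"
    if category_of(target[0]) is not None:
        return b"HTTP/1.1 403 Forbidden\r\n\r\n"    # tunnel refused
    # A real proxy would now connect to the target and relay the encrypted
    # bytes unchanged; it never sees the URL path or the page contents.
    return b"HTTP/1.1 200 Connection established\r\n\r\n"

if __name__ == "__main__":
    for name in ("www.casino.example", "video.example"):
        head = f"CONNECT {name}:443 HTTP/1.1\r\nHost: {name}:443\r\n\r\n".encode()
        print(name, "->", handle_connect(head).split(b"\r\n")[0].decode())
```

The host name and port are the only inputs to the decision, so a general-purpose site is either allowed or blocked as a whole.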

To improve the quality of web filtering and get access to the contents of encrypted connections, browsers in the network may be set up to trust the proxy to act on their behalf: establishing HTTPS connections, filtering them, and passing the allowed data to clients while blocking everything that is not allowed. Although this assumption is too strict to be implemented in public networks, it is easily doable in controlled home, educational or corporate environments, where administrators act as sole owners of network devices and may enforce any trust rules. Once trust is established, the browser is able to ask the proxy to connect to a remote site in a safe manner with HTTPS, and the proxy is able to decrypt the traffic, filter it, encrypt it again and pass it to the browser. As the browser trusts the proxy, it continues working with filtered HTTPS without any errors or warnings.