Quick orientation
If a proxy is between your client and the internet, any hiccup can look like a network outage. Below are common proxy issues you’ll see and straightforward ways to diagnose and fix them. Read the short troubleshooting steps first, then use the command examples and tips for deeper investigation.
How to approach a proxy problem
- Check whether the problem is client-specific, network-wide, or server-side.
- Gather symptoms: browser errors, HTTP status codes, app logs, timestamps.
- Confirm simple things first: correct proxy address/port, DNS resolution, credentials.
- Inspect proxy logs and run connectivity checks from both client and proxy host.
Common issues and fixes
1) No connection / “Proxy server not responding”
Symptoms: browser times out, no response, connection refused.
- Causes: wrong host or port, proxy process down, firewall blocking, DNS problem.
- Fixes:
- Ping and traceroute to the proxy host to confirm network path.
- Check port with telnet, nc or curl:
telnet proxy.example.com 3128
# or
nc -vz proxy.example.com 3128
# or try a proxied request
curl -x proxy.example.com:3128 http://example.com/
- Confirm proxy service is running on the server (systemctl, process list) and check firewall rules (iptables, nftables, ufw, security groups).
- If DNS fails, use the proxy’s IP instead of hostname or fix the DNS server entries.
2) Authentication problems (HTTP 407)
Symptoms: browser repeatedly prompts for credentials, 407 errors in logs.
- Causes: bad username/password, unsupported auth type (NTLM/Kerberos mismatch), stale cache of credentials.
- Fixes:
- Clear saved credentials in the browser and re-enter them.
- Verify server and client agree on auth mechanisms (basic, digest, NTLM, Kerberos). If NTLM is required, standard basic auth won’t work.
- On Linux/CLI apps, set credentials in the proxy URL or use a helper (for NTLM: cntlm or ntlm_auth). Example:
export http_proxy="http://USERNAME:PASSWORD@proxy.example.com:3128"
- Check the proxy audit/logs to see why it rejects authentication and adjust domain and SPN settings for Kerberos.
3) SSL/TLS and certificate warnings
Symptoms: certificate errors in browsers, TLS handshake failures, mixed content warnings.
- Causes: corporate SSL interception (TLS bump), expired or missing CA certificate, wrong hostname in certificate.
- Fixes:
- Determine whether the proxy performs SSL inspection. If it does, install the proxy’s CA certificate into the client’s trusted store (OS, browser, Java keystore as needed).
- Check certificate dates and hostnames. Replace or reissue certificates if expired or misconfigured.
- For apps that do certificate pinning, configure them to trust the inspecting CA or bypass inspection for those domains.
4) Slow browsing or high latency
Symptoms: pages load slowly, timeouts under load, proxy CPU or memory high.
- Causes: overloaded proxy, suboptimal caching, network congestion, DNS delays.
- Fixes:
- Check proxy resource usage and logs. Scale the proxy or tune worker threads and connection limits.
- Inspect cache hit ratio and TTLs; tune cache policies or clear stale objects.
- Measure DNS resolution times and consider local DNS caching or faster resolvers.
- Temporarily bypass the proxy to see if the problem is with the proxy or the network beyond it.
5) HTTP errors from the proxy (502, 503, 504)
Symptoms: gateway errors returned by the proxy for certain requests.
- Causes: upstream server unavailable, proxy timeout, misconfigured backend, misrouted requests.
- Fixes:
- Confirm upstream servers are reachable and healthy.
- Adjust proxy timeout and retry settings if legitimate upstream latency exists.
- Check proxy routing rules and any load-balancer settings that might direct traffic incorrectly.
6) PAC/WPAD script problems
Symptoms: some clients use wrong proxy, automatic configuration fails, inconsistent behavior across devices.
- Causes: syntax errors in PAC file, incorrect MIME type, caching of old PAC files, wrong WPAD DNS/DHCP records.
- Fixes:
- Validate the PAC file with a linter or by running it through test inputs.
- Serve the PAC file with the correct MIME type (application/x-ns-proxy-autoconfig).
- Clear browser cache and DHCP/DNS entries used for WPAD. Confirm WPAD host names are correct and reachable.
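One way to run a PAC file through test inputs, as an added example that is not part of the original article. The PAC script, hostnames, expected results and the rule that every entry must carry an explicit port are assumptions made for illustration; the helper functions are offline stand-ins for the ones a browser provides.

```javascript
// Added example: exercise a PAC script with test inputs before publishing it.
// PAC_SOURCE, the hostnames and the expected results are constructed.
const PAC_SOURCE = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example.com")) return "DIRECT";
  if (shExpMatch(host, "*.example.org")) return "PROXY proxy.example.com:3128";
  return "PROXY proxy.example.com:3128; DIRECT";
}`;

// Offline stand-ins for the PAC helper functions this script calls.
const helpers = {
  isPlainHostName: (host) => !host.includes("."),
  dnsDomainIs: (host, domain) => host.toLowerCase().endsWith(domain.toLowerCase()),
  shExpMatch: (str, glob) => {
    const re = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
    return new RegExp("^" + re + "$").test(str);
  },
};
// Lint policy of this example: each entry is DIRECT or "<TYPE> host:port".
const ENTRY = /^(DIRECT|(PROXY|HTTP|HTTPS|SOCKS|SOCKS4|SOCKS5) [A-Za-z0-9.-]+:\d{1,5})$/;

// new Function throws SyntaxError for a PAC file that does not parse.
function loadPac(source) {
  const names = Object.keys(helpers);
  const factory = new Function(...names, source + "\nreturn FindProxyForURL;");
  return factory(...names.map((n) => helpers[n]));
}

function checkPac(source, cases) {
  let find;
  try { find = loadPac(source); } catch (e) { return [`load error: ${e.name}`]; }
  const failures = [];
  for (const [url, expected] of cases) {
    let result;
    try { result = find(url, new URL(url).hostname); } catch (e) { result = `threw ${e.name}`; }
    const ok = String(result).split(";").every((part) => ENTRY.test(part.trim()));
    if (!ok) failures.push(`${url}: malformed result "${result}"`);
    else if (result !== expected) failures.push(`${url}: got "${result}", expected "${expected}"`);
  }
  return failures;
}

const CASES = [
  ["http://intranet/", "DIRECT"],
  ["https://wiki.corp.example.com/page", "DIRECT"],
  ["https://www.example.org/", "PROXY proxy.example.com:3128"],
  ["https://example.net/", "PROXY proxy.example.com:3128; DIRECT"],
];
console.log(checkPac(PAC_SOURCE, CASES)); // empty array when every case passes
```

An empty array means every test URL resolved to the expected proxy; any entry names the URL and the reason it failed.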
7) Transparent proxy and SSL interception friction
Symptoms: local services fail, TLS handshake errors, double interception.
- Causes: interception applied transparently without client awareness, incorrect routing, conflicts with NAT.
- Fixes:
- Ensure transparent interception rules are precise and bypass local addresses and services that must not be intercepted.
- For TLS, prefer explicit proxying for sites requiring end-to-end certificates or configure split-tunnel policies.
- Check iptables/TProxy or firewall rules and remove unintended redirections.
8) DNS problems and leaks
Symptoms: wrong site resolution, requests going directly to internet DNS, location-based restrictions leak.
- Causes: client resolving DNS locally instead of using proxy, browser DNS prefetch, misconfigured proxy DNS settings.
- Fixes:
- Configure the proxy to perform DNS lookups or ensure clients use internal DNS as required.
- Disable DNS prefetch in browsers in privacy-sensitive deployments.
- Verify resolver settings on the proxy and clients and check /etc/resolv.conf, systemd-resolved or equivalent.
9) Application-specific proxy issues
Symptoms: browsers work but git, Java, or other command-line tools fail.
- Causes: apps ignore system proxy settings or need explicit configuration.
- Fixes:
- Set environment variables for CLI tools:
export http_proxy="http://proxy.example.com:3128"
export https_proxy="http://proxy.example.com:3128"
- For Java apps, use JVM flags:
-Dhttp.proxyHost=proxy.example.com -Dhttp.proxyPort=3128
- Check app documentation; some clients require username/password fields in a separate config or lack NTLM support.
Useful commands and checks
Quick commands by platform to inspect proxy configuration and connectivity.
Linux / macOS
# Check environment variables
echo $http_proxy $https_proxy
# Test connection to proxy port
nc -vz proxy.example.com 3128
# Test a proxied HTTP request
curl -v -x proxy.example.com:3128 http://example.com/
Windows
REM Show WinHTTP proxy (often used by system services)
netsh winhttp show proxy
REM Check Internet Options (GUI): Internet Options → Connections → LAN settings
Proxy server checks
# On the proxy host (Linux)
sudo systemctl status squid
tail -n 200 /var/log/squid/access.log
tail -n 200 /var/log/squid/cache.log
Logging and monitoring
Logs are your best friend. Look at access logs for status codes and timestamps, and check error logs for auth and TLS failures.
- Monitor resource use: CPU, memory, network I/O.
- Set up alerting for high error rate, CPU spikes, or low cache hit ratio.
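A sketch of the log review and alerting described above, as an added example that is not part of the original article. It assumes Squid's native access.log format; the sample lines, the alert names and the thresholds are constructed for illustration.

```javascript
// Added example: summarise Squid access.log lines (native log format assumed).
// SAMPLE_LOG is constructed for illustration; client IPs use a documentation range.
const SAMPLE_LOG = `
1700000000.101     3 192.0.2.10 TCP_DENIED/407 4021 CONNECT example.com:443 - HIER_NONE/- text/html
1700000001.220     2 192.0.2.10 TCP_DENIED/407 4021 CONNECT example.com:443 - HIER_NONE/- text/html
1700000002.310   148 192.0.2.11 TCP_MISS/200 5120 GET http://example.org/ alice HIER_DIRECT/198.51.100.7 text/html
1700000003.005     1 192.0.2.11 TCP_MEM_HIT/200 5120 GET http://example.org/ alice HIER_NONE/- text/html
1700000004.870 30001 192.0.2.12 TCP_MISS/504 3890 GET http://app.example.net/ bob HIER_DIRECT/198.51.100.9 text/html
1700000005.412    95 192.0.2.12 TCP_MISS/502 3902 GET http://app.example.net/ bob HIER_DIRECT/198.51.100.9 text/html
1700000006.090     1 192.0.2.11 TCP_HIT/200 812 GET http://example.org/logo.png alice HIER_NONE/- image/png
1700000007.640     2 192.0.2.10 TCP_DENIED/407 4021 CONNECT example.com:443 - HIER_NONE/- text/html
1700000008.000 truncated
`;

function summarise(logText) {
  const s = { total: 0, hits: 0, auth407: {}, gateway: {}, skipped: 0 };
  for (const raw of logText.split("\n")) {
    const f = raw.trim().split(/\s+/);
    if (f.length === 1 && f[0] === "") continue;            // blank line
    // Field 3 is "<squid result code>/<HTTP status>", e.g. TCP_MISS/502.
    const m = f.length >= 7 ? /^([A-Z_]+)\/(\d{3})$/.exec(f[3]) : null;
    if (!m) { s.skipped++; continue; }                      // malformed or truncated line
    const [, code, status] = m;
    s.total++;
    if (code.includes("HIT")) s.hits++;                     // simplification: any *_HIT code
    if (status === "407") s.auth407[f[2]] = (s.auth407[f[2]] || 0) + 1;
    if (["502", "503", "504"].includes(status)) s.gateway[status] = (s.gateway[status] || 0) + 1;
  }
  s.hitRatio = s.total ? s.hits / s.total : 0;
  const gw = Object.values(s.gateway).reduce((a, b) => a + b, 0);
  s.gatewayErrorRate = s.total ? gw / s.total : 0;
  return s;
}

// Thresholds are hypothetical; tune them against a known-good baseline.
// A single 407 is a normal auth challenge, so only repeated 407s per client are flagged.
function alerts(s, { maxGatewayRate = 0.05, minHitRatio = 0.3, max407PerClient = 2 } = {}) {
  const out = [];
  if (s.gatewayErrorRate > maxGatewayRate) out.push("gateway-errors");
  if (s.hitRatio < minHitRatio) out.push("low-cache-hit-ratio");
  for (const [ip, n] of Object.entries(s.auth407)) if (n > max407PerClient) out.push(`repeated-407:${ip}`);
  return out;
}

console.log(summarise(SAMPLE_LOG), alerts(summarise(SAMPLE_LOG)));
```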
Checklist: quick fixes to try now
- Confirm proxy hostname and port in client settings.
- Try bypassing the proxy to isolate the problem.
- Clear browser cache, saved credentials, and PAC file cache.
- Verify proxy service is running and reachable from the client.
- Install the proxy CA if SSL interception is used.
- Check proxy logs for obvious error codes or rejected requests.
When to escalate
- Proxy server is down or repeatedly crashing: engage the server admin.
- Authentication failures affecting many users: coordinate with identity team (Kerberos/AD).
- Widespread SSL errors: security team should confirm certificate and CA trust chains.
Summary
Proxy issues usually come down to a few categories: connectivity, authentication, TLS, configuration (PAC/WPAD), caching and application mismatches. Start by confirming addresses and ports, test direct connectivity, and look at the proxy logs. Address authentication and TLS problems by matching client and proxy expectations: install the proxy CA where needed and use the right auth method. For stubborn performance or gateway errors, check upstream health and scale or tune the proxy. If a problem affects many users, capture logs and escalate with precise symptoms and times so the server or identity owners can help.



