General usefulness of web proxy

I read statements on the web saying that configuring a web proxy on the router enhances security for LAN clients. I can see that the following may apply:

  • The web proxy may prevent access to questionable/unsafe/time-wasting web sites, but the list of web sites must be manually entered and maintained (a full-time job for a single sysadmin).

  • If combined with appropriate firewall rules, some dangerous content could be dropped by the firewall (but this would happen anyway for HTTP, even without a proxy). HTTPS could be secured by decrypting the incoming web contents on the router, running through the firewall rules, then re-encrypting (with the router’s certificate) and forwarding to the LAN client.

Aside from this, I don’t see how a web proxy can provide more security than a masquerading NAT. What am I missing?

Also, how does a RouterOS web proxy manage HTTPS? Does the router do the decryption/examination/re-encryption procedure mentioned above? Or does it just forward HTTPS content as-is to the LAN clients? (And in the latter case, where is the added security?)

I’ve not used the MikroTik web proxy, so can only comment on general instances. Web proxies can be run on heavily locked down OS builds and implement a known “trusted” HTTP stack (and even peek at CSS or HTML). This can mean that attacks via HTTP fail to break out of the proxy and so protect clients behind from web attacks targeted at their OS. They can also run policies protecting clients from some websites.

They can also frustrate users where anomalous interactions behave unexpectedly.

HTTPS can only be proxied if the proxy has keys installed or MITM snooped.
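
What a generic forward proxy can evaluate per request when it does not decrypt HTTPS, as an added example that is not part of the posts above and is not RouterOS code. The host names, rules and request lines are constructed, and the function names are hypothetical.

```python
# Added example: per-request visibility of a non-decrypting forward proxy.
# Request lines and rules below are constructed for illustration.
from urllib.parse import urlsplit

# Hypothetical policy: block a whole host, and one path on another host.
BLOCKED_HOSTS = {"ads.example"}
BLOCKED_PATHS = {("files.example", "/downloads/tool.exe")}


def visible_fields(request_line):
    """Return (host, path) as seen by a proxy that does not decrypt TLS.

    path is None for CONNECT: the proxy only learns host:port and then
    relays opaque TLS bytes between client and server.
    """
    method, target, _version = request_line.split()
    if method.upper() == "CONNECT":
        host, _, _port = target.rpartition(":")
        return host.lower(), None
    url = urlsplit(target)  # plain HTTP via a proxy uses an absolute URL
    return (url.hostname or "").lower(), url.path or "/"


def decide(request_line):
    """Apply the policy to one request line; return a verdict string."""
    host, path = visible_fields(request_line)
    if host in BLOCKED_HOSTS:
        return "deny: host rule"
    if path is None:
        # A path rule exists for this host but cannot be evaluated.
        if any(h == host for h, _ in BLOCKED_PATHS):
            return "allow: path rule not enforceable (encrypted tunnel)"
        return "allow"
    if (host, path) in BLOCKED_PATHS:
        return "deny: path rule"
    return "allow"


if __name__ == "__main__":
    for line in (
        "GET http://files.example/downloads/tool.exe HTTP/1.1",
        "CONNECT files.example:443 HTTP/1.1",
        "CONNECT ads.example:443 HTTP/1.1",
        "GET http://files.example/index.html HTTP/1.1",
    ):
        print(f"{line!r:60} -> {decide(line)}")
```

Host-level rules still apply to the CONNECT tunnel, but anything keyed on path or content needs the decrypt/re-encrypt setup described in the question.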