So, maybe you’re setting up a SOCKS or HTTP(S) proxy, and maybe you’re configuring your OS to send all of its traffic through it.
That’s good! Except there are a few destinations you almost certainly don’t want to proxy, especially if it’s an “external” proxy out on the internet, or you’re looking to route everything through Tor.
Here’s a list of domain suffixes (mostly TLDs) and IP ranges that should bypass the proxy, ready to paste into, e.g., the bypass field of macOS’ System Settings:
*.local,*.localdomain,*.intranet,*.internal,*.private,*.corp,*.home,*.lan,*.home.arpa,*.fritz.box,127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,0.0.0.0/8,100.64.0.0/10,169.254.0.0/16,192.0.0.0/24,192.0.2.0/24,192.88.99.0/24,198.18.0.0/15,198.51.100.0/24,203.0.113.0/24,224.0.0.0/4,240.0.0.0/4,fd00::/8,::1/128,64:ff9b:1::/48,2001:db8::/32,fc00::/7,fe80::/10
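Here’s the same list as a PAC-style FindProxyForURL(), added as an example (it is not code from the original post) to show what the bypass decision actually looks like when a browser or OS evaluates it. Unlike the isInNet() helper in real PAC files, which resolves hostnames through DNS, this version only matches IP *literals* against the CIDR list and matches hostnames by suffix, so nothing is ever resolved locally (which is exactly what you want when the proxy is Tor). The SOCKS endpoint 127.0.0.1:9050 and the rule that dotless names go direct are assumptions of this example.

```javascript
// Added example, not from the original post: the bypass list as a PAC-style
// FindProxyForURL() that never touches DNS. Runs stand-alone in Node.

// Hostname suffixes (the post's list, without the "*." prefix).
const BYPASS_SUFFIXES = [
  "local", "localdomain", "intranet", "internal", "private", "corp",
  "home", "lan", "home.arpa", "fritz.box",
];
// IPv4 and IPv6 ranges from the post's list (fd00::/8 is already inside fc00::/7).
const BYPASS_V4 = [
  "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "0.0.0.0/8",
  "100.64.0.0/10", "169.254.0.0/16", "192.0.0.0/24", "192.0.2.0/24",
  "192.88.99.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
  "224.0.0.0/4", "240.0.0.0/4",
];
const BYPASS_V6 = [
  "fd00::/8", "::1/128", "64:ff9b:1::/48", "2001:db8::/32", "fc00::/7", "fe80::/10",
];
// Assumed proxy for this example: Tor's default local SOCKS port.
const PROXY = "SOCKS5 127.0.0.1:9050";

// Parse a dotted-quad IPv4 literal into a BigInt, or null if it is not one.
function parseIPv4(s) {
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  let n = 0n;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = (n << 8n) | BigInt(p);
  }
  return n;
}

// Parse an IPv6 literal (with optional "::" compression) into a BigInt, or null.
// Embedded-IPv4 forms such as ::ffff:10.0.0.1 are deliberately not parsed; they
// fall through to the hostname rules and end up at the proxy.
function parseIPv6(s) {
  if (!/^[0-9a-fA-F:]+$/.test(s)) return null;
  const halves = s.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  if (halves.length === 2 ? missing < 1 : missing !== 0) return null;
  let n = 0n;
  for (const g of [...head, ...Array(missing).fill("0"), ...tail]) {
    if (!/^[0-9a-fA-F]{1,4}$/.test(g)) return null;
    n = (n << 16n) | BigInt(parseInt(g, 16));
  }
  return n;
}

// True if addr (BigInt) lies within cidr; bits is 32 or 128, parse the matching parser.
function inCidr(addr, bits, cidr, parse) {
  const [net, len] = cidr.split("/");
  const prefix = BigInt(len);
  const mask = ((1n << prefix) - 1n) << (BigInt(bits) - prefix);
  return (addr & mask) === (parse(net) & mask);
}

// PAC entry point: "DIRECT" for anything on the bypass list, the proxy otherwise.
// Only IP literals are checked against the CIDR list; hostnames are matched by
// suffix and never resolved, so no DNS query leaves the machine here.
function FindProxyForURL(url, host) {
  const h = host.toLowerCase().replace(/^\[|\]$/g, "").replace(/\.$/, "");
  const v4 = parseIPv4(h);
  if (v4 !== null) {
    return BYPASS_V4.some((c) => inCidr(v4, 32, c, parseIPv4)) ? "DIRECT" : PROXY;
  }
  const v6 = parseIPv6(h);
  if (v6 !== null) {
    return BYPASS_V6.some((c) => inCidr(v6, 128, c, parseIPv6)) ? "DIRECT" : PROXY;
  }
  // Assumption of this example: dotless names (nas, localhost) come from the local
  // search domain and go direct.
  if (!h.includes(".")) return "DIRECT";
  // Suffix match, not substring match: "evil.lan.example.com" must still be proxied.
  // The apex itself also matches, because e.g. "fritz.box" is the router.
  return BYPASS_SUFFIXES.some((d) => h === d || h.endsWith("." + d)) ? "DIRECT" : PROXY;
}
```

Served as a .pac file this is what the browser calls for every request; in Node you can poke at it directly, e.g. FindProxyForURL("http://printer.lan/", "printer.lan") gives "DIRECT" while FindProxyForURL("http://evil.lan.example.com/", "evil.lan.example.com") goes to the proxy.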
Some of these suffixes are formally reserved for local use (.local for mDNS per RFC 6762, home.arpa per RFC 8375, and .internal, which ICANN reserved for private use in 2024); the others are not, but are commonly used that way anyway and, so far, don’t resolve on the public internet. The IP ranges, on the other hand, are all genuinely reserved: loopback, RFC 1918 private space, the CGNAT shared range, link-local, the documentation and benchmarking prefixes, multicast, and so on.
So, if you feel like complaining that some of these TLDs aren’t meant for this use: I’m not the one violating the specification, the countless consumer-grade devices people have at home are, and I’m just accounting for them. Probably half of Germany has *.fritz.box at home (strictly speaking a name under the real .box gTLD, which is precisely why you want it bypassed: sent to an external proxy, a request for fritz.box can be resolved and delivered on the public internet instead of to your router), and OpenWrt uses *.lan by default. If I don’t account for things like that, things *will* break. Besides, there’s currently no *.lan or *.home TLD in the public root precisely because ICANN is aware of the “unauthorized” use and is holding such strings back to avoid name collisions. So, in a sense, *.home is an unofficial standard now, and there have been proposals to reserve it (and a few others) formally.
PS In case it wasn’t clear: the reason you don’t want to proxy these is that the proxy most likely can’t reach those addresses at all (they only mean something inside your own network), and that you don’t want to hand an external proxy requests meant for local devices, complete with their hostnames and whatever sensitive data they carry.
Sources:
- https://serverfault.com/a/937808
- https://gitlab.torproject.org/legacy/trac/-/wikis/doc/TransparentProxy
- https://en.wikipedia.org/wiki/Private_network
- https://en.wikipedia.org/wiki/Reserved_IP_addresses
- The “TLD” *.fritz.box was added by me because I have German vibes.
@sindastra ah yes – the horrors of proxy servers. That's a good list, but not safe for use in corporate networks where there are private IP ranges being used and proxies. I'm kinda glad we're now MITM-ing ourselves with a TLS-breaking "transparent proxy". (It breaks open the TLS, scans the packets, and re-signs it with its CA.)