Web Proxy
TL;DR (Quick Start)
For the impatient: enable a basic HTTP proxy. Add the LAN-only firewall rules from Step 2 before enabling it, so the proxy is never reachable from the Internet.
```
# Enable proxy
/ip/proxy/set enabled=yes port=8080

# Block a website
/ip/proxy/access/add dst-host=*.facebook.com action=deny
```
For transparent proxy (no client configuration):
```
/ip/firewall/nat/add chain=dstnat protocol=tcp src-address=192.168.1.0/24 \
    dst-port=80 action=redirect to-ports=8080
```
Verify with:
```
/ip/proxy/monitor
```
Overview
What this does: The Web Proxy caches HTTP content locally, reducing bandwidth usage and improving response times. It also enables content filtering by blocking websites, file types, or specific URLs.
When to use this:
- Reducing bandwidth usage through HTTP caching
- Blocking access to specific websites or content types
- Implementing basic content filtering for a network
- Relaying requests through an upstream (parent) proxy
Prerequisites:
- Firewall rules to prevent open proxy abuse
- For transparent proxy: NAT rules to redirect traffic
- For disk caching: Formatted and mounted storage
HTTP Only
The MikroTik Web Proxy only handles HTTP traffic (port 80). HTTPS traffic cannot be transparently proxied. For HTTPS filtering, clients must explicitly configure the proxy in their browser settings; even then the proxy sees only the CONNECT request, so it can filter by destination hostname (dst-host) but not by URL path, which stays inside the encrypted tunnel.
Configuration Steps
Step 1: Enable the Proxy
Enable the proxy service:
```
/ip/proxy/set enabled=yes port=8080
```
Step 2: Secure the Proxy (Critical)
Before anything else, prevent your proxy from being abused as an open proxy:
```
/ip/firewall/filter/add chain=input protocol=tcp dst-port=8080 \
    src-address=192.168.1.0/24 action=accept comment="Allow LAN to proxy"
/ip/firewall/filter/add chain=input protocol=tcp dst-port=8080 \
    action=drop comment="Block external proxy access"
```
Filter rules are evaluated top-to-bottom, so the LAN accept rule must sit above the drop rule.
Step 3: Configure Clients (Regular Proxy)
For regular proxy mode, configure client browsers to use:
- Proxy Address: Router IP (e.g., 192.168.1.1)
- Port: 8080
Step 4: Verify Operation
Check proxy status:
```
/ip/proxy/monitor
```
Expected output:
```
status: running
uptime: 1h30m
requests: 1542
hits: 312
cache-used: 45.2MiB
total-ram-used: 52.1MiB
client-connections: 5
server-connections: 3
```
Common Scenarios
Scenario: Transparent Proxy (No Client Config)
Redirect all HTTP traffic through the proxy automatically:
```
# Enable proxy
/ip/proxy/set enabled=yes port=8080

# Redirect HTTP traffic to proxy
/ip/firewall/nat/add chain=dstnat protocol=tcp \
    src-address=192.168.1.0/24 dst-port=80 \
    action=redirect to-ports=8080 comment="Transparent proxy"
```
Transparent proxy only works for HTTP (port 80). HTTPS traffic will bypass the proxy.
Scenario: Block Websites by Domain
Block access to specific websites:
```
/ip/proxy/access/add dst-host=*.facebook.com action=deny
/ip/proxy/access/add dst-host=*.youtube.com action=deny
/ip/proxy/access/add dst-host=*.tiktok.com action=deny
```
Wildcard patterns:
- `*` matches any characters
- `?` matches a single character
- `*.example.com` matches all subdomains
Scenario: Block File Types
Prevent downloading specific file types:
```
/ip/proxy/access/add path=*.exe action=deny comment="Block executables"
/ip/proxy/access/add path=*.mp3 action=deny comment="Block MP3s"
/ip/proxy/access/add path=*.torrent action=deny comment="Block torrents"
/ip/proxy/access/add path=*.zip action=deny comment="Block ZIP files"
```
Scenario: Whitelist Mode (Block Everything Except)
Allow only specific sites:
```
/ip/proxy/access/add dst-host=*.company.com action=allow
/ip/proxy/access/add dst-host=*.microsoft.com action=allow
/ip/proxy/access/add dst-host=*.google.com action=allow
/ip/proxy/access/add action=deny comment="Block everything else"
```
Order matters: Rules are processed top-to-bottom; first match wins. A request that matches no rule is allowed, which is why the whitelist needs the final catch-all deny rule, and why that rule must come last.
Scenario: Enable Disk-Based Caching
Store cache on disk instead of RAM:
```
# Check available disks
/disk/print

# Enable disk caching
/ip/proxy/set cache-on-disk=yes \
    cache-path=/usb1/proxy-cache \
    max-cache-size=1000000 \
    max-cache-object-size=10240
```
- max-cache-size: Total cache size in KiB (1000000 = ~1GB)
- max-cache-object-size: Maximum single file size to cache in KiB
Scenario: Parent Proxy (Upstream Relay)
Route all requests through an upstream proxy:
```
/ip/proxy/set parent-proxy=10.0.0.1 parent-proxy-port=3128
```
Scenario: Bypass Parent for Local Sites
Access local resources directly, not through the parent proxy:
```
/ip/proxy/direct/add dst-address=192.168.0.0/16 action=allow
/ip/proxy/direct/add dst-address=10.0.0.0/8 action=allow
/ip/proxy/direct/add dst-host=*.local action=allow
```
Scenario: Block by Source Address
Restrict specific clients:
```
# Block guest network from proxy
/ip/proxy/access/add src-address=192.168.2.0/24 action=deny

# Allow main network
/ip/proxy/access/add src-address=192.168.1.0/24 action=allow
```
Scenario: Anonymous Proxy
Hide client IP addresses from destination servers:
```
/ip/proxy/set anonymous=yes
```
This suppresses the X-Forwarded-For header.
Scenario: Don't Cache Dynamic Content
Prevent caching of dynamic/frequently-changing content:
```
/ip/proxy/cache/add path=*.php action=deny
/ip/proxy/cache/add path=*cgi-bin* action=deny
/ip/proxy/cache/add path=*?* action=deny comment="Don't cache URLs with query strings"
```
Note that `?` is itself a single-character wildcard (see Wildcard Patterns), so `path=*?*` matches every non-empty path and effectively disables caching altogether; to match only a literal question mark, use the `:` regex prefix with the question mark escaped.
Scenario: View Active Connections
Monitor current proxy connections:
```
/ip/proxy/connections/print
```
Shows source, destination, state, and bytes transferred.
Scenario: View Cached Content
List objects in cache:
```
/ip/proxy/cache-contents/print
```
Clear the cache:
```
/ip/proxy/cache-contents/remove [find]
```
Verification
Confirm the Web Proxy is working correctly:
Check 1: Verify Proxy Status
```
/ip/proxy/print
```
Expected: enabled: yes with configured settings.
Check 2: Monitor Real-Time Statistics
```
/ip/proxy/monitor
```
Expected: status: running, increasing requests count.
Check 3: Verify Access Rules
```
/ip/proxy/access/print
```
Expected: Rules listed in correct order.
Check 4: Check Cache Hits
```
/ip/proxy/monitor
```
Expected: hits count increasing (indicates caching is working).
Check 5: View Active Connections
```
/ip/proxy/connections/print
```
Expected: Active client/server connections during browsing.
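The checks above are manual reads of `/ip/proxy/monitor`. The following Python script is an added example (not part of this page and not MikroTik code) that parses that output as it appears under Step 4, computes the cache hit ratio, and flags the two conditions the checks and the Troubleshooting table care about: the service not running, and a busy proxy with zero cache hits. The sample output is constructed from the format shown above; the `min_requests` threshold is an assumption.

```python
import re
from typing import Dict, List, Union

# Constructed sample of /ip/proxy/monitor output, in the format shown under Step 4.
SAMPLE_MONITOR = """\
status: running
uptime: 1h30m
requests: 1542
hits: 312
cache-used: 45.2MiB
total-ram-used: 52.1MiB
client-connections: 5
server-connections: 3
"""

_SIZE_UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3}


def parse_monitor(text: str) -> Dict[str, Union[int, str]]:
    """Parse 'field: value' lines; counters become ints, sizes become bytes, the rest stays text."""
    fields: Dict[str, Union[int, str]] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        size = re.fullmatch(r"(\d+(?:\.\d+)?)(B|KiB|MiB|GiB)", value)
        if size:
            fields[key] = int(float(size.group(1)) * _SIZE_UNITS[size.group(2)])
        elif value.isdigit():
            fields[key] = int(value)
        else:
            fields[key] = value
    return fields


def hit_ratio(fields: Dict[str, Union[int, str]]) -> float:
    """Fraction of requests served from cache (0.0 when there are no requests yet)."""
    requests = int(fields.get("requests", 0))
    return int(fields.get("hits", 0)) / requests if requests else 0.0


def health_problems(fields: Dict[str, Union[int, str]], min_requests: int = 100) -> List[str]:
    """Flag the conditions from the Verification checks and the Troubleshooting table.

    min_requests (assumed threshold) avoids a false 'no cache hits' alarm on a freshly
    started proxy that has not seen enough traffic to fill the cache.
    """
    problems: List[str] = []
    if fields.get("status") != "running":
        problems.append("status is not 'running'")
    if int(fields.get("requests", 0)) >= min_requests and int(fields.get("hits", 0)) == 0:
        problems.append("no cache hits: check Cache-Control headers and max-cache-object-size")
    return problems


if __name__ == "__main__":
    parsed = parse_monitor(SAMPLE_MONITOR)
    print(f"hit ratio: {hit_ratio(parsed):.1%}")
    print("problems:", health_problems(parsed) or "none")
```

On a real router, feed the script the text captured from `/ip/proxy/monitor` (for example via SSH) instead of the constructed sample; a hit ratio that stays at zero after a few hundred requests points at the "No cache hits" row of the Troubleshooting table.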
Troubleshooting
| Symptom | Cause | Solution |
|---|---|---|
| Proxy accessible from Internet | No firewall rules | Add firewall rules to restrict access to LAN only |
| HTTPS sites not filtered | HTTPS bypasses transparent proxy | Use explicit proxy config on clients; transparent only works for HTTP |
| No cache hits | Cache-Control headers or small object limit | Increase max-cache-object-size; try always-from-cache=yes |
| Disk cache not working | Invalid path or unmounted disk | Verify disk with /disk/print; check path exists |
| Access rules not working | Rule order incorrect | First match wins; put specific rules before general rules |
| Some websites broken | Site detects/blocks proxy | Add to direct access list or use explicit proxy mode |
| High memory usage | RAM-based caching | Enable cache-on-disk=yes with external storage |
| Clients can't connect | Firewall blocking proxy port | Add accept rule for proxy port from LAN |
Debug: Check Proxy Logs
```
/log/print where topics~"proxy"
```
Debug: Test Access Rules
Use a specific client and check if rules match:
```
/ip/proxy/access/print stats
```
Shows hit counts per rule.
Debug: Verify NAT Rule (Transparent)
```
/ip/firewall/nat/print where action=redirect
```
Ensure the redirect rule is active and matching traffic.
Common Mistakes
- Open proxy vulnerability - Always add firewall rules before enabling the proxy. An open proxy will be abused for spam and attacks.
- Expecting HTTPS filtering - Transparent proxy only works for HTTP port 80. HTTPS requires explicit client configuration.
- Wrong rule order - Access rules are processed top-to-bottom. Put specific rules before catch-all rules.
- RAM exhaustion - Default RAM-based caching can exhaust memory. Use disk caching for large deployments.
- Caching dynamic content - Don't cache URLs with query strings or dynamic pages; create cache deny rules.
Access List Matching
Access rules support various matching criteria:
| Property | Matches | Example |
|---|---|---|
| src-address | Client IP/subnet | 192.168.1.0/24 |
| dst-address | Server IP/subnet | 10.0.0.0/8 |
| dst-host | Hostname pattern | *.facebook.com |
| dst-port | Destination port | 80 or 80-443 |
| path | URL path pattern | *.exe, */downloads/* |
| method | HTTP method | GET, POST, CONNECT |
Wildcard Patterns
| Pattern | Matches |
|---|---|
| * | Any characters |
| ? | Single character |
| *.example.com | All subdomains of example.com |
| *facebook* | Any URL containing "facebook" |
| :regex | Regular expression (prefix with colon) |
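To make the first-match-wins semantics of the access list and the pattern table above concrete, here is an added Python model (example code, not part of this page and not RouterOS itself) of how `/ip/proxy/access` rules are evaluated. It replays the Whitelist Mode scenario in the correct order and with the catch-all deny placed first (the "Wrong rule order" mistake), applies the Block by Source Address rules, and shows how `*`, `?`, `*.example.com` and `:regex` patterns match. Assumptions: `:regex` is applied as an unanchored search, matching is case-insensitive, a request matching no rule is allowed, and the per-rule `hits` counter mirrors what `/ip/proxy/access/print stats` reports. The request samples are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


# Hypothetical model of one /ip/proxy/access rule; added example code, not RouterOS.
@dataclass
class AccessRule:
    action: str                        # "allow" or "deny"
    src_address: Optional[str] = None  # CIDR, e.g. "192.168.2.0/24"
    dst_host: Optional[str] = None     # wildcard pattern or ":regex"
    path: Optional[str] = None         # wildcard pattern or ":regex"
    method: Optional[str] = None       # GET, POST, CONNECT
    comment: str = ""
    hits: int = 0                      # per-rule counter, like /ip/proxy/access/print stats


@dataclass
class Request:
    src_ip: str
    host: str
    path: str = "/"
    method: str = "GET"


def pattern_matches(pattern: str, value: str) -> bool:
    """Match a value against a RouterOS-style pattern (see the Wildcard Patterns table).

    ':' prefix -> the remainder is a regular expression, applied as an unanchored
                  search (assumption). Otherwise '*' matches any run of characters,
                  '?' matches exactly one character, and the whole value must match.
    Matching is case-insensitive here (a simplification).
    """
    if pattern.startswith(":"):
        return re.search(pattern[1:], value, re.IGNORECASE) is not None
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.fullmatch("".join(parts), value, re.IGNORECASE) is not None


def rule_matches(rule: AccessRule, req: Request) -> bool:
    """A rule matches only if every property it sets matches the request."""
    if rule.src_address is not None:
        net = ipaddress.ip_network(rule.src_address, strict=False)
        if ipaddress.ip_address(req.src_ip) not in net:
            return False
    if rule.dst_host is not None and not pattern_matches(rule.dst_host, req.host):
        return False
    if rule.path is not None and not pattern_matches(rule.path, req.path):
        return False
    if rule.method is not None and rule.method.upper() != req.method.upper():
        return False
    return True


def evaluate(rules: List[AccessRule], req: Request) -> str:
    """Top-to-bottom, first match wins; no match means the request is allowed (assumed default)."""
    for rule in rules:
        if rule_matches(rule, req):
            rule.hits += 1
            return rule.action
    return "allow"


def decisions(rules: List[AccessRule], reqs: List[Request]) -> List[str]:
    return [evaluate(rules, r) for r in reqs]


def whitelist_rules(catch_all_first: bool = False) -> List[AccessRule]:
    """The Whitelist Mode scenario; catch_all_first=True reproduces the wrong-order mistake."""
    rules = [
        AccessRule("allow", dst_host="*.company.com"),
        AccessRule("allow", dst_host="*.microsoft.com"),
        AccessRule("allow", dst_host="*.google.com"),
    ]
    deny_all = AccessRule("deny", comment="Block everything else")
    return [deny_all] + rules if catch_all_first else rules + [deny_all]


# Constructed sample requests (not real traffic).
SAMPLE_REQUESTS = [
    Request("192.168.1.10", "intranet.company.com"),
    Request("192.168.1.10", "www.facebook.com"),
    Request("192.168.2.5", "update.microsoft.com", "/download/setup.exe"),
]

if __name__ == "__main__":
    print(decisions(whitelist_rules(), SAMPLE_REQUESTS))                       # ['allow', 'deny', 'allow']
    print(decisions(whitelist_rules(catch_all_first=True), SAMPLE_REQUESTS))   # ['deny', 'deny', 'deny']
    print(pattern_matches("*?*", "/index.html"))   # True: '?' is a wildcard, so this matches any path
```

The wrong-order run shows why the catch-all deny must be the last rule: once it sits above the allow rules, nothing ever reaches them, and `/ip/proxy/access/print stats` would show all hits on the deny rule. The `*?*` check illustrates the caveat from the Don't Cache Dynamic Content scenario: `?` is a wildcard, not a literal question mark, whereas the regex form `:\?` matches only URLs that actually contain one.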
Related Topics
Prerequisites
- NAT Masquerade - required for transparent proxy redirect
- Firewall Basics - securing proxy access
Alternative Solutions
- DNS Server - alternative for domain blocking
- Firewall Address Lists - IP-based blocking
Storage
Network
- DHCP Server - distribute proxy settings
- IP Addresses - proxy interface addressing
Reference
Key Commands Reference
| Command | Description |
|---|---|
| /ip/proxy/set | Configure proxy settings |
| /ip/proxy/print | View configuration |
| /ip/proxy/monitor | Real-time statistics |
| /ip/proxy/access/add | Create access rule |
| /ip/proxy/access/print | View access rules |
| /ip/proxy/direct/add | Create direct access rule |
| /ip/proxy/cache/add | Create cache control rule |
| /ip/proxy/connections/print | View active connections |
| /ip/proxy/cache-contents/print | View cached objects |
Core Properties
| Property | Type | Default | Description |
|---|---|---|---|
| enabled | yes/no | no | Enable proxy service |
| port | integer | 8080 | Listening port |
| src-address | IP | 0.0.0.0 | Source address for outbound connections |
| anonymous | yes/no | no | Hide client IP |
| cache-administrator | string | webmaster | Admin email for error pages |
Cache Properties
| Property | Type | Default | Description |
|---|---|---|---|
| cache-on-disk | yes/no | no | Store cache on disk |
| cache-path | string | web-proxy | Disk cache directory |
| max-cache-size | KiB | unlimited | Maximum total cache size |
| max-cache-object-size | KiB | 2048 | Maximum single object size |
| max-fresh-time | time | 3d | Maximum cache retention |
| always-from-cache | yes/no | no | Serve expired cache if the origin is unavailable |
Parent Proxy Properties
| Property | Type | Default | Description |
|---|---|---|---|
| parent-proxy | IP | 0.0.0.0 | Upstream proxy address |
| parent-proxy-port | integer | 0 | Upstream proxy port |
Connection Properties
| Property | Type | Default | Description |
|---|---|---|---|
| max-client-connections | integer | 600 | Max client connections |
| max-server-connections | integer | 600 | Max server connections |
Monitor Output Fields
| Field | Description |
|---|---|
| status | Service status (running/stopped) |
| uptime | Time since proxy started |
| requests | Total requests received |
| hits | Requests served from cache |
| cache-used | Current cache size |
| total-ram-used | RAM consumption |
| client-connections | Active client connections |
| server-connections | Active server connections |