Anonymous Proxies

Anonymous proxies strip the client IP but still signal that a proxy sits in the path. For how this compares to transparent, distorting, and elite, see proxy anonymity levels guide.

What is an anonymous proxy?

Anonymous proxies hide your client IP yet keep hop markers that reveal a proxy in the path. Most stacks achieve this by dropping client-address headers and keeping headers like Via.

Anonymous mode sits between transparent and elite. It is common for forward HTTP proxies and easy to verify with a header echo endpoint.

What it hides vs what it exposes

It hides your original IP address. It exposes the presence of a proxy through headers or network traits.

Targets often see Via and sometimes X-Forwarded-For set to the gateway IP. IP reputation and client fingerprinting still apply.

Anonymous vs other levels

Transparent sends your client IP as-is. Distorting forges a fake client IP. Elite hides both your IP and proxy indicators.

Choose anonymous when hiding the client IP is enough and the target does not penalize proxy markers. Move to elite if hop markers are a problem.

Header behavior at a glance

Anonymous drops client IPs and keeps hop markers. Elite drops both client IPs and hop markers.

HTTPS CONNECT note

In CONNECT mode the proxy relays encrypted traffic, so end-to-end headers are not modified in transit. Detection then leans on egress reputation and client TLS or browser fingerprints. For a refresher on HTTP vs HTTPS behavior, see our primer on HTTP/HTTPS proxies (/docs/http-https-proxies/).

Quick verification tests

You confirm anonymity by seeing the proxy IP while also seeing hop markers.

1. HTTP echo
   

curl -s https://httpbin.org/anything \

  -x http://PROXY_HOST:PORT | jq .headers

Check that your own IP is absent from any header and that Via exists.

2. HTTPS CONNECT echo
   

curl -s https://httpbin.org/anything \

  -x http://PROXY_HOST:PORT --proxy-insecure | jq .origin

Confirm origin equals the proxy egress. Expect detection to depend on egress reputation and your client fingerprint.

3. Direct baseline
   

curl -s https://httpbin.org/ip | jq

The IP must differ from the proxy tests.

Where anonymous is a good fit

It suits targets that only require hiding the client IP and do not penalize proxy headers. Many APIs and internal tools tolerate Via or a gateway X-Forwarded-For.

Anonymous is also a simple default for forward proxies when you do not need header-level stealth.

Where anonymous struggles

If the target scores Via, common proxy subnets, or reused fingerprints, expect throttling or blocks. Header tweaks alone do not fix poor IP reputation or unrealistic TLS and browser fingerprints.

If proxy markers are the issue, consider elite mode and stronger egress pools.

Minimal configs for anonymous behavior

These examples drop client IPs while keeping hop markers. Re-test after updates to avoid silent regressions.

Squid 6.x

Distillate: Drop client-address headers; keep Via.

# squid.conf

via on

forwarded_for off            # do not append client IP

request_header_access X-Forwarded-For deny all

request_header_access X-Real-IP       deny all

request_header_access Forwarded        deny all

Result: targets typically see Via, no client IP.

Nginx (forward proxy module)

Distillate: Strip client IP headers; add a neutral hop marker if desired.

# nginx.conf (stream/http proxying context varies by build)

proxy_set_header X-Forwarded-For "";

proxy_set_header X-Real-IP       "";

proxy_set_header Forwarded        "";

# Optional hop marker:

proxy_set_header Via "1.1 proxy-gw";

HAProxy 2.8+

Distillate: Remove client IP headers; preserve a hop marker if needed.

http-request del-header X-Forwarded-For

http-request del-header X-Real-IP

http-request del-header Forwarded

# Optional:

http-response set-header Via "1.1 proxy-gw"

Common pitfalls

Misconfigured chains reintroduce client IPs. Keep the chain short and drop client IP headers at the first public egress.

CDNs or reverse proxies in front may rewrite X-Forwarded-For. Standardize hop order and test with httpbin after any change.

Pros and cons

Distillate: Easy to set up, but not stealthy about being a proxy.

Pros

• Hides client IP with minimal setup
  
• Works on standard HTTP proxy stacks
  

Cons

• Reveals proxy usage through hop markers
  
• Still subject to IP reputation and client fingerprint checks
  

Tip
Test via HTTP or HTTPS requests, not ICMP ping.

FAQs

Distillate: Short, direct answers aligned with the page content.

What makes a proxy “anonymous”?
It hides the client IP while leaving hop markers such as Via or a gateway X-Forwarded-For.

Does HTTPS CONNECT make an anonymous proxy elite?
No. CONNECT tunnels payloads, but the destination still judges egress IP reputation and your client fingerprint.

Why do I still see X-Forwarded-For?
Anonymous mode may keep it but set it to the proxy IP. That hides you but shows a proxy hop.

How do I verify anonymity quickly?
Send a request to an echo endpoint through the proxy and confirm your real IP is not present in any header. Compare with a direct request.

When should I prefer elite level?
When targets penalize proxy markers or when you need to blend in with direct clients.

Related in this topic

• Transparent Proxies
  
• Distorting Proxies
  
• Elite Proxies