What is a Proxy Connection?

A proxy connection allows SurveyAnalytica to route outbound traffic through an intermediary proxy server before reaching its destination. This is commonly required in enterprise environments where direct internet access is restricted and all outbound traffic must pass through a corporate proxy for security, compliance, or monitoring purposes.

SurveyAnalytica supports three proxy protocols:

• HTTP Proxy — Routes HTTP traffic through the proxy. Suitable for plaintext API calls and webhook delivery.
• HTTPS Proxy (CONNECT) — Uses the HTTP CONNECT method to establish a tunnel through the proxy, allowing end-to-end TLS encryption. The proxy sees the destination hostname but cannot inspect the encrypted traffic.
• SOCKS5 Proxy — A general-purpose proxy that operates at a lower level than HTTP. Supports any TCP protocol (databases, SMTP, custom protocols) and optionally UDP. Provides username/password authentication.

When to Use Each Proxy Type

HTTP Proxy

Use an HTTP proxy when:

• Your organization requires all outbound HTTP traffic to pass through a content inspection or logging proxy.
• You need to route webhook deliveries through a corporate gateway.
• The target services use HTTP (non-TLS) endpoints.

Limitation: An HTTP proxy can read and modify the traffic in transit. Do not use for sensitive data unless the proxy is fully trusted.

HTTPS Proxy (CONNECT)

Use an HTTPS proxy when:

• You need proxy routing for HTTPS endpoints while maintaining end-to-end encryption.
• Your corporate network requires outbound HTTPS traffic to go through an explicit proxy.
• You need TLS certificate verification to work correctly (the proxy does not terminate TLS).

This is the most common choice for enterprise environments.

SOCKS5 Proxy

Use a SOCKS5 proxy when:

• You need to proxy non-HTTP traffic (e.g., database connections on port 5432 or 3306).
• Your proxy infrastructure is SOCKS-based rather than HTTP-based.
• You need protocol-agnostic proxying that works with any TCP connection.

Step-by-Step Configuration

Step 1: Navigate to Network Connections

In SurveyAnalytica, go to Settings → Network Connections and click Add Connection. Select Proxy as the connection type.

Step 2: Select the Proxy Protocol

Choose one of the following:

• HTTP — For HTTP proxy servers
• HTTPS — For HTTPS CONNECT proxy servers
• SOCKS5 — For SOCKS5 proxy servers

Step 3: Enter Proxy Server Details

Field	Description	Example
Host	The hostname or IP address of the proxy server	proxy.corp.example.com
Port	The port the proxy listens on	3128 (HTTP/HTTPS), 1080 (SOCKS5)

Step 4: Configure Authentication (Optional)

If your proxy requires authentication, enable the Authentication toggle and enter:

Field	Description
Username	The proxy authentication username
Password	The proxy authentication password

For SOCKS5, this uses the SOCKS5 username/password authentication method (RFC 1929). For HTTP/HTTPS, this uses the Proxy-Authorization header with Basic authentication.

Step 5: Save and Test

Click Test Connection to verify that SurveyAnalytica can reach the proxy and route traffic through it. The test performs the following checks:

1. Connectivity: Can SurveyAnalytica reach the proxy server on the specified host and port?
2. Authentication: If credentials are provided, do they authenticate successfully?
3. Routing: Can the proxy successfully forward a request to an external endpoint?

If all checks pass, click Save to finalize the connection.

Common Proxy Setups for Enterprise Environments

Corporate Forward Proxy (Squid, Blue Coat, Zscaler)

Most enterprise networks use an explicit forward proxy for outbound internet access. Typical configuration:

• Protocol: HTTPS (CONNECT)
• Host: Your corporate proxy hostname (e.g., proxy.corp.example.com)
• Port: 3128 or 8080 (varies by organization)
• Authentication: Often required (Active Directory/LDAP credentials)

Cloud Security Proxy (Zscaler, Netskope)

Cloud-based security proxies route traffic through a cloud inspection point:

• Protocol: HTTPS (CONNECT)
• Host: The cloud proxy endpoint assigned to your organization
• Port: 443 or 80
• Authentication: Typically token-based or certificate-based (configure as provided by your security team)

SSH-based SOCKS Proxy

For quick tunneling through a bastion host using SSH dynamic port forwarding:

• Protocol: SOCKS5
• Host: localhost (if the SOCKS proxy is running locally via SSH) or the bastion host IP
• Port: 1080 (or the port specified in your SSH dynamic forwarding command)
• Authentication: Usually none (SSH handles authentication)

Note: For persistent SSH-based tunneling, consider using the dedicated SSH Tunnel connection type instead.

Internal Network Proxy with No Auth

Some organizations run transparent or non-authenticated proxies on the internal network:

• Protocol: HTTP
• Host: Internal proxy IP (e.g., 10.0.0.100)
• Port: 3128
• Authentication: None

Troubleshooting

Connection Test Fails: Cannot Reach Proxy

• Verify the proxy host and port are correct.
• Ensure the proxy server is running and accepting connections.
• Check that SurveyAnalytica’s egress IPs are allowed to connect to your proxy (ask your network team to whitelist them).

Authentication Errors (407 Proxy Authentication Required)

• Verify the username and password are correct.
• Check if your proxy requires a specific authentication scheme (Basic, NTLM, Kerberos). SurveyAnalytica supports Basic and username/password (SOCKS5) authentication.
• For NTLM/Kerberos proxies, you may need to configure an intermediate proxy that translates to Basic auth.

Proxy Connects but Target Service Returns Errors

• Check if the proxy has URL filtering or content inspection rules that block the target domain.
• For HTTPS proxies with TLS inspection, ensure the proxy’s CA certificate is trusted or TLS inspection is bypassed for SurveyAnalytica traffic.
• Verify the target service allows connections from the proxy’s egress IP.

Slow Performance Through Proxy

• SOCKS5 proxies add minimal overhead. If performance is poor, the bottleneck is likely the proxy server itself or its network path.
• For high-throughput integrations, ensure the proxy has sufficient bandwidth and connection limits.
• Consider using a direct VPN connection instead if proxy overhead is unacceptable for your use case.

Security Considerations

• Credential storage: Proxy credentials are stored encrypted at rest in SurveyAnalytica. They are only decrypted when establishing a connection.
• TLS verification: When using HTTPS proxies, SurveyAnalytica verifies TLS certificates of the target service end-to-end. The proxy cannot inspect encrypted traffic.
• Access control: Proxy connection configurations are scoped to your workspace and are only accessible to users with the Network Connections permission.
• Audit logging: All proxy connection creation, modification, and usage events are recorded in the workspace audit log.