1. Definition Overview


| Aspect | Full Proxy Mode | Half Proxy Mode |
|---|---|---|
| Core behavior | Terminates client session and creates new server session | Intercepts initial handshake but maintains single end-to-end session |
| Session count | 2 TCP sessions (Client→Proxy, Proxy→Server) | 1 TCP session (end-to-end through device) |
| Proxy control level | Complete control of L4/L7 | Partial control of L3/L4 |
| Example devices | F5 (Standard Proxy), A10 ADC, Cloudflare, WAF | FortiGate Flow Mode, F5 FastL4, Cisco ASA, PA Firewall |
2. TCP Layer Behavior
🔵 Full Proxy
- Proxy fully terminates the TCP handshake.
- Creates a new TCP session to the server.
- Can manipulate:
  - Window size
  - MSS
  - Congestion control
  - Retransmissions
- Enables:
  - Connection pooling
  - TCP optimization
  - Slow client mitigation
🟢 Half Proxy
- Proxy intercepts SYN, inspects, and forwards.
- No second TCP session.
- Acts as stateful firewall (pass-through after validation).
- Cannot:
  - Manipulate TCP flows
  - Retry failed server connections independently
Winner: Full Proxy (for control and optimization)
3. TLS / HTTPS Handling
| Feature | Full Proxy | Half Proxy |
|---|---|---|
| TLS Termination | ✔ Yes | ❌ No |
| SSL Offloading | ✔ Yes | ❌ No |
| TLS Re-encryption | ✔ To server (optional) | ❌ Not possible |
| Cipher control | ✔ Yes | ❌ No |
| TLS → HTTP/2 conversion | ✔ Yes | ❌ No |
In Full Proxy mode:
- Client ↔ Proxy (TLS 1.3)
- Proxy ↔ Server (TLS 1.2 or HTTP)

In Half Proxy mode:
- Client ↔ Server encrypted (proxy cannot see contents)
Winner: Full Proxy (for HTTPS visibility & security)
4. L7 (HTTP/HTTPS) Visibility and Control
| Capability | Full Proxy | Half Proxy |
|---|---|---|
| HTTP header rewrite | ✔ Yes | ❌ No |
| Cookie injection / modification | ✔ Yes | ❌ No |
| URL rewrite | ✔ Yes | ❌ No |
| Response rewrite | ✔ Yes | ❌ No |
| Application Routing | ✔ Yes (Host, URI, MIME type) | ❌ No |
| WAF inspection | ✔ Full payload | ❌ Only metadata |
Full Proxy can read & modify:
- URIs
- Headers
- Cookies
- Methods
- Response bodies
Half Proxy cannot see encrypted payload → cannot enforce L7 policy.
5. Security Capabilities
🔵 Full Proxy Security
- Full WAF (SQLi, XSS, CSRF)
- L7 DDoS protection
- Bot mitigation (JavaScript challenges)
- TLS inspection
- Credential stuffing detection
- API security
🟢 Half Proxy Security
- Basic L3/L4 firewalling
- Stateful inspection
- SYN flood protection
- Basic rate limiting
| Security Level | Full Proxy | Half Proxy |
|---|---|---|
| L7 Security | ⭐⭐⭐⭐⭐ | ⭐ |
| TLS Inspection | ⭐⭐⭐⭐⭐ | ❌ |
| Attack Mitigation | Strong | Limited |
6. Performance & Latency
| Metric | Full Proxy | Half Proxy |
|---|---|---|
| Latency | Slightly higher (due to termination) | Very low |
| Throughput | Lower than pure forwarding | Very high |
| CPU Usage | High (TLS, WAF, L7 parsing) | Low to Medium |
| Scalability | Needs stronger hardware | Scales easily |
Winner: Half Proxy for raw throughput.
Winner: Full Proxy for security and intelligence.
7. DDoS Protection Capability
| Attack Type | Full Proxy | Half Proxy |
|---|---|---|
| SYN Flood | ✔ Proxy absorbs | ✔ Limited protection |
| HTTP Flood | ✔ L7 mitigation | ❌ Cannot inspect content |
| TLS Exhaustion | ✔ Can rate-limit TLS | ❌ No TLS visibility |
| Slowloris | ✔ Detects slow clients | ❌ Cannot detect content behaviour |
8. Traffic Flow Diagram Comparison
Full Proxy – Two Independent TCP Sessions

Client ──TCP#1──► [ FULL PROXY ] ──TCP#2──► Server
◄───────────────────────────────────◄
Proxy sits in the middle, owning both sessions independently.
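
The two-session flow above, as an added example (not part of the original article): a loopback-only full proxy that ends the client's TCP session, injects an `X-Forwarded-For` header, and opens its own session to the backend. The function names, the `app.example` host and the `seen` record are constructed for illustration.

```python
import socket, threading

def listener():
    s = socket.socket()
    s.bind(("127.0.0.1", 0))  # loopback only, OS-chosen port
    s.listen(1)
    return s

def serve_once(sock, handler):
    def run():
        conn, peer = sock.accept()
        with conn:
            handler(conn, peer)
    t = threading.Thread(target=run, daemon=True)
    t.start()
    return t

def read(conn, until=None):
    data = b""  # read until the marker is seen, or (until=None) until the peer closes
    while until is None or until not in data:
        chunk = conn.recv(4096)
        if not chunk:
            break
        data += chunk
    return data

def demo():
    seen, backend, proxy = {}, listener(), listener()
    def backend_handler(conn, peer):
        seen["backend_peer"] = peer  # the address the server believes it is talking to
        seen["backend_request"] = read(conn, b"\r\n\r\n")
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
    def proxy_handler(conn, peer):
        # TCP#1 ends here: the proxy owns the full request before the server sees anything
        line, _, rest = read(conn, b"\r\n\r\n").partition(b"\r\n")
        fwd = line + b"\r\nX-Forwarded-For: " + peer[0].encode() + b"\r\n" + rest
        with socket.create_connection(backend.getsockname()) as up:  # TCP#2, a new session
            seen["proxy_upstream_local"] = up.getsockname()
            up.sendall(fwd)           # L7 rewrite is possible because the proxy is an endpoint
            conn.sendall(read(up))    # relay the server's reply back over TCP#1
    threads = [serve_once(backend, backend_handler), serve_once(proxy, proxy_handler)]
    with socket.create_connection(proxy.getsockname()) as c:
        c.sendall(b"GET / HTTP/1.1\r\nHost: app.example\r\n\r\n")  # constructed request
        seen["client_response"] = read(c)
    for t in threads:
        t.join(2)
    backend.close(); proxy.close()
    return seen

if __name__ == "__main__":
    print(demo())
```

The backend's peer address is the proxy's upstream socket, not the client's, which is why a server behind a full proxy must rely on a header such as `X-Forwarded-For` set by the proxy to learn the original client address.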
Half Proxy – Single End-to-End TCP Session

Client ──────────────TCP──────────────► [ HALF PROXY ] ─────────────► Server
Proxy does NOT create a new session; it just passes traffic.
9. Flowchart Comparison
🔵 Full Proxy Flowchart
Client Request
│
▼
Proxy TCP/TLS Termination
│
L7/WAF Inspection
│
Proxy Creates New Server Connection
│
Forward to Server
🟢 Half Proxy Flowchart
Client Request
│
Intercept SYN
│
Stateful Inspection
│
Forward SYN to Server
│
Traffic flows directly (pass-through)
10. Use Cases
🔵 Full Proxy Use Cases
- Public websites, APIs, banking systems
- TLS inspection and offloading
- WAF, DDoS mitigation
- Microservice gateways
- Load balancing L7 rules
🟢 Half Proxy Use Cases
- High-speed L4 traffic
- Firewalls doing simple stateful filtering
- Low-latency environments (VoIP, gaming)
- Traffic that doesn’t require L7 visibility
11. Vendor Support
| Vendor | Full Proxy | Half Proxy |
|---|---|---|
| F5 BIG-IP | ✔ Standard Proxy Mode | ✔ FastL4 |
| A10 Thunder | ✔ Advanced Proxy Mode | ✔ L4 Mode |
| FortiGate | ✔ Proxy Mode | ✔ Flow Mode |
| Cloudflare | ✔ Always Full Proxy | ❌ No |
| NGINX Plus | ✔ Reverse Proxy | ✔ L4 Stream Proxy |
| Citrix NetScaler | ✔ Yes | ✔ Yes |
| Cisco ASA | ❌ No | ✔ Stateful Half Proxy |
| Palo Alto | Partial | ✔ Yes |
12. Summary – Which Is Better?
| Requirement | Best Mode |
|---|---|
| Maximum security | Full Proxy |
| TLS inspection | Full Proxy |
| WAF / API security | Full Proxy |
| Lowest latency | Half Proxy |
| High throughput | Half Proxy |
| Minimal CPU use | Half Proxy |
| URL rewriting | Full Proxy |
| Header injection | Full Proxy |
| DDoS (L7) | Full Proxy |
| DDoS (L3/L4 only) | Both |
13. SUMMARY
Full Proxy = complete L4/L7 control, advanced security, SSL offload, WAF, and intelligent load balancing.
It terminates both sides of the connection and creates two independent TCP sessions.
Ideal for modern web applications.
Half Proxy = partial interception, stateful inspection, low latency, high throughput, and minimal CPU.
It does NOT terminate sessions and cannot see encrypted traffic.
Ideal for high-speed L4 forwarding.
14. Useful Links
https://www.youtube.com/@sanchitgurukul
