ProxioDocs
Proxies & Targeting

Protocols & Ports

Proxio Residential serves HTTP/HTTPS and SOCKS5 on a single endpoint, geo.proxio.cc:16666. Learn when to use socks5h:// versus socks5://, why SOCKS5 is CONNECT-only, and how the gateway handles your TLS.

The Residential gateway lives at a single endpoint and speaks two protocols on the same host and port:

geo.proxio.cc:16666
  • HTTP / HTTPS forward proxy, including CONNECT tunneling for HTTPS destinations.
  • SOCKS5, using the CONNECT command only.

The gateway detects the protocol automatically on the first byte of your connection, so both protocols genuinely share the same port. You pick the protocol with the URL scheme; there is no separate port to remember.

ProtocolSchemeExample
HTTP / HTTPShttp://http://USERNAME:[email protected]:16666
SOCKS5socks5h://socks5h://USERNAME:[email protected]:16666

socks5h:// versus socks5://

Both schemes speak SOCKS5. The difference is where DNS resolution happens:

  • socks5h:// resolves the destination hostname through the proxy. This is what you want, because it avoids leaking your DNS lookups locally and lets the exit node resolve names.
  • socks5:// resolves the hostname on your side before connecting.

Which one you write depends on your client library:

ToolHTTP schemeSOCKS5 scheme
cURLhttp://socks5h://
Python (requests / httpx)http://socks5h://
Node.jshttp://socks5h://
PHPhttp://socks5://
C#http://socks5://

Rule of thumb

In cURL, Python and Node.js, use socks5h:// so DNS goes through the proxy. PHP and C# proxy libraries handle DNS themselves, so they use socks5://.

curl -x "socks5h://abcxyz123def-region-us:[email protected]:16666" https://ipinfo.io
import requests

proxy = "socks5h://abcxyz123def-region-us:[email protected]:16666"
r = requests.get("https://ipinfo.io", proxies={"http": proxy, "https": proxy})
print(r.json())
import https from "node:https";
import { SocksProxyAgent } from "socks-proxy-agent";

const agent = new SocksProxyAgent(
  "socks5h://abcxyz123def-region-us:[email protected]:16666"
);
https.get("https://ipinfo.io/json", { agent }, (res) => {
  let body = "";
  res.on("data", (chunk) => (body += chunk));
  res.on("end", () => console.log(body));
});
<?php
$ch = curl_init("https://ipinfo.io");
curl_setopt($ch, CURLOPT_PROXY, "socks5://geo.proxio.cc:16666");
curl_setopt($ch, CURLOPT_PROXYUSERPWD, "abcxyz123def-region-us:PASSWORD");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
echo curl_exec($ch);

SOCKS5 is CONNECT-only

Proxio's SOCKS5 implementation supports the CONNECT command only. It does not support UDP ASSOCIATE or BIND, so UDP-based traffic and inbound/listening sockets are not available over the proxy. TCP flows, which is virtually all web scraping and browsing, work as normal.

A few more SOCKS5 details worth knowing:

  • Auth methods: username/password (RFC 1929) and no-auth. No-auth only works when your source IP is registered for IP authentication; otherwise the connection is refused.
  • Address types: IPv4, IPv6 and domain names are all accepted in the request.
  • Remote DNS really is remote. When you send a domain name (the socks5h:// behavior), the gateway forwards it as-is and the name resolves at the exit, not on the gateway and not on your machine.

Timeouts and connection limits

LimitValueWhat it means in practice
Handshake timeout10 secondsYour client must complete the proxy handshake (greeting plus credentials) within 10 seconds of connecting, or the socket is dropped.
Idle timeout5 minutesIf neither side sends any bytes for 5 minutes, the tunnel is closed. Any traffic in either direction resets the timer.
Maximum connection durationNoneThere is no absolute cap. A tunnel that stays active can live for hours.
Concurrent connections per credential2,000Opening more parallel connections than this on one credential returns an error (HTTP 429). Spread very large jobs across multiple credentials.

How your TLS is handled

The gateway is a layer-4 passthrough. Proxio never inspects or stores the content of your traffic. The gateway is a passthrough and never terminates your TLS to the destination site. Connection metadata required for billing and abuse prevention is retained for a limited period.

In practice: your HTTPS session is negotiated end-to-end between your client and the target. The proxy moves the encrypted bytes; it does not sit in the middle of your TLS.

Credentials on the first hop

Your username and password travel as proxy Basic authentication to the gateway on the first hop of the connection. Treat them like any secret.

If a credential leaks, reset it

If you think a username or password has been exposed, reset it from your Residential service's Sub-users tab. The old credential stops working immediately, and you get a fresh one to swap in.

On this page