Quick verdict: Proxy server errors fall into two buckets — errors from the proxy itself (407, some 502s) and errors from the destination that the proxy is just relaying (403, 404, 429, 503, 504). Knowing which side is responsible is the first debugging step. This guide covers the eight most common codes, the one-line fix for each, and which retries are safe.
Every code below has been tested through SpyderProxy's residential, datacenter, and mobile pools. Where a deep-dive guide exists for a specific error, you'll find the link inline.
| Code | Meaning | Side | Retry safe? |
|---|---|---|---|
| 401 | Unauthorized (target needs login) | Destination | No |
| 403 | Forbidden (IP/region/path blocked) | Destination | No (rotate IP) |
| 407 | Proxy authentication required | Proxy | No (fix creds) |
| 408 | Request timeout | Either | Yes (backoff) |
| 415 | Unsupported media type | Destination | No |
| 429 | Too many requests | Destination | Yes (backoff + rotate) |
| 502 | Bad gateway | Proxy or upstream | Yes (short backoff) |
| 503 | Service unavailable | Destination | Yes (long backoff) |
| 504 | Gateway timeout | Proxy or upstream | Yes (backoff) |
What it means: The destination resource requires authentication and your request didn't include valid credentials. The proxy is just passing this through from the origin.
Fix: Add Authorization header (Authorization: Bearer <token> or Basic auth). If the API uses cookies or signed sessions, log in first and reuse the cookie/session token.
Don't confuse with 407. 401 is from the destination; 407 is from the proxy.
What it means: The destination understood the request but refused it. Typical causes: your IP is on a block list, your country is geo-restricted, the URL path is forbidden, or anti-bot detection flagged the request.
Fix: Rotate to a clean residential IP, add realistic browser headers (User-Agent, Accept-Language), match TLS fingerprint to a real browser. For full debugging, see our HTTP 403 deep-dive.
What it means: The proxy itself wants credentials and didn't get them. Note: this comes from the proxy, not the destination.
Fix: Verify your proxy URL or config includes the username and password. Common library patterns:
# curl
curl -x http://USER:[email protected]:8080 https://api.example.com
# Python requests
import requests
proxies = {"https": "http://USER:[email protected]:8080"}
r = requests.get("https://api.example.com", proxies=proxies)
# Node fetch (with proxy-agent)
import { HttpsProxyAgent } from "https-proxy-agent";
const agent = new HttpsProxyAgent("http://USER:[email protected]:8080");
fetch("https://api.example.com", { agent });Watch for: auth headers stripped on redirect (curl needs --proxy-anyauth; Python requests preserves them by default).
What it means: The proxy or destination didn't receive the complete request in time. Often a slow network, a slow client, or a stalled TCP connection.
Fix: Retry with a fresh connection. If chronic, increase timeout settings on the client side. Check the proxy region — a US client routing through an Asian proxy adds 200ms+ RTT.
What it means: The destination understood the request but the Content-Type header is not one it accepts.
Fix: Set Content-Type explicitly to what the API expects, usually application/json for REST endpoints. Full debugging at our HTTP 415 guide.
What it means: The destination's rate limiter triggered. Could be per-IP, per-account, per-endpoint, or per-API-key.
Fix: Honor the Retry-After header if present. Otherwise use exponential backoff with jitter. For sustained workloads, rotate IPs through a rotating residential pool. Full strategy in our HTTP 429 guide.
What it means: The proxy got an invalid response from the upstream server. Three sub-cases:
Fix: Single retry after 5-10s. If 502s persist on every retry, the destination is down and you should pause the workflow.
What it means: The destination server is overloaded, in maintenance, or under DDoS. Almost always the destination's problem, not the proxy's.
Fix: Long exponential backoff (start at 30s, double, cap at 10 minutes). Don't retry aggressively — you'll prolong the destination's outage and risk getting your IP flagged when service restores.
What it means: The proxy waited for a response from upstream but didn't get one in time. Different from 502 (which gets an invalid response) — 504 gets nothing at all.
Fix: Retry once with a 30-second wait. If chronic, the destination has structural problems and your scraper should switch endpoints or pause.
Cloudflare returns proprietary error codes for their WAF rejections. Quick reference:
Full breakdown at our Cloudflare error codes guide. The fix is almost always: rotate to a higher-trust residential IP and match a real browser's TLS fingerprint.
The fastest debugging trick: send the same request without the proxy.
Verify proxy connectivity independently with SpyderProxy's proxy checker or IP lookup. If those work, the proxy is fine; the issue is upstream.