Origin Connection Settings
Various settings for origin connections can be configured in Admin UI / Web Filtering Proxy / Settings / Origin Connections, as shown in the following screenshot.
Parallel Origin Connections
When a given domain name resolves to multiple IP addresses (for example, youtube.com currently resolves to 13 IP addresses), Web Filtering Proxy can connect to those addresses in parallel, which makes the overall connection process appear faster. By default, the number of parallel connections is limited to 2; you can increase it as desired.
SSL/TLS Settings
By default, Web Filtering Proxy uses the TLS 1.0+ protocol to connect to origin servers. As more and more web sites move to TLS 1.2+, it is recommended to switch this setting to the higher value. If you want to limit the ciphers and cipher suites used for the upstream connections, type them into the corresponding text fields.
Verification Mode
TLS connections to origin servers can be verified using the certmgr, winstore and ccadb modes. The certmgr mode loads the certificates from the system certificate store of Microsoft Windows once, at application startup. This is the default and recommended mode.
The application can also use the CCADB provided by Mozilla as a database of trusted root certificates when the verification mode is set to ccadb. The database file is then stored in C:\ProgramData\Diladele\WebProxy\N.N\var\spool\ccadb\ccadb.pem and is automatically updated from time to time.
The latest version of the program is also able to use the Microsoft Windows built-in system certificate store for verifying origin connections, through OpenSSL's org.openssl.winstore verification mode.
Intermediate Certificates
Sometimes web site administrators misconfigure their sites so that the web server does not send the chain of intermediate certificates to the connecting client. This can result in the UNABLE_TO_GET_ISSUER_CERT_LOCALLY error, as described in the following article.
To remedy this situation, the proxy administrator can save the intermediate certificates into the C:\ProgramData\Diladele\WebProxy\N.N\var\spool\ccadb_intermediate folder. After a service restart, HTTPS connections to such misconfigured sites should work normally.
Note that this method is only applicable in the ccadb verification mode (see above).