Origin Connection Settings
Various settings for the origin connections can be configured in Admin UI / Web Filtering Proxy / Origin Connections as shown on the following screenshot.
Parallel Origin Connections
When a given domain name can be resolved into multiple IP addresses (like for example youtube.com that currently resolves to 13 IP addresses) Web Filtering Proxy can connect to all those addresses in parallel and thus make the overall connecting process appear to be faster. By default, number of parallel connections is limited to 2 and you can increase those as desired.
By default, Web Filtering Proxy uses TLS 1.0+ protocol to connect to origin servers. As more and more web sites move to TLS1.2+ nowadays it is recommended to switch this setting to the upper value. If you desire to limit the ciphers and cipher suits used for the upstream connections you can type those in the corresponding text fields.
The application currently uses the CCADB provided by Mozilla as a database of trusted root certificates. The database file is stored in
C:\ProgramData\Diladele\WebFilteringProxy\var\spool\ccadb\ccadb.pem and is automatically updated from time to time. We are currently working on using the Microsoft Windows built-in system certificate store for origin connections but currently this functionality is still considered experimental and disabled by default.
Sometimes the web site administrators configure their sites not completely correctly and web server does not send the chain of intermediate certificates to the connecting client. It might result into
UNABLE_TO_GET_ISSUER_CERT_LOCALLY error as described in the following article.
To remedy this situation, proxy administrator can save the intermediate certificates into
C:\ProgramData\Diladele\WebFilteringProxy\var\spool\ccadb_intermediate\ folder. After service restart the HTTPS connections to such misconfigured sites shall work normally.
We are currently working on the automatic downloading of the missing certificates using AIA fetching. This is not completely implemented yet.