Difference between revisions of "System configuration"
(→Global) |
|||
Line 112: | Line 112: | ||
*'''TRUE :''' Append Custom Categories applicable to the Referring Web-Page to the Categories associated with the Requested URL | *'''TRUE :''' Append Custom Categories applicable to the Referring Web-Page to the Categories associated with the Requested URL | ||
== Example == | |||
'''Rule#1''' | |||
Proxy hostname is set to AD’s domain | |||
Connection outbound pool size is set to 3000, this number should be approximately around the number of concurrent connections create by total number of users | |||
Connection pool timeout is set to 6 seconds, where unused connections in the connection pool are discarded every 6 second. | |||
For connections in the pool, it’s timeout value rests every time the connection is being used. | |||
Send debugging to client, debugging headers are greatly used during troubleshooting process | |||
Debugging headers are added to http response header | |||
Dynamic categorization is set to false, Dynamic categorization is used to categorized website based on its referrer. | |||
Dynamic categorization can be used to avoid broken webpages in cases where resources are loaded from different sources which might be blocked in Dynamic categorization is not in use. | |||
[[File:Slide1-sysconf.png|left]] | |||
== Compression and buffering policies == | == Compression and buffering policies == |
Revision as of 16:22, 4 January 2023
Overview
Use 'System configuration' to tune various parameters with respective network infrastructure.
By this tuning you can improve overall Internet service performance and manage your secure port utilization.
Enabling System configuration section on SafeSquid User InterfaceAccess the SafeSquid interface |
|
Go to Configure Page |
|
Go to Application Setup |
|
Open System configuration Section |
|
Global |
|
Proxy hostname
When your enterprise has multiple instances of SafeSquid, the various instances identify each other by this 'Proxy hostname'.
If your enterprise maintains single LDAP domain, then set proxy hostname parameter as 'your LDAP domain'.
Then you can login over LDAP authentication without mentioning the domain.
Connection pool size
Set the maximum concurrent outbound connections.
SafeSquid can reuse an established outbound connection, from the Connection Pool.
Connection Pool Size should be at least equal to anticipated concurrent requests, Minimally.
If the Connection Pool is full, SafeSquid automatically deletes the oldest connection, to accommodate a new outbound connection
Connection pool timeout
You can set here the maximum time period in seconds, that a connection may be kept in the connection pool.
The age of a connection is reset every-time it gets used.
When the age of a connection exceeds the timeout specified here, it automatically removes from the pool
Send debugging headers to
Vital debugging information like application of profiling and filtering policies can be included in the HTTP protocol headers.
Specify if this information should be sent to client, server, or both.
Leave the field empty if this information should not be sent at all.
Available Options
- NONE : Do not send debugging headers to client or server
- CLIENT : Send debugging headers to client
- SERVER : Send debugging headers to server
- BOTH : Send debugging headers to both client and server
Dynamic Categorization
The requested URL is normally considered for categorization purposes.
However, when accessing a web page, Internet Browsers may require connecting to various other URLs to complete the portrayal of the web-page.
Requests to these dependency URLs may thus get differently categorized than the originally requested web-page.
Thus, even if the initially requested URL is included in a "Custom Category" created by you, and permitted for access, the proxy users may witness "broken pages".
Providing a satisfactory web-experience to the users, thus requires identification and explicit access permission for each of such dependency URL.
Dynamic Categorization determines requests made by Internet Browser to serve a web-page included in a Custom Category.
Custom Categories applicable to the "Referring Web-Page" are added to the list of categories determined for the requested URL.
Dynamic Categorization enables a holistic web-experience to the users, when accessing permitted web-sites.
Available Options
- FALSE : Apply only the Categories associated with the Requested URL
- TRUE : Append Custom Categories applicable to the Referring Web-Page to the Categories associated with the Requested URL
Example
Rule#1
Proxy hostname is set to AD’s domain Connection outbound pool size is set to 3000, this number should be approximately around the number of concurrent connections create by total number of users Connection pool timeout is set to 6 seconds, where unused connections in the connection pool are discarded every 6 second.
For connections in the pool, it’s timeout value rests every time the connection is being used. Send debugging to client, debugging headers are greatly used during troubleshooting process Debugging headers are added to http response header
Dynamic categorization is set to false, Dynamic categorization is used to categorized website based on its referrer. Dynamic categorization can be used to avoid broken webpages in cases where resources are loaded from different sources which might be blocked in Dynamic categorization is not in use.
Compression and buffering policies
The following entries applied on each connection based on the profiles defined. Policy evaluation is done in top-down order. The first entry matching the profile is applied to the connection.
Enabled
Enable or Disable this entry
- TRUE : Enable this entry.
- FALSE : Disable this entry.
Comment
For documentation, and future references, explainthe relevance of this entry with your policies.
That is, by reading the policies, a future user can understand the purpose of that entry.
Profiles
Specify the Profiles applicable for this entry.
This entry will be applicable only if the connection has any one of the specified profiles.
Leave it Blank, to apply for all connections irrespective of any applied profile.
To avoid application to a connection that has a profile, use negated profile (!profile).
Connection timeout
You can specify maximum time in seconds, for safesquid to wait for the establishment of connection.
This affects the outbound connections made by SafeSquid.
Example : If you have a slow Internet Connection. Create a profile for slow to connect to web-sites, and select them by increasing this timeout value.
Header timeout
Depending upon your network conditions, a significant amount of time may pass between the events of connection set up and the receipt of initial headers from the client.
The timeout in seconds to wait for a client to make theinitial HTTP request.
The default value of "5" seconds may not be enough when used by ISPs to service dial-up customers.
Keepalive timeout
SafeSquid can keep a connection established with a client, in a client pool. Thus, it can quickly respond to further requests from such clients.
You can specify here in seconds, the maximum time for which the connection may be held at the pool.
Maximum download buffer size
Some of the SafeSquid's functions like keyword filtering, content rewrite, image filter, virus scanning, etc. require content to be downloaded for processing.
SafeSquid buffers such content, and then passes then to the relevant processors. You can specify here, the maximum size of the downloaded content that may be buffered, and therefore processed. You may use these units: (K) kilobytes, (M) Megabytes
Maximum upload buffer size
The maximum size of uploads that are buffered for processing, larger uploads are sent directly to the Web server without processing.
Having an upload buffer that is too large causes the browser to timeout since all the data is received by safesquid immediately, but may take more time to process and transfer to the website.
Buffer Wait time
When the content is being buffered, the client may be sent an intimation of the downloading status.
SafeSquid can automatically send the template "downloading", when the content is being downloaded into the buffer. You can specify, the time interval in seconds, at which the downloading template is resent.
CONNECT ports
SafeSquid can be used by applications that support, like FTP-clients and other utilities to make "CONNECT", requests. CONNECT over HTTP allows these applications to create a direct tunnel for the required target services.
The specification may be done as a port range. For example - 20,21,1023-65535.
Caution : The data exchanged by CONNECT protocol cannot be buffered, and therefore analyzed for filtering purposes.
Always compress mimetype
A regular expression matching the MIME-types which should always be buffered and compressed even if they wouldn't be buffered otherwise.
Compress outgoing
SafeSquid can compress data using gzip compression, before sending data to clients. This can significantly boost throughput if SafeSquid is being used as a remotely hosted solution.
For networks wherein SafeSquid is deployed locally, it is recommended you disable this feature.
- TRUE : Enable Compress outgoing.
- FALSE : Disable Compress outgoing.
Compress incoming
This option makes Safesquid attach an Accept-Encoding header that lets the Web server know we can accept gzip and deflate content encodings regardless of whether or not the browser making the request supports it
If the browser doesn't support it, it is buffered and decompressed before sending.
- TRUE : Always Request Compressed data from remote web-server.
- FALSE : Never Request Compressed data from remote web-server.
- AUTO : Request Compressed data from remote web-server ONLY if supported by client.
Add X-Forwarded-For header
This option adds a header letting an upstream proxy or Web server know the IP address where the original request came from.
This feature must be enabled if you are deploying SafeSquid as an ISP based solution
- TRUE : Enable addition of X-Forwarded-For header.
- FALSE : Disable addition of X-Forwarded-For header.
Buffer Chunked Responses
Buffering Chunked Responses is generally never advisable.
Unfortunately, however, real-time content inspection requires buffering of response payload.
Therefore, under certain conditions, if you have no choice, you may want to buffer chunked responses.
Select one of the options very wisely.
Recommended and default is FALSE .
Add Via header
This option adds a header letting an upstream proxy or Web server know what proxy server the request passed through.
This feature must be enabled if you are deploying SafeSquid as an ISP based solution.
- TRUE : Enable via header.
- FALSE : Disable via header.
Note : You can view information of the current connection(s) that are being held open in the connection pool and/or awaiting reuse on SafeSquid Web-GUI i.e. on Connection Pool tab of Reports page.