System configuration

From Secure Web Gateway


Use 'System configuration' to tune various parameters with respective network infrastructure.

By this tuning you can improve overall Internet service performance and manage your secure port utilization.

Enabling System configuration section on SafeSquid User Interface

Access the SafeSquid interface


Go to Configure Page

Goto configure.png

Go to Application Setup

Go to Application setup.png

Open System configuration Section




Proxy hostname

When your enterprise has multiple instances of SafeSquid, the various instances identify each other by this 'Proxy hostname'.

If your enterprise maintains single LDAP domain, then set proxy hostname parameter as 'your LDAP domain'.

Then you can login over LDAP authentication without mentioning the domain.

Connection pool size

Set the maximum concurrent outbound connections.

SafeSquid can reuse an established outbound connection, from the Connection Pool.

Connection Pool Size should be at least equal to anticipated concurrent requests, Minimally.

If the Connection Pool is full, SafeSquid automatically deletes the oldest connection, to accommodate a new outbound connection

Connection pool timeout

You can set here the maximum time period in seconds, that a connection may be kept in the connection pool.

The age of a connection is reset every-time it gets used.

When the age of a connection exceeds the timeout specified here, it automatically removes from the pool

Compression and buffering policies

The following entries applied on each connection based on the profiles defined. Policy evaluation is done in top-down order. The first entry matching the profile is applied to the connection.



Enable or Disable this entry

  • TRUE : Enable this entry.
  • FALSE : Disable this entry.


For documentation, and future references, explainthe relevance of this entry with your policies.

That is, by reading the policies, a future user can understand the purpose of that entry.


Specify the Profiles applicable for this entry.

This entry will be applicable only if the connection has any one of the specified profiles.

Leave it Blank, to apply for all connections irrespective of any applied profile.

To avoid application to a connection that has a profile, use negated profile (!profile).

Connection timeout

You can specify maximum time in seconds, for safesquid to wait for the establishment of connection.

This affects the outbound connections made by SafeSquid.

Example : If you have a slow Internet Connection. Create a profile for slow to connect to web-sites, and select them by increasing this timeout value.

Header timeout

Depending upon your network conditions, a significant amount of time may pass between the events of connection set up and the receipt of initial headers from the client.

The timeout in seconds to wait for a client to make theinitial HTTP request.

The default value of "5" seconds may not be enough when used by ISPs to service dial-up customers.

Keepalive timeout

SafeSquid can keep a connection established with a client, in a client pool. Thus, it can quickly respond to further requests from such clients.

You can specify here in seconds, the maximum time for which the connection may be held at the pool.

Maximum download buffer size

Some of the SafeSquid's functions like keyword filtering, content rewrite, image filter, virus scanning, etc. require content to be downloaded for processing.

SafeSquid buffers such content, and then passes then to the relevant processors. You can specify here, the maximum size of the downloaded content that may be buffered, and therefore processed. You may use these units: (K) kilobytes, (M) Megabytes

Maximum upload buffer size

The maximum size of uploads that are buffered for processing, larger uploads are sent directly to the Web server without processing.

Having an upload buffer that is too large causes the browser to timeout since all the data is received by safesquid immediately, but may take more time to process and transfer to the website.

Buffer Wait time

When the content is being buffered, the client may be sent an intimation of the downloading status.

SafeSquid can automatically send the template "downloading", when the content is being downloaded into the buffer. You can specify, the time interval in seconds, at which the downloading template is resent.


SafeSquid can be used by applications that support, like FTP-clients and other utilities to make "CONNECT", requests. CONNECT over HTTP allows these applications to create a direct tunnel for the required target services.

The specification may be done as a port range. For example - 20,21,1023-65535.

Caution : The data exchanged by CONNECT protocol cannot be buffered, and therefore analyzed for filtering purposes.

Always compress mimetype

A regular expression matching the MIME-types which should always be buffered and compressed even if they wouldn't be buffered otherwise.

Compress outgoing

SafeSquid can compress data using gzip compression, before sending data to clients. This can significantly boost throughput if SafeSquid is being used as a remotely hosted solution.

For networks wherein SafeSquid is deployed locally, it is recommended you disable this feature.

  • TRUE : Enable Compress outgoing.
  • FALSE : Disable Compress outgoing.

Compress incoming

This option makes Safesquid attach an Accept-Encoding header that lets the Web server know we can accept gzip and deflate content encodings regardless of whether or not the browser making the request supports it

If the browser doesn't support it, it is buffered and decompressed before sending.

  • TRUE : Always Request Compressed data from remote web-server.
  • FALSE : Never Request Compressed data from remote web-server.
  • AUTO : Request Compressed data from remote web-server ONLY if supported by client.

Add X-Forwarded-For header

This option adds a header letting an upstream proxy or Web server know the IP address where the original request came from.

This feature must be enabled if you are deploying SafeSquid as an ISP based solution

  • TRUE : Enable addition of X-Forwarded-For header.
  • FALSE : Disable addition of X-Forwarded-For header.

Add Via header

This option adds a header letting an upstream proxy or Web server know what proxy server the request passed through.

This feature must be enabled if you are deploying SafeSquid as an ISP based solution.

  • TRUE : Enable via header.
  • FALSE : Disable via header.

Note : You can view information of the current connection(s) that are being held open in the connection pool and/or awaiting reuse on SafeSquid Web-GUI i.e. on Connection Pool tab of Reports page.