Managing multiple or a single upstream proxy

After configuring upstream proxy settings, you can use a single upstream proxy for all web requests.

Multiple upstream proxies

There are three potential destinations for a web request forwarded to an upstream proxy. These are as follows, in order of precedence:

  1. A pool of one or more proxies allowed by the upstream proxy policies, to service the request.
  2. The default proxy, if configured.
  3. Direct forwarding of requests to their origin servers, if allowed. An origin server is defined as the target destination of web request, in other words, the server from which a requested resource originates.

Upstream proxy policies are additive. The Smoothwall Filter checks requests against all the policies, in order. Any proxy allowed to service a request is added to the proxy pool. If the final pool for a request contains two or more proxies, load-balancing and fail-over rules decide the one that sent the request.

Note: The rules only apply to requests serviced by the Smoothwall Filter. If a device behind the Filter can obtain direct, unfiltered web access, the client’s requests are treated no differently from other Internet traffic.

Upstream policies

You can configure and deploy policies to manage access to upstream proxies. The policies can allow or deny access to upstream proxies based on network location, direct web requests to a specific upstream proxy depending on the type of request and provide load balancing and fail over.

Policies

By configuring multiple upstream proxy policies, you can balance the web request load across two or more upstream proxies.

Once you've configured policies for the upstream proxies that you need, the Smoothwall Filter compares any web requests against the policy table and each of the proxies can service the request, so load balancing and failover rules are used to pick the most suitable proxy. The Smoothwall Filter monitors availability of upstream proxies automatically and avoids forwarding requests to unavailable proxies.

If none of the proxies permitted to service a request are available, the Smoothwall Filter uses the default proxy. If the default proxy isn't available, or if no default proxy is configured, the request is forwarded directly to its origin server.

Enforcing usage

You can prevent web requests from being forwarded directly to their origin servers when other permissible upstream proxies are unavailable, by turning off the Allow direct connections option.

For advanced control of direct connection behavior, you can configure policies using the Default upstream proxy option "None". For example, to prevent only YouTube traffic from being sent directly, select the Allow direct connections option, then create a policy with an Upstream proxy with "None" selected, the Action of "Block", and a destination filter corresponding to the youtube.com domain.

Conversely, to allow direct access only for requests to certain sites, clear the Allow direct connections option and create a policy with an Upstream proxy with "None" selected, the Action of "Allow" policies matching those requests for which direct access is permissible. This might be useful for bandwidth conservation if direct access is routed over a slower link than access to the upstream proxies.

Procedure

  1. On the WEB PROXY menu, under the Upstream proxy submenu, click Manage policies.
  2. Under the Global options section, from the Default upstream proxy list, select the default proxy used when upstream proxies aren't available, not configured or not allowed by policies.
    • If you want to allow direct connections to origin servers, select the Allow direct connections option. If allowed, direct connections will be made as a final fallback if the default proxy is unavailable or not configured. If not selected, it prevents web requests from being forwarded directly to their origin servers when other permissible upstream proxies are unavailable. Note: The Allow direct connections option eliminates the last option for forwarding requests in failure scenarios. Therefore, you should only use it to implement strict conditions that all traffic go through an upstream proxy.
    • If you want to send the originating IP addresses of client requests upstream, select the Leak client IP with X-forwarded-For header option.
  3. If you want to only configure a single upstream proxy click Save, otherwise, to configure multiple proxies to load balance, click Advanced ».
  4. Under the Load balancing section, from the Load balancing method list, choose the method that you want.
    • Source IP: Based on the client’s IP address, the Smoothwall Filter selects one proxy from the set of allowed proxies and uses it if that proxy is available. For example: three requests for example.com from one device might all go via proxy A; three requests from the device next to it might all go via proxy B.
    • Username: Based on the client’s username, the Smoothwall Filter selects one proxy from the set of allowed proxies and uses it if that proxy is available. For example: three requests for example.com while logged in as Alice might all go via proxy A; three requests while logged in as Bob might go via proxy B, even if Bob has the same IP as Alice.
    • Round-robin: The Smoothwall Filter cycles through the proxies one by one. Three requests for example.com, with three proxies allowed to serve the request, would send one request via each.
  5. Under the Manage upstream proxy policy section, from the Upstream proxy list, select the proxy for which you're configuring the policy.
  6. From the Source filter list, select the source filter used to determine the upstream proxy policy to apply, based on the source IP(s), subnet(s) or IP range(s).
  7. From the Destination filter list, select the destination filter used to determine the upstream proxy policy to apply, based on the destination domain(s), IP(s) or destination URL regular expressions.
  8. Choose if you want to Allow or Deny access to upstream proxies based on network location, enter a descriptive Comment and make sure that the Enabled option is selected, otherwise, clear it and click Save.

Follow-up task

  • To add more upstream proxies, repeat the process by selecting another proxy from under the Manage upstream proxy policy section.