
Is it Possible to Configure Upstream Proxy?

Question: We have deployed Web Safety within our LAN, but according to corporate policy it needs to use an upstream proxy and thus cannot go directly to the Internet. How do we configure this in Admin UI?

Answer: To configure upstream proxy settings, open the Admin UI / Squid / Cache / Upstream Proxy page. Type the IP address of your upstream proxy into the Proxy Address textbox, select the mode of operation and click Save and Restart (10.1.2.3 is used here just as an example).


Modes of Operation

Upstream proxy can work in three modes.

Mode      Upstream Proxy
None      Upstream proxy is disabled. This is the default mode when all requests are sent directly to the origin servers on the Internet.
Selected  Upstream proxy is only used for selected requests. The ACL rules describing which requests to forward to upstream can be specified in the Advanced field.
All       Upstream proxy is used for all requests. The ACL rules describing which requests to forward directly can be specified in the Advanced field.

Selected Mode

As an example, suppose we need to forward all requests from clients in the 10.0.0.0/8 subnet to the upstream proxy, as well as all requests to example.com. All other requests should go directly. In this case the following rules need to be specified in the Advanced field.

# incoming requests from these client IP addresses will be forwarded to
# the upstream proxy
acl special_hosts src  10.0.0.0/8

# any request to these domain names will be forwarded to the upstream
# proxy - note how we use both dstdomain and ssl::server_name acl types
# to cover both plain HTTP and HTTPS
acl special_sites1 dstdomain .example.com
acl special_sites2 ssl::server_name .example.com

# rules to prohibit the direct path to the internet for the acls specified above
never_direct allow special_hosts
never_direct allow special_sites1
never_direct allow special_sites2

In addition, the application will then generate the following settings in squid.conf, thus forcing all other requests to go directly.

cache_peer 10.1.2.3 parent 3128 0 no-query default
never_direct deny all
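
To confirm that the Selected mode policy above is actually enforced, the routing decision Squid records in access.log can be audited. The following is an added example, not part of the Web Safety product or the original page; it assumes access.log uses Squid's default native format, and the log lines and function names (`host_of`, `must_use_upstream`, `audit`) are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Policy taken from the Selected mode example above.
UPSTREAM_SUBNET = ipaddress.ip_network("10.0.0.0/8")   # acl special_hosts
UPSTREAM_DOMAIN = "example.com"                        # acl special_sites1/2
PARENT_ADDR = "10.1.2.3"                               # cache_peer address

# Constructed sample lines (not real traffic) in Squid's native log format:
# time elapsed client action/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1700000000.101     45 10.2.3.4 TCP_MISS/200 1234 GET http://www.other.test/ - FIRSTUP_PARENT/10.1.2.3 text/html
1700000001.202     51 192.168.1.5 TCP_MISS/200 2048 GET http://www.other.test/ - HIER_DIRECT/203.0.113.10 text/html
1700000002.303    120 192.168.1.5 TCP_TUNNEL/200 5120 CONNECT www.example.com:443 - HIER_DIRECT/203.0.113.20 -
1700000003.404     38 10.9.9.9 TCP_MISS/200 900 GET http://news.other.test/ - HIER_DIRECT/203.0.113.30 text/html
1700000004.505     40 192.168.1.7 TCP_MISS/200 700 GET http://notexample.com/ - HIER_DIRECT/203.0.113.40 text/html
1700000005.606      0 10.2.3.4 TCP_MEM_HIT/200 512 GET http://example.com/logo.png - HIER_NONE/- image/png
"""

def host_of(method, target):
    """Destination host: 'host:port' for CONNECT, a full URL otherwise."""
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    return (urlsplit(target).hostname or "").lower()

def must_use_upstream(client, host):
    """True when the page's ACLs (source subnet or .example.com) match."""
    in_subnet = ipaddress.ip_address(client) in UPSTREAM_SUBNET
    in_domain = host == UPSTREAM_DOMAIN or host.endswith("." + UPSTREAM_DOMAIN)
    return in_subnet or in_domain

def audit(log_text):
    """Return (client, host, hierarchy) for requests that bypassed the parent."""
    violations = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue                      # malformed or truncated line
        client, method, target, hier = fields[2], fields[5], fields[6], fields[8]
        code, _, peer = hier.partition("/")
        if code == "HIER_NONE":           # answered locally, nothing was forwarded
            continue
        host = host_of(method, target)
        if must_use_upstream(client, host) and peer != PARENT_ADDR:
            violations.append((client, host, hier))
    return violations

if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        print("bypassed upstream:", *v)
```

Requests that the policy does not select may legitimately appear with either a direct or a parent hierarchy code, so only selected requests that left Squid without going through 10.1.2.3 are reported.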

All Mode

Now suppose that all requests need to go to the upstream proxy, except for requests from clients in the 10.0.0.0/8 subnet and requests to example.com. In this case the following rules need to be specified in the Advanced field.

# incoming requests from these client IP addresses will be forwarded directly
acl special_hosts src  10.0.0.0/8

# any request to these domain names will be forwarded directly -
# note how we use both dstdomain and ssl::server_name acl types
# to cover both plain HTTP and HTTPS
acl special_sites1 dstdomain .example.com
acl special_sites2 ssl::server_name .example.com

# rules to exempt the acls specified above from the upstream proxy,
# so that these requests are allowed to go directly to the internet
never_direct deny special_hosts
never_direct deny special_sites1
never_direct deny special_sites2

In addition, the application will then generate the following settings in squid.conf, thus forcing all other requests to go to the upstream proxy.

cache_peer 10.1.2.3 parent 3128 0 no-query default
never_direct allow all

You can read more on the Cache Hierarchy page in the Squid documentation.