Univention Corporate Server - Extended IP and network management documentation

Univention Corporate Server - Extended IP and network management documentation#

Advanced proxy configuration#

This section describes some scenarios for using the web proxy.

For information about the installation of the proxy server, see Installation.

Cascading of proxies#

In some scenarios, cascading of proxy servers may be required. In such a setup, individual proxy servers access logically superordinate proxy servers when web sites are opened, which then fetch the requested data from the internet. This allows creation of a hierarchical structure of proxy servers and, for example, the operation of a central cache in a company’s headquarters that the proxy servers at the individual company sites can access.

The superordinate proxy server is referred to as a parent proxy. The parent proxy can be specified via the Univention Configuration Registry variables squid/parent/host (IP address or hostname) and squid/parent/port (port number).

Proxy requests from computers in the proxy server’s local network are answered directly and not forwarded to the parent proxy. If additional networks should be excluded from forwarding to the parent proxy, these can be specified via the Univention Configuration Registry Variable squid/parent/directnetworks. When doing so, the CIDR notation must be used (e.g.; several networks should be separated by blank spaces.

Operation as a transparent proxy#

It’s possible to configure Squid as a transparent proxy. This can help to avoid the configuration of the proxy server in all application programs. When using a transparent proxy, all unencrypted web queries are automatically rerouted through the proxy server.


The transparent proxy only works for unencrypted web traffic through HTTP, and not for HTTPS.


The transparent proxy requires that you turned off the LDAP authentication on the proxy server. The turned off LDAP authentication is the default setting.

To configure the transparent proxy, use the following steps:

  1. Configure the proxy server as the default gateway on all clients.

  2. Enable the transparent proxy by setting squid/transparentproxy to true.

  3. Restart the proxy server and the firewall:

    $ systemctl restart univention-firewall.service squid.service

The UCS system that runs the proxy server, redirects all incoming proxy traffic to the transparent proxy port of the proxy server.