When your backends use web filtering, your users are redirected to an error page if a website is blocked. By default, this error page is hosted on each backend on port 9025/9026.
With HaCluster, you can centralize the handling of these error page requests.
¶ Default behavior
- Workstations connect to port 3128 on the HaCluster Load Balancer to browse the Internet.
- When one of the backends (host3) determines that the requested website is blocked, it denies access and instructs the browser to redirect to its own error page.
- The browser then attempts to connect to the backend's error page on port 9025 or 9026 via HTTPS.
However, the connection goes through the load balancer (prx0) on 3128 port, which may route it to a different backend.
¶ Error page managed by the load balancer
This behavior is different:
- The browser continues to operate the same way when accessing the Internet, but when a website is blocked, the backend (host3) instructs the browser to contact the load balancer directly (prx0) as the final destination for the error page service.
- In this case, the browser no longer uses the proxy port of the load balancer but instead connects directly to it.
- The load balancer then forwards the request to one of available the backends on port 9025.
If the error page is served over SSL, only the certificate on the load balancer is required, since it forwards the requests to a backend over HTTP on port 9025.
¶ Configuration
- On the left menu, go to
HaCluster > Status - Open the Parameters tab
- Down to the “Centralized Configuration of Backends”
- Click on the inactive option “Web-Filtering Splash Service”
Turn on the “Enable” checkbox
In the Hostname field, specify the host that backends will use to construct redirect URLs (e.g., https://hacluster.articatech.int).
Set the Ports that the load balancer will listen on to receive incoming requests from clients.
- If you want to serve an error page over SSL, you will need to create or upload a "server certificate" whose DNS Names match the hostname you entered in the field above.(Note: Do not use a root certificate—make sure to use a server certificate.)
Use the Certificate Center to upload or generate the certificate.
Once you save the configuration, your load balancer will begin listening on the specified ports and will instruct the backends to listen only on port 9025 and to redirect blocked requests to the common hostname you specified.