Sun Java System Web Proxy Server 3.6 SP 12 Release Notes for UNIX

Sun Java™ System Web Proxy Server Release Notes

Version 3.6 SP12 for UNIX January 2009

Part Number 820-5882

Sun Java™ System Web Proxy Server 3.6 SP12 for UNIX (hereafter referred to as Sun Java System Web Proxy Server 3.6 SP12 for UNIX or just Proxy Server) contains a number of enhancements, including important security vulnerability fixes. All users of Sun Java System Web Proxy Server are strongly encouraged to install this service pack.

These release notes contain important information available at the time of release of Sun Java System Web Proxy Server 3.6 SP12, including information about features and enhancements, known limitations and problems, technical notes, and pointers to additional resources. Review the release notes prior to installing and configuring your software, and then periodically thereafter for the most up-to-date information.

The complete documentation for Sun Java System Web Proxy Server can be found at the following location:

http://docs.sun.com/app/docs/prod/webproxys?l=en

Sun Java System Web Proxy Server 3.6 SP12 for UNIX can be installed on the following platforms: Solaris™ Operating System (Solaris OS), AIX, and HP-UX. For operating system version details, refer to Supported Platforms.

These release notes contain the following sections:


Enhancements in Service Pack Releases

Some of the enhancements made in the service pack releases of Sun Java System Web Proxy Server 3.6 are listed below:

LDAP C SDK 4.0 Support

Sun Java System Web Proxy Server 3.6 SP4 supports LDAP C SDK 4.0, which fixes some of the problems with LDAP C SDK 3.0.

HTTP/1.1 Protocol Support

Sun Java System Web Proxy Server 3.6 SP3 supports the HTTP/1.1 protocol in compliance with RFC 2616. This includes support for:

WebDAV Support

Sun Java System Web Proxy Server 3.6 SP3 supports the Web Distributed Authoring and Versioning (WebDAV) protocol in compliance with RFC 2518. For more details, see the Sun Java System Web Proxy Server 3.6 Administrator's Guide.

Support for Arbitrary Methods

Sun Java System Web Proxy Server 3.6 SP3 can be configured to allow arbitrary methods. For more details, see the Sun Java System Web Proxy Server 3.6 Administrator's Guide.

Handling Client Authentication With Digital Certificates (4543418)

Proxy Server now provides user authentication facilities using digital authentication certificates. This is achieved with the certmap.conf file. Specifically, this certificate-mapping file determines how a server should look up a user entry in the LDAP directory. This file (located under <server_root>/userdb) can be edited and entries added to match the organization of your LDAP directory and to list the certificates you want your users to have.

Specifically, the mapping file defines:

A mapping has the following syntax:

certmap name issuerDN

name:property [value]

The first line specifies a name for the mapping. The name is arbitrary; you can define it to be whatever you want. However, issuerDN must match the distinguished name of the certificate authority who issued the client certificate. For example, the following two issuerDN lines differ only in the spaces separating the components, but the server treats these two entries as different:

Certmap Iplanet1 ou=Red Certificate Authority,o=iPlanet,c=US

Certmap Iplanet2 ou=Red Certificate Authority, o=iPlanet, c=US
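The exact-match behaviour described above, as an added example (not Proxy Server code): a C routine that parses `certmap name issuerDN` header lines, compares the issuerDN byte for byte as the text describes, and separately flags two mappings whose DNs differ only in spacing around the commas. The function names, buffer sizes and the case-insensitive keyword match are assumptions made for illustration; the sample entries are the two lines quoted above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define DN_MAX 256

static const char *skip_ws(const char *p)
{
    while (*p == ' ' || *p == '\t') p++;
    return p;
}

/* Parse a "certmap <name> <issuerDN>" header line. The keyword is matched
 * case-insensitively (an assumption: the page's samples write "Certmap").
 * Returns 0 on success, -1 if this is not a mapping header or a field
 * does not fit its buffer. */
int parse_certmap_line(const char *line, char *name, size_t name_sz,
                       char *dn, size_t dn_sz)
{
    static const char kw[] = "certmap";
    size_t i, n;

    line = skip_ws(line);
    for (i = 0; kw[i] != '\0'; i++)
        if (tolower((unsigned char)line[i]) != kw[i]) return -1;
    line += i;
    if (*line != ' ' && *line != '\t') return -1;
    line = skip_ws(line);

    n = strcspn(line, " \t\r\n");                 /* mapping name */
    if (n == 0 || n >= name_sz) return -1;
    memcpy(name, line, n);
    name[n] = '\0';
    line = skip_ws(line + n);

    n = strcspn(line, "\r\n");                    /* rest of line = issuerDN */
    while (n > 0 && (line[n - 1] == ' ' || line[n - 1] == '\t')) n--;
    if (n == 0 || n >= dn_sz) return -1;
    memcpy(dn, line, n);
    dn[n] = '\0';
    return 0;
}

/* The comparison the text describes: spacing between components counts. */
int issuer_matches(const char *configured_dn, const char *cert_issuer_dn)
{
    return strcmp(configured_dn, cert_issuer_dn) == 0;
}

/* Lint helper: copy dn with whitespace around ',' removed. Used only to
 * spot near-duplicate entries in the file, never to authenticate.
 * Escaped commas inside attribute values are not handled. */
static int squeeze_dn(const char *dn, char *out, size_t out_sz)
{
    size_t i, j, o = 0;

    for (i = 0; dn[i] != '\0'; i++) {
        if (dn[i] == ' ' || dn[i] == '\t') {
            if (o > 0 && out[o - 1] == ',') continue;   /* after a comma */
            j = i;
            while (dn[j] == ' ' || dn[j] == '\t') j++;
            if (dn[j] == ',') { i = j - 1; continue; }  /* before a comma */
        }
        if (o + 1 >= out_sz) return -1;
        out[o++] = dn[i];
    }
    out[o] = '\0';
    return 0;
}

/* 1 if the two DNs are different strings but equal once spacing around
 * commas is ignored, i.e. one of them is probably a typing mistake. */
int differ_only_in_spacing(const char *a, const char *b)
{
    char sa[DN_MAX], sb[DN_MAX];

    if (strcmp(a, b) == 0) return 0;
    if (squeeze_dn(a, sa, sizeof sa) != 0 || squeeze_dn(b, sb, sizeof sb) != 0)
        return 0;
    return strcmp(sa, sb) == 0;
}

int main(void)
{
    /* The two entries quoted in the text above. */
    const char *l1 = "Certmap Iplanet1 ou=Red Certificate Authority,o=iPlanet,c=US";
    const char *l2 = "Certmap Iplanet2 ou=Red Certificate Authority, o=iPlanet, c=US";
    char n1[64], n2[64], d1[DN_MAX], d2[DN_MAX];

    if (parse_certmap_line(l1, n1, sizeof n1, d1, sizeof d1) != 0 ||
        parse_certmap_line(l2, n2, sizeof n2, d2, sizeof d2) != 0)
        return 1;
    printf("%s vs %s: exact match=%d, differ only in spacing=%d\n",
           n1, n2, issuer_matches(d1, d2), differ_only_in_spacing(d1, d2));
    return 0;
}
```

A mapping flagged by the second check is worth comparing against the issuer DN exactly as it appears in the CA certificate, since only one spelling can match.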

The second and subsequent lines in the named mapping match properties with values. The certmap.conf file has six standard properties. You can use the Certificate-Mapping API to create your own custom properties.

To enable/disable this feature, a new magnus.conf variable has been added with two possible values (ON/OFF). The feature is disabled (OFF) by default. To enable the feature, use the following syntax:

CertificateChecking ON

ACLs and Authentication with certificates

When you declare allowed users and/or groups, remember that the written ACL file uses the UID field for authentication (basic or SSL) at a later stage. In the case of SSL authentication, the client certificate is used for this purpose.

The proxy attempts to match the certificate presented by the user with the credentials of the user stored in the LDAP Directory Server, following the search criteria defined in the certmap.conf file. If this step is successful, the proxy attempts to match the UID extracted from the certificate with the name of the user stored in the ACL file.

Therefore, the UID field must exist within the client certificate. If the UID field is not found in the user certificate, the proxy will use the CN (Common Name) field to match the name stored in the generated ACL file, by default.

Use of LDAP dynamic groups for authentication (4570987)

Proxy Server supports LDAP dynamic groups, in addition to LDAP static groups, for authentication, access control, and user and group management. Dynamic groups are managed via the LDAP server user interface. They are used in Proxy Server administration in the same way as static groups (by providing the name of the group to define ACLs).

This feature introduces two new configuration parameters in the configuration file magnus.conf:

Authentication/LDAP caching on NT (4571109)

Proxy Server can now cache LDAP information in a simple hash-based proxy authentication cache. LDAP caching reduces the load on your directory server and improves performance. The proxy authentication cache stores user password and user group information, which resides in memory.

From the administration user interface, you can enable and disable the authentication cache, configure the hash table size, configure the number of entries the cache holds, and set the entry expiration time.

The following is the obj.conf directive for enabling and disabling this feature:

Init status=<ON|OFF> hash-size=<Size_of_hash_table> table-size=<Size_of_table_of_entries> expires=<Expires_in_so_many_seconds> fn="init-pauth-cache"

where:

Example:

Init status="on" hash-size="271" table-size="1355" expire="3600" fn="init-pauth-cache"

Handling of LDAP server failover (4575151)

Proxy Server provides basic failover capability, so that it can serve requests when Directory Server is not running. Directory Server must still be running to administer Proxy Server through the administration console.

To add alternate LDAP servers, enter multiple host names in the Directory Server field in the administration console of Proxy Server, separated by a blank character. The LDAP port is common to all servers, so alternate servers must use the same LDAP port as configured in the administration console.

Proxy Server has two time-out values, one for the bind and one for searches. When a time-out is raised, Proxy Server tries once more to contact the failed LDAP server. If Directory Server is unreachable, the current LDAP operation fails and all opened connections on the failed server are marked down. The next Proxy Server operation will use a new pool of connections to the next alternate server. Proxy Server does not switch back to the main LDAP server if it becomes available.

At start time, Proxy Server opens a set of connections to the LDAP directory server (see the LdapConnPool parameter). If the main server is unreachable, Proxy Server tries to switch to an alternate server and tries to open connections. If this procedure fails, an error is reported to the log.

No failover is implemented in the console, so the primary directory must be up and running to use the administration console.

You can configure server failover using two new parameters in the configuration file, magnus.conf:


Installation Notes

This section describes how to install Proxy Server, and contains the following information:

Supported Platforms

Sun Java System Web Proxy Server 3.6 SP12 is supported on the following platforms:

Table 1 Supported Platforms

| Operating System | Architecture |
|---|---|
| Sun Solaris 9, Solaris 8; Solaris 2.6* supported through binary compatibility | UltraSPARC |
| IBM AIX 4.3.3 | Power PC |
| Hewlett-Packard HP-UX 11.0 | PA-RISC 2.0 |

*Support for the following Solaris operating system is now listed as Deprecated and will be removed with the "next" release of the Sun Java System Web Proxy Server 3.6 product:

Please take needed action to move or migrate your Web Proxy Servers to a supported operating system.

Supported Browsers

Required Patches

This section provides patch information for Solaris OS.

Sun Solaris Patch Information

All patches on Sun's recommended patch list should be installed. For Sun's recommended patch list, see:

http://sunsolve.sun.com/pubpatch

For each patch, install the listed revision or a later revision. For example, if patch 111111-01 is required, the later revision 111111-03 will also work.

Sun Java System Web Proxy Server 3.6 on Solaris 2.6 requires patch 105529 rev09 or later.

Impact of US DST Changes 2007

Daylight Saving Time (DST) in the U.S.A. will start on the 2nd Sunday of March and end on the 1st Sunday of November. This will impact the date and time rules of the operating system.

To make sure that log files contain the correct time in US time zones, and that the Administration Server is not impacted by this change, Sun recommends that you do the following:

Memory Information

Depending upon the platform, each process uses the following amount of RAM when idle:

Table 2 Memory Usage

| Operating System | Memory Usage per Process |
|---|---|
| Solaris 8 | 5 MB per process (Proxy Server default is set to 32 processes) |
| AIX 4.3.3 | 3 MB per process (Proxy Server default is set to 32 processes) |
| HP-UX 11.0 | 3.5 MB per process (Proxy Server default is set to 32 processes) |

SSL Information

SSL information remains the same as in the previous version.


Migration Notes

This section includes migration information for installing Sun Java System Web Proxy Server 3.6:

Migrating from Netscape Proxy Server on UNIX

Use the option "Migrate from previous version" in the administration window to migrate from Netscape Proxy Server 3.5 releases to Web Proxy Server 3.6.



Note

When you import a server from an earlier version, be sure to assign the same Server Identifier as was originally used to identify the server, otherwise you will experience problems with existing access control settings.



Troubleshooting

Members of a proxy array cannot update configuration from the master.

There are two possible reasons for this problem:

  1. When setting up a proxy array for the first time, be sure to use a higher Configuration ID for the master than for the members. Otherwise, members will not take into account the configuration they read from the master. For example, set Configuration ID to 2 for the master and 1 for members.
  2. On UNIX only, if Administration Server and Proxy Server are running under two different users, Proxy Server may not be able to update the parray.pat file because this file is created by Administration Server with Administration Server's write access.

I cannot view my access log file from the server manager.

The log files may have grown too big. To remedy this, manually rotate the log files. In the server manager, select Server Status|Archive Log and click the Archive button. A new set of empty log files is created and the previous ones are renamed. The old log files can be deleted or backed up elsewhere.

To avoid this problem in the future:

  1. Limit the amount of information stored in the access log file. To do so, select Server Status -> Log Preferences, and check only the information fields corresponding to the information you want the access log file to record.
  2. Start a job to rotate log files regularly. To do so, choose Server Status -> Archive Log, check "rotate log at" and choose the hours and days of access log rotations. To select more than one hour, keep the Ctrl key pressed down while clicking on the hour menu. Click OK.

On HP-UX, when I restart the SOCKS Server it simply stops running.

On an HP-UX box, an attempt to restart the SOCKS Server while requests are being processed simply stops the SOCKS Server. Restart occurs each time you click the Save and Apply button in any SOCKS Server administration screen.

The fix for bug #538551 prevents the SOCKS Server from stopping at restart but only if no request is being processed at the same time. A simple workaround is to stop, then start the SOCKS Server instead of performing a restart.


Resolved Issues

This section contains lists of issues resolved in the following releases:

Issues Resolved in 3.6 SP12

This section lists the issues resolved in Sun Java System Web Proxy Server 3.6 SP12

Problem 6655101: CONNECT requests: iwait/fwait/cwait parameters not logged correctly in access log

Proxy Server 3.6 does not log iwait/cwait/fwait parameters correctly for CONNECT requests. This problem has been fixed in SP12.

Problem 6782590: Version changes for 3.6 sp12

The README-3.6.txt file has been updated with the "Service Pack 12" product version information.

Problem 6710049: Proxy's own version of vsnprintf does not limit the output length

Proxy Server's own implementation of snprintf() and vsnprintf() does not limit the output length, causing buffer overflow and memory corruption. Removing these implementations has resolved this issue.
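What a length-limited formatter has to guarantee, as an added example (not Proxy Server code): a small append buffer built on the C library's vsnprintf(), which returns the length it would have written, so the caller must clamp the cursor on truncation instead of adding the return value to it. The names `strbuf`, `sb_appendf` and `format_log_line` and the sample request values are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

struct strbuf {
    char  *buf;        /* caller-owned storage */
    size_t cap;        /* size of buf in bytes */
    size_t len;        /* bytes used, excluding the terminating NUL */
    int    truncated;  /* set once any append did not fit */
};

void sb_init(struct strbuf *sb, char *storage, size_t cap)
{
    sb->buf = storage;
    sb->cap = cap;
    sb->len = 0;
    sb->truncated = (cap == 0);      /* nothing can ever fit */
    if (cap > 0) storage[0] = '\0';
}

/* Append formatted text. Never writes outside buf[0..cap-1] and always
 * leaves buf NUL-terminated. Returns 0 if everything fit, -1 otherwise;
 * after a failure further appends are refused. */
int sb_appendf(struct strbuf *sb, const char *fmt, ...)
{
    va_list ap;
    size_t room;
    int n;

    if (sb->truncated) return -1;
    room = sb->cap - sb->len;        /* >= 1 because len <= cap - 1 */

    va_start(ap, fmt);
    n = vsnprintf(sb->buf + sb->len, room, fmt, ap);
    va_end(ap);

    if (n < 0) {                     /* encoding or format error */
        sb->buf[sb->len] = '\0';
        sb->truncated = 1;
        return -1;
    }
    if ((size_t)n >= room) {
        /* n is the length vsnprintf WANTED to write. Adding it to len
         * would move the cursor past the buffer; clamp instead. */
        sb->len = sb->cap - 1;
        sb->truncated = 1;
        return -1;
    }
    sb->len += (size_t)n;
    return 0;
}

/* Build "<method> <host> <status>" from request data that may be of any
 * length. Returns 0 on success, -1 if the line had to be cut. */
int format_log_line(char *out, size_t out_sz,
                    const char *method, const char *host, int status)
{
    struct strbuf sb;

    sb_init(&sb, out, out_sz);
    sb_appendf(&sb, "%s ", method);
    sb_appendf(&sb, "%s ", host);
    sb_appendf(&sb, "%d", status);
    return sb.truncated ? -1 : 0;
}

int main(void)
{
    char line[32];
    char long_host[300];             /* constructed oversized input */

    memset(long_host, 'a', sizeof long_host - 1);
    long_host[sizeof long_host - 1] = '\0';

    printf("%d \"%s\"\n",
           format_log_line(line, sizeof line, "GET", "example.test", 200), line);
    printf("%d \"%s\"\n",
           format_log_line(line, sizeof line, "CONNECT", long_host, 200), line);
    return 0;
}
```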

Problem 6715916: Proxy 3.6: Template issue with CONNECT requests

Templates for CONNECT requests do not function properly. The object "proxy-retrieve" which recognizes CONNECT requests has been added to the obj.conf file.

Issues Resolved in 3.6 SP11

This section lists the issues resolved in Sun Java System Web Proxy Server 3.6 SP11

Problem 6523831: CONNECT in SSL ignores cache-enable directive in 3.6SP6

This problem is observed when using Proxy Server 3.6 SP6 and has been fixed in SP11. When the DNS cache is enabled in Proxy Server, only non-SSL sites are cached and the SSL sites are ignored. The cache enable directive does not get applied to SSL sites. This results in slower rendering of the web pages.

Problem 6529305 Virtual Multihosting does not work when host is in uppercase.

This problem occurs when the virtual multihosting feature is used. When a virtual host is created using upper case characters, the virtual multihosting feature does not work.

Problem 6540780 proxy36sp10 hangs up in LDAP query.

This problem occurs when users upgrade Proxy Server from Service Pack 9 to Service Pack 10. Proxy Server hangs when an LDAP query is executed under heavy load.

Problem 6576015 Fix Bug# 5073658 in 3.6 SP11

Proxy Server does not close TCP connections to the client. This happens when displaying a page using Internet Explorer on Proxy Server 3.6 SP5. As a result of this there is a delay in displaying the contents of a page. This however works fine with Proxy Server 3.6 SP4 on Solaris.

Problem 6584526 403 status code can be returned intermittently when anonymous search access is restricted.

This problem occurs when proxy authentication is performed using an LDAP server. Under load, a 403 response code intermittently occurs in a configuration where anonymous search access is restricted.

Problem 6592126 Request to reduce the number of messages logged when LDAP failover occurs.

This problem is seen when Proxy Server is configured with the LDAP failover mechanism. After configuration, if an LDAP failover occurs, it has been observed that the error log file rapidly increases in size. These error log messages say that an alternate LDAP server is being used every time a user authentication occurs.

Problem 6537736 Proxy Server domain buffer overflow vulnerability

When a SOCKS request is sent to a SOCKS server, if the domain name specified in the buffer is too large, a buffer overflow occurs.

Problem 6537745 Proxy server user authentication buffer overflow

When a SOCKS request is sent to a SOCKS server, if the user name specified in the request is too large, a buffer overflow occurs.

Problem 6566309 Cross site scripting vulnerability in Sun Java System Web Proxy Server 4.0 - "View URL Database"

A cross-site scripting vulnerability is seen in Proxy Server in the View URL Database functionality of the admin server.

Problem 6609325 Fix NSS bug# 6468495 in 3.6 sp11

The security module of Proxy Server 3.6 SP11 incorrectly parses signatures. This leads to a security vulnerability which can be exploited using forged certificates.

Issues Resolved in 3.6 SP10

This section lists the issues resolved in Sun Java System Web Proxy Server 3.6 SP10:

Problem 6385937: rsa_rc4_128_sha parameter is not reflected properly in Encryption Preferences on Admin Screen.

rsa_rc4_128_sha parameter is not reflected properly in the Server Preferences>Encryption Preferences page on the administration interface.

Problem 6390237: Proxy passes incorrect content length if double content length in response.

If the response contains double Content-Length headers, Proxy Server is required to pass an error message indicating that it received a duplicate Content-Length response header.
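The check this fix calls for, as an added example (not Proxy Server code): a C routine that scans an origin server's response header block and reports whether Content-Length is absent, valid, malformed, or present more than once, so the proxy can return an error instead of forwarding an ambiguous length. The enum and function names and the sample responses are assumptions made for illustration; lines may end in CRLF or a bare LF.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

enum cl_result { CL_ABSENT, CL_OK, CL_DUPLICATE, CL_INVALID };

/* Case-insensitive comparison of a header name with a lower-case literal. */
static int name_is(const char *p, size_t len, const char *want)
{
    size_t i;

    if (len != strlen(want)) return 0;
    for (i = 0; i < len; i++)
        if (tolower((unsigned char)p[i]) != want[i]) return 0;
    return 1;
}

/* Accept only optional blanks, decimal digits, optional blanks. */
static int parse_length(const char *p, size_t len, unsigned long *out)
{
    unsigned long v = 0;
    size_t i = 0, digits = 0;

    while (i < len && (p[i] == ' ' || p[i] == '\t')) i++;
    for (; i < len && isdigit((unsigned char)p[i]); i++, digits++) {
        unsigned long d = (unsigned long)(p[i] - '0');
        if (v > (ULONG_MAX - d) / 10) return -1;        /* would overflow */
        v = v * 10 + d;
    }
    while (i < len && (p[i] == ' ' || p[i] == '\t')) i++;
    if (digits == 0 || i != len) return -1;             /* "4, 2", "-1", "" */
    *out = v;
    return 0;
}

/* Scan status line + headers up to the blank line. On CL_OK, *length holds
 * the single Content-Length value. A second Content-Length header is an
 * error even when it repeats the same value. */
enum cl_result check_content_length(const char *hdrs, size_t n,
                                    unsigned long *length)
{
    size_t pos = 0;
    int line_no = 0, seen = 0;
    enum cl_result result = CL_ABSENT;

    while (pos < n) {
        const char *line = hdrs + pos;
        const char *nl = memchr(line, '\n', n - pos);
        size_t len = nl ? (size_t)(nl - line) : n - pos;
        const char *colon;
        size_t name_len, trimmed;

        pos += len + (nl ? 1 : 0);
        if (len > 0 && line[len - 1] == '\r') len--;    /* CRLF or bare LF */
        if (line_no++ == 0) continue;                   /* status line */
        if (len == 0) break;                            /* end of headers */

        colon = memchr(line, ':', len);
        if (colon == NULL) continue;
        name_len = trimmed = (size_t)(colon - line);
        while (trimmed > 0 &&
               (line[trimmed - 1] == ' ' || line[trimmed - 1] == '\t'))
            trimmed--;
        if (!name_is(line, trimmed, "content-length")) continue;
        if (trimmed != name_len) return CL_INVALID;     /* "Content-Length :" */
        if (seen++) return CL_DUPLICATE;
        if (parse_length(colon + 1, len - name_len - 1, length) != 0)
            return CL_INVALID;
        result = CL_OK;
    }
    return result;
}

int main(void)
{
    /* Constructed sample response with two Content-Length headers. */
    static const char resp[] =
        "HTTP/1.1 200 OK\r\n"
        "Content-Length: 42\r\n"
        "Content-Type: text/html\r\n"
        "content-length: 0\r\n"
        "\r\n";
    unsigned long len = 0;
    enum cl_result r = check_content_length(resp, sizeof resp - 1, &len);

    printf("%s\n", r == CL_DUPLICATE ? "duplicate Content-Length: reject"
                                     : "unexpected result");
    return r == CL_DUPLICATE ? 0 : 1;
}
```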

Problem 6397454: ICP processes die and do not restart.

The ICP processes exit and do not restart unless the Proxy Server is restarted.

Problem 6400654: Proxy Server does not start if LDAPConnPool is set to a value greater than 5.

If you set LDAPConnPool to any value greater than 5, the Proxy Server fails to start.

Problem 6406902: Proxy Server 3.6 SP9 takes a long time to stop.

When stopping a Proxy Server 3.6 SP9 using the stop script found in the /<server_root>/<instance> directory, the parent process exits, but the child processes remain until they have completed the request they are currently serving. This can lead to a time delay in the Proxy Server shutting down completely.

Problem 6406276: Proxy Server requires authentication although configured ACL doesn't require it.

Problem 6408062: Timeout After Interrupt value does not change when it is changed through the Proxy Server Administration interface.

Problem 6421108: Proxy 3.6 SP9 redirection does not work if there is a query string in the original URI.

Proxy Server redirection does not work if there is a query string in the original URI requested.

Problem 6441963: Proxy Server results in libsec code -8174 when server user is changed.

Problem 6446748: Required to increase max value of SOCKS5_TIMEOUT

The maximum timeout value for the idle SOCKS Proxy Server connection is 60 minutes. It is required to increase this value.

Problem 6457439: Proxy Server shows wrong data in log reports.

Proxy Server 3.6 sometimes displays wrong data in log reports.

Problem 6494864: Proxy Server crashes when LDAPConnPool value is changed to greater than 5 and ONLY RESTART is clicked.

Proxy Server 3.6 crashes when it is restarted after changing the LDAPConnPool value to greater than 5.

Problem 6509535: Impact of US DST changes 2007.

The impact of US DST changes 2007 is documented in the Release Notes in a new section under Installation Notes.

Issues Resolved in 3.6 SP9

This section lists the issues resolved in Sun Java System Web Proxy Server 3.6 SP9:

Problem 6191615: URL filter with regex causes Proxy Server 3.6 SP6 to dump core.

Certain regular expressions when used as URL filters cause the Proxy Server to crash while starting.

Problem 6290468: Proxy Server Admin GUI displays an error message even when the config is valid.

The Admin GUI incorrectly reports a valid setting made through the GUI as erroneous.

Problem 6320531: Incorrect password retry count when Proxy Server uses Directory Server for user authentication.

Whenever there is a failed authentication attempt due to an incorrect password, the passwordRetryCount attribute in the directory server is expected to increase by just one. Checking passwordRetryCount shows that the directory server counts two for each client authentication failure.

Problem 6326072: Error on ftp request if the entire path to the file is not specified.

On an ftp request, Proxy Server 3.6 returns an error if the entire path to the file is not specified.

Problem 6329630: http-parse-request reports: invalid protocol in request line CONNECT.

Proxy Server 3.6 SP8 fails on https sites with Navigator 4.7x after a few requests (initially the same https request goes through) with the following error:

http-parse-request reports: invalid protocol in request line CONNECT

Problem 6329635: Proxy Server 3.6 SP8 does not recognize single LF as a line terminator.

Proxy Server 3.6 SP8 does not recognize single LF as a line terminator. It responds with the error message "400 Bad request" to requests which use single LF (not CRLF) as a line terminator for the request line.

Problem 6341353: Proxy Server 3.6 SP8 crashes when a 404 response is sent to a HEAD request.

When an origin server responds to a HEAD request sent through Proxy Server 3.6 SP8 with a "404 Not found", the Proxy Server crashes.

Problem 6341355: Proxy Server 3.6 SP8 crashes when an Origin Server responds with a 304 to a request for a Real Audio file.

When an origin server responds to a request for a Real Audio file with error 304, the Proxy Server crashes.

Problem 6342631: Proxy Server 3.6 SP8 crashes when receiving an invalid HTTP response.

Problem 6347444: Proxy Server can forward an invalid 200 response.

When the origin server sends back an invalid status line the Proxy Server simply forwards that to the client.

Problem 6354627: Proxy Server 3.6 SP8 cache incorrectly handles requests with If-None-Match header.

If client requests contain If-None-Match headers, then in certain cases the Proxy Server fails to forward these requests to the origin server.

Problem 6369072: Proxy Server 3.6 SP6 fails to shutdown.

Problem 6369668: Proxy Server 3.6 SP8 is unable to handle 100-continue responses which contain other headers.

Issues Resolved in 3.6 SP8

This section lists issues resolved in Sun Java System Web Proxy Server 3.6 SP8:

Problem 6271590 : Memory Leak in ICP Process of Proxy Server 3.6 SP7

Under a heavy load, a memory leak causes the ICP process to grow in size and consume a lot of memory.

Problem 6264430 : Heavy CPU utilization on ns-proxy process on invalid POST request from client to proxy.

Certain types of POST requests can cause the ns-proxy process to hang and to enter a cycle of heavy CPU utilization.

Problem 6261414 : ns-sockd memory leak

ns-sockd is a standalone process which allows the tunneling application protocols using either SOCKS V4 or V5. The ns-sockd daemon provided with proxy server leaks memory when presented with a specific type of TCP behaviour.

Problem 6257201 : If a plugin is configured with REQ_ABORT, proxy-connection: keep-alive requests receives wrong response

If a plugin is configured with REQ_ABORT, the requests with 'proxy-connection: keep-alive' receive responses with multiple Connection headers.

Problem 6256629 : Proxy Server sends 'Proxy-Authorization' header to the Web Server.

When a proxy server is configured to use ACLs with templates, the Proxy-Authorization header is not removed by the proxy server. Instead it is sent in the request from the proxy server to the web server.

Problem 6255119 : Proxy 3.6 SP6 daemon_atrestart: registered fn is not called when child processes are recycled.

Functions registered through daemon_atrestart are not called when the ns-proxy child process is recycled after its process life.

Problem 6254435 : Proxy 3.6 SP6 with Keep-Alive off does not send Connection: close header.

When keep-alive is off, proxy should send a Connection: close and close the connection. Sometimes proxy closes the connection without sending the Connection: close header.

Problem 6254143 : High CPU utilization on ns-proxy process on invalid POST.

Certain types of POST requests can cause the ns-proxy process to hang and to enter a cycle of heavy CPU utilization.

Problem 6251144 : Restart fails when both ConnAddress and Address are specified.

The restart command fails and the proxy server hangs when both ConnAddress and Address directives are specified in magnus.conf.

Problem 6242078 : Proxy Server removes Transfer-Encoding header, but not chunk size values from the data.

Proxy server removes the 'Transfer-Encoding: chunked' header as dictated by the Connection: Transfer-Encoding header, but it does not remove the chunk size element of the data.

Problem 6237563 : Downloading file over 2GB size through proxy fails.

Downloading of files of size greater than 2GB is enabled on proxy server 3.6 SP8, but the caching subsystem is not modified to cache such files. While attempting such a download an error message might appear in the logs indicating that the caching was aborted, but it does not mean that the download has failed. This only indicates that the file has not been cached.

Problem 6222794 : Same regex does not work in URL Filters, but works in Access Control and Routing in 3.6SP1 (and SP6)

Regular expressions containing the pattern [^/] do not work properly when used as URL filters but they work when used for Access Control and Routing.

Problem 6300506 : HTTP smuggling in UNIX proxy server.

Issues Resolved in 3.6 SP7

This section lists issues resolved in Sun Java System Web Proxy Server 3.6 SP7:

Problem 5022146: Adding a new ACL can fail.

This problem occurs when an ACL is configured with a rule for authenticating users through LDAP. If a user or group for which the ACL has been configured, is deleted from the LDAP database, then the process of adding a new ACL can fail.

Problem 6183900: 'Save & apply' does not restart the child processes after a batch update has been created.

If a batch update has been configured and started, then the restart functionality does not work.

Problem 6185076: Need to refresh the LDAP user authentication cache in the proxy server when the user password is changed in the LDAP server.

If LDAP user authentication cache is enabled in the proxy server, then a password change for a particular user in the LDAP server is not reflected immediately. This may result in that user being denied access with an updated password.

Problem 5091231: Proxy leaks file descriptor.

When the system hosting the proxy server can resolve host names to IP addresses using DNS and can also connect to the remote host, but is unable to do so, the proxy leaks file descriptors.

Problem 6197092: Proxy responds in chunked format for HTTP/1.0 requests if content is present in the cache.

If some content was served in the chunked format for an HTTP/1.1 request and was cached, then the proxy responds to subsequent requests for the same content by serving it in a chunked format.

Problem 5002863: sockd process crashes with SIGSEGV error.

The SOCKS server crashes intermittently under stress conditions.

Problem 6211698: It is possible to expose the local server name when using virtual mapping.

In a sequence of virtual mappings combined with mappings for relative URIs, if a relative URI is sent without a trailing "/" the local server name will be sent back with a redirect (302) response rather than the virtual host name.

Problem 6209005: Web Proxy Server 3.6 SP6 on AIX fails to transfer files larger than 126MB through FTP.

It is not possible to transfer files larger than 126 MB through the proxy server, using the FTP protocol.

Problem 6202281: Requires support for additional cipher SSL_RSA_WITH_RC4_128_SHA from SSL v3.

Support is required for an additional cipher SSL_RSA_WITH_RC4_128_SHA to be included to the list of SSL 3.0 ciphers that Proxy Server 3.6 supports. Proxy Server 3.6 SP6 currently supports RC4 with 128 encryption and MD5 message authentication and this RFE is to extend the list to RC4_128_SHA message authentication as well.

Problem 5078284: The Proxy Server fails to encode unusual characters in the user name when forwarding.

The proxy server does not encode or decode the unusual characters when it makes an FTP login request to the remote server. For example, if the user name contains the "^" character, the connection fails. However, the same is not true with the password field.

Problem 5055160: Enabling 'url recording' with caching disabled, gives 'Internal Error'.

If caching is disabled at the time of installation (when adding a new proxy instance) and URL recording is enabled explicitly later from the administration server for that particular instance, an 'Internal Error The administration server was unable to fulfill your request.' message is displayed.

Problem 5109863: Remotely exploitable buffer overflow.

This is a remotely exploitable buffer overflow that occurs when the client sends exceedingly large lengths of data for particular HTTP headers.

Problem 6174807: Proxy is unable to handle a specific chunk encoded response.

Proxy is unable to handle a specific chunk encoded response, even though the response from the origin server is HTTP/1.1 compliant. This results in the client receiving only a part of the data sent back by the web server.

Problem 6178362: Proxy does not terminate the forwarding of chunked data correctly.

When an Internet Explorer client makes an HTTP 1.0 keep-alive request, through the proxy to a web server that sends the data to the proxy in more than one chunk, the proxy returns the data to the client without a Content-Length or Connection: close header. This results in the proxy sending the last packet of data to the client, but keeping the connection open until its connection to the web server times out.

Issues Resolved in 3.6 SP6

This section lists issues resolved in Sun Java System Web Proxy Server 3.6 SP6:

Problem 4973653: If-None-Match-* support not adequate.

Problem 5009230: ACLs should be cleaned up when user uses Admin GUI to remove [Templates]->[Remove].

Problem 4967409: Netscape 6.1 displays invalid output.

Problem 5060399: Secure Reverse Proxy 3.6 SP5: Problems with POST (only with HTTP 1.1).

Problem 5064495: WP3.6 SP4: Web page is not displayed normally.

Problem 5060918: Proxy forwarding closed headers.

Problem 5022166: Restart can produce more processes than are specified.

Problem 4765864: MIME filter doesn't work if content is in cache.

Problem 4798317: Sock Server Crashed.

Problem 4992774: LDAP Failover in Proxy does not failover.

Problem 5056937: Migration of Proxy Server doesn't migrate the backup.conf file correctly.

Problem 5079482: Reverse proxy gets SIGSEGV when it times out.

Problem 5080085: Reverse proxy hangs.

Problem 5081409: 304 response MUST include explicitly required headers.

Issues Resolved in 3.6 SP5

This section lists issues resolved in Sun Java System Web Proxy Server 3.6 SP5:

Problem 4924517: Proxy closes HTTP/1.1 connections.

Problem 4959413 Proxy should send Connection: close header.

Problem 4990959: Unable to view video file with Windows Media Player via a Proxy using Auth.

Problem 5024975: Snmp Data is not available when the subagent is started from command line.

Problem 4934926. Proxy 3.63 adds its own headers when routing another proxy.

Problem 4915592. ns-proxy will consume large amounts of memory & CPU time handling a specific request.

Problem 4915520. Cache batch updates fail: no matter how the batch updates function is configured, the cache is never filled.

Problem 4956514. SOAP Request with attachment causes SIGSEGV in Proxy Server.

Problem 4925353. ConnAddress is not recognized for CONNECT requests using forward-proxy (SP3).

Problem 4869733. Bug in perl script |newgc.conf|.

Problem 4949315. Proxy worker process can hang & consume CPU when processing bad "chunked" data.

Problem 4961917. Secure reverse proxy sends back unencrypted response when the content's web server is down and a secure reverse proxy receives a request from the client.

Problem 4972842, 4976734. Proxy tries to send 400 response through closed connection.

Problem 4973816. Multiple buffer management issues in proxy admin.

Problem 4982616. Reverse proxy: 3.6sp4 - gets SIGSEGV.

Problem 5006186. The proxy server on Solaris platforms receives a SIGSEGV when a long user id and password combination is supplied to the server.

This occurs when an ACL is set for the proxy allowing only certain users access through the forward proxy.

Issues Resolved in 3.6 SP4

This section lists issues resolved in Sun Java System Web Proxy Server 3.6 SP4:

Problem 4759526. Proxy does not restart when ACL is turned on

If ACL is turned on for a proxy server using LDAP, the proxy server restarts when saving the changes through the admin interface.

Problem 4760268. Proxy server core dumps if LDAP is unavailable

When an ACL is configured with an available LDAP server, the proxy server no longer crashes during startup if the LDAP server becomes unavailable.

Problem 4767237. SOCKS server does not work if LDAP is unavailable

If the proxy server is configured with an available LDAP server, the SOCKS server starts successfully if the LDAP server becomes unavailable.

Problem 4860988. Proxy gives SIGSEGV for long URI

The proxy server is now able to handle long URIs.

Problem 4880031. Performance degradation from Proxy 3.5 to Proxy 3.6

Uploads in Sun Java System Web Proxy Server 3.6 SP3 were slow in comparison to version 3.52. This performance degradation has been resolved in SP4.

Problem 4881014. Proxy Server does not acknowledge FIN packet sent from Directory Server

When the proxy server is configured with an available Directory Server for authentication, and if the connection remains idle for the time specified in the Directory Server configuration or if the Directory Server is restarted, the Directory Server sends a FIN packet to close this connection. In previous releases, the proxy server did not acknowledge this FIN and treated the connection as if it were still open.

Problem 4891366. ns-proxy stalls some client requests when using HTTP 1.1

In SP3, when a client sent an If-Modified-Since header along with a request, and when the Web Server returned a 304 (Use Local Copy) response, the proxy waited for data to follow the response headers from the Web Server until the Web Server closed the Keep-Alive connection. This issue has been resolved in SP4.

Problem 4906403. Proxy 3.6 SP3 removes "Proxy-authenticate:" HTTP header when forwarding

The proxy server no longer removes the Proxy-authenticate: HTTP header when forwarding requests to clients.

Problem 4936282. Secure Reverse Proxy 3.6 sp3: Problems with POST (only with HTTP 1.1)

In SP3, HTTP 1.1 browsers had problems when sending POST requests to the secure reverse proxy 3.6 sp3 with an IIS server behind the proxy. This issue has been resolved in SP4.

Problem 4957188. Probable DOS attack for proxy server

In previous releases, the proxy server was vulnerable to DOS (denial of service) style attacks with malformed DER certificates in secure reverse proxy mode. This security issue has been resolved in SP4.

Issues Resolved in 3.6 SP3

This section lists issues resolved in Sun Java System Web Proxy Server 3.6 SP3:

Problem 4824133. Keep-Alive does not work on iWPS3.6SP1 in secure mode.

As of Sun Java System Web Proxy Server 3.6 SP3, the keep-alive sub-system is enabled by default, and the proxy supports persistent connections against a secure reverse proxy server.

Problem 4746073. RFE: request to implement a workaround for SSLv3 close_notify problem in MSIE.

The way Microsoft Internet Explorer (MSIE) handles SSL version 3 (SSLv3) and Transport Layer Security (TLS) keep-alive connections causes interoperability problems with non-Microsoft web servers such as Sun Java System Web Proxy Server. When accessing a Web Proxy server over SSL (https://) connections, Internet Explorer may inappropriately display error messages or blank pages.

To resolve the problem, do the following:

  1. Compile the following file in the nsapi/examples directory:

    /* Filename: repl.c (to create the repl.so) */

    #include <string.h> /* strstr */

    #include "base/pblock.h"
    #include "base/session.h"
    #include "frame/req.h"
    #include "frame/log.h" /* log_error */

    /* these strings are part of a hidden API in the proxy */
    #define FILTER_SVR_HDR_STR "filter-srv-hdrs"
    #define FILTER_ACT_STR "filter-act"
    #define FILTER_SUB_STR "filter-sub"

    char *hstr = FILTER_SVR_HDR_STR;
    char *astr = FILTER_ACT_STR;
    char *sstr = FILTER_SUB_STR;

    NSAPI_PUBLIC int replace_response_keep(pblock *pb, Session *sn, Request *rq)
    {
        /* store an action that will be executed by proxy-retrieve */
        /* log_error(LOG_INFORM, "replace_response_keep", sn, rq, "KEEPALIVE"); */
        char *user_agent = pblock_findval("user-agent", rq->headers);

        if (user_agent && strstr(user_agent, "MSIE")) {
            /* MSIE client: add "Connection: close" and set disable-close-notify */
            /* this string does not have any meaning for "add" but is still required */
            pblock_nvinsert(hstr, "HTTP", rq->vars);
            pblock_nvinsert(astr, "add", rq->vars);
            pblock_nvinsert(sstr, "Connection: close\r\n", rq->vars);
            pblock_nvinsert("disable-close-notify", "yes", rq->vars);
        } else {
            /* other clients: replace "Connection: keep-alive" with "Connection: close" */
            pblock_nvinsert(hstr, "Connection: keep-alive", rq->vars);
            pblock_nvinsert(astr, "replace", rq->vars);
            pblock_nvinsert(sstr, "Connection: close\r\n", rq->vars);
        }

        return REQ_NOACTION;
    }

  2. During configuration, add the following object to the obj.conf file:

Problem 4784333. Proxy does not recognize filter rule with '?' that follows URL.

In previous releases, the Web Proxy server failed to process URL filters that contained query strings. As of Sun Java System Web Proxy Server 3.6 SP3, this problem is resolved. The proxy supports filters on query strings.

Problem 4796919. Security Vulnerability in Proxy Admin Server.

Sun Java System Web Proxy Server 3.6 SP3 contains a resolution of the security vulnerability alert published at:

http://www.ngsec.com/docs/whitepapers/Iplanet-NG-XSS-analysis.pdf

Problem 4802826. RFE: increase the uploading file size limit on iWPS3.6.

As of Sun Java System Web Proxy Server 3.6 SP3, you can upload files larger than 10MB in size by configuring the proxy server. To do so, you must increase the delay allowed between consecutive network packets received from the remote server. If the delay exceeds the timeout, the connection is dropped. Edit the obj.conf file to increase the timeout and ssl-tunnel-timeout parameters in the init-proxy function. Example:

Problem 4842033. RFE: proxy can't connect to webserver in specific case on Dual-Host Architecture.

Sun Java System Web Proxy Server 3.6 SP3 introduces a new magnus.conf directive ConnAddress.

The syntax of this directive is similar to the Address directive in magnus.conf.

Syntax:

ConnAddress xxx.xxx.xxx.xxx

By default, ConnAddress is not enabled in magnus.conf.

When ConnAddress is enabled, proxy will bind all connect sockets (sockets used to connect to the web server) to the IP address specified in the directive.

If ConnAddress is "0.0.0.0", then proxy does not perform any bind operation and lets the operating system handle the binding of socket when connect() is called.

Problem 4856215. Proxy server does not support HTTP/1.1.

As of Sun Java System Web Proxy Server 3.6 SP3, the HTTP/1.1 protocol is supported.

Problem 4856218. Proxy server does not support WebDAV methods.

As of Sun Java System Web Proxy Server 3.6 SP3, the WebDAV protocol is supported.

Issues Resolved in 3.6 SP2

This section lists issues resolved in Sun Java System Web Proxy Server 3.6 SP2:

Problem 4728221. Cannot customize error message for 404 and 500

The iPlanet Web Proxy Server 3.6 Administrator's Guide incorrectly states that the 404 and 500 error messages can be customized. Because these error messages are not generated by the proxy server, this is in fact not possible. For a list of error messages you can customize, see the Sun Java System Web Proxy Server 3.6 SP2 Administrator's Guide.

Problem 4627087. urldbgen not supported on NT.

The iPlanet Web Proxy Server 3.6 Administrator's Guide - NT Version incorrectly states that the urldbgen utility is supported by proxy server on the Windows NT platform. This utility is supported only on the UNIX platform. The Sun Java System Web Proxy Server 3.6 SP2 Administrator's Guide - NT Version has been updated to correct the error.

Problem 4767765. Doc bug in admin guide on evaluating template.

The iPlanet Web Proxy Server 3.6 SP1 Administrator's Guide states that templates follow a hierarchy according to which the longest regular expression that matches the URL takes precedence over other regular expressions. In fact, the proxy server does not provide for hierarchies of templates. As of Sun Java System Web Proxy Server 3.6 SP2, the Administrator's Guide has been updated to remove this incorrect information.

Problem 4710423. Proxy logs incorrect content length.

Sun Java System Web Proxy Server 3.6 SP2 logs the content length that is sent by the content server in the response headers and not the exact amount of bytes transferred.

Problem 4636517. Documentation of sitemon command required.

As of Sun Java System Web Proxy Server 3.6 SP2, the Administrator's Guide - UNIX Version carries a complete description of the sitemon command.

Problem 4539177. Doc & Code differences to add a customized header in the request.

As of Sun Java System Web Proxy Server 3.6 SP2, a new section titled "Appending Customized Outgoing Headers" has been added to the Administrator's Guide - UNIX Version.

Problem 4703051. A new configuration variable in socks5.conf will be added to provide tuning.

As of Sun Java System Web Proxy Server 3.6 SP2, a new tuning parameter is available in the server-root/proxy-id/config/socks5.conf file called SOCKS5_TIMEOUT. This specifies the idle period that the SOCKS server will keep a connection alive between a client and a remote server before dropping the connection. For more details, see the Sun Java System Web Proxy Server 3.6 SP2 Administrator's Guide.

Problem 4537443. Proxy doesn't allow ServerID name to include dots in it.

As of Sun Java System Web Proxy Server 3.6 SP2, a new section titled "Creating a New Proxy Server Instance" has been added to the Sun Java System Web Proxy Server 3.6 SP2 Administrator's Guide, that specifies the characters you can use while naming the Server Identifier.

Problem 4657410. Performance affected on HP-UX when modifying ACL.

This problem was specific to the HP-UX platform. When attempting to set an ACL by specifying a large group (over 500 members), the response slowed down significantly. This problem has been corrected, and access control can now be specified for large groups without any performance overhead.

Problem 4707469. ACL file gets corrupted if user or group specified in ACL doesn't exist.

In previous releases, if you restricted access to a resource with an ACL and subsequently deleted from the directory server database all the user or group entries restricted by that ACL, you would encounter problems when enabling access restrictions for any other resource. In addition, the following error message would be generated: "System Error: Unable to create write ACL. An error occurred while trying to create the ACL structures."

As of Sun Java System Web Proxy Server 3.6 SP2, this problem has been corrected. If none of the user or group entries pertaining to an ACL exists on the directory server, the corresponding entry is replaced by "all" in the genwork.proxy-id.acl file, as shown below:

Default deny anyone;
Default authenticate in {
    Database "default";
    Method basic;
};
Default allow all;

Further, the administrator is sent a notification containing a reference to the corresponding ACL.

Problem 4643838. KeepAlive on Reverse Proxy Server does not work correctly.

Problem 4645900. After logging into a secure site, and entering search criteria, results do not get displayed.

Problem 4701070. Performance problem of the secure reverse proxy.

Problem 4725149. Sometimes, accept failed occurs if client stops the request.

Problem 4727882. An instance configured to use a second IP address configured on the host uses the first one.

Problem 4752175. Cache Policy default status should be "automatic" instead of "disabled."

Problem 4531117. Some log entries are missing "HTTP/1.0."

Problem 4540845. During FTP upload, a file name, if it contains spaces, is shortened.

Problem 4692843. Cannot migrate from Proxy 3.5x to Proxy 3.6 SP1.

Problem 4724289. SOCKS server tries to access an invalid socket.

Problem 4713948. Cannot specify mime filter with some mime type combination.

Problem 4715263. Failing to enable ACL in admin server on IE5.0.

Problem 4539858. SNMP agent does not work when secure reverse proxy enabled.

Problem 4540506. Proxy.txt contains reference to the Proxy 3.6 CD layout.

Problem 4621701. Proxy reported hostname as not existing even though it did.

Problem 4672205. Only the necessary partitions should be cleaned by the newgc script.

Issues Resolved in 3.6 SP1

This section lists problems corrected in iPlanet Web Proxy Server 3.6 SP1:

Proxy Crashes with very long URLs. (4563178)

In previous releases, when a request was bigger than 4118 bytes, Proxy Server would crash due to a problem with buffers in the flexlog. This problem has been corrected.

Proxy processes consumed 100 CPU after executing log rotate command. (4621100)

Unable to configure ACL with large groups via HP-UX admin server. (4624955)

This problem was specific to the HP-UX platform. When attempting to set an ACL by specifying a large group (over 500 members) it failed with the message "Incorrect usage: Bad user or group, this users/groups were not in the database" (although they were in the database). This problem has been corrected and an HP-UX proxy admin can hold large groups without problems.

Error occurs when adding/modifying ACL if there are many ACLs. (4646267)

When adding or modifying a number of ACLs with specific large groups, the following error occurred, along with inconsistencies between genworks.*.acl and generated.*acl: "System Error: Unable to create write ACL." This problem was HP-UX specific and has been corrected.

Clients are requested to input UID & PASSWORD. (4550626)

When using client authentication through a secure reverse proxy, a temporary failure or a crash on the LDAP directory caused a prompt (repeatedly asking users for authentication).

A new magnus variable (LdapCheckUp) has been created to correct this problem. In explanation, the proxy recycles child processes when they reach a limit of having served 128 requests (ProcessLife). When a child process reaches this limit, it sends a SIGCHLD signal to the daemon. When the daemon receives this signal, it recycles the child process (respawns a new process) and simultaneously calls a callback function that checks the sanity of the LDAP connections. That is, the frequency of calls made by the daemon is a function of the number of processes (ns-proxy), the value of the ProcessLife variable and the load supported by the proxy. This function simply compares dates from the present to the last call made. If the time frame is bigger than LdapCheckUp, a sanity check is performed.

In summary, the time is now a parameter, set through the new LdapCheckUp variable in magnus.conf. The default value of this variable is 30 seconds. Example:

LdapCheckUp 20 => This line in the magnus.conf file means that the variable has been set to 20 seconds.

KeepAlive on Reverse Proxy does not work correctly. (4537319)

This fix enables you to establish persistent connections against a non-secure reverse proxy if the keep-alive feature is enabled in the Proxy and the client browser sends an http header indicating a persistent connection. This fix applies only to UNIX platforms.

Can't cache some URLs. (4562322)

Requests with an erroneous content-length header were not cached by the proxy (the error log showed messages such as "incomplete cache file removed for..."). This was a UNIX-specific problem (Win32 platforms were not affected).

LANG="ja" prevents log rotation. (4550628)

Proxy 3x/NT treats only last reverse mapping. (4539371)

This was a Win32 platform specific problem (UNIX platforms were not affected).

Unable to upload file size more than 4Mb under reverse proxy. (4538211)

Proxy was unable to upload (http method POST) a file bigger than 4 Mb using reverse proxy under SSL.

Note: Uploading files larger than 10Mb is not supported by iPlanet Web Proxy Server 3.6.

POST with enctype="multipart/form-data" fails sometimes. (4536787)

A problem existed when uploading files (http method POST) through proxy in secure mode from a WAN network. A new magnus.conf variable (NetBufferSize) has been incorporated in the magnus.conf file to control the network buffer size. This variable prevents the error log message "cannot buffer client data" from occurring. The syntax of the variable is as follows:

NetBufferSize 4096 => This line in the magnus.conf file indicates that the network buffer has been set to 4096 bytes. The maximum value is 100000 bytes. If NetBufferSize is set to higher than 100000 bytes, Proxy Server uses its maximum size (100000 bytes).

In addition, a problem was detected with certain versions of Microsoft IIS which returned a keep-alive header when the http request explicitly meant a non-persistent connection. To solve this problem (which indirectly affects proxy behavior) the following sample plugin can be used:

/*
 * Copyright %G% Sun Microsystems, Inc. All Rights Reserved
 */

#include "base/pblock.h"
#include "base/session.h"
#include "frame/req.h"
#include "frame/log.h" /* log_error */

#ifndef XP_WIN32
#include <unistd.h> /* sleep */
#define NSAPI_PUBLIC
#else /* XP_WIN32 */
#define NSAPI_PUBLIC __declspec(dllexport)
#endif /* XP_WIN32 */

/* these strings are part of a hidden API in the proxy */
#define FILTER_SVR_HDR_STR "filter-srv-hdrs"
#define FILTER_ACT_STR "filter-act"
#define FILTER_SUB_STR "filter-sub"

char *hstr = FILTER_SVR_HDR_STR;
char *astr = FILTER_ACT_STR;
char *sstr = FILTER_SUB_STR;

NSAPI_PUBLIC int replace_response_keep(pblock *pb, Session *sn, Request *rq)
{
    /* store an action that will be executed by proxy-retrieve */
    /* log_error(LOG_INFORM, "replace_response_keep", sn, rq, "KEEPALIVE"); */

    /* replace the server's "Connection: Keep-Alive" header with "Connection: close" */
    pblock_nvinsert(hstr, "Connection: Keep-Alive", rq->vars);
    pblock_nvinsert(astr, "replace", rq->vars);
    pblock_nvinsert(sstr, "Connection: close\r\n", rq->vars);

    return REQ_NOACTION;
}

At configuration time, the following object must be added to the obj.conf file:

# Sun Microsystem - obj.conf
# You can edit this file, but comments and formatting changes
# might be lost when the admin server makes changes.

Init funcs="replace-response-keep" shlib="/usr/iplanet/suitespot/plugins/repl.so" fn="load-modules"

<Object name="default">
NameTrans fn="map" from="file:" to="ftp:" cont="yes"
....
Filter fn="replace-response-keep"
....
</Object>

For more information, see the iPlanet Web Proxy Server 3.6 Administrator's Guide.

3.5x->3.6 migration breaks ACL. (4551161)

Sagt process fails to respond. (4546947)

The SNMP sagt process in Proxy Server did not respond properly if the octet number of an interface was larger than 2^31. In addition, the sagt process sometimes crashed. This problem has been fixed for all supported platforms.

OULU encode test cause SNMP agent core dump. (4532320)

The c06-snmpv1-req-enc-pr1 test suite from OULU caused the Admin Server SNMP master agent magt to core dump. (For more information, see http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/0100.html.)

Instability of SOCKS daemon. (4535931)

The SOCKS daemon stopped every time an attempt was made to load a large picture from the webserver through the proxy, when the client connected to the server through a modem line.

Failure: can't stat() cache partition. (4558738)

Proxy Server did not disable partitions or urldbgen databases when global caching was disabled within the proxy.

Web Proxy 3.6 (reg) - No performance object for the Proxy in win perf monitor. (4615444)

accon and accallow become very slow and unable to control ACL. (4639459)

This problem occurred only on the HP-UX platform. When setting approximately 40 ACLs with groups that had several unique members, the Proxy Admin Server was unable to control the ACL. The following error occurred: "Internal error: The administration server was unable to fulfill your request."

Error 7024 and authentication problem. (4539275)

When using a local LDAP database for users and groups within Proxy an "Error 7024" sometimes appeared in the error log, followed by the error "password did not match directory." Clients were rejected (they could not go through the proxy) although the credentials they provided were correct. This was a file descriptor problem (a consequence of the use of the local database). I/O functions "fopen" and "open" have a limitation on the maximum number of file descriptors. To overcome this problem, check the current system settings (see the ulimit command).

After a new OS patch, the proxy server hangs. (4552944)

This was a SOLARIS-specific problem. After updating the OS from release 11 to release 26, Proxy Server hung during peak hours generating several defunct processes. This problem was a consequence of a bug in the Solaris OE libthread library. The problem is corrected by applying a Solaris OE patch (see iPlanet knowledge base (article 7531) and SunSolve).

Proxy on NT permanently restarts. (4538284)

Limitations on the local LDAP Proxy database under heavy loads caused the proxy to restart frequently. To avoid this problem, it is highly recommended that you use an external directory server.

Default proxy timeout (4548270)

The Administrator's Guide and the Online help state that the default value of a Proxy timeout is 20 minutes. The correct value is 5 minutes.

Multiple calls in the icp.conf file (4559457)

The Administrator's Guide and the Online help state that multiple calls can be made to the "server" function via the icp.conf file. This is true only for the following functions: add_parent, and add_sibling.

In the case of the "server" function, only the last call is taken into account. The server function stands for the configuration of the local proxy and there is only one.

Doc & Code differ to add header in the response (4539178)

The Administrator's Guide erroneously states that "the Request->srvhdrs parameter block is the set of HTTP headers for the server to send back. This parameter block can be modified by any function." This does not work. A Proxy retrieve is mono-block and completely opaque. Content adaptation is not possible. The solution is to add a header in the response, to use the filter mechanisms (either pre-posted actions or a "pre-filter" forked process), or to rewrite service_proxy_retrieve. Note: The only pre-posted filter actions supported by Proxy 3.x are replace, remove, and reject. There is no "add" action that can be used as a workaround. However, a workaround has been coded that enables a custom plugin to add a header in the response. The filter action API has been extended with an "add" action.

Document bug for Proxy Server Cache erase (4547222)

The iPlanet Web Proxy Server 3.6 Administrator's Guide provides the incorrect syntax for the following command:

cd proxy directory/cache

find s* -type f -exec rm {} \.;

This should be:

cd proxy directory/cache

find s* -type f -exec rm {} \;

On Windows platforms:

From a DOS prompt: cd <server_root>\cache

In addition, note the difference in the following command syntax:

del *. /s /p (--> will prompt for delete confirmation)

del *. /s /q (--> will not prompt for delete confirmation)

Issues Resolved in 3.6

iPlanet Web Proxy Server 3.6 includes fixes to the following known problems that occurred in earlier releases:

Proxy Server appends LF instead of CRLF to host header. (4588536)

Proxy Server was only adding LF (\n) to the end of the host header when it should have been adding CRLF (\r\n).

Proxy Server does not establish a secure connection with sites. (4588536)

If the SSL server certificate used by CMS was signed with a key longer than 1024 bits, Proxy Server was unable to verify the SSL server certificate's digital signature.

Proxy Server does not load group attributes only to check existence. (4575103)

When Proxy Server starts, it checks that the groups used in the ACL exist. To do so, Proxy Server searches for the LDAP entry corresponding to each group. This search no longer returns all the group attribute values, because the values can be large for a group containing many members.

Proxy Server does not generate an error message when using "Unverified User from client". (4580723)

When going through Proxy Server to a site that requires authentication, the error "...remote-auth reports:missing parameter to remote-auth (need type)" is not shown in the error log when you check "Unverified User from client" under Server Status|Log Preferences|Only log.

Proxy Server remains bound to LDAP server on default DN. (4586796)

After each bind to the LDAP server for user authentication, Proxy Server makes sure that it binds again as the default DN. This prevents erroneous cases of authentication failure.

Proxy Server changes the case of additional characters, and as a result changes cookie content, when cookie text size is greater than 595 characters. (4572215)

Proxy Server cannot upload to root directory. (4608854)

It is now possible to upload a file to the root directory through Proxy Server.

Socks Server hangs. (4576106)

Socks Server no longer hangs when the administrator changes default settings to increase the number of worker threads or posted accepts.

Proxy Server on NT constantly restarts under heavy CPU load. (4579465)

Proxy Server on NT sends extra <CR><LF> in POST request. (4568138)

Proxy Server does not free 3 file descriptors at restart. (4561522)

The keep-alive HTTP header is taken into account by the CONNECT method. (4562943)

Socks Server crashes when requests require LDAP authentication. (4559696)

Socks Server cannot restart because bind to LDAP fails. (4540806)


Known Problems and Solutions

This section lists known problems with this release of Sun Java System Web Proxy Server 3.6 SP12. Information is organized into the following areas:

General



Note

The proxy does not cache content for a URL if the URL length is greater than 128 bytes.


There is a problem in TCP communication when the IE browser is used to connect to an IIS 6 server through Proxy Server 3.6 SP6. (6178476)

Workaround

Disable HTTP Keep-alive in the obj.conf file.

Proxy restarts constantly when LDAP server not available. (4537829)

On the Windows platform, if you start the proxy server before the LDAP server is started, the proxy server will constantly stop and restart.

Workaround

Make sure that the LDAP server is up and running before you start the proxy server.

Migration from earlier version of proxy to 3.6SP2 fails. (4766480)

If you migrate a proxy instance running on a previous version of the proxy server on which access control is enabled, to the Sun Java System Web Proxy Server 3.6 SP2 release, you might receive the following error message: "Expected entry in the ACL file not found."

Workaround

When you import a server from an earlier version, be sure to assign the same Server Identifier as was originally used to identify the server, otherwise you will experience problems with existing access control settings.

Traces in access logfile are not chronologically ordered. (4540631)

On the Windows platform, log file entries do not appear in chronological order.

Access control to log files on UNIX systems.

Workaround

Proxy access log files and error log files are regular UNIX files. These files belong to the UNIX user account that Proxy Server uses. If your log file content is highly confidential, use a dedicated UNIX user to run Proxy Server and set the proper permission mode to log files.

Change the log file permission mode to deny access to anybody but the owner:

$ chmod 600 access errors

$ ls -l access errors

-rw-------   1 <owner><group>      327 Apr  9 15:10 access

-rw-------   1 <owner><group>      258 Apr  9 16:29 errors
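The permission check above can be turned into a repeatable audit. The script below is an added example, not part of the original release notes; the function names are illustrative, and it assumes that rotated logs, if any, share the access/errors name prefix.

```shell
#!/bin/sh
# Added example (not from the release notes): audit Proxy Server log permissions.
# Assumption: rotated logs, if any, share the "access"/"errors" name prefix.

# perm_bits PATH: print the nine permission characters from `ls -ld`,
# e.g. "rw-------" (the leading file-type character is dropped).
perm_bits() {
    ls -ld "$1" | cut -c2-10
}

# owner_of PATH: print the owning user as shown by `ls -ld`.
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# audit_proxy_logs LOGDIR [EXPECTED_OWNER]
# Prints one finding per line. Returns 0 when clean, 1 otherwise.
audit_proxy_logs() {
    logdir=$1
    expected_owner=${2:-}
    findings=0
    seen=0

    if [ ! -d "$logdir" ]; then
        echo "NODIR $logdir"
        return 1
    fi

    # If group or others can write to the directory, they can rename or
    # replace the logs no matter what mode the files themselves carry.
    dbits=$(perm_bits "$logdir")
    case $dbits in
        ????w????|???????w?)
            echo "DIRMODE $dbits $logdir"
            findings=1
            ;;
    esac

    for f in "$logdir"/access* "$logdir"/errors*; do
        # A symlinked log can redirect writes; chmod would also follow it.
        if [ -L "$f" ]; then
            echo "SYMLINK $f"
            findings=1
            continue
        fi
        [ -f "$f" ] || continue     # unmatched glob or not a regular file
        seen=1

        # chmod 600 leaves no group or other bits: all six must be "-".
        fbits=$(perm_bits "$f")
        case $fbits in
            ???------) ;;
            *)
                echo "MODE $fbits $f"
                findings=1
                ;;
        esac

        # Optional: the logs should belong to the dedicated proxy user.
        if [ -n "$expected_owner" ]; then
            owner=$(owner_of "$f")
            if [ "$owner" != "$expected_owner" ]; then
                echo "OWNER $owner $f"
                findings=1
            fi
        fi
    done

    if [ "$seen" -eq 0 ]; then
        echo "NOLOGS $logdir"
        findings=1
    fi
    return "$findings"
}
```

Call it as audit_proxy_logs followed by the logs directory and, optionally, the dedicated proxy user; any output line is a finding, and the exit status is suitable for cron or a monitoring check.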

Admin GUI does not incorporate the newly introduced WebDAV methods. (4909301)

WebDAV support does not work properly when Access Control is turned On.

Workaround

Manually update the ACL file with the WebDAV method. The steps are as follows:

  1. Turn ACL On.
  2. Give permissions to read/write ACLs as required, and save.
  3. Open installation_directory/httpacl/generated_instance_name.acl.
  4. Include the WebDAV method in the respective ACLs (read methods in read ACLs and write methods in write ACLs).
  5. Save the file and restart the proxy instance.

HP-UX Platform Only

Problem 4954328. Proxy dumps core during stress test on HP-UX.

The proxy server crash is caused by insufficient configuration of the Operating System kernel tunable parameters. As of Sun Java System Web Proxy Server 3.6 SP4, the consumption of the file descriptors has increased because of the upgrade to LDAP C SDK 4.0.

Workaround

Increase the HP-UX Operating System kernel tunable parameters maxfiles and maxfiles_lim to 60000 or above.

Problem 4960127. Performance degradation from Sun Java System Web Proxy Server 3.6 SP3 to SP4.

This occurs with Sun Java System Web Proxy Server 3.6 SP4 when the SOCKS server is configured to use the local database. The use of this configuration is not recommended in production environments on HP-UX, but is fine in development environments, if desired.

Documentation Errors

Problem 6516290.

The following page has typographical errors.

http://docs.sun.com/source/816-6143-10/template.htm

The errors are in the examples provided in the section "Understanding Regular Expressions".

Workaround

The first example in the section "Understanding Regular Expressions" should be [a-z]*://[^:/]*\.abc\.com.* and not [a-z]*://[^:/]*\.abc\.com.*>.

The second example in the section "Understanding Regular Expressions" should be [a-z]*://([^.:/]*[:/]|.*\.local\.com).* and not [a-z]*://([^.:/]*[:/]|.*\.local\.com).*".

Problem 5001755.

The following page has incorrect directory names.

http://docs.sun.com/source/816-6143-10/start.htm

The incorrect directory paths are under the section "Restarting the Proxy Server".

Workaround

  1. The file should be /etc/rc2.d/S99proxy and not /ect/rc2.d/S99proxy (spelling of etc directory).
  2. /etc/rc2.d/S99proxy is a file and not a directory. This line should be changed to just include the /etc/rc2.d directory.
  3. The file is /etc/rc2.d/S99proxy and not /etc/re2.d/S99proxy (spelling of rc2.d directory).

Problem 6667122.

The following page has an enhancement. 

http://docs.sun.com/source/816-6143-10/encrypt.htm#1015838

The section "Tunneling SSL through the Proxy Server" has the following enhancement.

"With SSL, the data stream is encrypted, so the proxy has no access to the actual transaction. Consequently, the access log cannot list the status code or the header length received from the remote server. This also prevents the proxy, or any other third party, from eavesdropping on the transactions."

However, you can still use the following parameters with SSL in Service Pack 12.

Connect wait time %Req->vars.xfer-time-cwait%
Initial wait time %Req->vars.xfer-time-iwait%
Full wait time %Req->vars.xfer-time-fwait%

To set this up, %Req->vars.xfer-time-total% is required. In the Administration Server, select Server Settings -> Log Preferences -> Only log -> In milliseconds, and also log:. The server automatically adds the entries to log preferences.


How to Report Problems

If you have problems with Sun Java System Web Proxy Server, contact customer support at the following location:

http://www.sun.com/service/sunone/software/index.html

So that we can best assist you in resolving problems, please have the following information available when you contact support:


For More Information

For more information on Sun Java System Web Proxy Server, refer to the following:

http://docs.sun.com/app/docs/prod/webproxys#hic

- and -

http://www.sun.com/software/products/web_proxy/ds_web_proxy.html

Useful Sun Java System information can be found at the following locations:


Copyright © 2009 Sun Microsystems, Inc. All rights reserved.

Sun, Sun Microsystems, the Sun logo, Solaris, iPlanet, Java and the Java Coffee Cup logo are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. Use of Web Proxy Server is subject to the terms described in the license agreement accompanying it.

Netscape Navigator is a trademark or registered trademark of Netscape Communications Corporation in the United States and other countries.