iPlanet Web Proxy Server 3.6 Administrator's Guide - Unix Version



Chapter 6   Proxying and Routing URLs


This chapter describes how requests are handled by the proxy server. It also explains how to enable proxying for specific resources and to configure the proxy server to route URLs to different URLs or servers.



Enabling Proxying for a Resource



You can turn proxying on or off for resources. Resources can be individual URLs, groups of URLs with something in common, or an entire protocol. You can control whether proxying is on for the entire server, for various resources, or for resources as specified in a template file. This means you can deny access to one or more URLs by turning off proxying for that resource. This can be a global way to deny or allow all access to a resource. (You can also allow or deny access to resources by using URL filters. For more information on URL filters, see "Filtering URLs" on page 159.)

To enable proxying for a resource:

  1. In the Server Manager, choose Routing|Enable, Disable.

  2. Select the resource you want to configure by either choosing it from the Editing pull-down menu or clicking the Regular Expression button, entering a regular expression, and clicking OK.

  3. You can choose a default setting for the resource you specified. You can choose not to proxy that resource (disable proxying), or you can enable proxying of that resource.

    • Use default setting derived from a more general resource means that the settings for a more general resource that includes this one will be used for this resource.

    • Enable proxying of this resource means the proxy lets clients access this resource (provided they pass the other security and authorization checks). When you enable proxying for a resource, all methods are enabled. The read methods, including GET, HEAD, PUT, INDEX, POST, and CONNECT for SSL tunneling, and the write methods, including PUT, MKDIR, RMDIR, MOVE, and DELETE, are all enabled for that resource. Barring any other security checks, clients all have read and write access.

    • Do not proxy this resource means this resource cannot be reached through the proxy.

  4. Click OK.



Configuring Routing for a Resource

You can configure your proxy server to route certain resources using the derived default configuration or direct connections, or you can configure it to route through proxy arrays, an ICP neighborhood, another proxy server, or a SOCKS server. To configure routing for a resource:

  1. From the Server Manager, choose Routing|Routing.

    The Routing Configuration form appears.

  2. Select the resource you want to configure by either choosing it from the Editing pull-down menu or clicking the Regular Expression button, entering a regular expression, and clicking OK.

  3. Select the radio button for the type of routing you would like for the resource you are configuring. You can choose one of the following:

    • Derived default configuration means the proxy server uses a more general template (that is, one with a shorter, matching regular expression) to determine if it should use the remote server or another proxy. For example, if the proxy routes all http://.* requests to another proxy server and all http://www.* requests to the remote server, you could create a derived default configuration routing for http://www.netscape.* requests, which would then go directly to the remote server because of the setting for the http://www.* template.

    • Direct connections means the request will always go directly to the remote server instead of through the proxy.

    • Route through a SOCKS server means that requests for the specified resource will be routed through a SOCKS server. If you choose this option, you need to specify the name (or IP address) and the port number of the SOCKS server that the proxy server will route through.

    • Route through lets you specify whether you would like to route through a proxy array, ICP neighborhood, parent array, and/or proxy server. If you choose multiple routing methods here, the proxy will follow the hierarchy shown on the form (i.e. proxy array, parent array, ICP, another proxy). For more information on routing through a proxy server, see Chaining Proxy Servers.

      For information on routing through a SOCKS server, see Routing Through a SOCKS Server. For information on routing through proxy arrays, parent arrays, or ICP neighborhoods, see Chapter 9, "Caching."

  4. Click OK.
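
The derived default lookup described in step 3 can be modelled in a few lines, which helps when auditing which explicit template actually governs a resource. This Python sketch is an added example, not code from iPlanet Web Proxy Server. It assumes templates are regular expressions matched against the whole URL, that the longer matching expression is the more specific one, and that the server-wide value is a direct connection; the parent proxy host name is a placeholder.

```python
import re

# Constructed routing table modelled on the example in the text.
# None stands for "Derived default configuration"; the parent proxy
# host name is a placeholder, not a value from the product.
TEMPLATES = {
    r"http://.*": "another proxy parent.example.com:8080",
    r"http://www.*": "direct",
    r"http://www.netscape.*": None,
}


def effective_setting(url, templates, server_default="direct"):
    """Return (setting, template_that_supplied_it) for a URL.

    Assumption: a template applies when its regular expression matches
    the whole URL, and among matching templates the longer expression
    is the more specific one, so derivation walks from the longest to
    the shortest until it finds an explicit setting.
    """
    matching = [p for p in templates if re.fullmatch(p, url)]
    for pattern in sorted(matching, key=len, reverse=True):
        setting = templates[pattern]
        if setting is not None:
            return setting, pattern
    # No matching template carries an explicit setting, so the
    # server-wide value applies (assumed here to be "direct").
    return server_default, None


if __name__ == "__main__":
    for url in (
        "http://www.netscape.com/index.html",  # derived from http://www.*
        "http://home.example.org/",            # only http://.* matches
        "ftp://ftp.example.org/pub/",          # no template matches
    ):
        setting, source = effective_setting(url, TEMPLATES)
        print(f"{url:40} -> {setting} (from {source})")

    # Changing the general template silently changes every resource
    # that derives from it, which is the point to check in a review.
    changed = dict(TEMPLATES)
    changed[r"http://www.*"] = "another proxy parent.example.com:8080"
    print(effective_setting("http://www.netscape.com/", changed))
```
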



Chaining Proxy Servers

You can have the proxy access another proxy for some resources instead of accessing the remote server. This means you can chain proxies together. Chaining is a good way to organize several proxies behind a firewall. Chaining also lets you build hierarchical caching.

For example, you can chain departmental proxies within an organization to a main proxy server, as shown in Figure 6-1. In this figure, each proxy server has a small cache to which a specific group of users has access. Each proxy also has access to the proxy with the large cache. You can also set up several proxies in your organization so that each proxy server accesses and caches only specific files, such as one proxy that services HTTP requests and another that services FTP. Or, you might have one server that caches all files from the .com domain and another that caches all other files.

Figure 6-1    Chaining proxies together


To route through another proxy server:

  1. From the Server Manager, choose Routing|Routing.

    The Routing Configuration form appears.

  2. Select the resource you want to route by either choosing it from the Editing pull-down menu or clicking the Regular Expression button, entering a regular expression, and clicking OK.

  3. In the "Routing through another proxy" section of the form, select the radio button next to the text "Route through."

  4. Select the checkbox next to "another proxy."

  5. In the "another proxy" field, enter the name or IP address of the proxy server that you want to route through.

  6. In the port field, enter the port number for the proxy server you will be routing through.

  7. Click OK.



Routing Through a SOCKS Server

If you already have a remote SOCKS server running on your network, you can configure the proxy to connect to it for specific resources.

To route through a SOCKS server:

  1. From the Server Manager, choose Routing|Routing.

    The Routing Configuration form appears.

  2. Select the resource you want to route by either choosing it from the Editing pull-down menu or clicking the Regular Expression button, entering a regular expression, and clicking OK.

  3. Under the heading "Routing through another proxy," select the radio button next to "Route through SOCKS server."

  4. Specify the name (or IP address) and the port number of the SOCKS server that the proxy server will route through.

  5. Click OK.



    Note Once you have enabled routing through a SOCKS server, you should create proxy routes using the SOCKS v5 Routing form. Proxy routes identify the IP addresses that are accessible through the SOCKS server your proxy routes through. They also specify whether that SOCKS server connects directly to the host. For more information on creating proxy routes, see "Creating SOCKS v5 Routing Entries" on page 108.





Sending the Client's IP Address to the Server

Normally, the proxy server doesn't send the client's IP address to remote servers when making requests for documents. Instead, the proxy acts as the client and sends its IP address to the remote server. This is good protection if you don't want remote servers to know your internal IP addresses.

However, there are times when you might want to pass on the client's IP address:

  • If your proxy is one in a chain of internal proxies.

  • If your clients need to access servers that depend on knowing the client's IP address. You can use templates to send the client's IP address only to particular servers.

To configure the proxy to send client IP addresses:

  1. In the Server Manager, choose Routing|Client IP Address Forwarding.

  2. Choose the template you want to use, or choose the entire proxy server to always send the client's IP address.

  3. Choose an option to turn on IP address forwarding.

    By default, the proxy server doesn't send IP addresses, but if you have several proxies in a chain and one proxy forwards the IP address to another, the subsequent proxy will also forward the IP address if its option is set to either default or enabled. Choose enabled to have the proxy server forward the client's IP addresses. Choose blocked to never forward the IP address.

  4. You can specify an HTTP header for the proxy to use when forwarding IP addresses.

    The normal HTTP header is named Client-ip, but you can send the IP address in any header you choose.

  5. Click OK. Be sure to save and apply your changes.
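
A server or downstream proxy that receives the forwarded address has to decide when to believe it, because any client can put a Client-ip header of its own into a request. This Python sketch is an added example, not part of the product: it accepts the header only when the connection comes from a known proxy and the value is a single well-formed address. The trusted network and the sample requests are constructed; Client-ip is the default header name given above.

```python
import ipaddress

# Default header name from the text; the proxy can be configured to
# use a different one, so keep this in step with the proxy setting.
FORWARD_HEADER = "Client-ip"

# Constructed example: the addresses your own proxies connect from.
TRUSTED_PROXIES = [ipaddress.ip_network("10.1.0.0/28")]


def client_address(peer_ip, headers, trusted=TRUSTED_PROXIES,
                   header=FORWARD_HEADER):
    """Return (address, source) for a request.

    peer_ip  -- address of the TCP peer that sent the request
    headers  -- list of (name, value) pairs as received
    source   -- "header" if the forwarded address was accepted,
                "peer" if the connection address was used instead
    """
    peer = ipaddress.ip_address(peer_ip)

    # Only a known proxy may speak for another host.
    if not any(peer in net for net in trusted):
        return str(peer), "peer"

    # Header names are case-insensitive; collect every occurrence so
    # that a duplicated header is treated as ambiguous, not merged.
    values = [v for k, v in headers if k.lower() == header.lower()]
    if len(values) != 1:
        return str(peer), "peer"

    try:
        claimed = ipaddress.ip_address(values[0].strip())
    except ValueError:
        # Not a single valid IP address: ignore it.
        return str(peer), "peer"
    return str(claimed), "header"


if __name__ == "__main__":
    samples = [  # constructed requests
        ("10.1.0.5", [("Client-ip", "192.168.7.20")]),
        ("203.0.113.9", [("Client-ip", "192.168.7.20")]),
        ("10.1.0.5", [("Client-ip", "not-an-ip")]),
    ]
    for peer, hdrs in samples:
        print(peer, hdrs, "->", client_address(peer, hdrs))
```
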



Allowing Clients to Check IP Addresses

To maintain your network's security, your client may have a feature that restricts access to only certain IP addresses. So that your clients can use this feature, the proxy server provides support for Java IP Address Checking. This support enables your clients to query the proxy server for the IP address used to retrieve a resource. When this feature is enabled, a client can request that the proxy server send the IP address of the origin server, and the proxy server will attach the IP address in a header. Once the client knows the IP address of the origin server, it can explicitly specify that the same IP address be used for future connections.



Note Versions of Netscape Navigator prior to 5.0 do not support this feature.



To use Java IP address checking:

  1. From the Server Manager, choose Routing|Java IP Address Check. The Java IP Address Check form appears.

  2. Select the resource you want to apply IP address checking to by either choosing it from the Editing pull-down menu or clicking the Regular Expression button, entering a regular expression, and clicking OK.

  3. Select the radio button to either enable, disable or use the default configuration for Java IP address checking.



    Note The default option uses a derived default configuration from a more general template (that is, one with a shorter, matching regular expression) to determine whether Java IP address checking should be enabled or disabled.



  4. Click OK.



Disconnecting the Proxy from the Network

You can connect or disconnect the proxy server machine from the network. This feature makes it convenient to install the proxy on a portable machine that you can use for demonstrations.

When the proxy is disconnected from the network, documents are returned directly from the cache—the proxy can't do up-to-date checks, so the documents are retrieved very quickly (the documents might not be up to date; see Chapter  for more information on caching).

Also, if you are not connected to a network, connections never hang because the proxy server is aware that there is no network and never tries to connect to a remote server. You can use this no-network setting when the network is down but the proxy server machine is running.



Note Keep in mind that running the proxy disconnected from the network means that you will eventually be accessing stale data from the cache. Also, running without the network makes the proxy security features unnecessary.



iPlanet Web Proxy Server offers four network connectivity modes:

Default mode is derived from the configuration of the most general matching object.

Normal mode is the normal operating mode for the proxy. The proxy retrieves documents from the content server if they are not already in the cache. If they are in the cache, they may be checked against the content server to determine if they are up to date. If a cached file has changed, it is replaced with the current copy.

Fast-demo mode is intended for giving smooth demonstrations when the network is available. If a document is found in the cache, the content server is not contacted, not even to find out if the document has changed. This mode gets rid of any latency created by waiting for the content server to respond. If a document is not in the cache, it is retrieved from the content server and cached. The fast-demo mode has less latency than the normal mode, but can occasionally return stale data, because once it has a copy of a document, it doesn't do up-to-date checks on it.

No-network mode is designed for portable machines during the time they are not connected to the network. The proxy returns the document if it is in the cache or returns an error if it isn't. The proxy never tries to contact the content server, which prevents the proxy from hanging and timing out while trying to get a connection that doesn't exist.

To change the running mode for the proxy server:

  1. In the Server Manager, choose Routing|Connectivity Mode.

  2. Choose the template you want to use or choose to change the mode for the entire proxy server.

  3. Select the mode you want.

  4. Click OK.

Be sure to save and apply your changes.



Changing the Default FTP Transfer Mode



FTP has two different ways to establish a data connection between the FTP server and the client (the proxy acts as a client). The two modes are referred to as PASV (Passive) and PORT (Active) mode FTP.

  • PASV Mode (the default) means the data connection is initiated from the proxy server, and the FTP server accepts the connection. This is safer for the site running the proxy server because it doesn't have to accept inbound connections.

  • PORT Mode means the data connection is initiated by the remote FTP server, and the proxy accepts the incoming connection. If the proxy server is within a firewall, the firewall might block the incoming FTP data connection from the FTP server, which means the PORT mode might not work.

Some FTP sites run a firewall, which makes PASV mode non-functional for proxy servers. Because of this, the proxy server can be configured to use the PORT mode FTP. You can turn on PORT mode for the entire server, or you can turn it on only for specific FTP servers.



Note Even when PASV mode is on, the proxy server will use PORT mode if the remote FTP server doesn't support PASV mode.



If the proxy server is behind a firewall that makes the PORT mode FTP non-functional, you can't enable PORT mode. If default is selected for the resource, the proxy server uses the mode from a more general resource. If none is specified, PASV mode will be used.



Using Remote Access



Remote access allows sites that are connected to the Internet via a modem to use a proxy server between their internal networks and the Internet. The proxy server must be running on an NT server that is connected to the Internet via a modem and has an installed and configured RAS server running on it.



Note If you are using remote access and your proxy server is configured to use an LDAP server, the proxy server cannot start if the LDAP server is outside the local network.

SOCKS requests cannot trigger remote access.



To use remote access with your proxy server:

  1. Install and configure your RAS server. For instructions on installing and configuring a RAS server, see the online help for Windows NT.

  2. Configure remote access for the proxy server.

  3. Enable remote access.


Configuring Remote Access

To configure remote access for your proxy server:

  1. From the proxy server's Server Manager, choose Routing|Remote Access.

    The Remote Access form appears.

  2. In the User name field, enter the user name assigned by your Internet Service Provider that you use to dial out to the Internet.

  3. In the Password field, enter the password of the user specified in the User name field.

  4. In the Dial entry field, enter the name of the phonebook entry that you specified when configuring your RAS server.

  5. In the Minimum connect time field, enter the minimum number of minutes that the proxy should stay up once it is connected.

  6. In the Schedule section of the form, choose the days and times when the proxy server is allowed to dial out to the Internet. Use military time to specify the times. To specify a time range, place a hyphen between the start and end times (for example, 1000-2400).

  7. Click OK.


Enabling Remote Access

To enable remote access:

  1. From the Server Manager, choose Server Preferences|System Specifics.

    The System Specifics form appears.

  2. In the "Enable Remote Access" section of the form, select the Yes radio button.

  3. Click OK.



Mapping URLs to Other URLs

The Server Manager lets you map URLs to another server, sometimes called a "mirror" server. When a client accesses the proxy with a mirrored URL, the proxy retrieves the requested document from the mirrored server and not from the server specified in the URL. The client is never aware that the request is going to a different server. You can also redirect URLs; in this case, the proxy returns only the redirected URL to the client (and not the document), so the client can then request the new document. Mapping also allows you to map URLs to a file, as in PAC and PAT mappings.

To map a URL, you specify a URL prefix and where to map it. The following sections describe the various types of URL mappings.


Creating a URL Mapping

You can create four types of URL mappings:

  • Regular mappings map a URL prefix to another URL prefix. For example, you can configure the proxy to go to a specific URL anytime it gets a request that begins http://www.netscape.com.

  • Reverse mappings map a redirected URL prefix to another URL prefix. These are used with reverse proxies when the internal server sends a redirected response instead of the document to the proxy. See Chapter , "," for more information.

  • Regular expressions map all URLs matching the expression to a single URL. For example, you can map all URLs matching .*sex.* to a specific URL (perhaps one that explains why the proxy server won't let a user go to a particular URL). For more information on regular expressions, see "Understanding Regular Expressions" on page 44.

  • Client autoconfiguration maps URLs to a specific .pac file stored on the proxy server. For more information on autoconfiguration files, see Chapter , "."

  • Proxy array table (PAT) maps URLs to a specific .pat file stored on the proxy server. You should only create this type of mapping from a master proxy. For more information on PAT files and proxy arrays, see "Routing through Proxy Arrays" on page 138.

Clients accessing a URL are sent to a different location on the same server or on a different server. This is useful when a resource has moved or when you need to maintain the integrity of relative links when directories are accessed without a trailing slash.

For example, suppose you have a heavily loaded web server called hi.load.com that you want mirrored to another server called mirror.load.com. For URLs that go to the hi.load.com computer, you can configure the proxy server to use the mirror.load.com computer.

The source URL prefix must be unescaped, but in the destination (mirror) URL, only characters that are illegal in HTTP requests need to be escaped.



Caution

Do not use trailing slashes in the prefixes!



To create a URL mapping:

  1. In the Server Manager, choose URLs|Create Mappings.

  2. Choose the type of mapping you want to create.

  3. Type the URL prefix. For regular and reverse mappings, this should be the part of the URL you want to substitute.

    For regular expression mappings, the URL prefix should be a regular expression for all the URLs you want to match. If you also choose a template for the mapping, the regular expression will work only for the URLs within the template's regular expression. For more information on regular expressions, see "Understanding Regular Expressions" on page 44.

    For client autoconfiguration mappings and proxy array table mappings, the URL prefix should be the full URL the client accesses.

  4. Type a map destination.

    For all mapping types except client autoconfiguration and proxy array table, this should be the full URL to which to map. For client autoconfiguration mappings, this value should be the absolute path to the .pac file on the proxy server's hard disk. For proxy array table mappings, this value should be the absolute path to the .pat file on the master proxy's local disk.

  5. Click OK to create the mapping.


Editing Existing Mappings

To change your existing mappings:

  1. In the Server Manager, choose URLs|View/Edit Mappings.

    The View, Edit, or Remove URL Mappings form appears. You can edit the prefix, the mapped URL, and template that are affected by the mapping.

  2. To remove a mapping, click the mapping you want to change, then click the Remove link at the top of the form.

  3. Click OK to confirm your changes, or click Reset to undo them.


Redirecting URLs

You can configure the proxy server to return a redirected URL to the client instead of getting and returning the document. With redirection, the client is aware that the URL originally requested has been redirected to a different URL. The client usually requests the redirected URL immediately. Netscape Navigator automatically requests the redirected URL—the user doesn't have to explicitly request the document a second time.

URL redirection is useful when you want to deny access to an area because you can redirect the user to a URL that explains why access was denied.

To redirect one or more URLs:

  1. In the Server Manager, choose URLs|Redirections.

  2. Enter a source URL. Your source URL can be either a URL prefix or a regular expression.

    If you choose to use a URL prefix as the source, select the radio button next to the URL prefix field and enter a URL prefix. If you choose to use a regular expression as the source, you should select the radio button next to the Reg. expr. field and then enter a regular expression.



    Note If you use a regular expression as the source URL, you must use a fixed URL as the URL to which requests will be redirected.



  3. Enter a URL to redirect to. This URL can either be a URL prefix or a fixed URL. However, if your source URL is a regular expression, you must use a fixed URL as the URL to which to redirect.

    If you choose to use a URL prefix as the URL to redirect to, select the radio button next to the URL prefix field and enter a URL prefix. If you choose to use a fixed URL, select the radio button next to the Fixed URL field and enter a fixed URL.

  4. Click OK to create the mapping.



Specifying the SOCKS Name Server IP Address

If your proxy is configured to make its outbound connections through a SOCKS server, you may need to explicitly specify the IP address for the name server to be used with SOCKS.

You should specify the name server IP address if you are resolving outside host names with a DNS server other than an internal DNS service that is inside the firewall.

To specify the SOCKS name server IP address:

  1. In the Server Manager, choose Routing|SOCKS Name Server. The SOCKS Name Server Setting form appears.

  2. Enter the IP address of the DNS name server in the text field.

  3. Click OK.



    Note The feature that allows you to specify the SOCKS name server IP address was previously accessible only via the SOCKS_NS environment variable. If you set the environment variable and use the SOCKS Name Server Setting form to specify the name server IP address, the proxy will use the IP address specified on the form instead of the environment variable.





Client Autoconfiguration

If your proxy server supports many clients, you can use a client autoconfiguration file to configure all of your Netscape Navigator clients. The autoconfiguration file contains a JavaScript function that determines which proxy, if any, Navigator uses when accessing various URLs. For more information on this feature, see Chapter 11, "Using the Client Autoconfiguration File."


Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.

Last Updated September 27, 2001