|   | 
| Sun ONE Web Proxy Server 3.6 SP3 Administrator's Guide - NT Version | 
Appendix C Proxy Configuration Files
This appendix describes the directives and functions in the configuration files that iPlanet Web Proxy Server uses. You can configure iPlanet Web Proxy Server manually by editing the files directly.
The files that you use to configure the proxy are in a directory called server-root\proxy-id\config in your server root directory. Here's a brief description of each file described in this appendix:
- magnus.conf is the server's main technical configuration file. It controls aspects of the server operation not related to specific resources or documents, such as host name and port.
- obj.conf is the server's object configuration file. It controls access to the proxy server, and determines how documents are proxied and cached.
- socks5.conf is a file that contains the SOCKS server configuration. The SOCKS daemon is a generic firewall daemon that controls point-to-point access through the firewall.
- bu.conf is an optional file that contains batch update directives. You can use these to update many documents at once. You can time batch updates; for example, you can have them occur during off-peak hours to minimize the effect on the efficiency of the server.
- icp.conf is the Internet Cache Protocol (ICP) configuration file. It identifies the information about the parent and sibling servers in a proxy array that uses ICP.
- ras.conf is an optional file that contains information about how your proxy server uses remote access.
Other files that affect the proxy are explained elsewhere in this book:
- mime.types is the file the server uses to convert filename extensions such as .GIF into a MIME type like image/gif. This file is described in Chapter 17 "Configuring the Proxy Manually."
- admpw is the administrative password file. Its format is user:password. The password is DES-encrypted just like /etc/passwd. This file is described in Chapter 17 "Configuring the Proxy Manually." The admpw file is located in the server-root\admin-serv\config directory.
- autoconfig is a file in Netscape Navigator 2.0 JavaScript software that enables you to specify when to use the proxy. This file is described in Chapter 12 "Using the Client Autoconfiguration File."
- parray.pat is the Proxy Array Table file. The PAT file is an ASCII file used in proxy to proxy routing. It contains information about a proxy array; including the members' machine names, IP addresses, ports, load factors, cache sizes, etc. For more information on the syntax of the parray.pat file, see The parray.pat File.
- parent.pat is the Proxy Array Table file that contains information about an upstream proxy array. For more information on the syntax of the parent.pat file, see The parent.pat File.
The magnus.conf File
For each directive, this section provides the directive's characteristics, including the directive name, description, format for the value string, default value if the directive is omitted, and how many times the directive can be in the file. The directives are:
- Ciphers specifies which ciphers are enabled for your server.
- DNS specifies if the server does DNS lookups on clients who access the server.
- ErrorLog specifies the directory where the server logs its errors.
- LDAPConnPool specifies the number of persistent connections to the LDAP directory.
- LoadObjects specifies a startup object configuration file.
- Port defines the TCP port to which the server listens.
- RootObject defines the default server object.
- Security specifies whether SSL is enabled or disabled.
- ServerName defines the proxy host name.
- SSL3Ciphers specifies which encryption schemes are enabled.
- User specifies the proxy's Unix user account.
Ciphers
The Ciphers directive specifies the ciphers enabled for your server.
Syntax
Ciphers +rc4 +rc4export -rc2 -rc2export +idea +des +desede3
A + means the cipher is active, and a - means the cipher is inactive.
Valid ciphers are rc4, rc4export, rc2, rc2export, idea, des, desede3. Any cipher with export as part of its name is not stronger than 40 bits.
DNS
The DNS directive specifies whether the server performs DNS lookups on clients accessing the server. When a client connects to your server, the server knows the client's IP address but not its host name (for example, it knows the client as 198.95.251.30, rather than its host name www.a.com). The server will resolve the client's IP address into a host name for operations like access control, CGI, error reporting, and access logging.
If your server responds to many requests per day, you might want (or need) to stop host name resolution; doing so can reduce the load on the DNS or NIS server.
Syntax
DNS [on|off]
Default
DNS host name resolution is on as a default.
ErrorLog
The ErrorLog directive specifies the directory where the server logs its errors. You can also use the syslog facility. If errors are reported to a file (instead of syslog), then the file and directory in which the log is kept must be writable by whatever user account the server runs as.
Syntax
ErrorLog logfile
logfile can be a full path and filename or the keyword SYSLOG (which must be in all capital letters).
LDAPConnPool
The LDAPConnPool Directive specifies the number of persistent connections to maintain to the LDAP directory server. Creating these connections and binding to the directory on each one is an expensive operation. This setting establishes a reasonably sized pool of connections that will be shared among the proxy's request handler threads. Increase this value to allow more connections and to improve proxy performance if your directory server is not overloaded. Decrease the value if your directory server is very busy.
The default value for LDAPConnPool is 5.
LoadObjects
The LoadObjects directive specifies one or more object configuration files to use on startup; these files tell the server the kinds of URLs to proxy and cache. If any User directive is in the magnus.conf file, it must appear before the LoadObjects directive.
Although you can have more than one object configuration file, the proxy's administration forms work with only one file and assume that it is in the server root in server-root\proxy-id\config\obj.conf. If you use the online forms (or plan to), don't put the obj.conf file in any other directory and don't rename it.
Syntax
LoadObjects filename
filename is either the full pathname or a relative pathname. Relative pathnames are resolved from the directory specified with the -d command line flag. If no -d flag is given, the server looks in the current directory.
Port
The Port directive controls to which TCP port the server listens. If you choose a port number less than 1024, the server must be started as root or superuser. The port you choose also affects how the proxy users configure their browsers (they must specify the port number when accessing the proxy server). There should be only one Port directive in magnus.conf.
There are no official port numbers for proxy servers, but two commonly used numbers are 8080 and 8000.
Syntax
Port number
number is a whole number between 0 and 65535.
Default
Port 8080
RootObject
The RootObject directive tells the server which object loaded from an object file is the server default. The default object is expected to have all of the name translation directives for the server; any server behavior that is configured in the default object affects the entire server.
If you specify an object that doesn't exist, the server doesn't report an error until a client tries to retrieve a document.
Syntax
RootObject name
name is the name of an object defined in one of the object files loaded with a LoadObjects directive.
Default
There is no default if you do not specify a root object name; even if it is the "default" named object, you must specify "default." The administration forms assume you will use the default named object. Don't deviate from this convention if you plan to use the online forms.
Security
The Security directive tells the server whether encryption (Secure Sockets Layer version 2 or version 3 or both) is enabled or disabled.
If Security is set to on, and both SSL2 and SSL3 are enabled, then the server tries SSL3 encryption first. If that fails, the server tries SSL2 encryption.
Syntax
Security on|off
Default
By default, security is off.
ServerName
The ServerName directive tells the server what to put in the host name section of any URLs it sends back to the client. This affects redirections that you have set up using the online forms. Combined with the port number, this name is what all clients use to access the server.
You can have only one ServerName directive in magnus.conf.
Syntax
ServerName host
host is a fully qualified domain name such as myhost.iplanet.com.
Default
If ServerName isn't in magnus.conf, the proxy server attempts to derive a host name through system calls. If they don't return a qualified domain name (for example, they get myhost instead of myhost.iplanet.com), the proxy server won't start, and you'll get a message telling you to set this value manually, meaning put a ServerName directive in your magnus.conf file.
SSLClientAuth
The SSLClientAuth directive causes SSL3 client authentication on all requests.
Syntax
SSL3ClientAuth on|off
on directs that SSL3 client authentication be performed on every request, independent of ACL-based access control.
SSL2
The SSL2 directive tells the server whether Secure Sockets Layer, version 2 encryption is enabled or disabled. The Security directive dominates the SSL2 directive; if SSL2 encryption is enabled but the Security directive is set to off, then it is as though SSL2 were disabled.
Syntax
SSL2 on|off
Default
By default, security is off.
SSL3
The SSL3 directive tells the server whether Secure Sockets Layer, version 3 security is enabled or disabled. The Security directive dominates the SSL3 directive; if SSL3 security is enabled but the Security directive is set to off, then it is as though SSL3 were disabled.
Syntax
SSL3 on|off
Default
By default, security is off.
SSL3Ciphers
The SSL3Ciphers directive specifies the SSL3 ciphers enabled for your server.
Syntax
SSL3Ciphers +rc4 +rc4export -rc2 -rc2export +idea +des +desede3
A + means the cipher is active, and a - means the cipher is inactive.
Valid ciphers are rsa_rc4_128_md5, rsa3des_sha, rsa_des_sha, rsa_rc4_40_md5, rsa_rc2_40_md5, and rsa_null_md5. Any cipher with 40 as part of its name is 40 bits.
The obj.conf File
This section defines the obj.conf directives and describes their characteristics, including the directive name and description, format for the function string, default value if the directive is omitted, and how many instances of the directive can be in the file. The directives are:
- AddLog adds log entries to any log files.
- AuthTrans protects server resources from specific users.
- Connect provides a hook for you to call a custom connection function.
- DNS calls a custom DNS function you specify.
- Error sends customized error messages to clients.
- Init (a special directive) initializes server subsystems.
- NameTrans maps URLs to mirror sites and the local file system.
- ObjectType tags additional information to requests.
- PathCheck checks URLs after NameTrans.
- Service sends data and completes the requests.
AddLog
After the request is finished and the proxy server has stopped sending to and receiving from the client, the proxy server logs the transaction. The proxy server records information about every time a client tries to gain access to the content server through the proxy, and it records information about the client making the request.
Only one log file may be active at a time. The log file is created with the flex-init function. Options for the log many only be specified on the default object. All other objects may only specify status=on or status=off to indicate whether the object should be logged.
To log only the IP address of the client, and not the DNS name, the AddLog fn-flex-log function takes one more optional parameter: iponly=1. This optional parameter saves CPU cycles because the DNS name of the client host doesn't have to be resolved by contacting the DNS server:
AddLog fn=proxy-log name=access iponly=1
flex-log (starting proxy logging)
The flex-log function is an AddLog function that records request-specific data in the flexible, common, extended (used by most HTTP servers), or extended-2 log format. There are a number of free statistics generators for the common format, but the extended format gives more detailed information about the bytes transferred and the time elapsed. The extended-2 format provides as much information as the extended format, with additional kinds of information: the route through which the document was received as well as the finish status for the remote connection, the client connection, and the cache.
The log format is specified by the flex-init function call, described in "init-proxy (starting the network software for proxy)".
Syntax
AddLog fn=proxyflex-log
name=name status=on/offParameters
name (optional) gives the name of a log file, which must have been given as a parameter to the flex-init function of the Init directive.
iponly (optional) instructs the server not to look up the host name of the remote client but to record the IP address instead. The value of iponly can be anything, as long as it exists; the online forms set iponly="1". iponly is only valid on a default object.
Example
# Log all accesses to the central log file
AddLog fn=flex-log
# Log non-local accesses to another log file
<Client ip=*~198.93.9[2345].*>
AddLog fn=flex-log name=nonlocal
</Client>AuthTrans
AuthTrans is the Authorization Translation directive. Server resources can be protected so that accessing them requires the client to provide certain information about the person using the client program. This authorization information is "encoded" to prevent clients from authorizing themselves as different users.
The server analyzes the authorization of client users in two steps. First, it translates authorization information sent by the client, and then it requires that such authorization information be present. This is done in the hope that multiple translation schemes can be easily incorporated, as well as providing the flexibility to have resources that record authorization information but do not require it.
If there is more than one AuthTrans directive in an object, all functions will be applied. The AuthTrans directive has a function called proxy-auth.
proxy-auth (translating proxy authorization)
The proxy-auth function of the AuthTrans directive translates authorization information provided through the basic proxy authorization scheme. This scheme is similar to the HTTP authorization scheme but doesn't interfere with it, so using proxy authorization doesn't block the ability to authenticate to the remote server.
This function is usually used with the PathCheck fn=require-proxy-auth function.
Syntax
AuthTrans fn=proxy-auth auth-type=basic
dbm=full path nameAuthTrans fn=proxy-auth auth-type=basic
userfile=full path name
grpfile=full path nameParameters
auth-type specifies the type of authorization to be used. The type should be "basic".
dbm specifies the full path and base filename of the user database in the server's native format. The native format is a system DBM file, which is a hashed file format allowing instantaneous access to billions of users. If you use this parameter, don't use the userfile parameter.
userfile specifies the full pathname of the user database in the NCSA-style httpd user file format. This format consists of name:password lines where password is encrypted. If you use this parameter, don't use dbm.
grpfile (optional) specifies the NCSA-style httpd group file to be used. Each line of a group file consists of group:user1 user2...userN, where each user is separated by spaces.
Example
A Unix example:
AuthTrans fn=proxy-auth auth-type=basic
dbm=/usr/ns-home/proxy-EXAMPLE/userdb/rsA Windows NT example:
AuthTrans fn=proxy-auth auth-type=basic
userfile=\iplanet\server\proxy-EXAMPLE\.htpasswd
grpfile=\iplanet\server\proxy-EXAMPLE\.grpfileIt is possible to have authentication be performed by a user-provided function by passing the user-fn parameter to the proxy-auth function.
Syntax
AuthTrans fn=proxy-auth auth-type=basic
user-fn=your function
userdb=full path nameConnect
The Connect directive calls the connect function you specify.
Syntax
Connect fn=your-connect-function
Only the first applicable Connect function is called, starting from the most restrictive object. Occasionally it is desirable to call multiple functions (until a connection is established). The function returns REQ_NOACTION if the next function should be called. If it fails to connect, the return value is REQ_ABORT. If it connects successfully, the connected socket descriptor will be returned.
The Connect function must have this prototype:
int your_connect_function(pblock *pb, Session *sn, Request *rq);
Connect gets its destination host name and port number from:
rq->host (char *)
rq->port (int)The host can be in a numeric IP address format.
To use the NSAPI custom DNS class functions to resolve the host name, make a call to this function:
struct hostent *servact_gethostbyname(char *host name, Session *sn, Request *rq);
Example
This example uses the native connect mechanism to establish the connection:
#include "base/session.h"
#include "frame/req.h"
#include <ctype.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
int my_connect_func(pblock *pb, Session *sn, Request *rq)
{
struct sockaddr_in sa;
int sd;
memset(&sa, 0, sizeof(sa));
sa.sin_family = AF_INET;
sa.sin_port = htons(rq->port);
/* host name resolution */
if (isdigit(*rq->host))
sa.sin_addr.s_addr = inet_addr(rq->host);
else
{
struct hostent *hp = servact_gethostbyname(rq->host, sn, rq);
if (!hp)
return REQ_ABORTED; /* can't resolv */
memcpy(&sa.sin_addr, hp->h_addr, hp->h_lenght);
}
/* create the socket and connect */
sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (sd == -1)
return REQ_ABORTED; /* can't create socket */
if (connect(sd, (struct sockaddr *)&sa, sizeof(sa)) == -1) {
close(sd);
return REQ_ABORTED; /* can't connect */
}
return sd; /* ok */
}DNS
The DNS directive calls either the dns-config built-in function or a DNS function that you specify.
dns-config (suggest treating certain host names as remote)
Syntax
DNS fn=dns-config local-domain-levels=<n>
local-domain-levels specifies the number of levels of subdomains that the local network has. The default is 1.
Sun ONE Web Proxy Server optimizes DNS lookups by reducing the times of trying to resolve hosts that are apparently fully qualified domain names but which DNS would otherwise by default still try to resolve relative to the local domain.
For example, suppose you're in the iplanet.com domain, and you try to access the host www.xyzzy.com. At first, DNS will try to resolve:
www.xyzzy.com.iplanet.com
and only after that the real fully-qualified domain name:
www.xyzzy.com
If the local domain has subdomains, such as corp.iplanet.com, it would do the two additional lookups:
www.xyzzy.com.corp.iplanet.com
www.xyzzy.com.iplanet.comTo avoid these extra DNS lookups, you can suggest to the proxy that it treat host names that are apparently not local as remote, and it should tell DNS immediately not to try to resolve the name relative to the current domain.
If the local network has no subdomains, you set the value to 0. This means that only if the host name has no domain part at all (no dots in the host name) will it be resolved relative to the local domain. Otherwise, DNS should always resolve it as an absolute, fully qualified domain name.
If the local network has one level of subdomains, you set the value to 1. This means that host names that include two or more dots will be treated as fully qualified domain names, and so on.
An example of one level of subdomains would be the iplanet.com domain, with subdomains:
corp.iplanet.com
engr.iplanet.com
mktg.iplanet.comThis means that hosts without a dot, such as step would be resolved with respect to the current domain, such as engr.iplanet.com, and so the dns-config function would try this:
step.engr.iplanet.com
If you are on corp.iplanet.com but the destination host step is on the engr subdomain, you could say just:
step.engr
instead of having to specify the fully qualified domain name:
step.engr.iplanet.com
your-dns-function (a plug-in dns function you create)
This is a DNS-class function that you define.
Syntax
DNS fn=your-dns-function
Only the first applicable DNS function is called, starting from the most restrictive object. In the rare case that it is desirable to call multiple DNS functions, the function can return REQ_NOACTION.
The DNS function must have this prototype:
int your_dns_function(pblock *pb, Session *sn, Request *rq);
The DNS function looks for its parameter host name from:
rq->host (char *)
and it should place the resolved result into:
rq->hp (struct hostent *)
The struct hostent * will not be freed by the caller but will be treated as a pointer to a static area, as with the gethostbyname call. It is a good idea to keep a pointer in a static variable in the custom DNS function and on the next call either use the same struct hostent or free it before allocating a new one.
The DNS function returns REQ_PROCEED if it is successful, and REQ_NOACTION if the next DNS function (or gethostbyname, if no other applicable DNS class functions exist) should be called instead. Any other return value is treated as failure to resolve the host name.
Example
This example uses the normal gethostbyname call to resolve the host name:
#include "base/session.h"
#include "frame/req.h"
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
int my_dns_func(pblock *pb, Session *sn, Request *rq)
{
rq->hp = gethostbyname(rq->host);
if (rq->hp)
return REQ_PROCEED;
else
return REQ_ABORTED;}
Error
At any time during a request, conditions can occur that cause the server to stop fulfilling a request and to return an error to the client. When this happens, the server can send a short HTML page to the client, very generically describing the error.
To help you make error handling more user friendly, the proxy server lets you intercept certain errors and send a file with your customized error message in place of the server's default error message. You can create an HTML file containing the error message you want to send and associate that message with an error.
Syntax
Error fn=send-error code=code path=path
code is the error code for the default error message, as listed below.
path is the full path to the HTML file containing the message you want to send.
The following are errors returned by the server. Each error has a three-digit HTTP code that designates it, followed by a short description of the error. The description might help you write your custom error message, in some of the cases below:
- 401 Unauthorized (for administration forms only). The server requires HTTP user authorization to allow access to the administration forms, and either the client provided none or its HTTP authorization was insufficient. You can customize this error message only when you use Sun ONE Web Proxy Server as a reverse proxy.
- 403 Forbidden. The server tried to access a file or directory and found that the user it was running as didn't have sufficient permission to access the file. You can customize this error message.
- 404 Not Found. The client asked for a file system path that doesn't exist or the server was configured to tell the client that it doesn't exist. Since message this is not generated by proxy server, it cannot be customized.
- 407 Proxy Authorization Required. The proxy requires proxy authorization, and either the client didn't provide any or it was insufficient. Also, the client software might not support proxy authorization. Netscape Navigator version 1.1 or newer supports this authorization. This error message can be customized.
- 500 Server Error. Server errors mean that an error has occurred in the server that prevents it from finishing the request. Server errors mainly happen because of misconfiguration or machine resources such as swap space being exhausted. Since this message is not generated by proxy server, it cannot be customized.
Example
Error fn=send-error Code=403
path=/usr/ns-home/proxy-EXAMPLE/errors/403.htmlInit
Init is a special directive that initializes certain proxy subsystems such as the networking library, caching module, and access logging. The functions referenced with the Init directive load data for specific subsystems once on server startup and keep that data internally until the server is shut down.
Init lines can contain spaces at the beginning of the line and between the directive and value, but you shouldn't have spaces after the value because they might confuse the server. Long lines (although probably not necessary) can be continued with a backslash (\) continuation character before the line feed.
Caution!
If you are using iPlanet Web Proxy Server Manager online forms, you shouldn't use continuation lines in the obj.conf file. Instead, put each Init configuration entirely on a single line. If you are absolutely sure you will never use the online forms to edit the obj.conf file, you can use the \ character.
Syntax
Init fn=function-name [parm1=value1]...[parmN=valueN]
function-name identifies the server initialization function to call. These functions shouldn't be called more than once.
parm=value pairs are values for function-specific parameters. The number of parameters depends on the function you use. The order of the parameters doesn't matter. The functions of the Init directive listed here are described in detail in the following sections.
- flex-init initializes the flex-log flexible access logging feature
- icp-init initializes the ICP feature.
- init-batch-update initializes the batch update feature.
- init-cache enables and initializes caching.
- init-proxy initializes the networking code used by the proxy.
- init-ras initializes the remote access feature.
- init-urldb initializes the URL database that you specify.
- load-modules tells the server to load functions from a shared object file.
- load-types maps file extensions to MIME types.
Init function order in obj.conf
The Init functions are a series of steps that the server has to follow in order for the proxy to run. Each function depends on the results of the one before it:
- Start the proxy.
- Start the proxy's cache.
- Initialize the partitions inside the cache.
- Initialize the batch update process (which might be updating what's inside the partitions).
Calling Init functions
Some functions of the Init directive are crucial to proxy functioning and must be called once and only once. Others are optional but must be called no more than once, and some are optional and can be called many times. They are shown in Table 18-3
flex-init (starting the flex-log access logs)
The flex-init function initializes the flexible logging system. It opens the log file whose name is passed as a parameter and establishes a record format that is passed as another parameter. The log file stays open until the server is shut down, (at which time all logs are closed and reopened).
You use flex-init to specify a log filename then you use that name with the flex-log function in the obj.conf file to add a log entry to the file (such as AddLog fn=flex-log name=loghttp).
Note You can use AddLog to store transactions in more than one log file.
If you move, remove, or change the log file without shutting down or restarting the server, client accesses might not be recorded. To save or back up a log file on a Windows NT proxy server, you need to rename the file and then restart the server. The server uses the inode number, but when you do a soft restart, the server first looks for the filename, and if it doesn't find the log file, it creates a new one (the renamed original log file is left for you to use).
Parameters
The flex-init function recognizes two possible parameters: one that names the log file and one that specifies the components of a record in that file.
The flex-init function recognizes anything contained between percent signs (%) as the name portion of a name-value pair stored in a parameter block in your program. (The one exception to this rule is the %SYSDATE% component, which delivers the current system date.)
Any additional text is treated as literal text, so you can add to the line to make it more readable. Typical components of the formatting parameter are listed in Table 18-4. Certain components might contain spaces, so they should be bounded by escaped quotes (/")..
Example
This example for a Unix proxy server initializes flexible logging in to the file
/usr/ns-home/proxy-NOTES/logs/access:Init fn=flex-init access="" format.access=
"%Ses->client.ip% - %Req->vars.auth-user% [%SYSDATE%] /"%Req->reqpb.proxy-request%/"
%Req->srvhdrs.clf-status% %Req->vars.p2c-c1%"This example for a Windows NT proxy server initializes flexible logging in to the file iplanet\server\proxy-NOTES\logs\access:
Init fn=flex-init access="\iplanet\server\proxy1\logs\access" format.access=
"%Ses->client.ip% - %Req->vars.auth-user% [%SYSDATE%] /"%Req->reqpb.proxy-request%/"
%Req->srvhdrs.clf-status% %Req->vars-p2c-c1%"This will log the following items:
- IP or host name, followed by the three characters " - "
- the user name, followed by the two characters " ["
- the system date, followed by the two characters "] "
- the full request, followed by a single space
- the full status, followed by a single space
- the content length
This is the default format, which corresponds to the Common Log Format (CLF).
The first six elements of any log should always be in exactly this format, because a number of log analyzers expect that as output.
icp-init (initializes ICP)
The icp-init function enables and initializes ICP. ICP (Internet Cache Protocol) is an object location protocol that enables caches to communicate with one another. Caches can use ICP to send queries and replies about the existence of cached URLs and about the best locations from which to retrieve those URLs.
Syntax
Init fn="icp.init"
config_file="file name"
status="on|off"Parameters
config_file is the name of the ICP configuration file.
status specifies whether ICP is enabled or disabled. Possible values are:
- on means that ICP is enabled.
- off means that ICP is disabled.
Example
Init fn="icp.init"
config_file="icp.conf"
status="on"init-batch-update (starting batch updates)
The init-batch-update function starts and specifies a configuration file for batch updating. Batch updating (or similarly, autoloading) is the process of loading frequently requested objects into the proxy cache in anticipation of those requests.
Batch updating is useful for a number of tasks. A proxy administrator might want to perform up-to-date checks during low-usage hours on all the cached objects to avoid doing these checks when usage is heavier. If a site has heavy daytime usage but little in the evening, the batch update could run in the evening. The process can converse with remote servers and update any objects that have been modified.
At larger sites with a network of servers and proxies, you, as the administrator, might want to use autoloading to "inhale" (pre-load into the cache) a given area of the web. You provide an initial URL, and the batch process does a recursive ("worm") descent across links in the document. Because this function can be a burden on remote servers, be careful when using it. Measures are taken to keep the process from performing recursion indefinitely, and the parameters in bu.conf give you some control of this process. You could also use this functionality to update proxies to compensate for any unexpected changes in a company-wide directory index.
Syntax
Init fn=init-batch-update
status=on|off
conf-file="absolute filename"Parameters
status enables or disables batch updating.
- on means batch updating will be started, and the update function expects to find a configuration file (otherwise it will abort).
- off means no batch updating or autoloading activity will occur.
conf-file is the pathname to the batch update (autoload) configuration file.
Example
A Unix example:
Init fn=init-batch-update
status=on
conf-file=""A Windows NT example:
Init fn=init-batch-update
status=on
conf-file="\iplanet\server\java-proxy\config\bu.conf"init-cache (starting the caching system)
The init-cache function enables and initializes the cache and starts the caching system. Calling this function is crucial if you want to use caching; otherwise it is optional and must be called only once.
Syntax
For Windows NT version:
Init fn=init-cache
status=on|offParameters
status enables or disables caching.
- on enables caching
- off disables caching
Example
Init fn=init-cache
status=on
dir=/usr/ns-home/cache
ndirs=8init-proxy (starting the network software for proxy)
The init-proxy function initializes the networking software used by the proxy. Calling this function in obj.conf is crucial (even though it is called automatically, you should call it manually as a safety measure).
Syntax
Init fn=init-proxy
timeout=seconds
sig="Some readable name"
anon-pw="e-mail address"
java-ip-check=yes|noParameters
timeout is the number of seconds of delay allowed between consecutive network packets received from the remote server. If the delay exceeds the timeout, the connection is dropped. The default is 120 seconds (2 minutes). This is not the maximum time allowed for an entire transaction, but the delay between the packets. For example, the entire transaction can last 15 minutes, as long as at least one packet of data is received before each timeout period.
sig is the signature (trailer) that the proxy appends to its error messages. By default, it contains the proxy host name and the port number. If your site does not want to send that information out or perhaps gives more descriptive names to proxies, you can use sig to do that.
anon-pw is the email address to send to anonymous FTP servers as the password. This information can be used by FTP sites to later send notifications to people who downloaded files from their FTP site. Using this option overrides the default that the proxy will derive from its current execution environment (which could be, for example, "nobody@your.site").
java-ip-check specifies whether Java IP address checking is enabled for your proxy server. Java IP address checking allows your clients to query the proxy server for the IP address used to retrieve a resource. When this parameter is set to "yes," a client can request that the proxy server send the IP address of the origin server, and the proxy server will attach the IP address in a header. Once the client knows the IP address of the origin server, it can explicitly specify that the same IP address be used for future connections.
Note Versions of Netscape Navigator prior to 5.0 do not support this feature.
Example
Init fn=init-proxy
log-format=extended-2
timeout=120
sig="Main proxy gateway"
anon-pw="webmaster@your.site"
java-ip-check=noinit-proxy-auth (specifying the authentication strategy)
The init-proxy-auth function tells the proxy server whether it should require authentication from clients as a proxy, or reverse proxy (web server). If the obj.conf file does not call this function, the server will automatically act as a proxy requiring authentication.
Syntax
Init fn=init-proxy-auth
pac-auth=on|offParameters
pac-auth specifies whether local files (PAC files, local icons, etc.) are password-protected.
- on means that local files are password-protected and require authentication. This setting has no effect if access control is not enabled for your proxy server. If you set pac-auth to yes, and proxy authentication is enabled, users will be prompted for their password twice.
- off means that local files do not require authentication.
Example
Init fn=init-proxy-auth
pac-auth=yesinit-ras (starting remote access)
The init-ras function enables and initializes the remote access feature of Sun ONE Web Proxy Server. This function only needs to be in the obj.conf file if you are using remote access.
Syntax
Init fn="init-ras"
ras-conf-file="file name"
instance="server name"Parameters
ras-conf-file is the name of the remote access configuration file. If your remote access file is in the config directory, you can just specify the file name. If it is not in the config directory, you must specify the full path of the file.
instance is the name of the server instance.
Example
Init fn="init-ras"
ras-conf-file="ras.conf"
instance="proxy1"load-modules (loading shared object modules)
You can use the load-modules function to tell the server to load the functions you need from the shared object. Calling the load-modules function is crucial to proxy function.
Unix allows shared libraries, which are archives of multiple functions packed into a single file (with a .so suffix). If you want to link in functions from shared libraries you have created, use this function to pass required information to the server. To do this, you have to tell the main executable where the shared library file resides and the names of the functions to be loaded (which are indexed by name in the .so file).
Binaries referring to functions in the shared libraries you specify dynamically load the individual functions at runtime (without loading the entire library).
To register SAF classes with the server you could use this:
Init fn=load-modules shlib=/your/lib.so funcs=alpha,beta,alpha-beta
where alpha, beta, and alpha-beta represent the functions alpha(), beta(), and alpha_beta() from the shared library /your/lib.so. Note the correlation between hyphens and underscores (where the configuration files use hyphens, C code uses underscores).
You can call those functions as you normally would; for example, to call the C function alpha_beta() you would use:
Connect fn=alpha-beta
Syntax
Init fn=load-modules
shlib=[path]filename.so
funcs="function1, function2, ..., functionN"Parameters
shlib is the full path and filename of the shared object library containing the functions of interest.
funcs is a list of functions in the shared library to be dynamically loaded.
Example
A Unix example:
Init fn=load-modules
shlib=
funcs="func1, func2"A Windows NT example:
Init fn=load-modules
shlib=C:\Iplanet\server\myfolder\func.so
funcs="func1, func2"load-types (loading MIME-type mappings)
The load-types function scans a file that tells it how to map filename extensions to MIME types. MIME types are essential for network navigation software like Netscape Navigator to tell the difference between file types. For example, they are used to tell an HTML file from a GIF file. See The mime.types File for more information.
Calling this function is crucial if you use iPlanet Web Proxy Server Manager online forms or the FTP proxying capability.
Syntax
Init fn=load-types
mime-types="mime.types"This function loads the MIME type file mime.types from the configuration directory (the same directory as magnus.conf and obj.conf). This function call is mandatory and in practice is always as shown in the syntax.
Parameters
mime-types specifies either the full path to the global MIME types file or a filename relative to the server configuration directory. The proxy server comes with a default file called mime.types.
local-types is an optional parameter to a file with the same format as the global MIME types file, but it is used to maintain types that are applicable only to your server.
Example
Init fn=load-types mime-types=mime.types
Init fn=load-types mime-types=/tp/mime.types \
local-types=local.typespa-init-parent-array (initializing a parent array member)
The pa-init-parent-array function initializes a parent array member and specifies information about the PAT file for the parent array of which it is a member.
Note The load modules directive should come before the pa-init-proxy-array function in the obj.conf file.
Syntax
Init fn=pa-init-parent-array
set-status-fn=pa-set-member-status
poll="yes|no"
file="absolute filename"
pollhost="host name"
pollport="port number"
pollhdrs="absolute filename"
pollurl="url"
status="on|off"Parameters
set-status-fn specifies the function that sets the status for the member.
poll tells the array member whether or not it needs to poll for a PAT file.
- yes means that the member should poll for the PAT file. A member should only poll for a PAT file if it is not the master proxy. The master proxy has a local copy of the PAT file, and therefore, does not need to poll for it.
- no means that the member should not poll for the PAT file. A member should not poll for the PAT file if it is the master proxy.
file is the full pathname of the PAT file.
pollhost is the host name of the proxy to be polled for the PAT file. This parameter only needs to be specified if the poll parameter is set to yes, meaning that the member is not the master proxy.
pollport is the port number on the pollhost that should be contacted when polling for the PAT file. This parameter only needs to be specified if the poll parameter is set to yes, meaning that the member is not the master proxy.
pollhdrs is the full pathname of the file that contains any special headers that must be sent with the HTTP request for the PAT file. This parameter is optional and should only be specified if the poll parameter is set to yes, meaning that the member is not the master proxy.
pollurl is the URL of the PAT file to be polled for. This parameter only needs to be specified if the poll parameter is set to yes, meaning that the member is not the master proxy.
status specifies whether the parent array member is on or off.
- on means that the member is on.
- off means that the member is off.
Example
The following example tells the member not to poll for the PAT file. This example would apply to a master proxy.
Init fn=pa-init-parent-array
poll="no"
file="c:/iplanet/server/bin/proxy/pa1.pat"The following example specifies that the member should poll for a PAT file. This member is not the master proxy.
Init fn=pa-init-parent-array
poll="yes"
file="c:/iplanet/server/bin/proxy/pa2.pat"
pollhost="proxy1"
pollport="8080"
pollhdrs="c:/iplanet/server/proxy-name/parray/pa2.hdr"
status="on"
set-status-fn=set-member-status
pollurl="/pat"pa-init-proxy-array (initializing a proxy array member)
The pa-init-proxy-array function initializes a proxy array member and specifies information about the PAT file for the array of which it is a member.
Note The load modules directive should come before the pa-init-proxy-array function in the obj.conf file.
Syntax
Init fn=pa-init-proxy-array
set-status-fn=pa-set-member-status
poll="yes|no"
file="absolute filename"
pollhost="host name"
pollport="port number"
pollhdrs="absolute filename"
pollurl="url"
status="on|off"Parameters
set-status-fn specifies the function that sets the status for the member.
poll tells the array member whether or not it needs to poll for a PAT file.
- yes means that the member should poll for the PAT file. A member should only poll for a PAT file if it is not the master proxy. The master proxy has a local copy of the PAT file, and therefore, does not need to poll for it.
- no means that the member should not poll for the PAT file. A member should not poll for the PAT file if it is the master proxy.
file is the full pathname of the PAT file.
pollhost is the host name of the proxy to be polled for the PAT file. This parameter only needs to be specified if the poll parameter is set to yes, meaning that the member is not the master proxy.
pollport is the port number on the pollhost that should be contacted when polling for the PAT file. This parameter only needs to be specified if the poll parameter is set to yes, meaning that the member is not the master proxy.
pollhdrs is the full pathname of the file that contains any special headers that must be sent with the HTTP request for the PAT file. This parameter is optional and should only be specified if the poll parameter is set to yes, meaning that the member is not the master proxy.
pollurl is the URL of the PAT file to be polled for. This parameter only needs to be specified if the poll parameter is set to yes, meaning that the member is not the master proxy.
status specifies whether the parent array member is on or off.
- on means that the member is on.
- off means that the member is off.
Example
The following example tells the member not to poll for the PAT file. This example would apply to a master proxy.
Init fn=pa-init-proxy-array
poll="no"
file="c:/iplanet/server/bin/proxy/pa1.pat"The following example specifies that the member should poll for a PAT file. This member is not the master proxy.
Init fn=pa-init-proxy-array
poll="yes"
file="c:/iplanet/server/bin/proxy/pa2.pat"
pollhost="proxy1"
pollport="8080"
pollhdrs="c:/iplanet/server/proxy-name/parray/pa2.hdr"
status="on"
set-status-fn=set-member-status
pollurl="/pat"NameTrans
NameTrans is the name translation directive, which maps URLs to mirror sites and to the local file system (for the online forms). NameTrans directives should appear in the root object (the "default" object), although you can put them elsewhere. If an object has more than one NameTrans directive, the server applies each name translation function until one succeeds and then modifies the URL to either a mirror site URL or to a full file system path.
assign name (associating templates with path)
The assign-name function associates the name of a configuration object with a path specified by a regular expression. It always returns REQ_NOACTION.
Syntax
NameTrans fn=assign-name
from=regular expression
name=named objectParameters
from specifies a pattern, presented as a regular expression,. that specifies a path to be affected.
name is the name of the configuration object to associate with the path.
Example
NameTrans fn=assign-name
name=personnel from=/httpd/docs/pers*map (mapping URLs to mirror sites)
The map function of the NameTrans directive looks for a certain URL prefix in the URL that the client is requesting. If map finds the prefix, it replaces the prefix with the mirror site prefix. When you specify the URL, don't use trailing slashesthey cause "Not Found" errors.
Syntax
NameTrans fn=map
from="site prefix"
to="site prefix"
name="named object"Parameters
from is the prefix to be mapped to the mirror site.
to is the mirror site prefix.
name (optional) gives a named object from which to derive the configuration for this mirror site.
Example
# Map site http://home.iplanet.com/ to mirror site http://mirror.com
NameTrans fn=map from="http://home.iplanet.com"
to="http://mirror.com"pac-map (mapping URLs to a local file)
The pac-map function maps proxy-relative URLs to local files that are delivered to clients who request configuration.
Syntax
NameTrans fn=pac-map
from=URL
to=prefix
name=named objectParameters
from is the proxy URL to be mapped.
to is the local file to be mapped to.
name (optional) gives a named object (template) from which to derive configuration.
Example
NameTrans fn=pac-map
from=http://home.iplanet.com
to=index.html
name=filepat-map (mapping URLs to a local file)
The pat-map function maps proxy-relative URLs to local files that are delivered to proxies who request configuration.
Syntax
NameTrans fn=pat-map
from=URL
to=prefix
name=named objectParameters
from is the proxy URL to be mapped.
to is the local file to be mapped to.
name (optional) gives a named object (template) from which to derive configuration.
Example
NameTrans fn=pat-map
from=http://home.iplanet.com
to=index.html
name=filepfx2dir (replacing path prefixes with directory names)
The pfx2dir function looks for a directory prefix in the path and replaces the prefix with a real directory name. Don't use trailing slashes in either the prefix or the directory.
Syntax
NameTrans fn=pfx2dir
from=prefix
dir=directory
name=named objectParameters
from is the prefix to be mapped.
dir is the directory that the prefix is mapped to.
name (optional) gives a named object (template) from which to derive configuration for this mirror site.
Example
NameTrans fn=pfx2dir
from=/icons
dir=c:/iplanet/suitespot/ns-iconsObjectType
The ObjectType directives tag additional information to the requests, such as caching information and whether another proxy should be used.
If there is more than one ObjectType directive in an object, the directives are applied in the order they appear. If a directive sets an attribute and a later directive tries to set that attribute to something else, the first setting is used and the subsequent one is ignored.
cache-enable (enabling caching)
The cache_enable function tells the proxy that an object is cacheable, based on specific criteria. As an example, if it appears in the object
<Object ppath="http://.*">, then all the HTTP documents are considered cacheable, as long as other conditions for an object to be cacheable are met.Syntax
ObjectType fn=cache-enable
cache-auth=0|1
query-maxlen=number
min-size=number
max-size=number
log-report=feature
cache-local=0|1Parameters
cache-enable tells the proxy that an object is cacheable. As an example, if it appears in the object <Object ppath="http://.*">, then all HTTP documents are considered cacheable (as long as other conditions for an object to be cacheable are met).
cache-auth specifies whether to cache items that require authentication. If set to 1, pages that require authentication can be cached also. If not specified, defaults to 0.
query-maxlen specifies the number of characters in the query string (the "?string" part at the end of the URL) that are still cacheable. The same queries are rarely repeated exactly in the same form by more than one user, and so caching them is often not desirable. That's why the default is 0.
min-size is the minimum size, in kilobytes, of any document to be cached. The benefits of caching are greatest with the largest documents. For this reason, some people prefer to cache only larger documents.
max-size represents the maximum size in kilobytes of any document to be cached. This allows users to limit the maximum size of cached documents, so no single document can take up too much space.
log-report is used to control the feature that reports local cache accesses back to the origin server so that content providers get their true access logs.
cache-local is used to enable local host caching, that is, URLs without fully qualified domain names, in the proxy. If set to 1, local hosts are cached. If not specified, it defaults to 0, and local hosts are not cached.
Example
The following example of cache-enable allows you to enable caching of objects matching the current resource. This applies to normal, non-query, non-authenticated documents of any size. The proxy requires that the document carries either last-modified or expires headers or both, and that the content-type reported by the origin server (if present) is accurate.
ObjectType fn=cache-enable
The example below is like the first example, but it also caches documents that require user authentication, and it caches queries up to five characters long. The cache-auth=1 indicates that an up-to-date check is always required for documents that need user authentication (this forces authentication again).
ObjectType fn=cache-enable
cache-auth=1
query-maxlen=5The example below is also like the first example, except that it limits the size of cache files to a range of 2 KB to 1 MB.
ObjectType fn=cache-enable
min-size=2
max-size=1000cache-setting (specifying caching parameters)
cache-setting is an ObjectType function that sets parameters used for cache control. Defaults for these settings are provided through the init-cache function, described on page 347.
This function is used to explicitly cache (or not cache) a resource, create an object for that resource, and set the caching parameters for the object.
Syntax
ObjectType fn=cache-setting
max-uncheck=seconds
lm-factor=factor
connect-mode=always|fast-demo|neverParameters
max-uncheck (optional) is the maximum time in seconds, allowed between consecutive up-to-date checks. If set to 0 (default), a check is made every time the document is accessed, and the lm-factor has no effect.
lm-factor (optional) is a floating point number representing the factor used in estimating expiration time (how long a document might be up to date based on the time it was last modified). The time elapsed since the last modification is multiplied by this factor, and the result gives the estimated time the document is likely to remain unchanged. Specifying a value of 0 turns off this function, and then the caching system uses only explicit expiration information (rarely available). Only explicit Expires HTTP headers are used. This value has no effect if max-uncheck is set to 0.
connect-mode specifies network connectivity and can be set to these values:
- always (default) connects to remote servers when necessary.
- fast-demo connects only if the item isn't found in the cache.
- never no connection to a remote server is ever made; returns an error if the document is not found in the cache.
term-percent means to keep retrieving if more than the specified percentage of the document has already been retrieved.
Example
<Object ppath="http://.*">
ObjectType fn=cache-enable
ObjectType fn=cache-setting max-uncheck="7200"
ObjectType fn=cache-setting lm-factor="0.020"
ObjectType fn=cache-setting connect-mode="fast-demo"
Service fn=proxy-retrieve
</Object>
# Force check every time
ObjectType fn=cache-setting max-uncheck=0
# Check every 30 minutes, or sooner if changed less than
# 6 hours ago (factor 0.1; last change 1 hour ago would
# give 6-minute maximum check interval).
ObjectType fn=cache-setting max-uncheck=1800 lm-factor=0.1
# Disable caching of the current resource
ObjectType fn=cache-setting cache-mode=nothingforce-type (assigning MIME types to objects)
The force-type function assigns a type to objects that do not already have a MIME type. This is used to specify a default object type.
Syntax
ObjectType fn=force-type
type=text/plain
enc=encoding
lang=languageParameters
type is the type to assign to matching files.
enc (optional) is the encoding given to matching files.
lang (optional) is the language assigned to matching paths.
Example
ObjectType fn=force-type
type=text/plainObjectType fn=force-type
lang=en_UShttp-config (using keep-alive feature)
http-config is an ObjectType function that lets the proxy use the HTTP keep-alive feature between the client and the proxy server, and between the proxy server and the remote server.
Syntax
ObjectType fn=http-config a
keep-alive=on|offParameters
on enables this keep-alive feature.
off disables the keep-alive feature, and is the default.
The keep-alive feature lets several requests be sent through the same connection.
Using this feature could actually degrade performance if the proxy is heavily loaded and it receives a lot of new requests every second and the network can establish connections fairly quickly. The reason for this degradation is that every connection is kept by the server for several seconds after the request processing has finished, even if the client doesn't happen to send a new request.
If connections to the proxy server take a long time to establish, or if the connection simply hangs, this feature should be disabled to reduce the total number of active connections.
Example
ObjectType fn=http-config keep-alive=on
java-ip-check (checking IP addresses)
The java-ip-check function allows clients to query the proxy server for the IP address used to rerouted a resource. Because DNS spoofing often occurs with Java Applets, this feature enables clients to see the true IP address of the origin server. When this features is enabled, the proxy server attaches a header containing the IP address that was used for connecting to the destination origin server.
Syntax
ObjectType fn=java-ip-check
status=on|offParameters
status specifies whether Java IP address checking is enabled or not. Possible values are:
- on means that Java IP address checking is enabled and that IP addresses will be forwarded to the client in the form of a document header. On is the default setting.
- off means that Java IP address checking is disabled.
type-by-extension (determining file information)
The type-by-extension function uses file extensions to determine information about files. (Extensions are strings after the last period in a file name.) This matches an incoming request to extensions in the mime.types file. The MIME type is added to the "content-type" header sent back to the client. The type can be set to internal server types that have special results when combined with function you write using the server plug-in API.
Syntax
ObjectType fn=type-by-extension
Parameters
None.
Example
ObjectType fn=type-by-extension
PathCheck
The PathCheck directives check the URL that is returned after all of the NameTrans directives finish running. Local file paths (with the administration forms) are checked for elements such as ../ and //, and then any access restriction is applied.
If an object has more than one PathCheck directive, all of the directives will be applied in the order they appear.
check-acl (attaching an ACL to an object)
The check-acl function attaches an Access Control List to the object in which the directive appears. Regardless of the order of PathCheck directives in the object, check-acl functions are executed first, and will cause user authentication to be performed if required by the specified ACL, and will also update the access control state.
Syntax
PathCheck fn=check-acl
acl="ACL name"
bong-file=path nameParameters
acl is the name of an Access Control List.
bong-file (optional) is the path name for a file that will be sent if this ACL is responsible for denying access.
Example
PathCheck fn=check-acl
acl="HRonly"deny-service (denying client access)
The deny-service function is a PathCheck function that sends a "Proxy Denies Access" error when a client tries to access a specific path. If this directive appears in a client region, it performs access control on the specified clients.
The proxy specifically denies clients instead of specifically allowing them access to documents (for example, you don't configure the proxy to allow a list of clients). The "default" object is used when a client doesn't match any client region in objects, and because the "default" object uses the deny-service function, no one is allowed access by default.
Syntax
PathCheck fn=deny-service path=.*someexpression.*
Parameters
path is a regular expression representing the path to check. Not specifying this parameter is equivalent to specifying *. URLs matching the expression are denied access to the proxy server.
Example
<Object ppath="http://iplanet/.*">
# Deny servicing proxy requests for fun GIFs
PathCheck fn=deny-service path=.*fun.*.gif
# Make sure nobody except Iplanet employees can use the object
# inside which this is placed.
<Client dns=*~.*.iplanet.com>
PathCheck fn=deny-service
</Client>
</Object>find-index (determining if requested path is a directory)
The find-index function investigates whether the requested path is a directory. If it is, the function searches for an index file in the directory, and then changes the path to point to the index file. If no index file is found, the server generates a directory listing.
Syntax
PathCheck fn=find-index
index-names=index file namesParameters
index-names is a comma-separated list of index file names to look for. Use spaces only if they are part of a file name.
Example
PathCheck fn=find-index
index-names=index.html,home.htmlrequire-proxy-auth (requiring proxy authentication)
The require-proxy-auth function is a PathCheck function that makes sure that users are authenticated and triggers a password pop-up window.
Syntax
PathCheck fn=require-proxy-auth
auth-type=basic
realm=name
auth-group=group
auth-users=nameParameters
auth-type specifies the type of authorization to be used. The type should be "basic" unless you are running a Unix proxy and are going to use your own function to perform authentication.
realm is a string (enclosed in double-quotation marks) sent to the client application so users can see what object they need authorization for.
auth-user (optional) specifies a list of users who get access. The list should be enclosed in parentheses with each user name separated by the pipe | symbol.
auth-group (optional) specifies a list of groups that get access. Groups are listed in the password-type file.
Example
PathCheck fn=require-auth
auth-type=basic
realm="Marketing Plans"
auth-group=mktg
auth-users=(jdoe|johnd|janed)unix-uri-clean (denying access to certain URLs)
The unix-uri-clean function denies access to any requested URL that contains
/./, /../ or // (these URLs are potential security problems). If you use scripts with these elements in paths, use the find-pathinfo function (described in the next section) before unix-uri-clean.Syntax
PathCheck fn=unix-uri-clean
Parameters
None.
Example
PathCheck fn=unix-uri-clean
url-check (checking URL syntax)
The url-check function checks the validity of URL syntax.
Route
The Route directive specifies information about where the proxy server should route requests.
icp-route (routing with ICP)
The icp-route function tells the proxy server to use ICP to determine the best source for a requested object whenever the local proxy does not have the object.
Syntax
Route fn=icp-route
redirect=yes|noParameters
redirect specifies whether the proxy server will send a redirect message back to the client telling it where to get the object.
- yes means the proxy will send a redirect message back to the client to tell it where to retrieve the requested object.
- no means the proxy will not send a redirect message to the client. Instead it will use the information from ICP to get the object.
pa-enforce-internal-routing (enforcing internal distributed routing)
The pa-enforce-internal-routing function enables internal routing through a proxy array. Internal routing occurs when a non PAC-enabled client routes requests through a proxy array.
Syntax
Route fn="pa_enforce_internal_routing"
redirect="yes|no"Parameters
redirect specifies whether or not client's requests will be redirected. Redirecting means that if a member of a proxy array receives a request that it should not service, it tells the client which proxy to contact for that request.
Warning
Redirect is not currently supported by any clients, so you should not use the feature at this time.
pa-set-parent-route (setting a hierarchical route)
The pa-set-parent-route function sets a route to a parent array.
Syntax
Route fn="pa_set_parent_route"
set-proxy-server (using another proxy to retrieve a resource)
The set-proxy-server function directs the proxy server to connect to another proxy for retrieving the current resource. It also sets the address and port number of the proxy server to be used.
Syntax
Route fn=set-proxy-server
host name=otherhost name
port=numberParameters
host name is the name of the host on which the other proxy is running.
port is the port number of the remote proxy.
Example
Route fn=set-proxy-server
host name=proxy.iplanet.com
port=8080set-socks-server (using a SOCKS server to retrieve a resource)
The set-socks-server directs the proxy server to connect to a SOCKS server for retrieving the current resource. It also sets the address and port number of the SOCKS server to be used.
Syntax
Route fn=set-socks-server
host name=sockshost name
port=numberParameters
host name is the name of the host on which the SOCKS server runs.
port is the port on which the SOCKS server listens.
Example
ObjectType fn=set-socks-server
host name=socks.iplanet.com
port=1080unset-proxy-server (unsetting a proxy route)
The unset-proxy-server function tells the proxy server not to connect to another proxy server to retrieve the current resource. This function nullifies the settings of any less specific set-proxy-server functions.
Syntax
Route fn=unset-proxy-server
unset-socks-server (unsetting a SOCKS route)
The unset-socks-server function tells the proxy server not to connect to a SOCKS server to retrieve the current resource. This function nullifies the settings of any less specific set-socks-server functions.
Syntax
Route fn=unset-socks-server
Service
Once the other directives have done all the necessary checks and translations, the functions of the Service directive send the data (first receiving it from a remote server when necessary) and complete the request. Most of the time, the Service directive connects to a remote server, making the request for the client and then passing the results back to the client.
Parameters
Service directives support these optional parameters to help determine if the directive is used:
method specifies a regular expression that indicates which HTTP methods the client must be using to have the directive applied. Valid HTTP methods include GET, HEAD, POST, and INDEX (CONNECT through SSL tunneling is also available). Multiple values are enclosed in parentheses and separated by the pipe (|) symbol.
type (not with proxy-retrieve) specifies a regular expression that indicates the MIME types to which to apply the directive. The proxy server defines several MIME types internally that are used only to select a Service function that translates the internal type into a form presentable to the client.
If an object has more than one Service directive, the first applicable directive is used and the rest are ignored.
proxy-retrieve (retrieving documents with the proxy)
The proxy-retrieve function retrieves a document from a remote server and returns it to the client. It manages caching if it is enabled. The proxy-retrieve function also lets you configure the proxy to allow or block arbitrary methods.
Syntax
Service fn=proxy-retrieve
method=GET|HEAD|POST|INDEX|CONNECT...allow|block=<List-of-comma-separated-methods>
Parameters
method lets you specify a retrieval method.
allow configures the proxy to allow specified arbitrary methods.
block configures the proxy to block specified arbitrary methods.
Note allow takes precedence over block.
Examples
# Normal proxy retrieve
Service fn=proxy-retrieve
# Proxy retrieve with POST method disabled
Service fn=proxy-retrieve
method=(POST)
# Proxy retrieve allows methods FOO and BAR to pass through
Service fn=proxy-retrieve
allow="FOO,BAR"
# Proxy retrieve blocks methods MKCOL,DELETE,LOCK,UNLOCK
Service fn=proxy-retrieve
block="MKCOL,DELETE,LOCK,UNLOCK"send-file (sending text file contents to client)
The send-file function sends the contents of a plain text file to the client. If this function finds any extra path information, it doesn't send the text file to the client.
Syntax
Service fn=send-file
method=GET|HEAD|POST|INDEX|CONNECT...
type=MIME typeParameters
method lets you specify a retrieval method. By default, all methods are allowed unless the method parameter is given.
type specifies a regular expression that indicates the MIME types to which to apply the directive.
Example
Service fn=send-file
method=(GET|HEAD)
type=*~magnus-internal/*deny-service (denying access to a resource)
The deny-service function is the only function that belongs to two classes: PathCheck and Service. It prevents access to the requested resource.
The socks5.conf File
The proxy uses the file server-root\proxy-id\config\socks5.conf to control access to the SOCKS proxy server SOCKD and its services. Each line defines what the proxy does when it gets a request that matches the line.
When SOCKD receives a request, it checks the request against the lines in
server-root\proxy-id\config\socks5.conf. When it finds a line that matches the request, the request is permitted or denied based on the first word in the line (permit or deny). Once it finds a matching line, the daemon ignores the remaining lines in the file. If there are no matching lines, the request is denied. You can also specify actions to take if the client's identd or user ID is incorrect by using #NO_IDENTD: or #BAD_ID as the first word of the line. Each line can be up to 1023 characters long.There are five sections in the socks5.conf file. These sections do not have to appear in the following order. However, because the daemon uses only the first line that matches a request, the order of the lines within each section is extremely important. The five sections of the socks5.conf file are:
- ban host/authentication - identifies the hosts from which the SOCKS deamon should not accept connections and which types of authentication the SOCKS daemon should use to authenticate these hosts
- routing - identifies which interface the SOCKS deamon should use for particular IP addresses
- variables and flags - identifies which logging and informational messages the SOCKS daemon should use
- proxies - identifies the IP addresses that are accessible through another SOCKS server and whether that SOCKS server connects directly to the host
- access control - specifies whether the SOCKS daemon should permit or deny a request
When the SOCKS daemon receives a request, it sequentially reads the lines in each of these five sections to check for a match to the request. When it finds a line that matches the request, it reads the line to determine whether to permit or deny the request. If there are no matching lines, the request is denied.
Each line in this file can be up to 1023 characters long and in order for a line to match a request, each entry in the line must match.
Authentication/Ban Host Entries
There are two lines in authentication/ban host entries. The first is the authentication line.
Syntax
auth source-hostmask source-portrange auth-methods
Parameters
source-hostmask identifies which hosts the SOCKS server will authenticate.
source-portrange identifies which ports the SOCKS server will authenticate.
auth-methods are the methods to be used for authentication. You can list multiple authentication methods in order of your preference. In other words, if the client does not support the first authentication method listed, the second method will be used instead. If the client does not support any of the authentication methods listed, the SOCKS server will disconnect without accepting a request. If you have more than one authentication method listed, they should be separated by commas with no spaces in between. Possible authentication methods are:
- n (no authentication required)
- u (user name and password required)
- - (any type of authentication)
The second line in the authentication/ban host entry is the ban host line.
Syntax
ban source-hostmask source-portrange
Parameters
source-hostmask identifies which hosts are banned from the SOCKS server.
source-portrange identifies from which ports the SOCKS server will not accept requests.
Example
auth 127.27.27.127 1024 u,-
ban 127.27.27.127 1024Routing Entries
Syntax
route dest-hostmask dest-portrange interface/address
Parameters
dest-hostmask indicates the hosts for which incoming and outgoing connections must go through the specified interface.
dest-portrange indicates the ports for which incoming and outgoing connections must go through the specified interface.
interface/address indicates the IP address or name of the interface through which incoming and outgoing connections must pass. IP addresses are preferred.
Example
route 127.27.27.127 1024 le0
Variables and Flags
Syntax
set variable value
Parameters
variable indicates the name of the variable to be initialized.
value is the value to set the variable to.
Example
set SOCKS5_BINDPORT 1080
Available Settings
The following settings are those that can be inserted into the variables and flags section of the SOCKS5.conf file. These settings will be taken from the administration forms, but they can be added, changed, or removed manually as well.
SOCKS5_BINDPORT
The SOCKS5_BINDPORT setting sets the port at which the SOCKS server will listen. This setting cannot be changed during rehash.
Syntax
set SOCKS5_BINDPORT port number
Parameters
port number is the port at which the SOCKS server will listen.
Example
set SOCKS5_BINDPORT 1080
SOCKS5_PWDFILE
The SOCKS5_PWDFILE setting is used to look up user name/password pairs for user name/password authentication. This setting only applies to situations in which ns-sockd is running separately from the administration server.
Syntax
set SOCKS5_PWDFILE full pathname
Parameters
full pathname is the location and name of the user name/password file.
Example
set SOCKS5_PWDFILE /etc/socks5.passwd
SOCKS5_CONFFILE
The SOCKS5_CONFFILE setting is used to determine the location of the SOCKS5 configuration file.
Syntax
set SOCKS5_CONFFILE full pathname
Parameters
full pathname is the location and name of the SOCKS configuration file.
Example
set SOCKS5_CONFFILE /etc/socks5.conf
SOCKS5_LOGFILE
The SOCKS5_LOGFILE setting is used to determine where to write log entries.
Syntax
set SOCKS5_LOGFILE full pathname
Parameters
full pathname is the location and name of the SOCKS logfile.
Example
set SOCKS-5_LOGFILE /var/log/socks5.log
SOCKS5_NOIDENT
THe SOCKS5_NOIDENT setting disables Ident so that SOCKS does not try to determine the user name of clients. Most servers should use this setting unless they will be acting mostly as a SOCKS4 server. (SOCKS4 used ident as authentication.)
Syntax
set SOCKS5_NOIDENT
Parameters
None.
SOCSK5_DEMAND_IDENT
The SOCKS5_DEMAND_IDENT setting sets the Ident level to "require an ident response for every request". Using Ident in this way will dramatically slow down your SOCKS server. If neither SOCKS5_NOIDENT or SOCKS5_DEMAND_IDENT is set, then the SOCKS server will make an Ident check for each request, but it will fulfill requests regardless of whether an Ident response is received.
Syntax
set SOCSK5_DEMAND_IDENT
Parameters
None.
SOCKS5_DEBUG
The SOCKS5_DEBUG setting causes the SOCKS server to log debug messages. You can specify the type of logging your SOCKS server will use.
If it's not a debug build of the SOCKS server, only number 1 will work.
Syntax
set SOCSK5_DEBUG number
Parameters
number determines the number of the type of logging your server will use. Possible values are:
- 1 - log normal debugging messages. This is the default.
- 2 - log extensive debugging (especially related to configuration file settings).
- 3 - log all network traffic.
Example
set SOCKS5_DEBUG 2
SOCKS5_USER
The SOCKS5_USER setting sets the user name to use when authenticating to another SOCKS server.
Syntax
set SOCKS5_USER user name
Parameters
user name is the user name the SOCKS server will use when authenticating to another SOCKS server.
Example
set SOCKS5_USER mozilla
SOCKS5_PASSWD
The SOCKS5_PASSWD setting sets the password to use when authenticating to another SOCKS server. It is possible for a SOCKS server to go through another SOCKS server on its way to the Internet. In this case, if you define SOCKS5_USER, ns-sockd will advertise to other SOCKS servers that it can authenticate itself with a user name and password.
Syntax
set SOCKS5_PASSWD password
Parameters
password is the password the SOCKS server will use when authenticating to another SOCKS server.
Example
set SOCKS5_PASSWD m!2@
SOCKS5_NOREVERSEMAP
The SOCKS5_NOREVERSEMAP setting tells ns-sockd not to use reverse DNS. Reverse DNS translates IP addresses into host names. Using this setting can increase the speed of the SOCKS server.
If you use domain masks in the configuration file, the SOCKS server will have to use reverse DNS, so this setting will have no effect.
Syntax
set SOCKS5_NOREVERSEMAP
Parameters
None.
SOCKS5_HONORBINDPORT
The SOCKS5_HONORBINDPORT setting allows the client to specify the port in a BIND request. If this setting is not specified, the SOCKS server ignores the client's requested port and assigns a random port.
Syntax
set SOCKS5_HONORBINDPORT
Parameters
None.
SOCKS5_ALLOWBLANKETBIND
The SOCKS5_ALLOWBLANKETBIND setting allows the client to specify an IP address of all zeros (0.0.0.0) in a BIND request. If this setting is not specified, the client must specify the IP address that will be connecting to the bind port, and an IP of all zeros is interpreted to mean that any IP address can connect.
Syntax
set SOCKS5_ALLOWBLANKETBIND
Parameters
None.
SOCKS5_STATSFILE
The SOCKS5_STATSFILE setting identifies a different file for storing running statistics about the SOCKS server.
Syntax
set SOCKS5_STATSFILE full pathname
Parameters
full pathname is the location and name of the statistics file.
Example
set SOCKS5_STATSFILE /tmp/socksstat.any.1080
SOCSK5_QUENCH_UPDATES
The SOCKS5_QUENCH_UPDATES setting tells the SOCKS server not to write a line to the logfile every hour. This line, if written, provides a brief summary of statistics. The following is a sample line:
[04/aug/1997:21:00:00] 000 info: 78 requests,
78 successful: connect 77, bind 1, udp 0Syntax
set SOCKS5_QUENCH_UPDATES
Parameters
None.
SOCKS5_WORKERS
The SOCKS5_WORKERS setting tunes the performance of the SOCKS server by adjusting the number of worker threads. Worker threads perform authentication and access control for new SOCKS connections. If the SOCKS server is too slow, you should increase the number of worker threads. If it is unstable, decrease the number of worker threads.
The default number of worker threads is 40, and the typical number of worker threads falls between 20 and 150.
Syntax
set SOCKS5_WORKERS number
Parameters
number is the number of worker threads the SOCKS server will use.
Example
set SOCKS5_WORKERS 40
SOCKS5_ACCEPTS
The SOCKS5_ACCEPTS setting tunes the performance of the SOCKS server by adjusting the number of accept threads. Accept threads sit on the SOCKS port listening for new SOCKS requests. If the SOCKS server is dropping connections, you should increase the number of accept threads. If it is unstable, decrease the number of accept threads.
The default number of accept threads is 40, and the typical number of accept threads falls between 20 and 60.
Syntax
set SOCKS5_ACCEPTS number
Parameters
number is the number of accepts threads the SOCKS server will use.
Example
set SOCKS5_ACCEPTS 40
LDAP_URL
The LDAP-URL setting sets the URL for the LDAP server.
Syntax
set LDAP-URL URL
Parameters
URL is the URL for the LDAP server used by SOCKS.
Example
set LDAP-URL ldap://name:8180/0=iPlanet,c=US
LDAP_USER
The LDAP-USER setting sets the user name that the SOCKS server will use when accessing the LDAP server.
Syntax
set LDAP-USER user name
Parameters
user name is the user name SOCKS will use when accessing the LDAP server.
Example
set LDAP-USER admin
LDAP_PASSWD
The LDAP-PASSWD setting sets the password that the SOCKS server will use when accessing the LDAP server.
Syntax
set LDAP-PASSWD password
Parameters
password is the password SOCKS will use when accessing the LDAP server.
Example
set LDAP-PASSWD T$09
SOCKS5_TIMEOUT
The SOCKS5-TIMEOUT setting specifies the idle period that the SOCKS server will keep a connection alive between a client and a remote server before dropping the connection.
Syntax
set SOCKS5_TIMEOUT time
Parameters
time is the time, in minutes, SOCKS will wait before timing out. The default value is 10. The value can range from 10 to 60, including both these values.
Example
set SOCKS5_TIMEOUT 30
Proxy Entries
Syntax
proxy-type dest-hostmask dest-portrange proxy-list
Parameters
proxy-type indicates the type of proxy server. This value can be:
- socks5 - SOCKS version 5
- socks4 - SOCKS version 4
- noproxy - a direct connection
dest-hostmask indicates the hosts for which the proxy entry applies.
dest-portrange indicates the ports for which the proxy entry applies.
proxy-list contains the names of the proxy servers to use.
Example
socks5 127.27.27.127 1080 proxy1
Access Control Entries
Syntax
permit|deny auth-type connection-type source-hostmask dest-hostmask source-portrange dest-portrange [LDAP-group]
Parameters
auth-type indicates the authentication method for which this access control line applies.
connection-type indicates the type of command the line matches. Possible command types are:
- c (connect)
- b (bind; open a listen socket)
- u (UDP relay)
- - (any command)
source-hostmask - indicates the hosts for which the access control entry applies.
dest-hostmask indicates the hosts for which the access control entry applies.
source-portrange indicates the ports for which the access control entry applies.
dest-portrange is the port number of the destination.
LDAP-group is the group to deny or permit access to. This value is optional. If no LDAP group is identified, the access control entry applies to everyone.
Example
permit u c - - - [0-1023] group1
Specifying Ports
You will need to specify ports for many entries in your socks5.conf file. Ports can be identified by a name, number, or range. Ranges that are inclusive should be surrounded by brackets (i.e. [ ]). Ranges that are not inclusive should be in parentheses.
The bu.conf File
The optional bu.conf file contains batch update directives. You can use these directives to update many documents at once. You can time these updates to occur during off-peak hours to minimize the effect on the efficiency of the server. The format of this file is described in this section.
Accept
A valid URL Accept filter consists of any POSIX regular expression. It is used as a filter to test URLs for retrieval in the case of internal updates, and determines whether branching occurs for external updates.
This directive may occur any number of times, as separate Accept lines or as comma or white space delimited entries on a single Accept line and is applied sequentially. Default behavior is .*, letting all URLs pass.
Syntax
Accept regular expression
Connections
For the Connections directive, n is the number of simultaneous connections to be used while retrieving. This is a general method for limiting the load on your machine and, more importantly, the remote servers being contacted.
This directive can occur multiple times in a valid configuration, but only the smallest value is used.
Syntax
Connections n
Count
The argument n of the Count directive specifies the total maximum number of URLs to be updated via this process. This is a simple safeguard for limiting the process and defaults to a value of 300. This directive can occur multiple times in a valid configuration, but only the smallest value is used.
Syntax
Count n
Days
The Days directive specifies on which days you want to allow the starting of batch updates. You can specify this by naming the days of the week (Sunday,..., Saturday), and you can use three-letter abbreviations (Sun, Mon, Tue, Wed, Thu, Fri, Sat).
This directive can occur multiple times in a valid configuration, but only the first value is used. The default is seven-day operation.
Syntax
Days day1 day2...
Depth
The Depth directive lets you ensure that, while enumerating, all collected objects are no more than a specified number of links away from the initial URL. The default is 1.
Syntax
Depth depth
Object boundaries
The Object wrapper signifies the boundaries between individual configurations in the bupdate.conf file. It can occur any number of times, though each occurrence requires a unique name.
All other directives are only valid when inside Object boundaries.
Syntax
<Object name=name>
...
</Object>Reject
A valid URL Reject filter consists of any POSIX regular expression. It is used as a filter to test URLs for retrieval in the case of internal updates, and determines whether branching occurs for external updates.
This directive may occur any number of times, as separate Reject lines or as comma or white space delimited entries on a single Reject line, and is applied sequentially. Default behavior is no reject for internal updates and .* (no branching, get single URL) for recursive updates.
Syntax
Reject regular expression
Source
In the Source directive, if the argument is the keyword internal, it specifies batch updates are to be done only on objects currently in the cache (and a directive of Depth 1 is assumed); otherwise, you specify the name of a URL for recursive enumeration.
This directive can occur only once in a valid configuration.
Syntax
Source internal
Source URL
Time
The Time directive specifies the time to start and stop updates. Valid values range from 00:00 to 24:00 (24-hour "military" time).
This directive can occur multiple times in a valid configuration, but only the first value will be used.
Syntax
Time start - end
Type
This function lets you control the updating of mime types that the proxy caches. This directive can occur any number of times, in any order.
Syntax
Type ignore
Type inline
Type mime_type
Parameters
ignore means that updates will act on all MIME types that the proxy currently caches. This is the default behavior and supersedes all other Type directives if specified.
inline means that in-lined data is updated as a special type, regardless of any later MIME type exclusions, and are meaningful only when doing recursive updates.
mime-type is assumed to be a valid entry from the system mime-types file, and is included in the list of MIME types to be updated. If the proxy doesn't currently cache the given MIME type, the object may be retrieved but is not cached.
The icp.conf File
This file is used to configure the Internet Cache Protocol (ICP) feature of your server. There are three functions in the icp.conf file, and each can be called as many times as necessary. Each function should be on a separate line. The three functions are add_parent, add_sibling, and server.
add_parent (adding parent servers to an ICP neighborhood)
The add_parent function identifies and configures a parent server in an ICP neighborhood.
Syntax
add_parent name=name icp_port=port number
proxy_port=port number mcast_address=IP address ttl=number round=1|2
Note The above text should all be on one line in the icp.conf file.
Parameters
name specifies the name of the parent server. It can be a dns name or an IP address.
icp_port specifies the port on which the parent listens for ICP messages.
proxy_port specifies the port for the proxy on the parent.
mcast_address specifies the multicast address the parent listens to. A multicast address is an IP address to which multiple servers can listen. Using a multicast address allows a proxy to send one query to the network that all neighbors listening to that multicast address can receive, therefore eliminating the need to send a query to each neighbor separately.
ttl specifies the time to live for a message sent to the multicast address. ttl controls the number of subnets a multicast message will be forwarded to. If the ttl is set to 1, the multicast message will only be forwarded to the local subnet. If the ttl is 2, the message will go to all subnets that are one hop away.
round specifies in which polling round the parent will be queried. A polling round is an ICP query cycle. Possible values are:
- 1 means that the parent will be queried in the first query cycle with all other round one neighbors.
- 2 means that the parent will only be queried if none of the neighbors in polling round one return a "HIT."
Example
add_parent name=proxy1 icp_port=5151 proxy_port=3333 mcast_address=189.98.3.33 ttl=3 round=2
add_sibling (adding sibling servers to an ICP neighborhood)
The add_sibling function identifies and configures a sibling server in an ICP neighborhood.
Syntax
add_sibling name=name icp_port=port number proxy_port=port number mcast_address=IP address ttl=number round=1|2
Note The above text will all be on one line in the icp.conf file.
Parameters
name specifies the name of the sibling server. It can be a dns name or an IP address.
icp_port specifies the port on which the sibling listens for ICP messages.
proxy_port specifies the port for the proxy on the sibling.
mcast_address specifies the multicast address the sibling listens to. A multicast address is an IP address to which multiple servers can listen. Using a multicast address allows a proxy to send one query to the network that all neighbors listening to that multicast address can receive, therefore eliminating the need to send a query to each neighbor separately.
ttl specifies the time to live for a message sent to the multicast address. ttl controls the number of subnets a multicast message will be forwarded to. If the ttl is set to 1, the multicast message will only be forwarded to the local subnet. If the ttl is 2, the message will go to all subnets that are one hop away.
round specifies in which polling round the sibling will be queried. A polling round is an ICP query cycle. Possible values are:
- 1 means that the sibling will be queried in the first query cycle with all other round one neighbors. This is the default polling round value.
- 2 means that the sibling will only be queried if none of the neighbors in polling round one return a "HIT."
Example
add_sibling name=proxy2 icp_port=5151 proxy_port=3333 mcast_address=190.99.2.11 ttl=2 round=1
Note The above text will all be on one line in the icp.conf file.
server (configuring the local proxy in an ICP neighborhood)
The server function identifies and configures the local proxy in an ICP neighborhood.
Syntax
server bind_address=IP address mcast=IP address num_servers=number icp_port=port number default_route=name default_route_port=port number no_hit_behavior=fastest_parent|default timeout=seconds
Note The above text should all be on one line in the icp.conf file.
Parameters
bind_address specifies the IP address to which the server will bind. For machines with more than one IP address, this parameter can be used to determine which address the ICP server will bind to.
mcast the multicast address to which the neighbor listens. A multicast address is an IP address to which multiple servers can listen. Using a multicast address allows a proxy to send one query to the network that all neighbors who are listening to that multicast address can see, therefore eliminating the need to send a query to each neighbor separately.
If both a multicast address and bind address are specified for the neighbor, the neighbor uses the bind address to communicate with other neighbors. If neither a bind address nor a multicast address is specified, the communication subsystem will decide which address to use to send the data.
num_servers specifies the number of processes that will service ICP requests.
icp_port specifies the port number to which the server will listen.
default_route tells the proxy server where to route a request when none of the neighboring caches respond. If default_route and default_route_port are set to "origin," the proxy server will route defaulted requests to the origin server. The meaning of default_route is different depending on the value of no_hit_behavior. If no_hit_behavior is set to default, the default_route is used when none of the proxy array members return a hit. If no_hit behavior is set to fastest_parent, the default_route value is used only if no parent responds.
default_route_port specifies the port number of the machine specified as the default_route. If default_route and default_route_port are set to "origin," the proxy server will route defaulted requests to the origin server.
no_hit_behavior specifies the proxy's behavior whenever none of the neighbors returns a "HIT" for the requested document. Possible values are:
- fastest_parent means the request is routed through the first parent that returned a "MISS."
- default means the request is routed to the machine specified as the default route.
timeout specifies the maximum number of milliseconds the proxy will wait for an ICP response.
Example
server bind_address=198.4.66.78 mcast=no num_servers=5 icp_port=5151 default_route=proxy1 default_route_port=8080 no_hit_behavior=fastest_parent timeout=2000
Note The above text will all be on one line in the icp.conf file.
The ras.conf File
The ras.conf file is used to configure the remote access feature of your proxy server. This file contains information that the proxy server needs in order to dial out to the Internet via a modem.
Syntax
UserName name
Password password
Domain
DialEntry entry
MaximumIdleTime minutes
Schedule day:hour;day:hourParameters
UserName is the user name assigned by your Internet Service Provider that you use to dial out to the Internet.
Password is the password of the user.
Domain is the name of the domain against which the user is validated. If the user does not belong to a domain, leave this parameter blank.
DialEntry is the name of the phonebook entry that you specified when configuring your RAS server.
MaximumIdleTime is the maximum amount of time the remote connection can be idle. If the connection remains idle past this time, the proxy server will disconnect from the remote Internet service provider. A maximum idle time of -1 will keep the connection open.
Schedule is a list of the days and times when the proxy server is allowed to dial out to the Internet. The day must be abbreviated into the first three letters of the word (i.e. sun, mon, tue, wed, thu, fri, sat). Use military time to specify the times. To specify a time range, place a hyphen between the start and end times (i.e. 1000-2400). Each day:hour pair must be separated by a semicolon.
Example
UserName user1
Password pwd
Domain
DialEntry RASEntry
MaximumIdleTime 15
Schedule mon:1200-2400;wed:1200-2400;fri:1200-2400