Sun Java System Web Proxy Server 4.0.1 Administration Guide 

Contents


About This Guide
Who Should Use This Guide
How This Guide is Organized
Documentation Conventions
Using the Documentation
Contacting Sun Technical Support
Feedback
Third-Party Web Site References

Part 1 Server Basics

Chapter 1   Introducing Sun Java System Web Proxy Server
About Sun Java System Web Proxy Server
New in This Release
Getting Started
Administration Server Overview
Server Manager Overview
Configuration Files
Regular Expressions

Chapter 2   Administering Sun Java System Web Proxy Server
Starting the Administration Server
Stopping the Administration Server
Running Multiple Proxy Servers
Removing a Server Instance
Migrating from Proxy Server 3.6

Part 2 Using the Administration Server

Chapter 3   Setting Administration Preferences
Creating and Managing Listen Sockets
Adding Listen Sockets
Editing Listen Sockets
Deleting Listen Sockets
Changing Superuser Settings
Allowing Multiple Administrators
Specifying Log File Options
Viewing Log Files
The Access Log File
The Error Log File
Using Directory Services
Restricting Server Access
SNMP Master Agent Settings

Chapter 4   Managing Users and Groups
Accessing Information about Users and Groups
About Directory Services
LDAP Directory Services
Key File Directory Services
Digest File Directory Services
Configuring Directory Services
Creating Directory Services
Editing Directory Services
Understanding Distinguished Names (DNs)
Using LDIF
Creating Users
Creating Users in LDAP-based Authentication Databases
Guidelines for Creating LDAP-based User Entries
Creating LDAP-based User Entries
Directory Server User Entries
Creating Users in Key File Authentication Databases
Creating Users in Digest File Authentication Databases
Managing Users
Finding User Information
Building Custom Search Queries
Editing User Information
Managing a User’s Password
Renaming Users
Removing Users
Creating Groups
About Static Groups
Guidelines for Creating Static Groups
Creating Static Groups
About Dynamic Groups
How Dynamic Groups are Implemented
Dynamic Group Impact on Server Performance
Guidelines for Creating Dynamic Groups
Creating Dynamic Groups
Managing Groups
Finding Group Entries
The Find All Groups Whose Section
Editing Group Entries
Adding Group Members
Adding Groups to the Group Members List
Removing Entries from the Group Members List
Managing Owners
Managing See Alsos
Renaming Groups
Removing Groups
Creating Organizational Units
Managing Organizational Units
Finding Organizational Units
The Find All Units Whose Section
Editing Organizational Unit Attributes
Renaming Organizational Units
Removing Organizational Units

Chapter 5   Using Certificates and Keys
Certificate-based Authentication
Creating a Trust Database
Using password.conf
Starting an SSL-enabled Server Automatically
Requesting and Installing a VeriSign Certificate
Requesting a VeriSign Certificate
Installing a VeriSign Certificate
Requesting and Installing Other Server Certificates
Required CA Information
Requesting Other Server Certificates
Installing Other Server Certificates
Migrating Certificates
Using the Built-in Root Certificate Module
Managing Certificates
Installing and Managing CRLs and CKLs
Installing CRLs or CKLs
Managing CRLs and CKLs
Setting Security Preferences
SSL and TLS Protocols
Using SSL to Communicate with LDAP
Tunneling SSL Through the Proxy Server
Configuring SSL Tunneling
Technical Details for SSL Tunneling
Enabling Security for Listen Sockets
Turning Security On
Selecting Server Certificates for Listen Sockets
Selecting Ciphers
Configuring Security Globally
SSLSessionTimeout
SSLCacheEntries
SSL3SessionTimeout
Using External Encryption Modules
Installing the PKCS #11 Module
Using modutil to Install PKCS #11 Modules
Using pk12util
Exporting with pk12util
Importing with pk12util
Starting the Server with an External Certificate
Selecting the Certificate Name for a Listen Socket
FIPS-140 Standard
Setting Client Security Requirements
Requiring Client Authentication
Client Authentication in a Reverse Proxy
Setting Up Client Authentication in a Reverse Proxy
Proxy-Authenticates-Client
Content Server-Authenticates-Proxy
Proxy-Authenticates-Client and Content Server-Authenticates-Proxy
Mapping Client Certificates to LDAP
Using the certmap.conf File
Creating Custom Properties
Sample Mappings
Setting Stronger Ciphers
Other Security Considerations
Limiting Physical Access
Limiting Administration Access
Choosing Strong Passwords
Creating Hard-to-Crack Passwords
Changing Passwords or PINs
Limiting Other Applications on the Server
UNIX and Linux
Windows
Preventing Clients from Caching SSL Files
Limiting Ports
Knowing Your Server’s Limits

Chapter 6   Managing Server Clusters
About Server Clusters
Guidelines for Using Clusters
Setting Up Clusters
Adding Servers to a Cluster
Modifying Server Information
Removing Servers from a Cluster
Controlling Server Clusters

Part 3 Configuring and Monitoring the Proxy Server

Chapter 7   Configuring Server Preferences
Starting the Proxy Server
Starting SSL-enabled Servers
Stopping the Proxy Server
Restarting the Proxy Server
Restarting the Server (UNIX or Linux)
Restarting the Server (Windows)
Setting the Termination Timeout
Viewing Server Settings
Viewing and Restoring Backups of Configuration Files
Configuring System Preferences
Server User
Processes
Listen Queue Size
DNS
ICP
Proxy Array
Parent Array
Proxy Timeout
Tuning the Proxy Server
Adding and Editing Listen Sockets
Adding Listen Sockets
Editing Listen Sockets
Deleting Listen Sockets
MIME Types
Creating a New MIME Type
Editing a MIME Type
Removing a MIME Type
Administering Access Control
Configuring the ACL Cache
Understanding DNS Caching
Configuring the DNS Cache
Configuring DNS Subdomains
Configuring HTTP Keep-Alive

Chapter 8   Controlling Access to Your Server
What is Access Control?
Access Control for User-Group
Default Authentication
Basic Authentication
SSL Authentication
Digest Authentication
Installing the Digest Authentication Plug-in
Other Authentication
Access Control for Host-IP
Using Access Control Files
Configuring the ACL User Cache
Controlling Access with Client Certificates
How Access Control Works
Setting Access Control
Setting Access Control Globally
Setting Access Control for a Server Instance
Selecting Access Control Options
Setting the Action
Specifying Users and Groups
Specifying the From Host
Restricting Access to Programs
Setting Access Rights
Writing Customized Expressions
Turning Access Control Off
Responding When Access is Denied
Limiting Access to Areas of Your Server
Restricting Access to the Entire Server
Restricting Access to a Directory (Path)
Restricting Access to a File Type
Restricting Access Based on Time of Day
Restricting Access Based on Security
Securing Access to Resources
Securing Access to Server Instances
Enabling IP-based Access Control
Creating ACLs for File-based Authentication
Creating ACLs for Directory Services Based on File Authentication
Creating ACLs for Directory Services Based on Digest Authentication

Chapter 9   Using Log Files
About Log Files
Logging on UNIX and Windows Platforms
Default Error Logging
Logging Using syslog
Logging Using the Windows eventlog
Log Levels
Archiving Log Files
Internal-daemon Log Rotation
Scheduler-based Log Rotation
Setting Access Log Preferences
Easy Cookie Logging
Setting Error Logging Options
Configuring the LOG Element
Viewing Access Log Files
Viewing Error Log Files
Working with the Log Analyzer
Transfer Time Distribution Report
Status Code Report
Data Flow Report
Requests and Connections Report
Cache Performance Report
Transfer Time Report
Hourly Activity Report
Viewing Events (Windows)

Chapter 10   Monitoring Servers
Monitoring the Server Using Statistics
Processing Proxy Server Statistics
Restricting Access to the stats-xml Output
Enabling Statistics
Using Statistics
Displaying Statistics in the Server Manager
Monitoring Current Activity Using the perfdump Utility
Enabling the perfdump Utility
Sample perfdump Output
Restricting Access to the perfdump Output
Using Performance Buckets
Configuration
Performance Report
SNMP Basics
Management Information Base
Setting Up SNMP
Using a Proxy SNMP Agent (UNIX)
Installing the Proxy SNMP Agent
Starting the Proxy SNMP Agent
Restarting the Native SNMP Daemon
Reconfiguring the SNMP Native Agent
Installing the SNMP Master Agent
Enabling and Starting the SNMP Master Agent
Starting the Master Agent on Another Port
Manually Configuring the SNMP Master Agent
Editing the Master Agent CONFIG File
Defining sysContact and sysLocation Variables
Configuring the SNMP Subagent
Starting the SNMP Master Agent
Starting the SNMP Master Agent Manually
Starting the SNMP Master Agent Using the Administration Server
Configuring the SNMP Master Agent
Configuring the Community String
Configuring Trap Destinations
Enabling the Subagent
Understanding SNMP Messages

Part 4 Managing the Proxy Server

Chapter 11   Proxying and Routing URLs
Enabling/Disabling Proxying for a Resource
Routing through Another Proxy
Configuring Routing for a Resource
Chaining Proxy Servers
Routing through a SOCKS Server
Forwarding the Client IP Address to the Server
Allowing Clients to Check IP Address
Client Autoconfiguration
Setting the Network Connectivity Mode
Changing the Default FTP Transfer Mode
Specifying the SOCKS Name Server IP Address
Configuring HTTP Request Load Balancing
Managing URLs and URL Mappings
Creating URL Mappings
Viewing, Editing, or Removing Existing URL Mappings
Redirecting URLs

Chapter 12   Caching
How Caching Works
Understanding the Cache Structure
Distributing Files in the Cache
Setting Cache Specifics
Enabling the Cache
Creating a Cache Working Directory
Setting Cache Size
Editing Cache Capacity
Caching HTTP Documents
Setting the HTTP Cache Refresh Interval
Setting the HTTP Cache Expiration Policy
Reporting HTTP Accesses to the Remote Server
Caching FTP and Gopher Documents
Setting FTP and Gopher Cache Refresh Intervals
Creating and Modifying a Cache
Setting Cache Capacity
Managing Cache Sections
Setting the Garbage Collection Preferences
Scheduling Garbage Collection
Configuring the Cache
Caching Configuration Elements
Setting the Cache Default
Caching Pages That Require Authentication
Caching Queries
Setting Minimum and Maximum Cache File Sizes
Setting the Up-to-date Checking Policy
Setting Expiration Policy
Setting Cache Behavior for Client Interruptions
Behavior on Failure to Connect to Server
Caching Local Hosts
Configuring the File Cache
Viewing the URL Database
Expiring and Removing Files from the Cache
Using Cache Batch Updates
Creating Batch Updates
Editing or Deleting Batch Update Configurations
Using the Cache Command Line Interface
Building the Cache Directory Structure
Managing the Cache URL List
Managing Cache Garbage Collection
Managing Batch Updates
Using the Internet Cache Protocol (ICP)
About ICP
Routing through ICP Neighborhoods
Adding Parents to an ICP Neighborhood
Editing Parent Configurations in an ICP Neighborhood
Removing Parents from an ICP Neighborhood
Adding Siblings to an ICP Neighborhood
Editing Sibling Configurations in an ICP Neighborhood
Removing Siblings from an ICP Neighborhood
Configuring Individual ICP Neighbors
Enabling ICP
Enabling Routing Through an ICP Neighborhood
Using Proxy Arrays
About Proxy Arrays
Routing through Proxy Arrays
Creating a Proxy Array Member List
Editing Proxy Array Member List Information
Deleting Proxy Array Members
Configuring Proxy Array Members
Enabling Routing Through a Proxy Array
Enabling a Proxy Array
Redirecting Requests in a Proxy Array
Generating a PAC File from a PAT File
Manually Generating a PAC File from a PAT File
Automatically Generating a PAC File from a PAT File
Routing through Parent Arrays
Viewing Parent Array Information

Chapter 13   Filtering Content through the Proxy
Filtering URLs
Creating a Filter File of URLs
Setting Default Access for a Filter File
Content URL Rewriting
Restricting Access to Specific Web Browsers
Blocking Requests
Suppressing Outgoing Headers
Filtering by MIME Type
Filtering by HTML Tags
Configuring the Server for Content Compression
Configuring the Server to Compress Content on Demand

Chapter 14   Using a Reverse Proxy
How Reverse Proxying Works
Proxy as a Stand-in for a Server
Secure Reverse Proxying
Proxying for Load Balancing
Setting up a Reverse Proxy
Setting up a Secure Reverse Proxy
Secure Client to Proxy
Secure Proxy to Content Server
Secure Client to Proxy and Secure Proxy to Content Server
Virtual Multihosting in Reverse Proxy
Functional Details of Virtual Multihosting
Important Notes on Virtual Multihosting

Chapter 15   Using SOCKS
About SOCKS
Using the Bundled SOCKS v5 Server
About socks5.conf
Authentication
Access Control
Logging
Tuning
Starting and Stopping the SOCKS v5 Server
Configuring the SOCKS v5 Server
Configuring SOCKS v5 Authentication Entries
Creating Authentication Entries
Editing Authentication Entries
Deleting Authentication Entries
Moving Authentication Entries
Configuring SOCKS v5 Connection Entries
Creating Connection Entries
Editing Connection Entries
Deleting Connection Entries
Moving Connection Entries
Configuring SOCKS v5 Server Chaining
Configuring Routing Entries
Creating SOCKS v5 Routing Entries
Creating SOCKS v5 Proxy Routing Entries
Editing Routing Entries
Deleting Routing Entries
Moving Routing Entries

Chapter 16   Managing Templates and Resources
About Templates
Understanding Regular Expressions
Understanding Wildcard Patterns
Creating New Templates
Applying Templates
Removing Templates
Viewing Templates
Removing Resources

Chapter 17   Using the Client Autoconfiguration File
Understanding Autoconfiguration Files
What the Autoconfiguration File Does
Accessing the Proxy as a Web Server
Using PAC Files with a Reverse Proxy
Using Server Manager Pages to Create Autoconfiguration Files
Creating Autoconfiguration Files Manually
The FindProxyForURL Function
JavaScript Functions and Environment
Hostname-based Functions
Related Utility Functions
URL/host-name-based Condition
Time-based Conditions
Detailed Examples

Part 5 Appendixes

Appendix A   ACL File Syntax
About ACL Files and ACL File Syntax
Authentication Statements
Authorization Statements
Writing Authorization Statements
Hierarchy of Authorization Statements
Attribute Expressions
Operators for Expressions
The Default ACL File
General Syntax Items
Referencing ACL Files in obj.conf

Appendix B   Tuning Server Performance
General Performance Considerations
Access Logging
ACL Cache Tuning
Buffer Size
Connection Timeout
Errors Log Level
Security Requirements
Solaris File System Caching
Timeout Values
init-proxy SAF (obj.conf)
http-client-config SAF (obj.conf)
KeepAliveTimeout (magnus.conf)
Up-to-Date Checks
Last-Modified Factor
DNS Settings
Number of Threads
Inbound Connection Pool
FTP Listing Width
Cache Architecture
Cache Batch Update
Garbage Collection
The gc hi margin percent Variable
The gc lo margin percent Variable
The gc extra margin percent Variable
The gc leave fs full percent Variable
Solaris Performance Tuning

Index
Part No: 819-3650-10.   Copyright 2005 Sun Microsystems, Inc. All rights reserved.