Sun Java System Web Proxy Server 4.0.2 2005Q4 Administration Guide
Book Information
Index
Preface
Chapter 1 Introducing Sun Java System Web Proxy Server
About Sun Java System Web Proxy Server
New in This Release
Getting Started
Administration Server Overview
To access the Administration Server
Server Manager Overview
To access the Server Manager
Configuration Files
Regular Expressions
Chapter 2 Administering Sun Java System Web Proxy Server
Starting the Administration Server
To start the Administration Server on UNIX or Linux
To start the Administration Server on Windows
Stopping the Administration Server
To stop the Administration Server on UNIX or Linux
To stop the Administration Server on Windows
Running Multiple Proxy Servers
To install multiple server instances
Removing a Server Instance
To remove a server instance
Migrating from Proxy Server 3.6
Chapter 3 Setting Administration Preferences
Creating and Managing Listen Sockets
Adding Listen Sockets
To add listen sockets
Editing Listen Sockets
To edit listen sockets
Deleting Listen Sockets
To delete listen sockets
Changing Superuser Settings
To change superuser settings for the Administration Server
Allowing Multiple Administrators
To enable distributed administration
Specifying Log File Options
Viewing Log Files
The Access Log File
To view the access log file
The Error Log File
To view the error log file
Using Directory Services
Restricting Server Access
SNMP Master Agent Settings
Chapter 4 Managing Users and Groups
Accessing Information about Users and Groups
About Directory Services
LDAP Directory Services
Key File Directory Services
Digest File Directory Services
Configuring Directory Services
Creating Directory Services
To create directory services
Editing Directory Services
To edit directory services
Understanding Distinguished Names (DNs)
Using LDIF
Creating Users
Creating Users in LDAP-based Authentication Databases
Guidelines for Creating LDAP-based User Entries
Creating LDAP-based User Entries
To create users in LDAP-based authentication databases
Directory Server User Entries
Creating Users in Key File Authentication Databases
To create users in key file authentication databases
Creating Users in Digest File Authentication Databases
To create users in digest file authentication databases
Managing Users
Finding User Information
To find user information
Building Custom Search Queries
Editing User Information
To edit user entries
Managing a User’s Password
To change or create user passwords
Renaming Users
To rename user entries
Removing Users
To remove user entries
Creating Groups
About Static Groups
Guidelines for Creating Static Groups
Creating Static Groups
To create static groups
About Dynamic Groups
How Dynamic Groups are Implemented
Dynamic Group Impact on Server Performance
Guidelines for Creating Dynamic Groups
Creating Dynamic Groups
To create dynamic groups
Managing Groups
Finding Group Entries
To find group entries
The Find All Groups Whose Section
Editing Group Entries
To edit group entries
Adding Group Members
To add members to a group
Adding Groups to the Group Members List
Removing Entries from the Group Members List
To remove entries from the group members list
Managing Owners
Managing See Alsos
Renaming Groups
To rename groups
Removing Groups
To remove groups
Creating Organizational Units
To create organizational units
Managing Organizational Units
Finding Organizational Units
To find organizational units
The Find All Units Whose Section
Editing Organizational Unit Attributes
To edit organizational unit entries
Renaming Organizational Units
To rename organizational unit entries
Removing Organizational Units
To delete organizational unit entries
Chapter 5 Using Certificates and Keys
Certificate-based Authentication
Creating a Trust Database
To create a trust database
Using password.conf
Starting an SSL-enabled Server Automatically
To start an SSL-enabled server automatically
Requesting and Installing a VeriSign Certificate
Requesting a VeriSign Certificate
To request a VeriSign certificate
Installing a VeriSign Certificate
To install a VeriSign certificate
Requesting and Installing Other Server Certificates
Required CA Information
Requesting Other Server Certificates
To request other server certificates
Installing Other Server Certificates
To install other server certificates
Migrating Certificates
To migrate a certificate
Using the Built-in Root Certificate Module
Managing Certificates
To manage certificates
Installing and Managing CRLs and CKLs
Installing CRLs or CKLs
To install CRLs or CKLs
Managing CRLs and CKLs
To manage CRLs and CKLs
Setting Security Preferences
SSL and TLS Protocols
Using SSL to Communicate with LDAP
To enable SSL on your Administration Server
Tunneling SSL Through the Proxy Server
Configuring SSL Tunneling
To configure SSL tunneling
Technical Details for SSL Tunneling
Enabling Security for Listen Sockets
Turning Security On
To turn security on when creating listen sockets
To turn security on when editing listen sockets
Selecting Server Certificates for Listen Sockets
To select a server certificate for a listen socket
Selecting Ciphers
To enable SSL and TLS
Configuring Security Globally
To set values for SSL configuration file directives
SSLSessionTimeout
Syntax
SSLCacheEntries
SSL3SessionTimeout
Syntax
Using External Encryption Modules
Installing the PKCS #11 Module
Using modutil to Install PKCS #11 Modules
To install PKCS #11 modules using modutil
Exporting with pk12util
To export a certificate and key from an internal database
Importing with pk12util
To import a certificate and key into an internal or external PKCS #11 module
Starting the Server with an External Certificate
Selecting the Certificate Name for a Listen Socket
To select the certificate name for a listen socket
FIPS-140 Standard
To enable FIPS-140
Setting Client Security Requirements
Requiring Client Authentication
To require client authentication
Client Authentication in a Reverse Proxy
Setting Up Client Authentication in a Reverse Proxy
Proxy-Authenticates-Client
To configure the Proxy-Authenticates-Client scenario
Content Server-Authenticates-Proxy
To configure the Content Server-Authenticates-Proxy scenario
Proxy-Authenticates-Client and Content Server-Authenticates-Proxy
To configure the Proxy-Authenticates-Client and Content Server-Authenticates-Proxy scenario
Mapping Client Certificates to LDAP
Using the certmap.conf File
Creating Custom Properties
Sample Mappings
Example #1
Example #2
Example #3
Setting Stronger Ciphers
To set stronger ciphers
Other Security Considerations
Limiting Physical Access
Limiting Administration Access
Choosing Strong Passwords
Creating Hard-to-Crack Passwords
Changing Passwords or PINs
To change the trust database/key-pair file password
Limiting Other Applications on the Server
UNIX and Linux
Windows
Preventing Clients from Caching SSL Files
Limiting Ports
Knowing Your Server’s Limits
Chapter 6 Managing Server Clusters
About Server Clusters
Guidelines for Using Clusters
Setting Up Clusters
To set up Proxy Server clusters
Adding Servers to a Cluster
To add remote servers to a cluster
Modifying Server Information
To modify information about servers in a cluster
Removing Servers from a Cluster
To remove servers from a cluster
Controlling Server Clusters
To control servers in a cluster
Chapter 7 Configuring Server Preferences
Starting the Proxy Server
To start the Proxy Server from the administration interface
To start the Proxy Server on UNIX or Linux
To start the Proxy Server on Windows
Starting SSL-enabled Servers
To start your SSL-enabled server automatically on UNIX or Linux
Stopping the Proxy Server
To stop the Proxy Server from the administration interface
To stop the Proxy Server on UNIX or Linux
To stop the Proxy Server on Windows
Restarting the Proxy Server
Restarting the Server (UNIX or Linux)
To restart the Proxy Server from the command line
To restart the server using inittab
To restart the server using System RC Scripts
Restarting the Server (Windows)
To restart the server on Windows
Setting the Termination Timeout
Viewing Server Settings
To view the settings for the Proxy Server
Viewing and Restoring Backups of Configuration Files
To view a previous configuration
To restore a backup copy of your configuration files
To set the number of backups displayed
Configuring System Preferences
To modify the system preferences
Server User
Processes
Listen Queue Size
DNS
ICP
Proxy Array
Parent Array
Proxy Timeout
Tuning the Proxy Server
To change the default tuning parameters
Adding and Editing Listen Sockets
Adding Listen Sockets
To add listen sockets
Editing Listen Sockets
To edit listen sockets
Deleting Listen Sockets
To delete listen sockets
MIME Types
Creating a New MIME Type
To create a MIME type
Editing a MIME Type
To edit a MIME type
Removing a MIME Type
To remove a MIME type
Administering Access Control
To manage access control lists
Configuring the ACL Cache
To configure the ACL Cache
Understanding DNS Caching
Configuring the DNS Cache
To configure the DNS Cache
Configuring DNS Subdomains
To set the levels of subdomains the proxy traverses
Configuring HTTP Keep-Alive
To configure HTTP Keep-Alive
Chapter 8 Controlling Access to Your Server
What is Access Control?
Access Control for User-Group
Default Authentication
Basic Authentication
SSL Authentication
Digest Authentication
Installing the Digest Authentication Plug-in
Installing the Digest Authentication Plug-in on UNIX
To install the Digest authentication plug-in on UNIX
Installing the Digest Authentication Plug-in on Windows
To install the Digest authentication plug-in on Windows
Setting the Sun Java System Directory Server to Use the DES Algorithm
To set the Directory Server to use the DES algorithm
Other Authentication
Access Control for Host-IP
Using Access Control Files
Configuring the ACL User Cache
Controlling Access with Client Certificates
How Access Control Works
Setting Access Control
Setting Access Control Globally
To set access control for all servers
Setting Access Control for a Server Instance
To set access control for a server instance
Selecting Access Control Options
Setting the Action
Specifying Users and Groups
Specifying the From Host
Restricting Access to Programs
Setting Access Rights
Writing Customized Expressions
Turning Access Control Off
Responding When Access is Denied
To change the Access Denied message
Limiting Access to Areas of Your Server
Restricting Access to the Entire Server
To restrict access to the entire server
Restricting Access to a Directory (Path)
To restrict access to directories
Restricting Access to a File Type
To restrict access to file types
Restricting Access Based on Time of Day
To restrict access based on time of day
Restricting Access Based on Security
To restrict access based on security
Securing Access to Resources
Securing Access to Server Instances
Enabling IP-based Access Control
To enable IP-based access control
Creating ACLs for File-based Authentication
Creating ACLs for Directory Services Based on File Authentication
To create ACLs for directory services based on file authentication
Creating ACLs for Directory Services Based on Digest Authentication
To create ACLs for directory services based on Digest authentication
Chapter 9 Using Log Files
About Log Files
Logging on UNIX and Windows Platforms
Default Error Logging
Logging Using syslog
Logging Using the Windows eventlog
Log Levels
Archiving Log Files
Internal-daemon Log Rotation
Scheduler-based Log Rotation
Setting Access Log Preferences
To set the access log preferences for the Administration Server
To set the access log preferences for the Server Instance
Easy Cookie Logging
Setting Error Logging Options
To set the error logging options
Configuring the LOG Element
Viewing Access Log Files
Viewing Error Log Files
Working with the Log Analyzer
Transfer Time Distribution Report
Data Flow Report
Status Code Report
Requests and Connections Report
Cache Performance Report
Client Cache
Proxy Cache
Proxy Cache Hits Combined
Direct Transactions
Transfer Time Report
Hourly Activity Report
To run the log analyzer from the Server Manager
To run the log analyzer from the command line
Viewing Events (Windows)
To use the Event Viewer
Chapter 10 Monitoring Servers
Monitoring the Server Using Statistics
Processing Proxy Server Statistics
Restricting Access to the stats-xml Output
Enabling Statistics
To enable statistics from the Server Manager
To enable statistics using stats-xml
Using Statistics
To access statistics
Displaying Statistics in the Server Manager
Monitoring Current Activity Using the perfdump Utility
Enabling the perfdump Utility
To enable the perfdump SAF:
Sample perfdump Output
Restricting Access to the perfdump Output
Using Performance Buckets
Configuration
Performance Report
SNMP Basics
Management Information Base
Setting Up SNMP
Using a Proxy SNMP Agent (UNIX)
Installing the Proxy SNMP Agent
To install the Proxy SNMP Agent
Starting the Proxy SNMP Agent
Restarting the Native SNMP Daemon
Reconfiguring the SNMP Native Agent
Installing the SNMP Master Agent
To install the master SNMP agent
Enabling and Starting the SNMP Master Agent
Starting the Master Agent on Another Port
To manually start the master agent on another port
Manually Configuring the SNMP Master Agent
To configure the master SNMP agent manually
Editing the Master Agent CONFIG File
To configure the master SNMP agent manually
Defining sysContact and sysLocation Variables
Configuring the SNMP Subagent
To configure the SNMP subagent
Starting the SNMP Master Agent
Starting the SNMP Master Agent Manually
Starting the SNMP Master Agent Using the Administration Server
To start the SNMP master agent using the Administration Server
Configuring the SNMP Master Agent
Configuring the Community String
Configuring Trap Destinations
Enabling the Subagent
Understanding SNMP Messages
Chapter 11 Proxying and Routing URLs
Enabling/Disabling Proxying for a Resource
To enable proxying for a resource
Routing through Another Proxy
Configuring Routing for a Resource
To configure routing for a resource
Chaining Proxy Servers
To route through another proxy server
Routing through a SOCKS Server
To route through a SOCKS server
Forwarding the Client IP Address to the Server
To configure the proxy to send client IP addresses
Allowing Clients to Check IP Address
To check the Java IP address
Client Autoconfiguration
Setting the Network Connectivity Mode
To change the running mode for the proxy server
Changing the Default FTP Transfer Mode
To set the FTP mode
Specifying the SOCKS Name Server IP Address
To specify the SOCKS name server IP address
Configuring HTTP Request Load Balancing
To configure HTTP request load balancing
Managing URLs and URL Mappings
Creating URL Mappings
To create a URL mapping
Viewing, Editing, or Removing Existing URL Mappings
To change your existing mappings
Redirecting URLs
To redirect one or more URLs
Chapter 12 Caching
How Caching Works
Understanding the Cache Structure
Distributing Files in the Cache
Setting Cache Specifics
To set cache specifics
Enabling the Cache
Creating a Cache Working Directory
Setting Cache Size
Editing Cache Capacity
Caching HTTP Documents
Setting the HTTP Cache Refresh Interval
Setting the HTTP Cache Expiration Policy
Reporting HTTP Accesses to the Remote Server
Caching FTP and Gopher Documents
Setting FTP and Gopher Cache Refresh Intervals
Creating and Modifying a Cache
To add cache partitions
To modify cache partitions
Setting Cache Capacity
To set the cache capacity
Managing Cache Sections
To manage cache sections
Setting the Garbage Collection Preferences
Scheduling Garbage Collection
To schedule garbage collection
Configuring the Cache
To configure the cache
Caching Configuration Elements
Setting the Cache Default
Caching Pages That Require Authentication
Caching Queries
Setting Minimum and Maximum Cache File Sizes
Setting the Up-to-date Checking Policy
Setting Expiration Policy
Setting Cache Behavior for Client Interruptions
Behaviour On Failure To Connect To Server
Caching Local Hosts
To enable the caching of local hosts
Configuring the File Cache
To configure the file cache
Viewing the URL Database
To view the URLs in the database
Expiring and Removing Files from the Cache
To expire or remove cached URLs
Using Cache Batch Updates
Creating Batch Updates
To create a batch update
Editing or Deleting Batch Update Configurations
To edit or delete a batch update configuration
Using the Cache Command Line Interface
To run the command line utilities
Building the Cache Directory Structure
Managing the Cache URL List
Managing Cache Garbage Collection
Managing Batch Updates
Using the Internet Cache Protocol (ICP)
About ICP
Routing through ICP Neighborhoods
To set up ICP
Adding Parents to an ICP Neighborhood
To add parent proxies to an ICP neighborhood
Editing Parent Configurations in an ICP Neighborhood
To edit the parent configuration
Removing Parents from an ICP Neighborhood
To remove parent proxies from an ICP neighborhood
Adding Siblings to an ICP Neighborhood
To add sibling proxies to an ICP neighborhood
Editing Sibling Configurations in an ICP Neighborhood
To edit the sibling configuration
Removing Siblings from an ICP Neighborhood
To remove sibling proxies from an ICP neighborhood
Configuring Individual ICP Neighbors
To configure the local proxy server in your ICP neighborhood
Enabling ICP
To enable ICP
Enabling Routing Through an ICP Neighborhood
To enable routing through an ICP neighborhood
Using Proxy Arrays
About Proxy Arrays
Routing through Proxy Arrays
To set up a proxy array
Creating a Proxy Array Member List
To create a proxy array member list
Editing Proxy Array Member List Information
To edit member list information for any of the members in a proxy array
Deleting Proxy Array Members
To delete members of a proxy array
Configuring Proxy Array Members
To configure each member of the proxy array
Enabling Routing Through a Proxy Array
To enable routing through a proxy array
Enabling a Proxy Array
To enable a proxy array
Redirecting Requests in a Proxy Array
Generating a PAC File from a PAT File
Manually Generating a PAC File from a PAT File
To manually generate a PAC file from a PAT file
Automatically Generating a PAC File from a PAT File
To automatically generate a PAC file from a PAT file each time a change is detected
Routing through Parent Arrays
To configure a proxy or proxy array member to route through a parent array
Viewing Parent Array Information
To view parent array information
Chapter 13 Filtering Content through the Proxy
Filtering URLs
Creating a Filter File of URLs
To create a filter file
Setting Default Access for a Filter File
To set default access for a filter file
Content URL Rewriting
To create a URL rewriting pattern
To edit a URL rewriting pattern
To delete a URL rewriting pattern
Restricting Access to Specific Web Browsers
To restrict access to the proxy based on the client’s web browser
Blocking Requests
To block requests based on MIME type
Suppressing Outgoing Headers
To suppress outgoing headers
Filtering by MIME Type
To filter by MIME type
Filtering by HTML Tags
To filter out HTML tags
Configuring the Server for Content Compression
Configuring the Server to Compress Content on Demand
To configure your server to compress content on demand
Chapter 14 Using a Reverse Proxy
How Reverse Proxying Works
Proxy as a Stand-in for a Server
Secure Reverse Proxying
Proxying for Load Balancing
Setting up a Reverse Proxy
To create regular or reverse mapping
Setting up a Secure Reverse Proxy
Secure Client to Proxy
To set up secure client to proxy
Secure Proxy to Content Server
To set up secure proxy to content server
Secure Client to Proxy and Secure Proxy to Content Server
To set up secure client to proxy and secure proxy to content server
Virtual Multihosting in Reverse Proxy
Functional Details of Virtual Multihosting
To configure virtual multihosting
Important Notes on Virtual Multihosting
Chapter 15 Using SOCKS
About SOCKS
Using the Bundled SOCKS v5 Server
To use the SOCKS
About socks5.conf
Authentication
Access Control
Logging
Tuning
Starting and Stopping the SOCKS v5 Server
To start and stop the SOCKS server from the Server Manager
To start and stop the SOCKS server from the command line
Configuring the SOCKS v5 Server
To configure the SOCKS server
Configuring SOCKS v5 Authentication Entries
Creating Authentication Entries
To create SOCKS authentication entries
Editing Authentication Entries
To edit authentication entries
Deleting Authentication Entries
To delete authentication entries
Moving Authentication Entries
To move authentication entries
Configuring SOCKS v5 Connection Entries
Creating Connection Entries
To create connection entries
Editing Connection Entries
To edit connection entries
Deleting Connection Entries
To delete connection entries
Moving Connection Entries
To move connection entries
Configuring SOCKS v5 Server Chaining
To configure SOCKS server chaining
Configuring Routing Entries
Creating SOCKS v5 Routing Entries
To create routing entries
Creating SOCKS v5 Proxy Routing Entries
To create proxy routing entries
Editing Routing Entries
To edit routing entries
Deleting Routing Entries
To delete routing entries
Moving Routing Entries
To move routing entries
Chapter 16 Managing Templates and Resources
About Templates
Understanding Regular Expressions
Understanding Wildcard Patterns
Creating New Templates
To create a template
Applying Templates
To apply a template
Removing Templates
To remove a template
Viewing Templates
To edit a template
Removing Resources
To remove a resource
Chapter 17 Using the Client Autoconfiguration File
Understanding Autoconfiguration Files
What the Autoconfiguration File Does
Accessing the Proxy as a Web Server
Using PAC Files with a Reverse Proxy
Using Server Manager Pages to Create Autoconfiguration Files
To create an autoconfiguration file using the Server Manager pages
Creating Autoconfiguration Files Manually
The FindProxyForURL Function
JavaScript Functions and Environment
Hostname-based Functions
dnsDomainIs(host, domain)
Parameters:
Returns:
Examples:
isInNet(host, pattern, mask)
Parameters:
Returns:
Examples:
isPlainHostName(host)
Parameters:
Returns:
Example:
isResolvable(host)
Parameters:
Returns:
Example:
localHostOrDomainIs(host, hostdom)
Parameters:
Returns:
Examples:
Related Utility Functions
dnsDomainLevels(host)
Parameters:
Returns:
Examples:
dnsResolve(host)
Parameters:
Returns:
Example:
myIpAddress()
Returns:
Example:
URL/host-name-based Condition
shExpMatch(str, shexp)
Parameters:
Returns:
Examples:
Time-based Conditions
dateRange (day, month, year...)
Parameters:
Examples:
timeRange (hour, minute, second...)
Parameters:
Returns:
Examples:
weekdayRange(wd1, wd2, gmt)
Parameters:
Examples:
Detailed Examples
Example 1: Proxy All Servers Except Local Hosts
Example 2: Proxy Local Servers Outside the Firewall
Example 3: Proxy Only Unresolved Hosts
Example 4: Connect Directly to a Subnet
Example 5: Balance Proxy Load with dnsDomainIs()
Example 6: Balance Proxy Load with shExpMatch()
Example 7: Proxying a Specific Protocol
Chapter 18 ACL File Syntax
About ACL Files and ACL File Syntax
Authentication Statements
Authorization Statements
Writing Authorization Statements
Hierarchy of Authorization Statements
Attribute Expressions
Operators for Expressions
The Default ACL File
General Syntax Items
Referencing ACL Files in obj.conf
Chapter 19 Tuning Server Performance
General Performance Considerations
Access Logging
ACL Cache Tuning
Buffer Size
Connection Timeout
Errors Log Level
Security Requirements
Solaris File System Caching
Timeout Values
init-proxy SAF (obj.conf)
http-client-config SAF (obj.conf)
KeepAliveTimeout (magnus.conf)
Up-to-Date Checks
Last-Modified Factor
DNS Settings
Number of Threads
Inbound Connection Pool
FTP Listing Width
Cache Architecture
Cache Batch Update
Garbage Collection
The gc hi margin percent Variable
The gc lo margin percent Variable
The gc extra margin percent Variable
The gc leave fs full percent Variable
Solaris Performance Tuning
© 2010, Oracle Corporation and/or its affiliates