Sun Java System Web Proxy Server 4.0.13 Release Notes

Enhancements in Sun Java System Web Proxy Server Releases

The recent releases of Proxy Server include the following enhancements:

Performance Tuning, Sizing, and Scaling Guide

A performance tuning, sizing, and scaling guide was introduced in 4.0.11. This document provides tuning, sizing, and scaling tips and suggestions; possible solutions to common performance problems; and data from scalability studies. It also addresses miscellaneous configuration and platform-specific issues. For more information, see Sun Java System Web Proxy Server 4.0.13 Performance Tuning, Sizing, and Scaling Guide.

Transparent Proxy

Proxy Server 4.0 supports transparent proxying for HTTP/1.1 connections. Transparent proxying means that web requests are intercepted and processed by the proxy server without the knowledge or control of the clients. For example, the router for a local network is configured to redirect incoming TCP connections to the local port on which the proxy server is listening.

Add the following directive to the proxy server's default object in the obj.conf file:

NameTrans fn="host-map"

This configuration enables the proxy server to use the HTTP Host: header of incoming requests to identify and redirect the request to the target remote server.


Note –

Transparent proxy servers that decide where to connect based on the HTTP Host: header are vulnerable to forged HTTP Host: headers injected by active content. Therefore, suitable ACL configurations must be implemented to prevent connections to web sites that might host malicious content.


URL Mapping

URL Mapping was introduced in Proxy Server 4.0.8. It enables the Proxy Server to act as a reverse proxy, providing a single front-end hostname for a set of back-end application servers. Based on the requester's URI, the request is routed to the appropriate back-end server.

For more information about URL Mapping, see Reverse Proxy Scenario in Sun Java System Web Proxy Server 4.0.13 Configuration File Reference.

For information about Server Application Functions (SAFs) used in URL Mapping, see Server Application Functions (SAFs) in Sun Java System Web Proxy Server 4.0.13 Configuration File Reference.

Registration with Sun Connection

You can use the Admin Server to register the Web Proxy Server with Sun Connection. Click the Register with Sun Connection button; a client.jnlp application opens. Follow the wizard to complete the registration.

By registering the Web Proxy Server with Sun Connection you receive the following benefits:

This feature is supported only on the Solaris SPARC, Solaris x86, and Linux platforms. To use this feature on Solaris, install the SUNWservicetagr and SUNWservicetagu packages on SPARC and x86 systems.

To use this feature on Linux, install the sun-servicetag-1.0.0-1.0.i386.rpm package.

Monitoring Server

The monitoring capabilities of Sun Java System Web Proxy Server provide a detailed list of the server parameters that you can monitor at the instance level.

From the Web Proxy Administration Server, you can perform the following actions:

Procedure: Monitoring the Server

  1. Access the Administration Server

  2. Click the Instance link from the Manage Servers page

  3. Click the Server Status tab

  4. Click the Monitor Current Activity tab

  5. Set the Monitoring Current Activity to ON to monitor the server

    You can also set the refresh interval to 5, 10, or 15 seconds and view the statistics for DNS, Keep-Alive, Cache, Server Requests, and Work Thread connections.

Embedded DNS Resolution

The embedded DNS client supports non-default name resolution: the DNS client interacts with a DNS server of your choice to perform the name resolution. The new SAF dns-lookup receives the DNS server's IP address as its server argument. Add it as a DNS directive in the obj.conf file.

In the following example, the IP address of the DNS server is specified in the server parameter:

<Object>
....
DNS fn="dns-lookup" server="170.168.10.3"
...
</Object>

In the following example, multiple DNS server IP addresses are given to dns-lookup-init, and they are used in round-robin fashion. In this scenario, do not add a DNS server IP address to dns-lookup. If server parameters are specified for both dns-lookup and dns-lookup-init, the dns-lookup argument takes precedence.

...
<Object>
...
DNS fn="dns-lookup"
....
Init fn="dns-lookup-init" servers="170.168.10.3, 170.158.10.4"
</Object>
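To make the precedence and round-robin rules concrete, here is an added example (not code from the Proxy Server or the release notes) that parses a constructed obj.conf fragment laid out like the one above and computes which resolver each lookup would use. The directive and parameter syntax are assumed to be the name="value" form shown on this page.

```python
import re
from itertools import cycle

# Constructed obj.conf fragment, laid out like the second example above (not a real deployment).
OBJ_CONF = """
<Object>
DNS fn="dns-lookup"
Init fn="dns-lookup-init" servers="170.168.10.3, 170.158.10.4"
</Object>
"""

DIRECTIVE_RE = re.compile(r'^\s*(Init|DNS)\s+(.*)$')   # directive type, then its parameters
PARAM_RE = re.compile(r'(\w+)="([^"]*)"')               # name="value" pairs

def parse_directives(text: str) -> list:
    """Return (directive, {param: value}) for every Init and DNS line in the fragment."""
    found = []
    for line in text.splitlines():
        m = DIRECTIVE_RE.match(line)
        if m:
            found.append((m.group(1), dict(PARAM_RE.findall(m.group(2)))))
    return found

def effective_dns_servers(text: str) -> list:
    """Precedence rule from the notes: a server= argument on dns-lookup wins;
    otherwise the servers= list given to dns-lookup-init is used."""
    init_servers, lookup_server = [], None
    for directive, params in parse_directives(text):
        fn = params.get("fn")
        if directive == "Init" and fn == "dns-lookup-init" and params.get("servers"):
            init_servers = [s.strip() for s in params["servers"].split(",") if s.strip()]
        elif directive == "DNS" and fn == "dns-lookup" and params.get("server"):
            lookup_server = params["server"].strip()
    return [lookup_server] if lookup_server else init_servers

def resolver_order(servers: list, n: int) -> list:
    """First n resolver choices in the round-robin order used for a multi-server list."""
    if not servers:
        raise ValueError("no DNS server configured for dns-lookup")
    rr = cycle(servers)
    return [next(rr) for _ in range(n)]

if __name__ == "__main__":
    print(resolver_order(effective_dns_servers(OBJ_CONF), 4))  # alternates between the two servers
```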

ACL Cache Tuning

ACLCacheMax is a magnus.conf parameter that limits the total number of ACLs stored in the ACL cache. There is no default value for ACLCacheMax, so configure it with an explicit limit, for example:

ACLCacheMax 16384


Note –

The ACL cache in this context does not refer to the ACL user cache. It refers to the cache of ACLs that apply to specific URLs, which are cached for performance reasons.


GCAtStartup is a magnus.conf parameter that takes a boolean value. The default is false; if set to true, the cache garbage collector clears garbage during server startup. This can increase server startup time when the cache size is large.

The New Directives in the magnus.conf File

This section lists the newly added parameters in the magnus.conf file.

Table 1 magnus.conf Directives

Parameter: ACLCacheMax
Valid Values: 1
Description: Specifies a configurable limit for the ACL cache. This directive restricts the size of the ACL cache by removing old entries, which otherwise contribute significantly to memory usage.

Parameter: FtpPoolSize
Valid Values: 1 – 65536
Description: Specifies the size of the FTP connection pool. The default value is 256.

Parameter: FtpPoolLife
Valid Values: 1 – 65536
Description: Specifies how long, in seconds, an FTP connection can remain unused in the pool before the monitor thread closes it. The default value is 3600.

Parameter: FtpPoolMonitorThread
Valid Values: ON, OFF
Description: Boolean that enables the FTP pool monitor thread. The default is ON.

Parameter: FtpPoolMonitorLevel
Valid Values: 0, 1
Description: Integer that selects how the pool monitor thread checks connections. If set to 0, the thread only checks whether the connection is dead or alive. If set to 1, a NOOP command is sent on the connection and the thread waits for the reply; failure to get a response causes the connection to be removed from the pool. The default level is 1.

Parameter: FtpPoolMonitorInterval
Valid Values: 30 – 65536
Description: Interval, in seconds, after which the pool connections are monitored. The default value is 30.

Parameter: LDAPPoolMonitorThread
Valid Values: Boolean
Description: If set to TRUE, an LDAP pool monitor thread is created that monitors the LDAP connection pool at regular intervals. The default value is FALSE.

Parameter: LDAPPoolMonitorInterval
Valid Values: Integer
Description: Interval at which the LDAP pool monitor thread inspects the LDAP connection pool. The default value is 30.

Parameter: LDAPPoolRevalidate
Valid Values: Boolean
Description: If set to TRUE, every connection picked from the connection pool is revalidated before being passed to the caller. The default value is FALSE.

Parameter: PairedConnections
Valid Values: Boolean
Description: If set to TRUE, enables connection pairing, where a server channel is dedicated (paired) to a specific client connection. The default value is FALSE.

Parameter: BufferedLogEnabled
Valid Values: Boolean
Description: If set to TRUE, an error that is generated multiple times over a period of time is written only once to the error log, accompanied by the number of times the error was actually generated during that period. The default value is FALSE.

Parameter: BufferedLogCountMax
Valid Values: 1 – 65536
Description: Maximum number of times an error can be generated before it is flushed to the error log. The default value is 128.

Parameter: BufferedLogSizeMax
Valid Values: 1 – 65536
Description: Maximum number of error messages the log buffer can hold before the buffered messages are flushed to the error log. The default value is 8192.

Parameter: BufferedLogAgeMax
Valid Values: 1 – 3600
Description: Maximum age, in seconds, of a message in the log buffer; a message older than this is considered aged and flushed to the error log. The default value is 300.

Parameter: BufferedLogFlushInterval
Valid Values: 1 – 300
Description: Interval, in seconds, at which the thread responsible for flushing log messages inspects the log buffer. The default value is 30.
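The four BufferedLog* limits interact, and an operator reading the error log needs to know when a repeated error will actually appear. The following added example (not Proxy Server code) simulates the buffering behaviour described in Table 1 with an injectable clock; the flush thread, the "(repeated N times)" line format and the flush-on-shutdown step are assumptions, since the notes only state that a count accompanies the message.

```python
from dataclasses import dataclass, field

@dataclass
class BufferedLogConfig:            # defaults are the Table 1 values
    count_max: int = 128            # BufferedLogCountMax
    size_max: int = 8192            # BufferedLogSizeMax: distinct messages held
    age_max: int = 300              # BufferedLogAgeMax, seconds
    flush_interval: int = 30        # BufferedLogFlushInterval, seconds

@dataclass
class BufferedErrorLog:
    cfg: BufferedLogConfig = field(default_factory=BufferedLogConfig)
    buffer: dict = field(default_factory=dict)   # message -> [count, first_seen]
    written: list = field(default_factory=list)  # lines that reached the error log

    def _write(self, msg: str) -> None:
        count, _ = self.buffer.pop(msg)
        # Line format is an assumption; the notes only say the count accompanies the message.
        self.written.append(msg if count == 1 else f"{msg} (repeated {count} times)")

    def log(self, msg: str, now: float) -> None:
        """Record one occurrence of an error at time 'now' (seconds)."""
        if msg in self.buffer:
            self.buffer[msg][0] += 1
            if self.buffer[msg][0] >= self.cfg.count_max:  # BufferedLogCountMax reached
                self._write(msg)
            return
        if len(self.buffer) >= self.cfg.size_max:          # BufferedLogSizeMax reached
            self.flush_all()
        self.buffer[msg] = [1, now]

    def inspect(self, now: float) -> None:
        """The flusher thread's sweep, run every BufferedLogFlushInterval seconds."""
        for msg, (_, first_seen) in list(self.buffer.items()):
            if now - first_seen >= self.cfg.age_max:        # BufferedLogAgeMax exceeded
                self._write(msg)

    def flush_all(self) -> None:
        for msg in list(self.buffer):
            self._write(msg)

def simulate(events: list, cfg: BufferedLogConfig) -> list:
    """Replay (time, message) events with the flusher on its interval; return the log lines."""
    log, next_sweep = BufferedErrorLog(cfg), cfg.flush_interval
    for t, msg in sorted(events):
        while next_sweep <= t:
            log.inspect(next_sweep)
            next_sweep += cfg.flush_interval
        log.log(msg, t)
    log.flush_all()  # shutdown: whatever is still buffered is written out
    return log.written
```

With small limits (count 3, size 2, age 10 s, interval 5 s) and a constructed event stream, three quick repeats of one error collapse into a single counted line, a full buffer forces the earlier entries out, and an old entry is flushed by the sweep rather than by a new occurrence.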

Cache PURGE Feature

Proxy Server accepts PURGE requests to remove a URL from the cache. If the requested URL is purged successfully, the server sends a response with HTTP status code 200 (OK). If the specified URL is not cached, a 404 (Not Found) response is sent.

In the following example, the server returns 200:

bash-2.03$ telnet localhost 8088
Trying 172.9.10.1...
Connected to localhost.
Escape character is '^]'.
PURGE http://foo.com/ HTTP/1.0

HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Proxy-Server/4.0
Date: Fri, 26 Oct 2007 08:15:30 GMT
Connection: close

Connection closed by foreign host.

In the following example, the server returns 404:

bash-2.03$ telnet localhost 8088
Trying 172.9.10.1...
Connected to localhost.
Escape character is '^]'.
PURGE http://foo.com/ HTTP/1.0

HTTP/1.1 404 Not Found
Server: Sun-Java-System-Web-Proxy-Server/4.0
Date: Mon, 17 Sep 2007 10:13:28 GMT
Content-length: 96
Content-type: text/html
Connection: close
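The two sessions above are the same exchange run twice against one cache entry. The following added example (not Proxy Server code) models both sides in-process: a cache that answers PURGE with the 200/404 semantics described above, and the client-side request and status parsing; the responses carry only the status line and the headers common to both sessions.

```python
import re
from email.utils import formatdate

SERVER_TOKEN = "Sun-Java-System-Web-Proxy-Server/4.0"   # value seen in the sessions above
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]$")

class PurgeableCache:
    """In-memory stand-in for the proxy's URL cache with the PURGE semantics of the notes."""
    def __init__(self, cached_urls):
        self.store = set(cached_urls)

    def handle(self, raw_request: str) -> str:
        """Parse a raw HTTP request and return the raw response for a PURGE."""
        request_line = raw_request.split("\r\n", 1)[0]
        m = REQUEST_LINE.match(request_line)
        if not m or m.group(1) != "PURGE":
            raise ValueError(f"only PURGE is modelled here: {request_line!r}")
        url = m.group(2)
        if url in self.store:
            self.store.remove(url)                     # purged: 200 per the release notes
            return self._response(200, "OK")
        return self._response(404, "Not Found")        # not cached: 404

    @staticmethod
    def _response(code: int, reason: str) -> str:
        headers = [f"HTTP/1.1 {code} {reason}", f"Server: {SERVER_TOKEN}",
                   f"Date: {formatdate(usegmt=True)}", "Connection: close"]
        return "\r\n".join(headers) + "\r\n\r\n"

def build_purge(url: str) -> str:
    """Client side: the request typed into telnet in the sessions above."""
    return f"PURGE {url} HTTP/1.0\r\n\r\n"

def status_of(raw_response: str) -> int:
    """Client side: read the status code from the response's first line."""
    return int(raw_response.split("\r\n", 1)[0].split(" ", 2)[1])

def purge(cache: PurgeableCache, url: str) -> int:
    """One full exchange: build the request, let the cache handle it, parse the status."""
    return status_of(cache.handle(build_purge(url)))

if __name__ == "__main__":
    cache = PurgeableCache(["http://foo.com/"])   # constructed cache contents
    print(purge(cache, "http://foo.com/"))        # 200: entry purged
    print(purge(cache, "http://foo.com/"))        # 404: no longer cached
```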

Internet Protocol Version 6 (IPv6) Support

From Proxy Server 4.0.11, you can connect to IPv6-enabled Web sites through the Proxy Server. The Proxy Server also supports the FTP extensions for IPv6 in the default (passive) mode.

NSS 3.12.5 and NSPR 4.8.2 Support

Proxy Server 4.0.13 supports Network Security Services (NSS) 3.12.5 and Netscape Portable Runtime (NSPR) 4.8.2.

Modified FTP Transfer Mode

From the Proxy Server 4.0.6 release, support for the FTP Extended Passive (EPSV) mode has been introduced.

Upgrade Support

From the Proxy Server 4.0.2 release, the installer supports upgrading an existing Proxy Server 4.0 installation to a later version. For Java Enterprise System installations of Proxy Server 4.0.1, install the patches that correspond to the later release.