Internet Express Version 6.7 for Tru64 UNIX: Internet Express for Tru64 UNIX Administration Guide

Chapter 10 Proxy Services Administration


The Internet Express Administration utility lets you manage the following Proxy service components:

  • Dante SOCKS Server

  • Squid Proxy/Caching Server

Dante SOCKS Server Administration

The Dante SOCKS Server is a circuit-level firewall/proxy server that can be used to provide convenient and secure network connectivity to a wide range of hosts. (The system on which the Dante SOCKS Server runs must have external network connectivity.) Once installed, the Dante SOCKS Server can be made transparent to clients (in most cases) and offers the server administrator detailed access control and logging facilities.

SOCKS is a networking proxy protocol that enables hosts on one side of a SOCKS server to gain full access to hosts on the other side of the server, without requiring a direct IP connection. A SOCKS server redirects connection requests from hosts on opposite sides of a SOCKS server, authenticates and authorizes the requests, and establishes a proxy connection to relay data. It is commonly used as a network firewall that enables hosts behind a SOCKS server to gain full access to the Internet, while preventing unauthorized access from the Internet to the internal hosts.

The Dante SOCKS Server implements the SOCKS protocol and can function as a firewall between networks. It includes an extension to the SOCKS Version 4 and Version 5 protocols that provides a more generic bind functionality, similar to functionality that non-SOCKS programs expect. It relays TCP and UDP both from outside the network and from inside the network.

Note:

SOCKS Version 4 does not support authentication nor the UDP proxy. SOCKS Version 5 supports a variety of authentication methods and the UDP proxy.
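The following Python module is an added illustration of the protocol exchange just described; it is not part of Internet Express or Dante. It encodes and decodes the SOCKS Version 5 messages (method negotiation, CONNECT request, server reply, as laid out in RFC 1928) from both the client's and the server's side, and builds a SOCKS Version 4 CONNECT for comparison. The address and port values are constructed examples, and the reply-code descriptions are those of RFC 1928. The point for an administrator is visible in the byte layouts: Version 4 carries only a client-asserted user id, while Version 5 lets the server insist on an authentication method (0x02 is username/password) or refuse with 0xFF.

```python
import ipaddress
import struct

# SOCKS5 constants as defined in RFC 1928 (method 0x02 is RFC 1929 user/password).
SOCKS5 = 0x05
METHOD_NO_AUTH = 0x00
METHOD_USERPASS = 0x02
METHOD_NONE_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

REPLY_TEXT = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def client_greeting(methods):
    """Client -> server: VER, NMETHODS, METHODS. Only SOCKS5 has this step."""
    return bytes([SOCKS5, len(methods)]) + bytes(methods)


def server_method_choice(greeting, server_methods):
    """Server -> client: VER, METHOD. The server's own preference order wins;
    0xFF means nothing the client offered is acceptable and it must close."""
    if len(greeting) < 2 or greeting[0] != SOCKS5:
        raise ValueError("not a SOCKS5 greeting")
    offered = list(greeting[2:2 + greeting[1]])
    if len(offered) != greeting[1]:
        raise ValueError("truncated method list")
    for method in server_methods:
        if method in offered:
            return bytes([SOCKS5, method])
    return bytes([SOCKS5, METHOD_NONE_ACCEPTABLE])


def connect_request(host, port):
    """Client -> server: VER CMD RSV ATYP DST.ADDR DST.PORT for a CONNECT.
    A hostname is sent as ATYP 3 so the SOCKS server resolves it; the client
    needs no DNS view of the far side, which is part of what the proxy hides."""
    try:
        ip = ipaddress.ip_address(host)
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([SOCKS5, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_reply(data):
    """Server -> client: VER REP RSV ATYP BND.ADDR BND.PORT.
    Returns (rep, description, bound_address, bound_port)."""
    if len(data) < 5 or data[0] != SOCKS5:
        raise ValueError("bad SOCKS5 reply header")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        start, length = 4, 4
        addr = str(ipaddress.IPv4Address(data[start:start + length]))
    elif atyp == ATYP_IPV6:
        start, length = 4, 16
        addr = str(ipaddress.IPv6Address(data[start:start + length]))
    elif atyp == ATYP_DOMAIN:
        start, length = 5, data[4]
        addr = data[start:start + length].decode("idna")
    else:
        raise ValueError("unknown address type %d" % atyp)
    end = start + length
    if len(data) < end + 2:
        raise ValueError("truncated SOCKS5 reply")
    port = struct.unpack("!H", data[end:end + 2])[0]
    return rep, REPLY_TEXT.get(rep, "unassigned"), addr, port


def socks4_connect_request(ipv4, port, userid=""):
    """SOCKS4 CONNECT: VN CD DSTPORT DSTIP USERID NUL. There is no method
    negotiation, only a user id the client asserts about itself, which is
    why SOCKS Version 4 is described as having no authentication."""
    packed = ipaddress.IPv4Address(ipv4).packed
    return (bytes([0x04, 0x01]) + struct.pack("!H", port) + packed
            + userid.encode("ascii") + b"\x00")
```

A server that only lists METHOD_USERPASS in server_method_choice will answer a client offering only METHOD_NO_AUTH with 0xFF, which is the protocol-level effect of a restrictive method line in sockd.conf.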

Controlling the Dante SOCKS Server

The Dante SOCKS Server (/usr/local/sbin/sockd) is a daemon that runs all the time. To control the server, you first stop the running daemon, then proceed to restart the server. To stop and restart the Dante SOCKS Server from the Administration utility:

  1. From the Manage Components menu, under Proxy, choose Dante SOCKS Proxy Server. The Dante SOCKS Server Administration form is displayed, showing that the server is running (the default).

  2. To stop the server, click on Stop. A message is displayed indicating that the Dante SOCKS Server is stopped.

  3. To restart the server, use the navigation bar to return to the Dante SOCKS Server Administration form and click on Start. A message is displayed indicating that the Dante SOCKS Server is running.

In a TruCluster environment, the Dante SOCKS Server Administration form displays all SOCKS servers, whether running or stopped. When you click on Stop, all servers are stopped; when you click on Start, all servers are started. If some servers are running and others are stopped, clicking on Start leaves the running servers as they are and starts only the stopped ones.

For information on controlling the Dante SOCKS Server outside the Administration utility, see the sockd(8) reference page.

Configuring the Dante SOCKS Server

You configure the Dante SOCKS Server by editing the /etc/sockd.conf configuration file. This file controls both access controls and logging and is divided into two parts, server settings and rules.

To use the Dante SOCKS Server, you must specify valid information in the method, client pass, and pass fields in /etc/sockd.conf. For example, to allow all users to connect without authentication, you could specify:

method: none

To allow any connections from area 16 to any other address in area 16, you could specify:

client pass {
          from: 16.0.0.0/255.0.0.0 port 1-65535 to: 0.0.0.0/0
}
pass {
          from: 16.0.0.0/255.0.0.0 to: 16.0.0.0/255.0.0.0
          log: connect error
}

Note:

These code examples are for illustration only. Your actual code would be much more restrictive.

For more information, see the sockd.conf(5) reference page.
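The following Python script is an added example, not Dante's own parser, of how the two kinds of rule above are applied: client pass/block rules decide whether a host may connect to sockd at all, and pass/block rules decide whether a connected client may proxy to a given destination, with the first matching rule winning and no match meaning block. The sockd.conf text embedded in the script is constructed; it repeats the two rules shown above and adds a tighter rule set of the kind the note recommends (external destinations limited to port 80, explicit block rules). The script handles only the address/port forms used here (dotted netmask or prefix, port N-M, and port eq N) and ignores method, command, and log keywords, so it is a check on rule logic, not a substitute for sockd.conf(5).

```python
import ipaddress
import re
from collections import namedtuple

Rule = namedtuple("Rule", "stage verdict src src_ports dst dst_ports")

# Constructed sockd.conf fragment (not a file shipped with Internet Express).
SOCKD_CONF = """
method: none

client pass {
        from: 16.0.0.0/255.0.0.0 port 1-65535 to: 0.0.0.0/0
}
client block {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect error
}
pass {
        from: 16.0.0.0/255.0.0.0 to: 16.0.0.0/255.0.0.0
        log: connect error
}
pass {
        from: 16.0.0.0/255.0.0.0 to: 0.0.0.0/0 port eq 80
}
block {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        log: connect error
}
"""

BLOCK_RE = re.compile(r"^\s*(client\s+)?(pass|block)\s*\{(.*?)\}", re.S | re.M)
ENDPOINT_RE = re.compile(r"(\S+)(?:\s+port\s+(?:(?:eq|=)\s+)?(\d+)(?:-(\d+))?)?\s*$")


def _parse_endpoint(text):
    """'16.0.0.0/255.0.0.0 port 1-65535' -> (network, (low_port, high_port)).
    Without a port clause every port matches."""
    m = ENDPOINT_RE.match(text.strip())
    if not m:
        raise ValueError("bad address spec: %r" % text)
    net = ipaddress.ip_network(m.group(1), strict=False)
    if m.group(2) is None:
        return net, (1, 65535)
    low = int(m.group(2))
    high = int(m.group(3)) if m.group(3) else low
    return net, (low, high)


def parse_rules(conf):
    """Collect client rules and socks rules in file order (order is significant)."""
    rules = []
    for m in BLOCK_RE.finditer(conf):
        stage = "client" if m.group(1) else "socks"
        body = m.group(3)
        fm = re.search(r"from:\s*(.*?)\s*(?=to:)", body, re.S)
        tm = re.search(r"to:\s*(.*?)\s*(?=(?:log:|$))", body, re.S)
        if not fm or not tm:
            raise ValueError("rule without from:/to:")
        src, sp = _parse_endpoint(fm.group(1))
        dst, dp = _parse_endpoint(tm.group(1))
        rules.append(Rule(stage, m.group(2), src, sp, dst, dp))
    return rules


def decide(rules, stage, src_ip, src_port, dst_ip, dst_port):
    """First matching rule of the given stage wins; no match means block."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.stage != stage:
            continue
        if (s in r.src and r.src_ports[0] <= src_port <= r.src_ports[1]
                and d in r.dst and r.dst_ports[0] <= dst_port <= r.dst_ports[1]):
            return r.verdict
    return "block"


def allowed(rules, client_ip, client_port, sockd_ip, sockd_port, dst_ip, dst_port):
    """Stage 1: may the client connect to sockd? Stage 2: may it reach the destination?"""
    if decide(rules, "client", client_ip, client_port, sockd_ip, sockd_port) != "pass":
        return "blocked by client rules"
    if decide(rules, "socks", client_ip, client_port, dst_ip, dst_port) != "pass":
        return "blocked by socks rules"
    return "pass"


RULES = parse_rules(SOCKD_CONF)
```

With these rules an internal host can reach any internal address and external web servers on port 80, an internal request for an external telnet port is refused at the socks stage, and an external host never gets past the client stage.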

The configuration file for the SOCKS client library, /etc/socks.conf, allows control over logging and server selection. It is divided into two parts, miscellaneous settings and routes. See the socks.conf(5) reference page for complete information.

Accessing Dante SOCKS Information

Documentation for the Dante SOCKS Server is available in the /usr/internet/docs/dante/ directory.

Configuration file examples can be found in /usr/internet/docs/dante/example.

Additional information about the Dante SOCKS Server can be found at the following Web site:

http://www.inet.no/dante

Squid Proxy/Caching Server Administration

Squid is a high-performance, proxy/caching server for clients that support FTP, Gopher, and HTTP requests. Because the caching software never needs to fork (or copy) itself (except for FTP), it is faster than most proxy servers. Squid has the following features:

  • Is implemented with nonblocking I/O

  • Caches metadata and hot objects in RAM

  • Supports nonblocking Domain Name System (DNS) lookups

  • Implements negative caching of both objects and DNS lookups

  • Can arrange caches hierarchically, which improves response time and reduces bandwidth consumption

In Internet Express, the Squid subset consists of:

  • Squid and its associated programs.

  • A report-generating tool called Calamaris. Calamaris generates reports by parsing Squid log files.

Squid is derived from the ARPA-funded Harvest project.

Use the Squid Proxy/Caching Server Administration menu to perform the following tasks:

  • Reinitialize the Disk Cache

  • Cache Manager Interface

  • Rotate log files

  • Display Access Statistics

  • Start/Stop the Squid Proxy/Caching Server

Configuring the Squid Proxy/Caching Server

Because system needs vary, Internet Express does not install a fully configured Squid Proxy/Caching Server. You might need to edit some of the values in the Squid configuration file, /usr/internet/squid/etc/squid.conf, to meet the needs of your system. For example, you might need to edit the cache_mem and cache_swap values in squid.conf and specify the amount of RAM memory and hard disk space, respectively, to devote to caching. You can find guidelines to configure and run Squid on an Internet Express system in the /usr/internet/docs/squid directory. The documentation includes:

  • QUICKSTART—Describes how to specify the values in the squid.conf file that must be set to reflect the needs of your system. The document includes information on configuring a parent cache, the firewall, local domains, cache memory, access control lists, and other information.

Reinitializing the Disk Cache

To reinitialize the disk cache for the Squid Proxy/Caching Server, follow these steps:

  1. From the Administration utility Main menu, choose Manage Components.

  2. Under Proxy on the Manage Components menu, choose Squid Proxy/Caching Server.

  3. From the Squid Proxy/Caching Server Administration menu, choose Reinitialize the Disk Cache.

  4. Click on Submit to remove all pages from the disk cache.

    To cancel this operation, use the navigation bar at the top of the page.

If the disk cache does not exist, the Reinitialize Disk Cache operation creates it for you. (The disk cache is automatically created when you start the Squid Proxy/Caching Server for the first time.)

Managing the Squid Proxy/Caching Server

To manage the Squid Proxy/Caching Server from the Administration utility, follow these steps:

  1. From the Administration utility Main menu, choose Manage Components.

  2. Under Proxy on the Manage Components menu, choose Squid Proxy/Caching Server.

  3. From the Squid Proxy/Caching Server Administration menu, choose Cache Manager Interface.

  4. On the Cache Manager Interface form, specify the Cache Host, Cache Port, Password, and URL of the cache you will manage.

    A password is required only for the Cache Configuration File, Cache Log, and Shutdown Cache operations. Initially, no passwords are set for these operations; therefore, they are inaccessible. To allow access to any of these operations, edit the squid.conf file and add one or more cachemgr_passwd tags, indicating the password for each operation. A password of none allows unrestricted access to the operation, without a password. For example, the following line specifies the password secret for all three operations:

    cachemgr_passwd  secret  log  shutdown  squid.conf

    See the comments in the squid.conf file for more information on setting passwords for Cache Manager operations.

    A URL is required only for the Refresh Object operation.

  5. Use the Operation list box to select an operation and click on Submit. Only the Shutdown Cache and Refresh Object operations perform an action; the rest display statistical information only.

  6. Restart Squid with the following command line:

    /sbin/init.d/squid_8080 restart

  7. When a Squid Proxy/Caching Server operation completes, a statistics report or status screen appears. Use the Submit button at the top of the page to refresh the statistical information for the current operation (shown in the list box), or request another statistics report by choosing an operation from the list box and clicking on Submit.

    To return to the Cache Manager Interface form, choose Empty Form from the list box and click on Submit.

  8. Click on Reset at the bottom of the Cache Manager Interface form to reset to the default settings on the form.
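Because a cachemgr_passwd tag with the password none exposes an operation to anyone who can reach the Cache Manager port, it is worth checking squid.conf for that setting before enabling the interface. The following Python script is an added example, not a tool shipped with Internet Express or Squid, that reads the cachemgr_passwd tags from squid.conf text and reports the state of the three protected operations (squid.conf, log, shutdown). The two configuration fragments in the script are constructed: the first opens everything with none all, the second follows the line shown in step 4. The lookup treats a line naming the action as overriding a line using all, and treats the Squid keyword disable as switching the action off; an action with no tag at all is reported as inaccessible, as the text above describes.

```python
SENSITIVE_ACTIONS = ("squid.conf", "log", "shutdown")

# Constructed squid.conf fragments for the two states an administrator should compare.
SQUID_CONF_WEAK = """
# every Cache Manager operation, including shutdown, needs no password
cachemgr_passwd none all
"""

SQUID_CONF_FIXED = """
# the three protected operations need a secret; read-only reports stay open
cachemgr_passwd secret log shutdown squid.conf
cachemgr_passwd none info utilization
"""


def parse_cachemgr_passwd(conf):
    """Return {action: password} from every cachemgr_passwd tag in the text.
    Comments are stripped; the first tag naming an action is kept (assumed
    behaviour of the lookup, used here so duplicate tags are noticed)."""
    table = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 3 or parts[0] != "cachemgr_passwd":
            continue
        password, actions = parts[1], parts[2:]
        for action in actions:
            table.setdefault(action, password)
    return table


def cachemgr_audit(conf, actions=SENSITIVE_ACTIONS):
    """Classify each action: unset (inaccessible), open (none), disabled, or protected."""
    table = parse_cachemgr_passwd(conf)
    report = {}
    for action in actions:
        password = table.get(action, table.get("all"))
        if password is None:
            report[action] = "unset (inaccessible)"
        elif password == "none":
            report[action] = "OPEN: no password required"
        elif password == "disable":
            report[action] = "disabled"
        else:
            report[action] = "password-protected"
    return report


def open_sensitive_actions(conf):
    """Names of protected operations that the configuration leaves open."""
    return [a for a, state in cachemgr_audit(conf).items() if state.startswith("OPEN")]
```

Running open_sensitive_actions over the real /usr/internet/squid/etc/squid.conf (read the file and pass its text) gives the list of operations that need a cachemgr_passwd line before the Cache Manager Interface is exposed.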

Rotating Log Files

The Administration utility lets you control whether Squid rotates its log files (access.log, cache.log, and store.log) once per day. When the log files are rotated, each log file in the Squid log directory (/usr/internet/squid/logs) is renamed with the appropriate .n suffix.

The Rotate Logfiles option lets you specify the maximum number of rotated log files that are saved. Daily and combined status reports are generated after the log files are rotated. You can view these reports using the Display Access Statistics option (see Displaying Access Statistics).

To rotate log files, follow these steps:

  1. From the Administration utility Main menu, choose Manage Components.

  2. Under Proxy on the Manage Components menu, choose Squid Proxy/Caching Server.

  3. From the Squid Proxy/Caching Server Administration menu, choose Rotate log files.

    The Rotate Logfiles page shows the current state of the log files rotation and the number of log files to save.

  4. Choose Enable to rotate the indicated number of log files. When the log files have been successfully rotated, the Administration utility displays a confirmation message.

    To change the number of saved log files, type over the number in the Number of Logfiles to Save box and choose Modify. The next time log files are rotated, the new number of files will be saved.

    Choose Reset to clear the number of log files and Disable to turn off logfile rotation.

Displaying Access Statistics

The Administration utility lets you display a summary of proxy statistics based on data from the current log file or from data saved when the log files were last rotated (see Rotating Log Files).

To display access statistics, follow these steps:

  1. From the Administration utility Main menu, choose Manage Components.

  2. Under Proxy on the Manage Components menu, choose Squid Proxy/Caching Server.

  3. From the Squid Proxy/Caching Server Administration menu, choose Display Access Statistics.

    A status report named squid_access_log.tcl is displayed providing a summary of proxy statistics.
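The reports above are built from access.log. As an added example (not the Calamaris tool or the squid_access_log.tcl report of Internet Express), the following Python script parses Squid's native access.log record layout (timestamp, elapsed milliseconds, client, result-code/status, bytes, method, URL, ident, hierarchy/peer, content type) and produces the figures an administrator looks for first: request count, hit ratio, bytes served, the heaviest clients, and which clients were refused (TCP_DENIED), which is the quickest sign of a misconfigured or probing host. The log lines are constructed samples, one of them deliberately malformed to show that bad lines are counted rather than silently skipped. Counting any result code containing HIT as a hit is a simplification of how Calamaris classifies results.

```python
import re
from collections import Counter

# Constructed sample in Squid native access.log format; not a real log.
SAMPLE_ACCESS_LOG = """\
1057598400.123    120 16.1.2.3 TCP_MISS/200 5123 GET http://www.example.com/ - DIRECT/192.0.2.10 text/html
1057598401.456     12 16.1.2.3 TCP_HIT/200 5123 GET http://www.example.com/ - NONE/- text/html
1057598402.789    300 16.1.2.4 TCP_MISS/200 20480 GET http://www.example.org/big.gz - DIRECT/192.0.2.20 application/x-gzip
1057598403.000      2 192.0.2.99 TCP_DENIED/403 1000 GET http://www.example.com/ - NONE/- text/html
this line is not a Squid log record
1057598404.500     50 16.1.2.4 TCP_IMS_HIT/304 200 GET http://www.example.com/logo.gif - NONE/- image/gif
"""

LINE_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<ident>\S+)\s+(?P<hier>\S+)\s+(?P<type>\S+)\s*$"
)


def parse_line(line):
    """One native-format record -> dict with numeric fields converted, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["elapsed"] = int(rec["elapsed"])
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def summarize(lines):
    """Aggregate an iterable of access.log lines into a small statistics report."""
    total = hits = denied = bytes_total = malformed = 0
    bytes_by_client = Counter()
    denied_by_client = Counter()
    status_counts = Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        total += 1
        bytes_total += rec["bytes"]
        bytes_by_client[rec["client"]] += rec["bytes"]
        status_counts[rec["status"]] += 1
        if "HIT" in rec["code"]:
            hits += 1
        if rec["code"] == "TCP_DENIED":
            denied += 1
            denied_by_client[rec["client"]] += 1
    return {
        "requests": total,
        "malformed": malformed,
        "hit_ratio": round(hits / total, 3) if total else 0.0,
        "bytes": bytes_total,
        "denied": denied,
        "denied_clients": denied_by_client.most_common(3),
        "top_clients": bytes_by_client.most_common(3),
        "status": dict(status_counts),
    }


def summarize_text(text):
    return summarize(text.splitlines())
```

To run it against a rotated file, pass the lines of /usr/internet/squid/logs/access.log.0 (or whichever .n suffix you want) to summarize; the same function works on the current access.log.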

Controlling the Squid Proxy/Caching Server

To control the Squid Proxy/Caching Server, follow these steps:

  1. From the Administration utility Main menu, choose Manage Components.

  2. Under Proxy on the Manage Components menu, choose Squid Proxy/Caching Server.

  3. From the Squid Proxy/Caching Server Administration menu, choose Start/Stop the Squid Proxy/Caching Server.

    The Start/Stop the Squid Proxy/Caching Server page shows the current state of the server.

  4. If the server is running, you can either stop or restart the server.

    If the server is stopped, your only option is to start the server.