Chapter 10 Proxy Services Administration

Table of Contents

The Internet Express Administration utility lets you manage the following Proxy service components:

Dante SOCKS Server – A circuit-level firewall/proxy server that can be used to provide convenient and secure network connectivity to a wide range of hosts (Section : Dante SOCKS Server Administration).
Squid Proxy/Caching Server – A high-performance, proxy/caching server for clients that supports FTP, Gopher, and HTTP requests (Section : Squid Proxy/Caching Server Administration).

Dante SOCKS Server Administration

The Dante SOCKS Server is a circuit-level firewall/proxy server that can be used to provide convenient and secure network connectivity to a wide range of hosts. (The system on which the Dante SOCKS Server runs must have external network connectivity.) Once installed, the Dante SOCKS Server can be made transparent to clients (in most cases) and offers the server administrator detailed access control and logging facilities.

SOCKS is a networking proxy protocol that enables hosts on one side of a SOCKS server to gain full access to hosts on the other side of the server, without requiring a direct IP connection. A SOCKS server redirects connection requests from hosts on opposite sides of a SOCKS server, authenticates and authorizes the requests, and establishes a proxy connection to relay data. It is commonly used as a network firewall that enables hosts behind a SOCKS server to gain full access to the Internet, while preventing unauthorized access from the Internet to the internal hosts.

The Dante SOCKS Server implements the SOCKS protocol and can function as a firewall between networks. It includes an extension to the SOCKS Version 4 and Version 5 protocols that provides a more generic bind functionality, similar to functionality that non-SOCKS programs expect. It relays TCP and UDP both from outside the network and from inside the network.




	Note: SOCKS Version 4 does not support authentication nor the UDP proxy. SOCKS Version 5 supports a variety of authentication methods and the UDP proxy.

Controlling the Dante SOCKS Server

The Dante SOCKS Server (/usr/local/sbin/sockd) is a daemon that runs all the time. To control the server, you first stop the running daemon, then proceed to restart the server. To stop and restart the Dante SOCKS Server from the Administration utility:

From the Manage Components menu, under Proxy, choose Dante SOCKS Proxy Server. The Dante SOCKS Server Administration form is displayed, showing that the server is running (the default).
To stop the server, click on Stop. A message is displayed indicating that the Dante SOCKS Server is stopped.
To restart the server, use the navigation bar to return to the Dante SOCKS Server Administration form and click on Start. A message is displayed indicating that the Dante SOCKS Server is running.

In a TruCluster environment, the Dante SOCKS Server Administration form displays all SOCKS servers that are running or stopped. When you click on Stop, all servers are stopped. Similarly, when you click on Start, all servers are started. If several servers are in a started and stopped state, clicking on Start will let the running servers continue running while restarting the stopped server.

For information on controlling the Dante SOCKS Server outside the Administration utility, see the sockd(8) reference page.

Configuring the Dante SOCKS Server

You configure the Dante SOCKS Server by editing the /etc/sockd.conf configuration file. This file controls both access controls and logging and is divided into two parts, server settings and rules.

To use the Dante SOCKS Server, you must specify valid information in the method, client pass, and pass fields in /etc/sockd.conf. For example, to allow all users to connect without authentication, you could specify:

method: none

To allow any connections from area 16 to any other address in area 16, you could specify:

client pass {
	  from: 16.0.0.0/255.0.0.0 port 1-65535 to: 0.0.0.0/0
}
pass {
	  from: 16.0.0.0/255.0.0.0 to: 16.0.0.0/255.0.0.0
	  log: connect error
}




	Note: These code examples are for illustration only. Your actual code would be much more restrictive.

For more information, see the sockd.conf(5) reference page.

The configuration file for the SOCKS client library, /etc/socks.conf, allows control over logging and server selection. It is divided into two parts, miscellaneous settings and routes. See the socks.conf(5) reference page for complete information.

Accessing Dante SOCKS Information

Documentation for the Dante SOCKS Server is available in the /usr/internet/docs/dante/ directory.

Configuration file examples can be found in /usr/internet/docs/dante/example.

Additional information about the Dante SOCKS Server can be found at the following Web site:

http://www.inet.no/dante

Squid Proxy/Caching Server Administration

Squid is a high-performance, proxy/caching server for clients that support FTP, Gopher, and HTTP requests. Because the caching software never needs to fork (or copy) itself (except for FTP), it is faster than most proxy servers. Squid has the following features:

Is implemented with nonblocking I/O
Caches metadata and hot objects in RAM
Supports nonblocking Domain Name System (DNS) lookups
Implements negative caching of both objects and DNS lookups
Can arrange caches hierarchically, which improves response time and reduces bandwidth consumption

In Internet Express, the Squid subset consists of:

Squid and its associated programs.
A report-generating tool called Calamaris. Calamaris generates reports by parsing Squid log files.
Support for SmartFilter, the Web filtering service from Secure Computing.

Squid is derived from the ARPA-funded Harvest project.

The Internet Express version of the Squid Proxy Server includes support for the URL filtering service, SmartFilter, from Secure Computing . See the following Web site for more information:

http://www.securecomputing.com

See also Section : Using Smartfilter for more information about this service.

Use the Squid Proxy/Caching Server Administration menu to perform the following tasks:

Reinitialize the disk cache (see Section : Reinitializing the Disk Cache)
Manage the Squid Proxy/Caching Server through the Cache Manager Interface (see Section : Managing the Squid Proxy/Caching Server).
Rotate log files (Section : Rotating Log Files).
Display access statistics (Section : Displaying Access Statistics).
Start or stop the Squid Proxy/Caching Server (Section : Controlling the Squid Proxy/Caching Server).

Configuring the Squid Proxy/Caching Server

Because system needs vary, Internet Express does not install a fully configured Squid Proxy/Caching Server. You might need to edit some of the values in the Squid configuration file, /usr/internet/squid/etc/squid.conf, to meet the needs of your system. For example, you might need to edit the cache_mem and cache_swap values in squid.conf and specify the amount of RAM memory and hard disk space, respectively, to devote to caching. You can find guidelines to configure and run Squid on an Internet Express system in the /usr/internet/docs/squid directory. The documentation includes:

QUICKSTART—Describes how to specify the values in the squid.conf file that must be set to reflect the needs of your system. The document includes information on configuring a parent cache, the firewall, local domains, cache memory, access control lists, and other information.

Reinitializing the Disk Cache

To reinitialize the disk cache for the Squid Proxy/Caching Server, follow these steps:

From the Administration utility Main menu, choose Manage Components.
Under Proxy on the Manage Components menu, choose Squid Proxy/Caching Server.
From the Squid Proxy/Caching Server Administration menu, choose Reinitialize the Disk Cache.
Click on Submit to remove all pages from the disk cache.
To cancel this operation, use the navigation bar at the top of the page or the navigation bar at the top of the page.

If the disk cache does not exist, the Reinitialize Disk Cache operation creates it for you. (The disk cache is automatically created when you start the Squid Proxy/Caching Server for the first time.)

Managing the Squid Proxy/Caching Server

To manage the Squid Proxy/Caching Server from the Administration utility, follow these steps:

From the Administration utility Main menu, choose Manage Components.
Under Proxy on the Manage Components menu, choose Squid Proxy/Caching Server.
From the Squid Proxy/Caching Server Administration menu, choose Cache Manager Interface.
On the Cache Manager Interface form, specify the Cache Host, Cache Port, Password, and URL of the cache you will manage.
A password is required only for the Cache Configuration File, Cache Log, and Shutdown Cache operations. Initially, no passwords are set for these operations; therefore, they are inaccessible. To allow access to any of these operations, edit the squid.conf file and add one or more cachemgr_passwd tags, indicating the password for each operation. A password of none allows unrestricted access to the operation, without a password. For example, the following line specifies the password secret for all three operations:
cachemgr_passwd secret log shutdown squid.conf
See the comments in the squid.conf file for more information on setting passwords for Cache Manager operations.
A URL is required only for the Refresh Object operation.
Use the Operation list box to select an operation and click on Submit. Only the Shutdown Cache and Refresh Object operations perform an action; the rest display statistical information only.
Restart Squid with the following command line:
/sbin/init.d/squid_8080 restart
When a Squid Proxy/Caching Server operation completes, a statistics report or status screen appears. Use the Submit button at the top of the page to refresh the statistical information for the current operation (shown in the list box), or request another statistics report by choosing an operation from the list box and clicking on Submit.
To return to the Cache Manager Interface form, choose Empty Form from the list box and click on Submit.
Click on Reset at the bottom of the Cache Manager Interface form to reset to the default settings on the form.

Rotating Log Files

The Administration utility lets you control whether Squid will rotate the log files (access.log, cache.log, and store.log) once per day. When you rotate the log file s, each log file in the Squid log directory (usr/internet/squid/logs) is renamed with the appropriate .n suffix.

The Rotate Logfiles option lets you specify the maximum number of rotated log files that are saved. Daily and combined status reports are generated after the log files are rotated. You can view these reports using the Display Access Statistics option (see Section : Displaying Access Statistics).

To rotate log files, follow these steps:

From the Administration utility Main menu, choose Manage Components.
Under Proxy on the Manage Components menu, choose Squid Proxy/Caching Server.
From the Squid Proxy/Caching Server Administration menu, choose Rotate log files.
The Rotate Logfiles page shows the current state of the log files rotation and the number of log files to save.
Choose Enable to rotate the indicated number of log files. When the log files have been successfully rotated, the Administration utility displays a confirmation message.
To change the number of saved log files, type over the number in the Number of Logfiles to Save box and choose Modify. The next time log files are rotated, the new number of files will be saved.
Choose Reset to clear the number of log files and Disable to turn off logfile rotation.

Displaying Access Statistics

The Administration utility lets you display a summary of proxy statistics based on data from the current logfile or from data saved when the log files were last rotated (see Section : Rotating Log Files).

To display access statistics, follow these steps:

From the Administration utility Main menu, choose Manage Components.
Under Proxy on the Manage Components menu, choose Squid Proxy/Caching Server.
From the Squid Proxy/Caching Server Administration menu, choose Display Access Statistics.
A status report named squid_access_log.tcl is displayed providing a summary of proxy statistics.

Controlling the Squid Proxy/Caching Server

To control the Squid Proxy/Caching Server, follow these steps:

From the Administration utility Main menu, choose Manage Components.
Under Proxy on the Manage Components menu, choose Squid Proxy/Caching Server.
From the Squid Proxy/Caching Server Administration menu, choose Start/Stop the Squid Proxy/Caching Server.
The Start/Stop the Squid Proxy/Caching Server page shows the current state of the server.
If the server is running, you can either stop or restart the server.
If the server is stopped, your only option is to start the server.

Using Smartfilter

Secure Computing's SmartFilter product and subscription service allows you to configure and manage Web site access. The subscription service provides you with a frequently updated database of Web sites that are sorted into various categories. Access to these sites can be allowed or disallowed according to your own site policies.

The SmartFilter documentation set has been included in the /usr/internet/squid/smartfilter directory. Table 10-1 lists the documentation files.

Table 10-1 SmartFilter Documentation Files

Filename	Description
`SFOverview.pdf`	Detailed overview of the SmartFilter product
`ReleaseNotes.pdf`	Release note information
`SFConfig.pdf`	Smartfilter configuration and management information




	Note: You should ignore the installation section of the `SFConfig.pdf` document. These steps have already been included in the Internet Express Version 6.1 kit. Also, no Tru64 UNIX sections have as yet been added to the SmartFilter documentation set. HP recommends following the instructions for Linux or Solaris, substituting the `/usr/internet/squid` directory whenever a root directory for the Squid installation is used.

Enabling SmartFilter

Before enabling SmartFilter, contact Secure Computing and obtain a license. Provide the following information, obtained directly from Secure Computing:

An Activation Key
An FTP User name used for retrieving the URL database
An FTP Password

By default, SmartFilter is disabled. To configure and enable SmartFilter, run the following script:

/usr/internet/squid/smartfilter/configure_sf.sh

After running this script, stop and restart Squid for the changes to take effect:

/sbin/init.d/squid_8080 stop
/sbin/init.d/squid_8080 start

Managing SmartFilter

You can manage the SmartFilter administration manually, using a browser-based interface.

The Administration Agent provides a simple HTTP browser-based interface for reloading the configuration files and initiating a manual download of the SmartFilter Control List. Using this interface, you can manually edit the SmartFilter configuration files and load the revised files to the proxy plug-in software.

To access the HTTP browser-based interface:

If you are using encrypted communications, enter the following string in the address field of your browser:
https://hostname: port
where port is the port you entered when you installed the proxy plug-in software.
If you are not using encrypted communications, enter the following string in the address field of the browser:
http://hostname: port
where port is the port you entered when you installed the proxy plug-in software.

See the Browser Interface information in the SmartFilter Installation and Configuration Guide at the following location:

/usr/internet/squid/smartfilter/SFConfig.pdf

Configuring SmartFilter to Query an OpenLDAP Directory

To configure SmartFilter to query OpenLDAP for user and group information:

Modify the squid.conf file:
1. Uncomment the smartfilter_userinfo_program and smartfilter_userinfo_children options. You can set the value of smartfilter_userinfo_children to suit your environment.
2. Specify a basic authentication scheme and specify the following as the value of the program parameter:
  /usr/internet/squid/libexec/squid_ldap_auth -b <your_base_dn>
Ensure that you have specified user and group information in the /usr/internet/squid/etc/users.txt file. See the /usr/internet/squid/smartfilter/SFConfig.pdf file for more details.
Modify the config.txt file to specify a directory service with ldap_type1 as the type of directory service. See the /usr/internet/squid/smartfilter/SFConfig.pdf file for details on how to do this.
Ensure that the corresponding users and groups are created in your OpenLDAP directory.

Using SmartFilter's Premier Control List

Secure Computing has made available a Premier version of sfcontrol, the SmartFilter Control List. The Premier version is called sfpcontrol. Either of the control lists can be used with the version of SmartFilter packaged with Internet Express.

There are two methods to make use of a list other than sfcontrol. The assumption is that SmartFilter has already been configured using the /usr/internet/squid/smartfilter/configure_sf.sh script. The two methods are:

Copy the list from the SmartFilter ftp site to sfcontrol in /usr/internet/squid/etc/sfcontrol.
If you are downloading the control list via the SmartFilter Administration Tool, edit the /usr/internet/squid/etc/config.txt file to specify the correct file name in the ftp_path option.

In each case, Squid needs to be restarted for the changes to take effect. Restart Squid with the following command:

/sbin/init.d/squid_8080 restart

At SmartFilter configuration time, you can choose to download the control list at SmartFilter Agent startup. You will automatically get the sfcontrol version of the Control List.

If you would like to download the Premier version of the Control List, you must use one of the preceding methods to overwrite the standard version.

For additional information on the Premier Control List, see the following URL:

http://www.securecomputing.com