Sambar Server Documentation
|
Proxy Functionality |
Proxy Overview The Sambar Server proxy functionality allows many computers on a local network to connect to the Internet from a single (dynamic) IP address. The Sambar Server proxy also provides limited firewalling of the local network systems from the Internet. Note: Attacks based on IP spoofing can penetrate the Sambar Server proxy (in a limited fashion). Packet routing must be used in addition to the Sambar Server to prevent access through the IP network layer.
The Sambar Server proxy functionality includes the following:
If your ISP provides a high-performance caching proxy which you wish to take advantage of, the Sambar Server proxy can be configured to utilize your ISP's proxy for HTTP and HTTPS requests. The Remote Proxy configuration entry can be used to directy Sambar Server proxy requests via your ISPs proxy. In addition to the Remote Proxy configuration parameter, the Remote Proxy Port and Remote Proxy Authorization can be configured for forwarding requests. The Remote Proxy Authorization allows you to specify the username:password that should be forwarded for proxy Basic authentication. The Remote Proxy must be left blank if you are not using your ISPs proxy. The Remote Proxy feature is not available for FTP at this time. Lastly, the Sambar Server proxy provides no caching. All HTTP requests are passed through without interpretation or modification. There are presently no plans to implement a caching engine; I believe the benefits of "sophisticated" cache engines will diminish as web content becomes more dynamic and Secure Sockets Layer sessions become more prevalent. Lastly, I believe web site operators have valid concerns about copyright violations (since caching requires copying the content) and the ability to accurately monitor hit rates when caching proxies are placed between the user and site. Warning! The Sambar Server proxy does not function well on Windows 95. Due to bugs in the TCP/IP stack on this platform the server becomes unstable and stops responding to requests or crashes. It is recommended you upgrade to Windows 98 or NT.
TCP/IP Configuration The Sambar HTTP Server and HTTP Proxy share the same port, so if the HTTP server is changed to run on a port other than 80, the HTTP Proxy will also run on this new port.
Client/Browser Configuration Important: <your machine> refers to the machine on which the Sambar Server is installed. Netscape Version 4
Netscape Version 2 & 3
Microsoft Internet Explorer Version 3
Important: Many users have reported problems using Microsoft Internet Explorer Version 4 with the Sambar Server proxy. Problems include "Bad Gateway" error messages and missing graphics. These problems are being debugged, but appear to be specific to IE4.X browsers. Lastly, if your clients are using the Sambar Proxy Server as well as the Sambar HTTP Server, they must configure the No Proxy for: field of their browser to the Sambar HTTP Server, port 80. For Internet Explorer, the "bypass proxy servre for local internet addresses" should be turned on.
Proxy Filtering If enabled via the config/config.ini, Proxy Word Filter, the HTTP Proxy can be used to block inappropriate sites via either the config/wordlist.ini word filter or the config/urllist.ini URL filter lists. These lists are loaded at server startup and are used to examine all HTTP proxy activity. The URL list may contain wild-card characters to match a broader range of URLs, i.e. http://www.playboy.com/*. In addition, the config/whitelist.ini can be used to allow access to sites that otherwise might match against the config/wordlist.ini. One side-effect of enabling HTTP proxy filtering is that all HTTP requests sent through the proxy have the header Accept-Encoding stripped. As a result, servers that can send compressed content (currently, the Sambar Server and IIS) will not do so, allowing the resulting content to be word-scanned for inappropriate content. SMTP, POP3 and IMAP4 messages can be forwarded to their respective servers via the Sambar Server. The Sambar Server must first be configured with the appropriate Internet servers (via the browser-based administration interface). Once configured, your mail client must be configured to contact the Sambar Server for SMTP, POP3 and/or IMAP4 requests. In essence, your client mailer believes that the Sambar Server is its mail server (while mail is transparently forwarded via the Internet to the real server (typically on your ISPs machine. The Sambar Server does not act as a native SMTP server. SMTP is not suitable for dial-up lines because computers working as SMTP servers must have a permanent/full-time connection to the Internet to receive e-mail (dynamic IP addresses are not appropriate), and SMTP servers are responsible for message delivery including store and forward should be destination be unreachable for some period. If these obstacles can be overcome, Sambar Technologies hopes to provide SMTP support in a future release. POP3 Proxy Options The POP3 Enhanced mode allows users to over-ride the default POP3 proxy configured in the Sambar Server with one of their own choosing. When enhanced mode is enabled, users can modify their POP3 username to append the # symbol followed by the POP3 server to which their mail request should forwarded.
So by default, if the Sambar Server POP3 Proxy Server is set to
smtp.ix.netcom.com, then a proxy user with an email username of
billybob would be directed to the smtp.ix.netcom.com mail server.
If however, you wished to override the mail server and connect to
an alternate server (i.e. mail.meer.net), you would configure your
mail client with the following username:
billy-bob#mail.meer.net
With the above configuration, when the POP3 Proxy receives the mail
request from billy-bob, it will direct the request to the
mail.meer.net server rather than the default POP3 server.
In addition to over-riding the mail server, you can use the
POP3 Enhanced functionality to over-ride the port number as well.
This feature can be used with products such as Norton AntiVirus 2000
which must run on port 110. To use the Sambar Proxy Server with
a product that runs on port 110, you would run the POP3 proxy on
another port (POP3 Port) and use the POP3 enhanced to connect to
the remote server on port 110.
billy-bob#mail.meer.net:110 Important: In the above example, billy-bob#mail.meer.net will be used as the default return address unless you specify the correct one in your mail client. Make sure to configure your return address as your actual e-mail address>. Note: The enahnced POP3 proxy does not support the AUTH feature of POP3 or IMAP4. So mail authentication mechanisms will be rejected (relatively few mail servers use AUTH-based authentication).
Dial-on-Demand The dial-on-demand configuration allows the user to configure the RAS entry, username, and password to use when connecting via the RAS interface. In addition, a timeout period is defined allowing the dial-up connection to be dropped after a fixed period of inactivity. Note: This feature has only be tested to work with PPP connections. Important! When using both the WWW server and the proxy server, make sure to configure your browser (using the browser's Manual Proxy Settings) to not use the proxy server when accessing local servers. This will prevent the server from auto-dialing out to the internet when only local pages are accessed.
security.ini The HTTP proxy server includes IP security filtering. By default, this security filtering restricts HTTP proxy access to IP addresses in the range 140.175.165.0 to 140.175.165.255. You will receive a FORBIDDEN message if you attempt to connect via the HTTP proxy server from a machine other than one in this range. You should change the [proxyaccept] filter to one appropriate for the machines that will be accessing it.
FTP Proxy The Sambar Server has three FTP features (which can be a bit confusing):
When a browser is told to use a server/port for FTP proxy, it bundles its FTP request in an HTTP stream and forwards it on to the proxy. The browser expects all communication with the proxy to take place in HTTP/HTML. The proxy then translates the request into FTP commands. So the communcation looks like:
browser --> [http + ftp header] PROXY --> [ftp] FTP-Server When no proxy is specified, the browser issues FTP commands directly to the server:
browser --> [ftp] FTP-Server This differs from the HTTP proxy stream which is a "simple" passthrough mechanism:
browser --> [http + proxy header] PROXY --> [http] HTTP-Server In the HTTP proxy case, only the initial proxy header directive is manipulated and then a virtual circuit is formed between the browser and the server for all subsequent communication. The stream ends when either side fails to communicate within the Network Read Timeout duration configured in the server. In the FTP proxy case, the server must translate HTML requests into FTP requests (effectively writting an FTP client for the middle tier). This is considerably more complex code and more error prone. Native FTP Proxy The Sambar server can proxy for FTP clients in addition to browser clients (as outlined in the section above). The native FTP proxy support allows FTP clients that can proxy using the USER user@host proxy capability. The native FTP proxy operates by stripping the host from the USER login field and then connecting to the FTP server at that host site and acting as a proxy between the client and server. The FTP Host being connected to must run on port 21 and can use either standard or PASV transfers.
Bridge Proxy The Bridge Proxy included with the Sambar Server is a relatively simple mechanism to map TCP traffic from one network to another. The Bridge proxy can be configured to listen to traffic destined for a specified TCP port (i.e. 8080) and then forward all requests to the same TCP port of the Bridge Server specified in the config.ini file. For example, to telnet from a machine on one side of the Sambar Server to a remote machine on the other side of the "firewall", you could use the Bridge Proxy to connect the session:
With the above configuration, you would telnet to the machine on which your Sambar Server is running and it would automatically forward your request to www.remotehost.com.
In fact, the NNTP, SMTP, POP3 and IMAP4 proxies operate exactly as the Bridge Proxy does -- for ease of installation and configuration, these three bridge proxies are set aside for various mail protocols. (Note: The FTP proxy does not operate in this manner; it must interpret the FTP protocol).
The Bridge Proxy can be used to trace client/server connections by configuring
the To over-ride the port used by the Bridge Proxy when connecting to the bridge server, you can append a colon (:) followed by the new port to the Bridge Server definition (i.e. localhost:80).
TCP & UDP Proxies
The above directive cause the Sambar Server to establish a TCP listener on port 9000 and forward all TCP requests to port 9000 of the host www.test.com. The second directive results in the server establishing a UDP listener on port 999 and forward all UDP requests to port 69 of the host www.test.com.
|
© 1998-2000 Sambar Technologies. All rights reserved. Terms of Use.