Sun Java System Web Proxy Server User Interface
The Routing Tab
The Routing tab contains the following pages:
The Enable/Disable Proxying Page
The Enable/Disable Proxying page can be used to turn proxying on or off for resources. Resources can be individual URLs, groups of URLs with something in common, or an entire protocol. You can control whether proxying is on for the entire server, for various resources, or for resources as specified in a template file. This means you can deny access to one or more URLs by turning off proxying for that resource. This can be a global way to deny or allow all access to a resource.
The following elements are displayed:
Select. Click this button after selecting a resource from the drop-down list.
Regular Expression. Specify a regular expression. For more information, see "Understanding Regular Expressions" in the Proxy Server Administration Guide.
Enabling Proxying. You can select one of the following options for enabling proxy for the resource you specified:
- Use Default Setting Derived From A More General Resource. The settings for a more general resource that includes this one will be used for this resource.
- Do Not Proxy This Resource. This resource cannot be reached through the proxy.
- Enable Proxying Of This Resource. The proxy lets clients access this resource (provided they pass the other security and authorization checks). When you enable proxying for a resource, all methods are enabled. The read methods, including GET, HEAD, PUT, INDEX, POST, and CONNECT for SSL tunneling, and the write methods, including PUT, MKDIR, RMDIR, MOVE, and DELETE, are all enabled for that resource. Barring any other security checks, clients all have read and write access.
OK. Saves your entries.
Reset. Erases your changes and resets the elements in the page to the values that they contained before your changes.
The Set Routing Preferences Page
The Set Routing Preferences page is used to configure your Proxy Server to route certain resources using the derived default configuration or direct connections, or through proxy arrays, ICP neighborhood, another proxy server, or a SOCKS server.
The following elements are displayed:
Select. Click this button after selecting a resource from the drop-down list.
Regular Expression. Specify a regular expression. For more information, see "Understanding Regular Expressions" in the Proxy Server Administration Guide.
Routing Through Another Proxy. Select the type of routing you would like for the resource you are configuring from the following:
- Derived Default Configuration. The Proxy Server uses a more general template (that is, one with a shorter, matching regular expression) to determine if it should use the remote server or another proxy. For example, if the proxy routes all http://.* requests to another proxy server and all http://www.* requests to the remote server, you could create a derived default configuration routing for http://www.example.* requests, which would then go directly to the remote server because of the setting for the http://www.* template.
- Direct Connections. The request will always go directly to the remote server instead of through another proxy.
- Route Through SOCKS Server. The requests for the specified resource will be routed through a SOCKS server. If you select this option, you need to specify the name or IP address and the port number of the SOCKS server that the Proxy Server will route through.
- Route Through. Specify whether you would like to route through a proxy array, ICP neighborhood, redirect, parent array, and proxy server by selecting the relevant check boxes. If you select multiple routing methods, the proxy will follow the hierarchy shown on the page (proxy array, parent array, ICP, another proxy). For more information on routing through a proxy server, see “Chaining Proxy Servers” in the Proxy Server Administration Guide.
For information on routing through a SOCKS server, see “Routing Through a SOCKS Server” in the Proxy Server Administration Guide.
OK. Saves your entries.
Reset. Erases your changes and resets the elements in the page to the values that they contained before your changes.
The Forward Client Credentials Page
The Forward Client Credentials page is used to configure the proxy to send client credentials to the remote server.
The following elements are displayed:
Select. Click this button after selecting a resource from the drop-down list.
Regular Expression. Specify a regular expression. For more information, see "Understanding Regular Expressions" in the Proxy Server Administration Guide.
Client IP Addressing Forwarding. The Proxy Server does not send the client’s IP address to remote servers when making requests for documents. Instead, the proxy acts as the client and sends its IP address to the remote server. However, there are times when you might want to pass on the client’s IP address:
Select one of the options to configure the proxy to send client IP addresses:
- Default. Enables the Proxy Server to forward the client’s IP addresses.
- Blocked. Does not allow the proxy to forward the client’s IP addresses.
- Enabled Using HTTP Header. You can specify an HTTP header for the proxy to use when forwarding IP addresses. The default HTTP header is named Client-ip, but you can send the IP address in any header you choose.
Client Proxy Authentication Forwarding. Select one of the options to configure the proxy to send the client’s authentication details:
Client Cipher Forwarding. Select one of the options to configure the proxy to send the name of the client’s SSL/TLS cipher suite to remote servers:
- Default. Enables the Proxy Server to forward the name of the client’s SSL/TLS cipher suite to remote servers.
- Blocked. Does not allow the proxy to forward the name of the client’s SSL/TLS cipher suite to remote servers.
- Enabled Using HTTP Header. You can specify an HTTP header for the proxy to use when forwarding the name of the client’s SSL/TLS cipher suite to remote servers. The default HTTP header is named Proxy-cipher, but you can send the name of the client’s SSL/TLS cipher suite in any header you choose.
Client Keysize Forwarding. Select one of the options to configure the proxy to send the size of the client’s SSL/TLS key to remote servers:
- Default. Enables the Proxy Server to forward the size of the client’s SSL/TLS key to remote servers.
- Blocked. Does not allow the proxy to forward the size of the client’s SSL/TLS key to remote servers.
- Enabled Using HTTP Header. You can specify an HTTP header for the proxy to use when forwarding the size of the client’s SSL/TLS key to remote servers. The default HTTP header is named Proxy-keysize, but you can send the size of the client’s SSL/TLS key in any header you choose.
Client Secret Keysize Forwarding. Select one of the options to configure the proxy to send the size of the client’s SSL/TLS secret key to remote servers:
- Default. Enables the Proxy Server to forward the size of the client’s SSL/TLS secret key to remote servers.
- Blocked. Does not allow the proxy to forward the size of the client’s SSL/TLS secret key to remote servers.
- Enabled Using HTTP Header. You can specify an HTTP header for the proxy to use when forwarding the size of the client’s SSL/TLS secret key to remote servers. The default HTTP header is named Proxy-secret-keysize, but you can send the size of the client’s SSL/TLS secret key in any header you choose.
Client SSL Session ID Forwarding. Select one of the options to configure the proxy to send the client’s SSL/TLS session ID to remote servers:
- Default. Enables the Proxy Server to forward the client’s SSL/TLS session ID to remote servers.
- Blocked. Does not allow the proxy to forward the client’s SSL/TLS session ID to remote servers.
- Enabled Using HTTP Header. You can specify an HTTP header for the proxy to use when forwarding the client’s SSL/TLS session ID to remote servers. The default HTTP header is named Proxy-ssl-id, but you can send the client’s SSL/TLS session ID in any header you choose.
Client Issuer DN Forwarding. Select one of the options to configure the proxy to send the distinguished name of the issuer of the client’s SSL/TLS certificate to remote servers:
- Default. Enables the Proxy Server to forward the distinguished name of the issuer of the client’s SSL/TLS certificate to remote servers.
- Blocked. Does not allow the proxy to forward the distinguished name of the issuer of the client’s SSL/TLS certificate to remote servers.
- Enabled Using HTTP Header. You can specify an HTTP header for the proxy to use when forwarding the distinguished name of the issuer of the client’s SSL/TLS certificate to remote servers. The default HTTP header is named Proxy-issuer-dn, but you can send the name of the issuer of the client’s SSL/TLS certificate in any header you choose.
Client User DN Forwarding. Select one of the options to configure the proxy to send the distinguished name of the subject of the client’s SSL/TLS certificate to remote servers:
- Default. Enables the Proxy Server to forward the distinguished name of the subject of the client’s SSL/TLS certificate to remote servers.
- Blocked. Does not allow the proxy to forward the distinguished name of the subject of the client’s SSL/TLS certificate to remote servers.
- Enabled Using HTTP Header. You can specify an HTTP header for the proxy to use when forwarding the distinguished name of the subject of the client’s SSL/TLS certificate to remote servers. The default HTTP header is named Proxy-user-dn, but you can send the name of the subject of the client’s SSL/TLS certificate in any header you choose.
Client SSL/TLS Certificate Forwarding. Select one of the options to configure the proxy to send the client’s SSL/TLS certificate to remote servers:
- Default. Enables the Proxy Server to forward the client’s SSL/TLS certificate to remote servers.
- Blocked. Does not allow the proxy to forward the client’s SSL/TLS certificate to remote servers.
- Enabled Using HTTP Header. You can specify an HTTP header for the proxy to use when forwarding the client’s SSL/TLS certificate to remote servers. The default HTTP header is named Proxy-auth-cert, but you can send the client’s SSL/TLS certificate in any header you choose.
Client Cache Information Forwarding. Select one of the options to configure the proxy to send information about local cache hits to remote servers:
- Default. Enables the Proxy Server to forward the information about local cache hits to remote servers.
- Blocked. Does not allow the proxy to forward the information about local cache hits to remote servers.
- Enabled Using HTTP Header. You can specify an HTTP header for the proxy to use when forwarding information about local cache hits to remote servers. The default HTTP header is named Cache-info, but you can send the information about local cache hits in any header you choose.
Set Basic Authentication Credentials. Select one of the options to configure the proxy to send an HTTP request:
OK. Saves your entries.
Reset. Erases your changes and resets the elements in the page to the values that they contained before your changes.
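The headers described on this page are only as trustworthy as the connection they arrive on, so the remote server should honour them only when the peer is the proxy itself. The following is an added example, not code from the Proxy Server or its documentation: an origin-side check that uses the default header names listed above, with a constructed proxy address (192.0.2.10) and a hypothetical function name `resolveClient`.

```javascript
// Default header names from the Forward Client Credentials page, lowercased.
const FORWARDED = ["client-ip", "proxy-cipher", "proxy-keysize",
  "proxy-secret-keysize", "proxy-ssl-id", "proxy-issuer-dn",
  "proxy-user-dn", "proxy-auth-cert", "cache-info"];

// Constructed address: the only peer allowed to assert client details.
const TRUSTED_PROXIES = new Set(["192.0.2.10"]);

// Strict dotted-quad check so a list or free text in Client-ip is rejected.
const IPV4 = /^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}$/;

// peerAddress: address of the TCP peer as seen by the remote server.
// headers: request headers as a plain object (names in any case).
function resolveClient(peerAddress, headers) {
  // Collect only the forwarding headers, normalised to lowercase names.
  const seen = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (FORWARDED.includes(key)) seen[key] = String(value).trim();
  }

  // A request that did not come through the proxy cannot vouch for itself:
  // ignore every forwarding header and fall back to the socket address.
  if (!TRUSTED_PROXIES.has(peerAddress)) {
    return { clientIp: peerAddress, userDn: null,
             ignored: Object.keys(seen).sort() };
  }

  // From the proxy: accept Client-ip only if it is a single IPv4 literal.
  const ignored = [];
  let clientIp = peerAddress;
  if ("client-ip" in seen) {
    if (IPV4.test(seen["client-ip"])) clientIp = seen["client-ip"];
    else ignored.push("client-ip");
  }
  return { clientIp, userDn: seen["proxy-user-dn"] || null, ignored };
}
```

Logging the `ignored` list on the remote server shows which requests carried forwarding headers without coming through the proxy.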
The Check Java IP Address Page
The Check Java IP Address page is used to enable Java IP address checking support for the Proxy Server.
To maintain your network’s security, your client may have a feature that restricts access to only certain IP addresses. The Proxy Server provides support for Java IP Address Checking that enables your clients to query the Proxy Server for the IP address used to retrieve a resource. When this feature is enabled, a client can request the Proxy Server to send the IP address of the origin server, and the Proxy Server will attach the IP address in a header. Once the client knows the IP address of the origin server, it can explicitly specify that the same IP address be used for future connections.
The following elements are displayed:
Select. Click this button after selecting a resource from the drop-down list.
Regular Expression. Specify a regular expression. For more information, see "Understanding Regular Expressions" in the Proxy Server Administration Guide.
Java IP Address Check. Select the radio button to enable, disable, or use the default configuration for Java IP address checking.
OK. Saves your entries.
Reset. Erases your changes and resets the elements in the page to the values that they contained before your changes.
The Create/Edit Autoconfiguration File Page
The Create/Edit Autoconfiguration File page is used to create an autoconfiguration file. The page lists any autoconfiguration files you have on your proxy’s machine. You can click the autoconfiguration file to edit it.
The following elements are displayed:
URI (from client). Type an optional URI (the path portion of a URL) that clients will use when getting the autoconfiguration file from the proxy. For example, type / to let clients access the file as the proxy’s main document (similar to an index.html file for a web server). Clients would then use only the domain name when accessing the proxy for the autoconfiguration file. You can use multiple URIs and create separate autoconfiguration files for each URI.
PAC File. Type a name for the autoconfiguration file using the .pac extension. If you have one file, you might call it simply proxy.pac. All autoconfiguration files are ASCII text files with a single JavaScript™ function. For more information on the syntax of the files, see "Creating the Autoconfiguration Files Manually" in the Proxy Server Administration Guide.
Reset. Erases your changes and resets the elements in the page to the values that they contained before your changes.
OK. Another page appears. Use this page to create an autoconfiguration file. The items on the page are followed in order by the client. These are the items on the page:
- Never Go Direct To Remote Server. Tells Netscape Navigator to always use your proxy. You can specify a second proxy server to use in case your Proxy Server isn’t running.
- Go Direct To Remote Server When. Lets you bypass the Proxy Server on certain occasions. Navigator determines those occasions in the order the options are listed on the page:
- Connecting To Non-fully Qualified Domain Name Host Names. Tells Navigator to go to a server directly when the user specifies only the computer name. For example, if there is an internal web server called example.mysite.com, the user might type only http://example instead of the fully qualified domain name. In this case, Navigator goes directly to the web server instead of to the proxy.
- Connecting To A Host In Domain. Lets you specify up to three domain names that Navigator can access directly. When specifying the domains, begin with the dot character. For example, you could type .example.com.
- Connecting To A Resolvable Host. Makes Navigator go directly to the server when the client can resolve the host. This option is typically used when DNS is set to resolve only local (internal) hosts. The clients would use a proxy server when connecting to servers outside of the local network.
- Connecting To A Host In Subnet. Makes Navigator go directly to the server when the client accesses a server in a particular subnet. This option is useful when an organization has many subnets in a geographical area. For example, some companies might have one domain name that applies to subnets around the world, but each subnet is specific to a particular region.
- Except When Connecting To Hosts. Specifies exceptions to the rule of going directly to a server. For example, if you type .example.com as a domain to which to go directly, you could make an exception for going to home.example.com. This tells Navigator to use your proxy when going to home.example.com but go directly to any other server in the example.com domain.
- Secondary Failover Proxy. Specifies a second proxy to use if your Proxy Server is not running.
- Failover Direct. Tells Navigator to go directly to the servers if your Proxy Server is not running. If you specify a secondary failover proxy, Navigator tries the second proxy server before going directly to the server.
Reset. Erases your changes and resets the elements in the page to the values that they contained before your changes.
OK. Creates the autoconfiguration file. The file is stored in the directory server-root/proxy-id/pac. You will get a confirmation message that the file was created correctly. Repeat the preceding steps to create as many autoconfiguration files as you need.
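The options above map onto a single JavaScript function in the autoconfiguration file. The following is an added example, not the file the Proxy Server generates: it covers the non-fully qualified name, domain, subnet, exception and failover options, with constructed host names, addresses and port, a hypothetical helper `proxyChain`, and small stand-ins for the helper functions a browser supplies to autoconfiguration files so that it runs outside a browser.

```javascript
// --- Stand-ins for helpers the browser's PAC engine provides ---
const CONSTRUCTED_DNS = {               // constructed sample records
  "build.example.com": "10.1.2.9",
  "home.example.com": "10.1.2.10",
};
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}
function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}
function isInNet(host, pattern, mask) {
  const ip = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) ? host : CONSTRUCTED_DNS[host];
  if (!ip) return false;
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(pattern) & m) >>> 0);
}

// --- The autoconfiguration logic ---
// Builds the return value: primary proxy, optional Secondary Failover Proxy,
// and DIRECT last only when Failover Direct is selected.
function proxyChain(secondary, failoverDirect) {
  var chain = ["PROXY proxy.example.com:8080"];   // constructed proxy address
  if (secondary) chain.push("PROXY " + secondary);
  if (failoverDirect) chain.push("DIRECT");
  return chain.join("; ");
}

function FindProxyForURL(url, host) {
  // Failover Direct is off here: if both proxies are down, requests fail
  // instead of leaving the network without passing through a proxy.
  var viaProxy = proxyChain("proxy2.example.com:8080", false);

  // Except When Connecting To Hosts: tested first so that the exception
  // wins over the broader ".example.com" rule below.
  if (host === "home.example.com") return viaProxy;

  // Connecting To Non-fully Qualified Domain Name Host Names
  if (isPlainHostName(host)) return "DIRECT";

  // Connecting To A Host In Domain: the leading dot keeps look-alike
  // names such as notexample.com from matching.
  if (dnsDomainIs(host, ".example.com")) return "DIRECT";

  // Connecting To A Host In Subnet
  if (isInNet(host, "10.1.0.0", "255.255.0.0")) return "DIRECT";

  return viaProxy;
}
```

With Failover Direct selected, `proxyChain` ends the list with `DIRECT`, so a client whose proxies are unreachable connects to remote servers without going through the proxy at all.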
The Set Connectivity Mode Page
The Set Connectivity Mode page is used to set the connectivity mode of the Proxy Server. This feature makes it convenient to install the proxy on a portable machine that you can use for demonstrations.
When the proxy is disconnected from the network, documents are returned directly from the cache. The proxy cannot do up-to-date checks, so the documents are retrieved very quickly.
Also, if you are not connected to a network, connections never hang because the Proxy Server is aware that there is no network and never tries to connect to a remote server. You can use this no-network setting when the network is down but the Proxy Server machine is running.
Note
Running the proxy disconnected from the network results in accessing stale data from the cache and also makes the proxy security features unnecessary.
The following elements are displayed:
Select. Click this button after selecting a resource from the drop-down list.
Regular Expression. Specify a regular expression. For more information, see "Understanding Regular Expressions" in the Proxy Server Administration Guide.
Connectivity Mode. There are four network connectivity modes. Select one of the options:
- Default Mode. Derived from the configuration of the most general matching object.
- Normal Mode. Normal operating mode for the proxy. The proxy retrieves documents from the content server if they are not already in the cache. If they are in the cache, they may be checked against the content server to determine if they are up to date. If a cached file has changed, it is replaced with the current copy.
- Fast-demo Mode. Intended for giving effective demonstrations when the network is available. If a document is found in the cache, the content server is not contacted, not even to find out if the document has changed. This mode gets rid of any latency created by waiting for the content server to respond. If a document is not in the cache, it is retrieved from the content server and cached. The fast-demo mode has less latency than the normal mode, but can occasionally return stale data, because once it has a copy of a document, it does not do up-to-date checks on it.
- No-network Mode. Designed for portable machines during the time they are not connected to the network. The proxy returns the document if it is in the cache or returns an error if it is not there. The proxy never tries to contact the content server, which prevents the proxy from hanging and timing out while trying to get a connection that does not exist.
OK. Saves your entries.
Reset. Erases your changes and resets the elements in the page to the values that they contained before your changes.
The Set FTP Mode Page
The Set FTP Mode page is used to change the Default FTP Transfer Mode.
File Transfer Protocol (FTP) has two different ways to establish a data connection between the FTP server and the client where the proxy acts as a client. The two modes are referred to as PASV (Passive) and PORT (Active) mode FTP.
Some FTP sites run a firewall, which makes PASV mode non-functional for proxy servers. Because of this, the Proxy Server can be configured to use the PORT mode FTP. You can turn on PORT mode for the entire server, or you can turn it on only for specific FTP servers.
The following elements are displayed:
Select. Click this button after selecting a resource from the drop-down list. Please select an FTP resource to configure the PASV/PORT mode setting.
Regular Expression. Specify a regular expression. For more information, see "Understanding Regular Expressions" in the Proxy Server Administration Guide.
FTP Transfer Mode. There are three transfer modes:
- Default
- Passive Mode (PASV). The data connection is initiated from the Proxy Server, and the FTP server accepts the connection. This is safer for the site running the Proxy Server because it does not have to accept inbound connections.
- Active Mode (PORT). The data connection is initiated by the remote FTP server, and the proxy accepts the incoming connection. If the Proxy Server is within a firewall, the firewall might block the incoming FTP data connection from the FTP server, which means the PORT mode might not work.
OK. Saves your entries.
Reset. Erases your changes and resets the elements in the page to the values that they contained before your changes.
The Set SOCKS Name Server Page
The Set SOCKS Name Server page is used to specify the SOCKS name server IP address.
If your proxy is configured to make its outbound connections through a SOCKS server, you may need to explicitly specify the IP address for the name server to be used with SOCKS.
You should specify the name server IP address if you are resolving outside host names with a DNS server other than an internal DNS service that is inside the firewall.
The following elements are displayed:
SOCKS Name Server IP Address. Specify the IP address of the DNS name server.
OK. Saves your entries.
Reset. Erases your changes and resets the elements in the page to the values that they contained before your changes.
The Configure HTTP Request Load Balancing Page
The Configure HTTP Request Load Balancing page is used to distribute the load among the specified origin servers.
The following elements are displayed:
Select. Click this button after selecting a resource from the drop-down list.
Regular Expression. Specify a regular expression. For more information, see "Understanding Regular Expressions" in the Proxy Server Administration Guide.
Server. Specify the URL of an origin server. If multiple server parameters are given, the Proxy Server will distribute the load among the specified origin servers.
Sticky Cookie. Specify the name of the cookie that when present in a response will cause subsequent requests to stick to that origin server. The default value is JSESSIONID.
Sticky Parameter. Specify the name of a URI parameter to inspect for route information. When the URI parameter is present in a request URI and its value contains a colon, followed by a route ID, the request will “stick” to the origin server identified by that route ID. The default value is jsessionid.
Route Header. Specify the name of the HTTP request header used to communicate route IDs to origin servers. The default value is proxy-jroute.
Route Cookie. Specify the name of the cookie generated by the Proxy Server when it encounters a sticky cookie in a response. The default value is JROUTE.
Rewrite Host. Click the appropriate option to indicate whether the Host HTTP request header is rewritten to match the host specified by the server parameter.
Rewrite Location. Click the appropriate option to indicate whether Location HTTP response headers that match the server parameter should be rewritten.
Rewrite Content Location. Click the appropriate option to indicate whether Content-location HTTP response headers that match the server parameter should be rewritten.
Rewrite Header Name. Select the checkbox to indicate whether the headername HTTP response headers that match the server parameter should be rewritten, where headername is a user-defined header name.
OK. Saves your entries.
Reset. Erases your changes and resets the elements in the page to the values that they contained before your changes.