Sambar Server Documentation

Proxy Functionality


Proxy Overview
The Sambar Server proxy functionality allows many computers on a local network to connect to the Internet from a single (dynamic) IP address. The Sambar Server proxy also provides limited firewalling of the local network systems from the Internet. Note: Attacks based on IP spoofing can penetrate the Sambar Server proxy (in a limited fashion). Packet routing must be used in addition to the Sambar Server to prevent access through the IP network layer.

The Sambar Server proxy functionality includes the following:

  • Proxy server for HTTP, HTTPS, FTP (via HTTP)
  • Native FTP proxy
  • Gateway for SMTP, POP3 and IMAP4
  • IP address security filtering of connections
  • Remote-proxy utilization (ISP caching proxy)

If your ISP provides a high-performance caching proxy which you wish to take advantage of, the Sambar Server proxy can be configured to utilize your ISP's proxy for HTTP and HTTPS requests. The Remote Proxy configuration entry can be used to directy Sambar Server proxy requests via your ISPs proxy. In addition to the Remote Proxy configuration parameter, the Remote Proxy Port and Remote Proxy Authorization can be configured for forwarding requests. The Remote Proxy Authorization allows you to specify the username:password that should be forwarded for proxy Basic authentication. The Remote Proxy must be left blank if you are not using your ISPs proxy. The Remote Proxy feature is not available for FTP at this time.

Lastly, the Sambar Server proxy provides no caching. All HTTP requests are passed through without interpretation or modification. There are presently no plans to implement a caching engine; I believe the benefits of "sophisticated" cache engines will diminish as web content becomes more dynamic and Secure Sockets Layer sessions become more prevalent. Lastly, I believe web site operators have valid concerns about copyright violations (since caching requires copying the content) and the ability to accurately monitor hit rates when caching proxies are placed between the user and site.

TCP/IP Configuration
To use the Sambar Server proxy functionality, all hosts must be configured with TCP/IP. In addition, DNS and network routing must be properly configured among machines. Contact your System Administrator or network consultant with questions on network setup.

The Sambar HTTP Server and HTTP Proxy share the same port, so if the HTTP server is changed to run on a port other than 80, the HTTP Proxy will also run on this new port.

Client/Browser Configuration

Important: <your machine> refers to the machine on which the Sambar Server is installed.

Netscape Version 4

  1. Open the Netscape Communicator Web Browser.
  2. Select the Edit menu.
  3. Select the Preferences menu item.
  4. Click on the plus (+) in front of the Advancced tree control.
  5. Click the Proxies item.
  6. Select Manual Proxy Configuration radio button and click the view button.
  7. Type <your machine> in the HTTP Proxy: field and 80 in the port field.
  8. Type <your machine> in the Security Proxy: field and 80 in the port field.
  9. Type <your machine> in the FTP Proxy: field and 80 in the port field.
  10. Type <your machine:80> in the No Proxies for: field.
  11. Click the OK button to close the dialog box

Microsoft Internet Explorer

  1. Open the Microsoft Internet Explorer Web Browser.
  2. Open the Tools menu.
  3. Select the Internet Options menu item.
  4. Click on the Connections tab.
  5. Click on the Lan Settings button.
  6. Select Connect through a proxy server.
  7. Click on the Settings button.
  8. Type the following settings in the Servers section:
    HTTP:   <your machine> 	Port:	80
    

    Leave all other field blank.

  9. Click the OK button to close the Proxy Settings dialog box.
  10. Click the OK button to close the Options dialog box.

Note: With version 6.0 beta 5 and later releases, it is recommended you select the "Advanced" tab and check "Use HTTP/1.1 thru Proxy Connections".

Lastly, if your clients are using the Sambar Proxy Server as well as the Sambar HTTP Server, they must configure the No Proxy for: field of their browser to the Sambar HTTP Server, port 80. For Internet Explorer, the "bypass proxy servre for local internet addresses" should be turned on.

Proxy Filtering

If enabled via the config/config.ini, Proxy Word Filter, the HTTP Proxy can be used to block inappropriate sites via either the config/wordlist.ini word filter, config/hostlist.ini host filter, or the config/urllist.ini URL filter lists. These lists are loaded at server startup and are used to examine all HTTP proxy activity. The HOST list filter matches just the IP address or host name from the URL (i.e. playboy.com). The URL list may contain wild-card characters to match a broader range of URLs, i.e. http://www.playboy.com/*. Finally, the config/whitelist.ini can be used to allow access to sites that otherwise might match against the config/wordlist.ini.

One side-effect of enabling HTTP proxy filtering is that all HTTP requests sent through the proxy have the header Accept-Encoding stripped. As a result, servers that can send compressed content (currently, the Sambar Server and IIS) will not do so, allowing the resulting content to be word-scanned for inappropriate content.

Mail

SMTP, POP3 and IMAP4 messages can be forwarded to their respective servers via the Sambar Server. The Sambar Server must first be configured with the appropriate Internet servers (via the browser-based administration interface). Once configured, your mail client must be configured to contact the Sambar Server for SMTP, POP3 and/or IMAP4 requests. In essence, your client mailer believes that the Sambar Server is its mail server (while mail is transparently forwarded via the Internet to the real server (typically on your ISPs machine.

The Sambar Server can act as a native SMTP server, but SMTP is not suitable for dial-up lines because computers working as SMTP servers must have a permanent/full-time connection to the Internet to receive e-mail (dynamic IP addresses are not appropriate), and SMTP servers are responsible for message delivery including store and forward should be destination be unreachable for some period.

POP3 Proxy Options

The POP3 Enhanced mode allows users to over-ride the default POP3 proxy configured in the Sambar Server with one of their own choosing. When enhanced mode is enabled, users can modify their POP3 username to append the # symbol followed by the POP3 server to which their mail request should forwarded.

So by default, if the Sambar Server POP3 Proxy Server is set to smtp.ix.netcom.com, then a proxy user with an email username of billybob would be directed to the smtp.ix.netcom.com mail server. If however, you wished to override the mail server and connect to an alternate server (i.e. mail.meer.net), you would configure your mail client with the following username:

billy-bob#mail.meer.net

With the above configuration, when the POP3 Proxy receives the mail request from billy-bob, it will direct the request to the mail.meer.net server rather than the default POP3 server. In addition to over-riding the mail server, you can use the POP3 Enhanced functionality to over-ride the port number as well. This feature can be used with products such as Norton AntiVirus 2000 which must run on port 110. To use the Sambar Proxy Server with a product that runs on port 110, you would run the POP3 proxy on another port (POP3 Port) and use the POP3 enhanced to connect to the remote server on port 110.

billy-bob#mail.meer.net:110

Important: In the above example, billy-bob#mail.meer.net will be used as the default return address unless you specify the correct one in your mail client. Make sure to configure your return address as your actual e-mail address>.

Note: The enahnced POP3 proxy does not support the AUTH feature of POP3 or IMAP4. So mail authentication mechanisms will be rejected (relatively few mail servers use AUTH-based authentication).

Important! When using both the WWW server and the proxy server, make sure to configure your browser (using the browser's Manual Proxy Settings) to not use the proxy server when accessing local servers.

security.ini

The HTTP proxy server includes IP security filtering. By default, this security filtering restricts HTTP proxy access to IP addresses in the range 140.175.165.0 to 140.175.165.255. You will receive a FORBIDDEN message if you attempt to connect via the HTTP proxy server from a machine other than one in this range. You should change the [proxyaccept] filter to one appropriate for the machines that will be accessing it.

FTP Proxy

The Sambar Server has three FTP features (which can be a bit confusing):

  • FTP browser-based proxy. This is for WWW browsers so that you can type: ftp://www.asite.com/. When configuring your client browser, the FTP browser proxy should be configured to the same port as the HTTP Proxy (port 80 by default).
  • FTP Server. This is off by default but can be used to upload files to the server (on port 21).
  • Native FTP Proxy. This is also off by default and also runs on port 21. Native (as opposed to browser-based) FTP Clients like CuteFTP can be configured to use the Sambar Server FTP Native Proxy to connect to sites on the internet (details below) using the username#remote-site proxy format. When the Sambar Server Native FTP Proxy sees a user request in this format, the request is directed to "remote-site" rather than the local FTP Server.

When a browser is told to use a server/port for FTP proxy, it bundles its FTP request in an HTTP stream and forwards it on to the proxy. The browser expects all communication with the proxy to take place in HTTP/HTML. The proxy then translates the request into FTP commands. So the communcation looks like:

browser --> [http + ftp header] PROXY --> [ftp] FTP-Server

When no proxy is specified, the browser issues FTP commands directly to the server:

browser --> [ftp] FTP-Server

This differs from the HTTP proxy stream which is a "simple" passthrough mechanism:

browser --> [http + proxy header] PROXY --> [http] HTTP-Server

In the HTTP proxy case, only the initial proxy header directive is manipulated and then a virtual circuit is formed between the browser and the server for all subsequent communication. The stream ends when either side fails to communicate within the Network Read Timeout duration configured in the server.

In the FTP proxy case, the server must translate HTML requests into FTP requests (effectively writting an FTP client for the middle tier). This is considerably more complex code and more error prone.

Native FTP Proxy

The Sambar server can proxy for FTP clients in addition to browser clients (as outlined in the section above). The native FTP proxy support allows FTP clients that can proxy using the USER user@host proxy capability.

The native FTP proxy operates by stripping the host from the USER login field and then connecting to the FTP server at that host site and acting as a proxy between the client and server. The FTP Host being connected to must run on port 21 and can use either standard or PASV transfers.

Bridge Proxy

The Bridge Proxy included with the Sambar Server is a relatively simple mechanism to map TCP traffic from one network to another. The Bridge proxy can be configured to listen to traffic destined for a specified TCP port (i.e. 8080) and then forward all requests to the same TCP port of the Bridge Server specified in the config.ini file. For example, to telnet from a machine on one side of the Sambar Server to a remote machine on the other side of the "firewall", you could use the Bridge Proxy to connect the session:

Bridge Port = 23
Act As Bridge Proxy = true
Bridge Server = www.remotehost.com

With the above configuration, you would telnet to the machine on which your Sambar Server is running and it would automatically forward your request to www.remotehost.com.

telnet sambarserver <--> Sambar Server <--> Telnet Daemon
localhost sambarserver www.remotehost.com

In fact, the NNTP, SMTP, POP3 and IMAP4 proxies operate exactly as the Bridge Proxy does -- for ease of installation and configuration, these three bridge proxies are set aside for various mail protocols. (Note: The FTP proxy does not operate in this manner; it must interpret the FTP protocol).

The Bridge Proxy can be used to trace client/server connections by configuring the Trace Bridge property in the config.ini file to true. See the Bridge Proxy Debugging documentation for details on using the Bridge Proxy for debugging.

To over-ride the port used by the Bridge Proxy when connecting to the bridge server, you can append a colon (:) followed by the new port to the Bridge Server definition (i.e. localhost:80).

TCP & UDP Proxies
For Pro Server users who need additional TCP or UDP port forwarding, the TCP Proxy and UDP Proxy directives can be used. The values of the TCP Proxy and UDP Proxy operate just as the Bridge Proxy does, except that the source and destination port must be the same.

TCP Proxy = www.test.com:9000
UDP Proxy = 999 www.test.com:69

The above directive cause the Sambar Server to establish a TCP listener on port 9000 and forward all TCP requests to port 9000 of the host www.test.com. The second directive results in the server establishing a UDP listener on port 999 and forward all UDP requests to port 69 of the host www.test.com.

© 1998-2000 Sambar Technologies. All rights reserved. Terms of Use.