Netscape Proxy Server
Proxy server is no longer offered by SCO. See Squid for a similar product
SCO sells Netscape Proxy Server (part # LA449-XX70-2.5, list
price $525.00) as an add on for the Fastrack and OSR5 releases. A
60 day evaluation is also available on the Optional Services CD's
shipped with current products.
A typical use for Proxy Server is to allow a network of Windows
PC's using false IP addresses to access the Internet through the
SCO Unix server. This is generally more efficient and cost
effective than running multiple phone lines to each PC or getting
real IP addresses for every machine (see Setting up a small office network).
If that's all you need Proxy Server for, the set up and
implementation is probably the most simple of any Unix product
sold: install it, point your Windows browsers at it, and that's
all. The default configuration sets it running on port 8080, and
you really don't need to change anything at all for it to work.
Of course, you do need to have previously set up a PPP
connection (see Quick PPP
setup) or other connection to your ISP from the machine that
will be running Proxy Server, and it's probably going to need to be
up all the time if you have more than a few users on the network.
But configuring the Windows machines is simplicity itself (they
already have to have tcp/ip connectivity, of course). For Internet
Explorer, you can simply choose View-Options-Connection, and then
click on "Connect through a Proxy Server". Then click the
"Settings" button next to that and tell it to use the SCO box
(typing in the IP address is fine) for all protocols, giving it the
port 8080. For Netscape Communicator, it's under Preferences; click
the arrow beside "Advanced" so that its drop-down sub-menus appear,
and choose proxies.
There is one installation error that you will want to fix
(though it does not affect your immediate use): Netscape creates
the directory /usr/usr/internet/ns_proxy/extras. This needs to be
/usr/internet/ns_proxy/extras. To correct that error (it was
Netscape's, not SCO's), simply:
mv /usr/usr/internet/ns_proxy/extras /usr/internet/ns_proxy/extras
You'll probably also find that the installation has temporarily
killed your manual pages and on-line help: just run "scohhtp start"
to fix that.
That's it. Probably as boring as your ever going to get for a
But wait, there's more!
Of course there's more. A whole bunch more. But to get to any of
that, you need to call up the Netscape Administration Server. As
you may know, Netscape administrates all it's servers through the
same general interface. By default, that's on port 446 for Proxy
Server, so you point your browser at http://localhost:446. You'll
be asked for a user name and password. The user name is "admin" and
the password will be whatever the root password was when this was
Prior to 5.0.4, things were a little different. See
If you have changed the password and forgotten it, there is a
manual method of wiping it out detailed at http://aplawrence.com/cgi-bin/ta.pl?arg=105271
You may have an immediate problem where the Administration
Server refuses to let you in, claiming that you are an
"Unauthorized Host". That's because after authorizing you as the
admin user, it translated "localhost" into your actual machine name
and tried to access "http://your_machine:446/admin-serv/bin/index".
Just highlight the machine name and change it back to "localhost"
and you'll be in.
Or, you can fix this by cd'ing to /usr/internet/ns-proxy,
issuing a ./stop-admin, and then editing ./admserv/ns-admin.conf to
comment out the Hosts and Addresses lines. You'll have the
opportunity with the Administration tool to re-specify what
hosts/addresses are allowed to administer the server. In most
cases, you'll want the Server Name and Allowed Hosts to be the
same, because that's usually where you'd be administrating
If you've never had any other Netscape server products installed
on your system, then the only thing offered for administration is
the proxy server you just installed. By default it will show up as
"8080", which is (remember?) the port number it runs on. You can
actually have multiple instances of Proxy Server running on
different ports, each configured for a different purpose. The
license you get says that you can have as many as you want, but
there are, of course, other limitations.
I found it remarkably easy to completely screw up the access
control so that everything was forbidden to everyone. There are
on-line docs that are installed when the product is added (you'll
find them under the "Internet Family Documentation" link) , and
there are help buttons throughout the server administration tools.
I recommend reading this article and the online help files slowly
and completely before messing with a live configuration.
There is also a very nice "roll-back" feature, that lets you
restore configuration files when you do screw up. While certainly
helpful, it's undoubtedly better to understand what you are doing
first. There is also the fact that changes add up faster than you
may at first realize, and the default level of rollback allowed may
get eaten up very quickly, making it impossible for you to get back
to where you really want to be without restoring actual backups or
There are references throughout the documentation and
within the Server Administration to configuring a Socks Server.
However, this is actually not possible: see http://aplawrence.com/cgi-bin/ta.pl?arg=105809
My purpose here is not to debate the wisdom or morality of
censorship. I have my own opinions on that, but my opinions are not
necessarily yours. The Proxy Server does provide for configuration
of access control. Whether or not you choose or even need to use
these features is up to you.
When testing access changes, be aware of your browser's
cache settings. An access that appears to work or not work may be
coming from cache rather than from the Proxy Server. Always choose
Refresh (Internet Explorer) or Reload (Netscape).
Also be sure to stop and restart the server. For some
changes, the Administration Server either does this or specifically
tells you that you need to attend to this yourself, but I've found
it's not always reliable. Although it may not always be necessary,
make it a habit to stop and restart (it's the first option in
Finally, you may find (I did) that the permissions on the
access control files /usr/internet/ns_proxy/httpacl/* were not
correct for the administration server to update them. Running
Software Verification for Proxy Server did not correct this. The
files should be owned by "nouser" (assuming that you haven't
changed the Server User under System Specifics).
For our first restriction, I really can't think of any site I
have less use for than anything at Microsoft. Therefore, let's
restrict it. Start by clicking "Access Control" on the top menu
bar. Click the "Regular Expression" button, and then type in
"http://.*microsoft.*". Click "OK", then click "Turn on Access
Control". Save and apply the changes as directed (and being aware
of possible ownership problems mentioned above). Now go back to
"System Settings", and stop and restart the server.
At this point, you should find that your network browsers that
are pointing at this proxy can longer access anything with
"microsoft" in the name. The default is that they instead get the
normal "Forbidden" screen, but you could customize this to send a
particular text file instead that might explain that the access is
restricted, but that if the person has some real need to visit a
particular site that matches the wildcard in use, the administrator
could allow it (probably by creating a more specific wildcard that
matches the desired site and allowing access to that).
There are other ways to accomplish the same thing. You can
create templates that specify wild cards or urls. After creation,
the template names also appear in the access lists, and you can
turn on or off access control as desired. One advantage to
templates is that they are easy to get rid of; the regular
expressions created directly in Access Control don't seem to have
any method provided for their removal other than hand-editing the
configuration files (not a great idea unless and until you really
understand them). Another is that if the pattern turns out not to
be exactly as desired, you can edit it, which is somewhat easier
than defining an over-riding pattern.
If that isn't good enough, you can set up a file that contains a
list of sites that you WILL allow access to. If you do that, the
links to anything other than what you've specified as OK are dead-
no forbidden, no messages, no errors- they just don't work at all.
This is particularly useful if the management needs to give access
to certain sites, but is afraid that workers will abuse their
internet privileges if they do. By specifying specific sites than
are the only allowed access, the access becomes completely under
The opposite of this is to set up a list of denied sites. Trying
to access one of these will send a "Forbidden" message (or a
specific text file if you wish).
There's quite a bit more to Proxy Server, but you can probably
see that it gives you complete control over browsing. As it is the
lack of such control that is management's typical complaint, Proxy
Server is the answer.
If this page was useful to you, please help others find it:
More Articles by Tony Lawrence
- Find me on Google+
This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more. We appreciate comments and article submissions.