APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

Netscape Proxy Server


© February 1999 Tony Lawrence

Proxy Server is no longer offered by SCO. See Squid for a similar product.

SCO sells Netscape Proxy Server (part # LA449-XX70-2.5, list price $525.00) as an add-on for the Fastrack and OSR5 releases. A 60-day evaluation is also available on the Optional Services CDs shipped with current products.

A typical use for Proxy Server is to allow a network of Windows PCs using false IP addresses to access the Internet through the SCO Unix server. This is generally more efficient and cost effective than running multiple phone lines to each PC or getting real IP addresses for every machine (see Setting up a small office network).

If that's all you need Proxy Server for, the setup and implementation is probably the simplest of any Unix product sold: install it, point your Windows browsers at it, and that's all. The default configuration sets it running on port 8080, and you really don't need to change anything at all for it to work.

Of course, you do need to have previously set up a PPP connection (see Quick PPP setup) or other connection to your ISP from the machine that will be running Proxy Server, and it's probably going to need to be up all the time if you have more than a few users on the network. But configuring the Windows machines is simplicity itself (they already have to have TCP/IP connectivity, of course). For Internet Explorer, you can simply choose View-Options-Connection, and then click on "Connect through a Proxy Server". Then click the "Settings" button next to that and tell it to use the SCO box (typing in the IP address is fine) for all protocols, giving it the port 8080. For Netscape Communicator, it's under Preferences; click the arrow beside "Advanced" so that its drop-down sub-menus appear, and choose proxies.

There is one installation error that you will want to fix (though it does not affect your immediate use): Netscape creates the directory /usr/usr/internet/ns_proxy/extras. This needs to be /usr/internet/ns_proxy/extras. To correct that error (it was Netscape's, not SCO's), simply:

mv /usr/usr/internet/ns_proxy/extras /usr/internet/ns_proxy/extras
 

You'll probably also find that the installation has temporarily killed your manual pages and on-line help: just run "scohttp start" to fix that.

That's it. Probably as boring as you're ever going to get for a Unix install.

But wait, there's more!

Of course there's more. A whole bunch more. But to get to any of that, you need to call up the Netscape Administration Server. As you may know, Netscape administers all its servers through the same general interface. By default, that's on port 446 for Proxy Server, so you point your browser at https://localhost:446. You'll be asked for a user name and password. The user name is "admin" and the password will be whatever the root password was when this was installed.

Prior to 5.0.4, things were a little different. See https://aplawrence.com/cgi-bin/ta.pl?arg=105743

If you have changed the password and forgotten it, there is a manual method of wiping it out detailed at https://aplawrence.com/cgi-bin/ta.pl?arg=105271

You may have an immediate problem where the Administration Server refuses to let you in, claiming that you are an "Unauthorized Host". That's because after authorizing you as the admin user, it translated "localhost" into your actual machine name and tried to access "https://your_machine:446/admin-serv/bin/index". Just highlight the machine name and change it back to "localhost" and you'll be in.

Or, you can fix this by cd'ing to /usr/internet/ns-proxy, issuing a ./stop-admin, and then editing ./admserv/ns-admin.conf to comment out the Hosts and Addresses lines. You'll have the opportunity with the Administration tool to re-specify what hosts/addresses are allowed to administer the server. In most cases, you'll want the Server Name and Allowed Hosts to be the same, because that's usually where you'd be administrating from.

If you've never had any other Netscape server products installed on your system, then the only thing offered for administration is the proxy server you just installed. By default it will show up as "8080", which is (remember?) the port number it runs on. You can actually have multiple instances of Proxy Server running on different ports, each configured for a different purpose. The license you get says that you can have as many as you want, but there are, of course, other limitations.

Warning

I found it remarkably easy to completely screw up the access control so that everything was forbidden to everyone. There are on-line docs that are installed when the product is added (you'll find them under the "Internet Family Documentation" link), and there are help buttons throughout the server administration tools. I recommend reading this article and the online help files slowly and completely before messing with a live configuration.

There is also a very nice "roll-back" feature, that lets you restore configuration files when you do screw up. While certainly helpful, it's undoubtedly better to understand what you are doing first. There is also the fact that changes add up faster than you may at first realize, and the default level of rollback allowed may get eaten up very quickly, making it impossible for you to get back to where you really want to be without restoring actual backups or reinstalling.

There are references throughout the documentation and within the Server Administration to configuring a Socks Server. However, this is actually not possible: see https://aplawrence.com/cgi-bin/ta.pl?arg=105809

Restricting Access

My purpose here is not to debate the wisdom or morality of censorship. I have my own opinions on that, but my opinions are not necessarily yours. The Proxy Server does provide for configuration of access control. Whether or not you choose or even need to use these features is up to you.

When testing access changes, be aware of your browser's cache settings. An access that appears to work or not work may be coming from cache rather than from the Proxy Server. Always choose Refresh (Internet Explorer) or Reload (Netscape).

Also be sure to stop and restart the server. For some changes, the Administration Server either does this or specifically tells you that you need to attend to this yourself, but I've found it's not always reliable. Although it may not always be necessary, make it a habit to stop and restart (it's the first option in System Settings).

Finally, you may find (I did) that the permissions on the access control files /usr/internet/ns_proxy/httpacl/* were not correct for the administration server to update them. Running Software Verification for Proxy Server did not correct this. The files should be owned by "nouser" (assuming that you haven't changed the Server User under System Specifics).

No Microsoft!

For our first restriction, I really can't think of any site I have less use for than anything at Microsoft. Therefore, let's restrict it. Start by clicking "Access Control" on the top menu bar. Click the "Regular Expression" button, and then type in "https://.*microsoft.*". Click "OK", then click "Turn on Access Control". Save and apply the changes as directed (and being aware of possible ownership problems mentioned above). Now go back to "System Settings", and stop and restart the server.

At this point, you should find that your network browsers that are pointing at this proxy can no longer access anything with "microsoft" in the name. By default they get the normal "Forbidden" screen instead, but you could customize this to send a particular text file. That file might explain that the access is restricted, but that if the person has some real need to visit a particular site that matches the wildcard in use, the administrator could allow it (probably by creating a more specific wildcard that matches the desired site and allowing access to that).

There are other ways to accomplish the same thing. You can create templates that specify wildcards or URLs. After creation, the template names also appear in the access lists, and you can turn access control on or off as desired. One advantage to templates is that they are easy to get rid of; the regular expressions created directly in Access Control don't seem to have any method provided for their removal other than hand-editing the configuration files (not a great idea unless and until you really understand them). Another is that if the pattern turns out not to be exactly as desired, you can edit it, which is somewhat easier than defining an over-riding pattern.

If that isn't good enough, you can set up a file that contains a list of sites that you WILL allow access to. If you do that, the links to anything other than what you've specified as OK are dead: no forbidden, no messages, no errors; they just don't work at all. This is particularly useful if the management needs to give access to certain sites, but is afraid that workers will abuse their internet privileges if they do. By specifying the sites that are the only allowed access, the access becomes completely under management's control.

The opposite of this is to set up a list of denied sites. Trying to access one of these will send a "Forbidden" message (or a specific text file if you wish).
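An added example (not from the original article and not Netscape's code): a small Python model for checking deny and allow patterns against sample URLs before applying them to a live proxy. It assumes whole-URL regular-expression matching and that the last matching rule wins; neither is documented Proxy Server behaviour, and the sample URLs and the names decide, audit and surprises are constructed for illustration.

```python
import re

# Model assumptions (not documented Proxy Server behaviour): a pattern must
# match the whole URL, and the LAST matching rule decides the outcome.
def decide(url, rules, default="allow"):
    verdict = default
    for action, pattern in rules:
        if re.fullmatch(pattern, url):
            verdict = action
    return verdict

def audit(rules, samples, default="allow"):
    """Return {url: verdict} so a rule set can be reviewed before it goes live."""
    return {url: decide(url, rules, default) for url in samples}

def surprises(rules, expected, default="allow"):
    """URLs whose verdict differs from what the administrator intended."""
    got = audit(rules, expected, default)
    return sorted(u for u, want in expected.items() if got[u] != want)

# Constructed sample URLs mapped to the outcome the administrator intends.
EXPECTED = {
    "https://www.microsoft.com/": "deny",
    "https://support.microsoft.com/kb/": "allow",
    "https://example.org/reviews/microsoft-mouse.html": "allow",
    "https://example.org/": "allow",
}

# The article's pattern: blocks any URL containing "microsoft" anywhere.
BROAD = [("deny", r"https://.*microsoft.*")]

# Host-anchored deny plus a more specific allow, as the article suggests.
NARROW = [
    ("deny", r"https://([^/]*\.)?microsoft\.com(/.*)?"),
    ("allow", r"https://support\.microsoft\.com(/.*)?"),
]

# Allow-list mode: everything is denied unless a rule allows it.
ALLOW_LIST = [("allow", r"https://example\.org(/.*)?")]

if __name__ == "__main__":
    print("broad pattern surprises:", surprises(BROAD, EXPECTED))
    print("narrow rules surprises: ", surprises(NARROW, EXPECTED))
    for url, verdict in audit(ALLOW_LIST, EXPECTED, default="deny").items():
        print(f"allow-list {verdict:5} {url}")
```
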

There's quite a bit more to Proxy Server, but you can probably see that it gives you complete control over browsing. As it is the lack of such control that is management's typical complaint, Proxy Server is the answer.
