Configuring Apache on SLES 10 for Proxy Services
While BorderManager is an excellent solution for proxy services, it doesn’t run on Linux. As part of a transition from NetWare to an OES 2 Linux environment, an alternative to BorderManager needed to be found.
Knowing BorderManager’s features, I needed the solution to have at least the following features.
- Filtering – Rules
- Pass through Authentication – eDirectory
Because BorderManager is a full featured solution, this alternative lacks the following features.
- User interface – You must manually edit the configuration.
- Filter Defaults – BM has predefined “deny any any” filters.
- Client Trust for End Users – Manual Authentication
Security – We need to ensure that we can redirect requests, enforce authentication and prevent direct access to the Internet.
Caching – Act as a cache, storing frequently used and accessed sites, graphics, and other data to improve performance and lower bandwidth requirements.
Filtering – Because all http requests will go through the proxy server, set filters to determine which sites are deemed “unauthorized” to users. Whether they be inappropriate or potentially threatening.
Pass through Authentication – Authenticate clients via LDAP and eDirectory and verify limits of Internet access, if any. Thus preventing unauthorized users, i.e., vendors, contractors, from accessing the Internet.
You must have a firm understanding of Apache 2 to ensure your configuration is secure.
Apache 2 has a robust variety of modules that can be incorporated into it’s running configuration.
The additional modules we will use in this example are listed below.
mod_proxy – Main module for proxy services.
mod_proxy_http – Required module for mod_proxy.
mod_cache – Module for caching.
mod_disk_cache – Module for caching to disk.
mod_proxy_connect – Required module for mod_proxy.
mod_ssl – Needed for SSL/TLS connections.
mod_authnz_ldap – Module for LDAP authentication to eDirectory.
mod_ldap – Module for LDAP.
A full list of all Apache 2 modules can be found here:
The above modules are already included by default but we’ll need to add mod_authnz_ldap, mod_proxy_connect and mod_cache to the /etc/apache2/sysconfig.d/loadmodules.conf file.
Add these lines at the end of the file.
LoadModule authnz_ldap_module /usr/lib/apache2-worker/mod_authnz_ldap.so LoadModule proxy_connect_module /usr/lib/apache2-worker/mod_proxy_connect.so LoadModule cache_module /usr/lib/apache2-worker/mod_cache.so LoadModule disk_cache_module /usr/lib/apache2-worker/mod_disk_cache.so
Apache2 on SLES is very organized and non-intrusive with the way it is configured. Basically, if you want to add a configuration file to be included with Apache startup, create a new .conf file and place it in the /etc/apache2/conf.d/ directory and it will be loaded automatically. This means you don’t have to edit /etc/apache2/httpd.conf and convolute the base configuration.
Create a new .conf file. We’ll call it /etc/apache2/conf.d/proxy.conf
# Listen on internal interface only. On port 8080 Listen 192.168.10.10:8080 User nobody Group nobody ProxyRequests On # Allow requests only from your internal subnet <Proxy *> Order Deny, Allow Deny from all Allow from 192.168.10 .mydomain.com </Proxy> LogFormat "%h %l %u %t \"%r\" %>s %b" common CustomLog /logs/access_log common # Cache Settings CacheRoot "/cache/" # Cache files location CacheSize 5 # CacheSize x number_of_clients = total cache size # Ex: 5 x 100 clients = 500MB cache CacheGcInterval 4 # Number of hours to wait before cleaning out # unused objects from the cache CacheMaxExpire 86400 # Number of seconds for an object to be cached w/o # checking the origin to determine if the # document has been updated. CacheLastModifiedFactor 0.1 # Defines a value that will be used to calculate if # an item in cache should be expired if the object # hasn't explicitly been marked with an expire date. CacheDefaultExpire 1 # Number of seconds after which an object will be # expired if no specific data is supplied about the # expiration date or period from the original server. # LDAP authentication to eDirectory and allow access if user is a member of the #designated group AuthLDAPURL ldap://[your_edirectory_server]/o=[Org]?uid Require group cn=[Internet_Access_group], o=[Org] # End of /etc/apache2/conf.d/proxy.conf
The CacheMaxFileSize and CacheMinFileSize directives are also useful, as they set the maximum and minimum file size parameters for files to be retained in the cache. The defaults are 100,000 bytes and 1 byte, respectively. Normally, you will want to prevent very large files from being retained in a cache. This is dependent on you own organization’s requirements.
You can prevent the caching of information from certain sites by using the NoCache directive, which accepts the name of a domain or host or IP Address.
You can add more sites, separate by spaces.
Apache supports very basic filtering when using the proxy feature. It enables the you to block access to specific sites or domains explicitly within the configuration file through the ProxyBlock directive. This will block specific hosts, domains, or fragments of names.
For easier maintenance, I recommend a secondary .conf file in /etc/apache2/conf.d We’ll call this one pfilter.conf
# Start of /etc/apache2/conf.d/pfilter.conf # to block a specific site ProxyBlock www.myotherspace.com # To block a whole domain ProxyBlock myotherspace.com # To block any name within a string ProxyBlock myotherspace # End of /etc/apache2/conf.d/pfilter.conf
Be careful to monitor how large this list gets. The larger the list, the slower Apache starts.
Using Apache2 is one way to utilize proxy services on Linux. If you are a BorderManager user, you can even change your logging options to mirror the output of BM’s proxy logs.
Or you could just use one of the built in packages, such as Squid.