SUSE Conversations


Configuring Apache on SLES 10 for Proxy Services

mfaris01

By: mfaris01

February 6, 2008 9:17 am

Reads:710

Comments:0

Rating:0

While BorderManager is an excellent solution for proxy services, it doesn’t run on Linux. As part of a transition from NetWare to an OES 2 Linux environment, an alternative to BorderManager needed to be found.

Knowing BorderManager’s features, I needed the solution to have at least the following features.

  • Security
  • Caching
  • Filtering – Rules
  • Pass through Authentication – eDirectory

Because BorderManager is a full featured solution, this alternative lacks the following features.

  • User interface – You must manually edit the configuration.
  • Filter Defaults – BM has predefined “deny any any” filters.
  • Client Trust for End Users – Manual Authentication

Considerations

Security - We need to ensure that we can redirect requests, enforce authentication and prevent direct access to the Internet.

Caching - Act as a cache, storing frequently used and accessed sites, graphics, and other data to improve performance and lower bandwidth requirements.

Filtering - Because all http requests will go through the proxy server, set filters to determine which sites are deemed “unauthorized” to users. Whether they be inappropriate or potentially threatening.

Pass through Authentication – Authenticate clients via LDAP and eDirectory and verify limits of Internet access, if any. Thus preventing unauthorized users, i.e., vendors, contractors, from accessing the Internet.

Overview

You must have a firm understanding of Apache 2 to ensure your configuration is secure.

NOTE: Do not enable any proxy features until you have secured your server.

Apache 2 has a robust variety of modules that can be incorporated into it’s running configuration.

The additional modules we will use in this example are listed below.

mod_proxy – Main module for proxy services.

mod_proxy_http – Required module for mod_proxy.

mod_cache – Module for caching.

mod_disk_cache – Module for caching to disk.

mod_proxy_connect – Required module for mod_proxy.

mod_ssl – Needed for SSL/TLS connections.

mod_authnz_ldap – Module for LDAP authentication to eDirectory.

mod_ldap – Module for LDAP.

A full list of all Apache 2 modules can be found here:

http://httpd.apache.org/docs/2.0/mod/

Procedure

The above modules are already included by default but we’ll need to add mod_authnz_ldap, mod_proxy_connect and mod_cache to the /etc/apache2/sysconfig.d/loadmodules.conf file.

Add these lines at the end of the file.

LoadModule authnz_ldap_module  /usr/lib/apache2-worker/mod_authnz_ldap.so
LoadModule proxy_connect_module  /usr/lib/apache2-worker/mod_proxy_connect.so
LoadModule cache_module  /usr/lib/apache2-worker/mod_cache.so
LoadModule disk_cache_module  /usr/lib/apache2-worker/mod_disk_cache.so

Apache2 on SLES is very organized and non-intrusive with the way it is configured. Basically, if you want to add a configuration file to be included with Apache startup, create a new .conf file and place it in the /etc/apache2/conf.d/ directory and it will be loaded automatically. This means you don’t have to edit /etc/apache2/httpd.conf and convolute the base configuration.

Create a new .conf file. We’ll call it /etc/apache2/conf.d/proxy.conf

# Listen on internal interface only.  On port 8080
Listen 192.168.10.10:8080
User nobody
Group nobody
ProxyRequests On

# Allow requests only from your internal subnet

<Proxy *>
  Order Deny, Allow 
  Deny from all 
  Allow from 192.168.10 .mydomain.com
</Proxy>
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog /logs/access_log common
# Cache Settings
CacheRoot "/cache/"  		# Cache files location
CacheSize 5			# CacheSize x number_of_clients = total cache size
				# Ex:    5      x 100 clients   = 500MB cache
CacheGcInterval 4		# Number of hours to wait before cleaning out 
				# unused objects from the cache
CacheMaxExpire 86400		# Number of seconds for an object to be cached w/o 
				# checking the origin to determine if the 
				# document has been updated.
CacheLastModifiedFactor 0.1	# Defines a value that will be used to calculate if 
				# an item in cache should be expired if the object
				# hasn't explicitly been marked with an expire date. 
CacheDefaultExpire 1		# Number of seconds after which an object will be 
				# expired if no specific data is supplied about the 
				# expiration date or period from the original server. 
# LDAP authentication to eDirectory and allow access if user is a member of the #designated group
AuthLDAPURL ldap://[your_edirectory_server]/o=[Org]?uid
Require group cn=[Internet_Access_group], o=[Org]
# End of /etc/apache2/conf.d/proxy.conf

The CacheMaxFileSize and CacheMinFileSize directives are also useful, as they set the maximum and minimum file size parameters for files to be retained in the cache. The defaults are 100,000 bytes and 1 byte, respectively. Normally, you will want to prevent very large files from being retained in a cache. This is dependent on you own organization’s requirements.

You can prevent the caching of information from certain sites by using the NoCache directive, which accepts the name of a domain or host or IP Address.

Example:

NoCache www.myfirstbank.com
You can add more sites, separate by spaces.

Filtering

Apache supports very basic filtering when using the proxy feature. It enables the you to block access to specific sites or domains explicitly within the configuration file through the ProxyBlock directive. This will block specific hosts, domains, or fragments of names.

For easier maintenance, I recommend a secondary .conf file in /etc/apache2/conf.d We’ll call this one pfilter.conf

# Start of /etc/apache2/conf.d/pfilter.conf

# to block a specific site
ProxyBlock www.myotherspace.com

# To block a whole domain
ProxyBlock myotherspace.com

# To block any name within a string
ProxyBlock myotherspace

# End of /etc/apache2/conf.d/pfilter.conf

Be careful to monitor how large this list gets. The larger the list, the slower Apache starts.

Conclusion

Using Apache2 is one way to utilize proxy services on Linux. If you are a BorderManager user, you can even change your logging options to mirror the output of BM’s proxy logs.

Or you could just use one of the built in packages, such as Squid.

VN:F [1.9.22_1171]
Rating: 0.0/5 (0 votes cast)

Tags: ,
Categories: SUSE Linux Enterprise Server, Technical Solutions

Disclaimer: As with everything else at SUSE Conversations, this content is definitely not supported by SUSE (so don't even think of calling Support if you try something and it blows up).  It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.

Comment

RSS