SOCKS clients make an HTTP CONNECT request to the
proxy server. Many caching proxy configurations do not account for CONNECT
requests.
To prevent SOCKS clients from bypassing the authentication
process, add a new value in the Protect directive so that all traffic is
prompted for a user ID and password before the request can be forwarded
to the destination server.
For best results, configure the following directives after the ADD
NEW MAPPING RULES HERE area in the ibmproxy.conf file:
- Configure the protection group (the Protection directive).
- Configure the Protect directive as Protect * <groupID>, where
<groupID> is the name of the protection group that you specified in the
Protection directive. With this configuration, every request to the proxy
is prompted for a user ID and password.
- Configure the Pass directive.
The ibmproxy.conf file example below shows a proxy that is configured to
prompt for a user ID and password on all incoming traffic.
    Pass /pacfiles/* /opt/ibm/edge/cp/server_root/pub/pacfiles/*
    # *** ADD NEW MAPPING RULES HERE ***
    Protection abc {
        GroupFile /opt/ibm/edge/cp/server_root/protect/test.group
        PasswdFile /opt/ibm/edge/cp/server_root/protect/test.passwd
        PostMask All@(*)
        PutMask All@(*)
        GetMask All@(*)
        Mask All@(*)
        AuthType Basic
        ServerID abc
    }
    ### The following forces the use of the abc protection method on all
    ### (*) requests (CONNECT, FTP, HTTP, etc.) before passing them to their
    ### desired location.
    Protect * abc
    Pass /* /opt/ibm/edge/cp/server_root/pub/en_US/*
By configuring the caching proxy in this manner, the following will
occur:
- When launching a browser configured to use the pacfile, the user is
prompted to authenticate against the protection group ID once. The users
in this group cannot access the pages protected by prot-admin.
- When attempting to access the GUI Administration pages, the users are
forced to reauthenticate against "private_authorization" (the default
protection group ID for the Configuration and Administration pages).
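The following is an added example, not part of the original page or of IBM's tooling: a small Python check that an ibmproxy.conf body contains a catch-all Protect * rule pointing at a defined protection group, and that lists the Pass templates placed above that rule. The function name audit and the sample text are constructed for illustration, and the check assumes that rules written above Protect * are not covered by it, as the placement of the /pacfiles/* rule in the example suggests.

```python
# Constructed sample that mirrors the ibmproxy.conf example on this page.
SAMPLE_CONF = """\
Pass /pacfiles/* /opt/ibm/edge/cp/server_root/pub/pacfiles/*
# *** ADD NEW MAPPING RULES HERE ***
Protection abc {
    PasswdFile /opt/ibm/edge/cp/server_root/protect/test.passwd
    Mask All@(*)
    AuthType Basic
    ServerID abc
}
Protect * abc
Pass /* /opt/ibm/edge/cp/server_root/pub/en_US/*
"""

def audit(conf_text):
    """Hypothetical helper: return (findings, pass_templates_above_protect)."""
    groups, rules, block = {}, [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # skip blank lines and comments
        parts = line.split()
        key = parts[0].lower()
        if block is not None:             # inside a Protection { ... } block
            if line == "}":
                block = None
            else:
                groups[block][key] = " ".join(parts[1:])
        elif key == "protection" and line.endswith("{") and len(parts) >= 3:
            block = parts[1]
            groups[block] = {}
        elif key in ("protect", "pass") and len(parts) >= 2:
            rules.append((key, parts[1], parts[2] if len(parts) > 2 else None))
    findings = []
    # Assumption: Pass rules written above 'Protect *' are not covered by it.
    catch_all = next((i for i, r in enumerate(rules)
                      if r[0] == "protect" and r[1] == "*"), None)
    if catch_all is None:
        findings.append("no 'Protect *' rule: CONNECT requests are not challenged")
        return findings, [r[1] for r in rules if r[0] == "pass"]
    group = rules[catch_all][2]
    if group not in groups:
        findings.append(f"Protect * names undefined protection group {group!r}")
    else:
        findings += [f"group {group!r} has no {needed} setting"
                     for needed in ("passwdfile", "authtype") if needed not in groups[group]]
    return findings, [r[1] for r in rules[:catch_all] if r[0] == "pass"]

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

For the sample, the only template reported as sitting above the catch-all rule is /pacfiles/*, which matches the behavior described above where the browser fetches the pacfile and the user is then prompted once.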