Revision: 6230 http://ipcop.svn.sourceforge.net/ipcop/?rev=6230&view=rev Author: eoberlander Date: 2012-01-15 16:04:10 +0000 (Sun, 15 Jan 2012) Log Message: ----------- Add more of Marco's text to Proxy section.
Modified Paths: -------------- IPCopDoc/trunk/en/admin/xml/proxy.xml IPCopDoc/trunk/en/admin/xml/services.xml Modified: IPCopDoc/trunk/en/admin/xml/proxy.xml =================================================================== --- IPCopDoc/trunk/en/admin/xml/proxy.xml 2012-01-14 10:21:06 UTC (rev 6229) +++ IPCopDoc/trunk/en/admin/xml/proxy.xml 2012-01-15 16:04:10 UTC (rev 6230) @@ -11,8 +11,16 @@ <title>Web Proxy Server</title> <para> - Content to be written... - + This section describes in more depth the + <emphasis>User Authentication</emphasis> methods + available under the web proxy's Advanced Options. + </para> + <para> + For educational institutions the Advanced Options also provide the + <emphasis>Classroom Extensions</emphasis>, an easy to use + administrative interface for teaching staff. + </para> + <para> <itemizedlist> <listitem> <para> Modified: IPCopDoc/trunk/en/admin/xml/services.xml =================================================================== --- IPCopDoc/trunk/en/admin/xml/services.xml 2012-01-14 10:21:06 UTC (rev 6229) +++ IPCopDoc/trunk/en/admin/xml/services.xml 2012-01-15 16:04:10 UTC (rev 6230) @@ -356,8 +356,6 @@ submitted via the URL. </para> <para> - <figure id="v2.services.002"> - <title>Web proxy - Cache management Section</title> <mediaobject> <imageobject role="fo"> <imagedata fileref="&imagepath;proxy1.&imageext;" @@ -371,7 +369,6 @@ <phrase>HTTP Web Proxy Page</phrase> </textobject> </mediaobject> - </figure> </para> <warning> <para> 
@@ -387,24 +384,213 @@ cache. </para> </warning> - </sect3> - <sect3 id="services-webproxy-destports"> - <title>Destination ports</title> - <formalpara> - <title><guilabel>Allowed standard ports (one per line)</guilabel></title> + <formalpara> + <title><guilabel>Memory cache size</guilabel></title> <para> - Content to be written... + This is the amount of physical RAM to be used for + negative-cached and in-transit objects. + This value should not exceed more than 50% of + your installed RAM. + The minimum for this value is 1 MB, the default is 2 MB. </para> </formalpara> - <formalpara> - <title><guilabel>Allowed SSL ports (one per line)</guilabel></title> + <para> + This parameter does not specify the maximum process size. + It only places a limit on how much additional RAM the + proxy will use as a cache of objects. + </para> + <formalpara> + <title><guilabel>Harddisk cache size</guilabel></title> <para> - Content to be written... + This is the amount of disk space, in MB, to use for cached + objects. + The default is 50 MB. + Change this to suit your configuration. + Do not put the size of your disk drive here. + Instead, if you want <command>squid</command> to use the + entire disk drive, subtract 20% and use that value. </para> </formalpara> <para> - <figure id="v2.services.003"> - <title>Web proxy - Destination ports Section</title> + Setting the cache size to 0 will turn off the harddisk cache. + </para> + <formalpara> + <title><guilabel>Min object size</guilabel></title> + <para> + Objects smaller than this size will not be saved on disk. + The value is specified in kilobytes, and the default + is 0 KB, which means there is no minimum. + </para> + </formalpara> + <formalpara> + <title><guilabel>Max object size</guilabel></title> + <para> + Objects larger than this size will not be saved on disk. + The value is specified in kilobytes, and the default is + 4 MB. 
+ If you wish to increase speed, more than you want to + save bandwidth, you should leave this low. + </para> + </formalpara> + <formalpara> + <title><guilabel>Number of level-1 subdirectories</guilabel></title> + <para> + The default value for the harddisk cache level-1 + subdirectories is 16. + </para> + </formalpara> + <para> + Each level-1 directory contains 256 subdirectories, so a value + of 256 level-1 directories will use a total of 65536 + directories for the harddisk cache. + This will significantly slow down the startup process of the + proxy service but can speed up the caching under + certain conditions. + </para> + <note> + <para> + The recommended value for level-1 directories is 16. + You should increase this value only when it's + necessary. + </para> + </note> + <formalpara> + <title><guilabel>Memory replacement policy</guilabel></title> + <para> + The memory replacement policy parameter determines which + objects are purged from memory, when memory space is needed. + The default policy for memory replacement on IPCop is LRU. + </para> + </formalpara> + <para> + Possible replacement policies are: + </para> + <variablelist> + <varlistentry> + <term>LRU</term> + <listitem> + <para> + Squid's original list based Last Recently Used + policy. + The LRU policy keeps recently referenced objects. + For instance, it replaces the object that has not + been accessed for the longest time. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>heap GDSF</term> + <listitem> + <para> + The heap Greedy-Dual Size Frequency policy + optimizes object hit rate by keeping smaller + popular objects in cache, + so it has a better chance of getting a hit. + It achieves a lower byte hit rate than LFUDA + though, since it evicts larger (possibly + popular) objects. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>heap LFUDA</term> + <listitem> + <para> + Least Frequently Used with Dynamic Aging. 
+ This policy keeps popular objects in cache + regardless of their size and thus optimizes byte + hit rate at the expense of hit rate since one + large, popular object will prevent many smaller, + slightly less popular objects from being cached. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>heap LRU</term> + <listitem> + <para> + Last Recently Used policy implemented using a heap. + Works like LRU, but uses a heap instead. + </para> + </listitem> + </varlistentry> + </variablelist> + <note> + <para> + If using the LFUDA replacement policy, the value of + <emphasis>Max object size</emphasis> should be increased + above its default of 4096 KB to maximize the potential + byte hit rate improvement of LFUDA. + </para> + </note> + <formalpara> + <title><guilabel>Cache replacement policy</guilabel></title> + <para> + The cache replacement policy parameter decides which + objects will remain in cache and which objects are evicted + (replaced) to create space for the new objects. + The default policy for cache replacement on IPCop is LRU. + </para> + </formalpara> + <para> + See above for details. + </para> + <formalpara> + <title><guilabel>Enable offline mode</guilabel></title> + <para> + Enabling this option will turn off the validation of + cached objects. + This gives access to more cached information (stale + cached versions, where the original server should have + been contacted). + </para> + </formalpara> + <formalpara> + <title><guilabel>Do not cache these destinations</guilabel> (optional)</title> + <para> + A list of sites which cause the request to not be + satisfied from the cache and the reply to not be cached. + In other words, use this to force objects to never be + cached. 
+ </para> + </formalpara> + <para> + Examples: + </para> + <para> + Entire domains and subdomains + </para> + <screen><computeroutput>*.example.net +*.google.com</computeroutput></screen> + <para> + Single hosts + </para> + <screen><computeroutput>www.example.net +www.google.com</computeroutput></screen> + <para> + IP addresses + </para> + <screen><computeroutput>81.169.145.75 +74.125.39.103</computeroutput></screen> + <para> + URLs + </para> + <screen><computeroutput>www.example.net/download +www.google.com/images</computeroutput></screen> + <note> + <para> + You can enter all of these destination types in any order. + </para> + </note> + </sect3> + + <sect3 id="services-webproxy-destports"> + <title>Destination ports</title> + <para> + These fields enumerate the allowed destination ports for + standard HTTP and SSL encrypted HTTPS requests. + </para> + <para> <mediaobject> <imageobject role="fo"> <imagedata fileref="&imagepath;proxy2.&imageext;" 
@@ -418,79 +604,244 @@ <phrase>HTTP Web Proxy Page</phrase> </textobject> </mediaobject> - </figure> </para> + <para> + The ports can be defined as a single port number + or a range of ports. + </para> + <formalpara> + <title><guilabel>Default standard ports</guilabel></title> + <para> + <screen><computeroutput>80 # http +21 # ftp +443 # https +1025-65535 # unregistered ports +800 # Squids port (for icons)</computeroutput></screen> + </para> + </formalpara> + <formalpara> + <title><guilabel>Default SSL ports</guilabel></title> + <para> + <screen><computeroutput>443 # https</computeroutput></screen> + </para> + </formalpara> </sect3> + <sect3 id="services-webproxy-network"> <title>Network based access control</title> + <para> + This defines the access control for accessing the proxy + server based on the client network address. + </para> + <para> + <mediaobject> + <imageobject role="fo"> + <imagedata fileref="&imagepath;proxy3.&imageext;" + format="PNG" + contentwidth="14cm"/> + </imageobject> + <imageobject role="html"> + <imagedata fileref="&imagepath;proxy3.&imageext;" format="PNG" align="center"/> + </imageobject> + <textobject> + <phrase>HTTP Web Proxy Page</phrase> + </textobject> + </mediaobject> + </para> <formalpara> - <title><guilabel>Allowed subnets (one per line)</guilabel></title> + <title><guilabel>Allowed subnets</guilabel></title> <para> - Content to be written... + All listed subnets are allowed to access the proxy server. + By default, the subnets for GREEN and BLUE (if available) + are listed here. </para> </formalpara> + <para> + You can add other subnets, like subnets behind GREEN in + larger environments, to this list. + All subnets <emphasis>not</emphasis> listed here will be + blocked for web access. + </para> <formalpara> <title><guilabel>Disable internal proxy access</guilabel></title> <para> - Check this box to disable internal proxy access. 
+ This option prevents direct HTTP access through the + internal proxy service to local web servers at those + subnets, as defined above. + This selection overrides the following two options which + manage HTTP access to GREEN and from BLUE. </para> </formalpara> - <formalpara> + <formalpara> <title><guilabel>Disable internal proxy access to Green from other subnets</guilabel></title> <para> - Check this box to disable internal proxy access to Green - from other subnets. + This prevents direct HTTP access through the internal proxy + service to web servers on GREEN from any other subnet + (e.g. BLUE). </para> </formalpara> + <para> + For example, while proxy access is enabled for GREEN and BLUE, + usually all requests will be forwarded to RED. + But when a client from BLUE wants to access a web server on + GREEN, the Proxy Server takes the internal shortcut between + the BLUE and the GREEN interface, regardless of any + firewall rules. + </para> + <note> + <para> + To protect your servers on GREEN, it's recommended + that you enable this option and use the Address Filter or + DMZ pinholes if necessary. + </para> + </note> <formalpara> <title><guilabel>Disable internal proxy access from Blue to other subnets</guilabel></title> <para> - Check this box to disable internal proxy access from Blue - to other subnets. + This prevents direct HTTP access through the internal proxy + service from BLUE to web servers on any other subnet + (e.g.GREEN). </para> </formalpara> + <para> + For example, while proxy access is enabled for GREEN and BLUE, + usually all requests will be forwarded to RED. + But when a client from BLUE wants to access a web server on + GREEN, the Proxy Server takes the internal shortcut between + the BLUE and the GREEN interface, regardless of any firewall + rules. + </para> + <note> + <para> + This option is only available with a BLUE interface + installed. + </para> + <para> + If enabled, clients on BLUE can only access web servers on + BLUE or RED. 
+ </para> + </note> <formalpara> - <title><guilabel>Unrestricted IP addresses (one per line)</guilabel> (optional)</title> + <title><guilabel>Unrestricted IP addresses</guilabel> (optional)</title> <para> - Content to be written... + All client IP addresses in this list will override the + following restrictions: </para> </formalpara> - <formalpara> - <title><guilabel>Unrestricted MAC addresses (one per line)</guilabel> (optional)</title> + <itemizedlist> + <listitem> + <para> + Time restrictions + </para> + </listitem> + <listitem> + <para> + Size limits for download requests + </para> + </listitem> + <listitem> + <para> + Download throttling + </para> + </listitem> + <listitem> + <para> + Browser check + </para> + </listitem> + <listitem> + <para> + MIME type filter + </para> + </listitem> + <listitem> + <para> + Authentication (will be required by default for these + addresses, but can be turned off) + </para> + </listitem> + <listitem> + <para> + Concurrent logins per user (only available if + authentication is enabled) + </para> + </listitem> + </itemizedlist> + <formalpara> + <title><guilabel>Unrestricted MAC addresses</guilabel> (optional)</title> <para> - Content to be written... 
+ All client MAC addresses in this list will override the + following restrictions: </para> </formalpara> + <itemizedlist> + <listitem> + <para> + Time restrictions + </para> + </listitem> + <listitem> + <para> + Size limits for download requests + </para> + </listitem> + <listitem> + <para> + Download throttling + </para> + </listitem> + <listitem> + <para> + Browser check + </para> + </listitem> + <listitem> + <para> + MIME type filter + </para> + </listitem> + <listitem> + <para> + Authentication (will be required by default for these + addresses, but can be turned off) + </para> + </listitem> + <listitem> + <para> + Concurrent logins per user (only available if + authentication is enabled) + </para> + </listitem> + </itemizedlist> + <para> + Using MAC addresses instead of IP addresses can be useful if + the DHCP service is enabled without having fixed leases defined. + </para> + <para> + MAC addresses can be entered in either one of these forms: + </para> + <screen><computeroutput>00-00-00-00-00-00 +00:00:00:00:00:00</computeroutput></screen> + <note> + <para> + The proxy server can only determine MAC addresses from + clients configured for the subnets of the GREEN, BLUE or + ORANGE interfaces. + </para> + </note> <formalpara> - <title><guilabel>Banned IP addresses (one per line)</guilabel> (optional)</title> + <title><guilabel>Banned IP addresses</guilabel> (optional)</title> <para> - Content to be written... + All requests from the clients (IP addresses or subnets) + listed here will be blocked. </para> </formalpara> <formalpara> - <title><guilabel>Banned MAC addresses (one per line)</guilabel> (optional)</title> + <title><guilabel>Banned MAC addresses</guilabel> (optional)</title> <para> - Content to be written... + All requests from clients in this list will be blocked. 
</para> </formalpara> - <para> - <figure id="v2.services.004"> - <title>Web proxy - Network based access control Section</title> - <mediaobject> - <imageobject role="fo"> - <imagedata fileref="&imagepath;proxy3.&imageext;" - format="PNG" - contentwidth="14cm"/> - </imageobject> - <imageobject role="html"> - <imagedata fileref="&imagepath;proxy3.&imageext;" format="PNG" align="center"/> - </imageobject> - <textobject> - <phrase>HTTP Web Proxy Page</phrase> - </textobject> - </mediaobject> - </figure> - </para> </sect3> <sect3 id="services-webproxy-cre"> @@ -537,6 +888,12 @@ Unrestricted MAC addresses </para> </listitem> + <listitem> + <para> + Members of the group <quote>Extended</quote> if the + proxy uses <quote>Local authentication</quote> + </para> + </listitem> </itemizedlist> </sect3> @@ -568,6 +925,12 @@ Unrestricted MAC addresses </para> </listitem> + <listitem> + <para> + Members of the group <quote>Extended</quote> if the + proxy uses <quote>Local authentication</quote> + </para> + </listitem> </itemizedlist> </sect3> This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. _______________________________________________ Ipcop-svn mailing list Ipcop-svn@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/ipcop-svn
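Review bot: in the proxy.xml hunk (@@ -11,8 +11,16 @@) the two new lead paragraphs promise an in-depth description of the User Authentication methods and of the Classroom Extensions, but the hunk itself only replaces the "Content to be written..." placeholder with those two paragraphs ahead of the existing itemizedlist; make sure the per-method subsections actually exist further down in proxy.xml, and if they do not yet, keep the file's own "Content to be written..." marker there so the gap stays visible instead of being silently promised by the introduction.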
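Review bot: the services.xml hunk at @@ -356,8 +356,6 @@ removes the <figure id="v2.services.002"> wrapper and its <title>, leaving a bare <mediaobject> inside the <para>; that id is an anchor any <xref linkend="v2.services.002"/> elsewhere in the book may point at, and the caption "Web proxy - Cache management Section" disappears from the FO/PDF output. Grep the book for v2.services.002 (and for v2.services.003 and v2.services.004, whose <figure> elements the later hunks of this commit also drop) before committing, or keep the <figure> element and drop only the title.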
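Review bot: in the @@ -387,24 +384,213 @@ hunk the LRU and heap LRU entries of the Memory replacement policy variablelist expand the acronym as "Last Recently Used"; it is "Least Recently Used", and "For instance, it replaces the object that has not been accessed for the longest time" restates the policy rather than giving an example, so "That is, ..." fits better. Three smaller points in the same hunk: under Max object size the text says the value is specified in kilobytes and then gives the default as "4 MB", while the LFUDA note says "4096 KB", so use "4096 KB (4 MB)" in both places; "This value should not exceed more than 50% of your installed RAM" under Memory cache size should read "should not exceed 50%"; and "If you wish to increase speed, more than you want to save bandwidth, you should leave this low" would read better as "If speed matters more to you than saving bandwidth, leave this low." Finally, the "Do not cache these destinations" examples use live addresses (81.169.145.75, 74.125.39.103) and *.google.com / www.google.com; documentation examples should stick to the example.com/.net/.org names already used in the same list and to the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), so that readers who paste the examples do not affect real hosts.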
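Review bot: in the @@ -418,79 +604,244 @@ hunk the paragraph explaining the security issue ("when a client from BLUE wants to access a web server on GREEN, the Proxy Server takes the internal shortcut between the BLUE and the GREEN interface, regardless of any firewall rules") is pasted verbatim under both "Disable internal proxy access to Green from other subnets" and "Disable internal proxy access from Blue to other subnets"; keep it once, under the first option, and have the second option refer back to it, so the two do not drift apart on later edits. Related points a reader will want in this section: the Default standard ports list includes "1025-65535 # unregistered ports", which lets the proxy reach any unprivileged port on any reachable host for plain HTTP, so the Destination ports intro should say what each list governs, namely that the SSL ports list is what CONNECT tunnels are checked against (in Squid, CONNECT to a port outside the SSL ports ACL is denied), which is why leaving it at "443 # https" keeps the proxy from being usable as a generic TCP tunnel; the note that MAC addresses can only be determined for clients on the GREEN, BLUE or ORANGE subnets should give the reason (the MAC is read from the directly attached segment, so clients on the "subnets behind GREEN" mentioned under Allowed subnets appear with the router's MAC) and should add that a client can change its MAC at will, so the Unrestricted/Banned MAC lists are a convenience, not an authentication control. Minor: "(e.g.GREEN)" is missing a space, "local web servers at those subnets" should be "on those subnets", "800 # Squids port (for icons)" should be "Squid's", and the identical seven-item restriction lists under Unrestricted IP addresses and Unrestricted MAC addresses could be a single list referenced from both.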
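Review bot: the @@ -537,6 +888,12 @@ and @@ -568,6 +925,12 @@ hunks add the same "Members of the group Extended if the proxy uses Local authentication" item to two separate itemizedlists that already both end with "Unrestricted MAC addresses"; together with the two copies of the exemption list in the previous hunk this is now the third and fourth place enumerating who bypasses a restriction, so consider one shared list (or an entity) that the other sections reference, and confirm that "Extended" and "Local authentication" match the exact labels used in the proxy GUI and in proxy.xml so the quoted names stay in step.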