9. Configuring a Proxy server
To configure a Proxy server, you should go through several steps:
Installing the Proxy service onto your system
We have been supporting Proxy since calculate-server 2.0.13. We use Squid, a very common proxy server.
Before installing, make sure you have installed the LDAP service. If this is not the case, please enter:
cl-setup ldap
To install Proxy, execute:
cl-setup proxy
The service will then be installed with default settings: the proxy host name is set to the name of the host machine and the connection port is set to 8080.
To install Proxy with trusted networks, enter:
cl-setup -a proxy
When installing, the following basic groups will be created:
- http - port 80 available
- ftp - port 21 available
- https - port 443 available
- gopher - port 70 available
- wais - port 210 available
- unregistered - ports from 1025 to 65535 available
- http-mgmt - port 280 available
- gss-http - port 488 available
- filemaker - port 591 available
- multiling - port 777 available
- swat - port 901 available
By default, cached permission changes are refreshed every 5 minutes.
Managing accounts
Add an account
To add a Proxy user account, use the cl-useradd command:
# add the user "john" with a full name in comments
cl-useradd -p -c "John Black" john proxy
Change the password
If you need to change the password, use cl-passwd, for instance:
cl-passwd john proxy
Delete or lock an account
If you want to delete an account, you can do this with cl-userdel:
cl-userdel john proxy
To lock the account without deleting it, use cl-usermod -L, for example:
cl-usermod -L john proxy
You will be able to unlock the account with cl-usermod -U:
cl-usermod -U john proxy
Groups
A group is a set of accounts used for setting access rules.
Any group has a parameter defining the range of network ports.
The user is allowed access to a resource only if at least one group this user belongs to is granted such access.
Managing groups
Create a group
To create a group for Proxy, use the cl-groupadd command. Here is an example: let us create a group named "adsl":
cl-groupadd -p 80,83,2000-3000 adsl proxy
Members added to this group will have access to network ports 80 and 83, as well as to the ports from 2000 to 3000, which can run certain services. Naming the group "adsl" is a matter of convention.
Delete a group
To remove a group from Proxy, use cl-groupdel:
cl-groupdel adsl proxy
Renaming groups
You can rename a group with cl-groupmod. Below we show how to change the group name from "adsl" to "adsl2":
cl-groupmod -n adsl2 adsl proxy
Change group membership
To change the membership of groups, you should use the cl-groupmod and cl-usermod commands. Examples:
Add "john" to the "http" group (granting them access to internet sites):
cl-usermod -G http john proxy
Remove the "john" user from "http":
cl-groupmod -d john http proxy
Add the users "john" and "guest" to the "http" group of the Proxy service:
cl-groupmod -a john,guest http proxy
To give users access to FTP, you will have to give them access to port 21 and to the Proxy server port (which defaults to 8080):
# Allow the "guest" user to access FTP
cl-usermod -G ftp,unregistered guest proxy
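The group rule described above (a user reaches a port only if at least one of their groups covers it) can be checked offline before memberships are changed. The Python below is an added example, not calculate-server code: it models the rule using the default groups and the "adsl" port list from this page, and its function names and the 1000-port review threshold are assumptions.

```python
# Added example: a model of the access rule on this page, not calculate-server code.
# Default groups and their ports, as listed on this page.
DEFAULT_GROUPS = {
    "http": "80", "ftp": "21", "https": "443", "gopher": "70", "wais": "210",
    "unregistered": "1025-65535", "http-mgmt": "280", "gss-http": "488",
    "filemaker": "591", "multiling": "777", "swat": "901",
}


def parse_ports(spec):
    """Parse a port list in the form passed to cl-groupadd -p, e.g. '80,83,2000-3000'."""
    ranges = []
    for part in spec.split(","):
        low, dash, high = part.strip().partition("-")
        low = int(low)
        high = int(high) if dash else low
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"invalid port range: {part!r}")
        ranges.append((low, high))
    return ranges


def granting_groups(port, memberships, groups=DEFAULT_GROUPS):
    """Return the user's groups that cover `port`; unknown group names grant nothing."""
    return [
        name for name in memberships
        if name in groups
        and any(low <= port <= high for low, high in parse_ports(groups[name]))
    ]


def is_allowed(port, memberships, groups=DEFAULT_GROUPS):
    """Access is granted when at least one membership covers the port."""
    return bool(granting_groups(port, memberships, groups))


def wide_groups(groups=DEFAULT_GROUPS, limit=1000):
    """Map groups opening more than `limit` ports (assumed review threshold) to their size."""
    sizes = {
        name: sum(high - low + 1 for low, high in parse_ports(spec))
        for name, spec in groups.items()
    }
    return {name: size for name, size in sizes.items() if size > limit}


if __name__ == "__main__":
    groups = dict(DEFAULT_GROUPS, adsl="80,83,2000-3000")  # "adsl" as created above
    print(is_allowed(8080, ["ftp", "unregistered"], groups))
    print(granting_groups(80, ["http", "adsl"], groups))
    print(wide_groups(groups))
```

Running wide_groups over the defaults shows that "unregistered", which the FTP example relies on for port 8080, also opens every other port from 1025 to 65535 to the same user.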