Installing the Netscape Proxy Server

This chapter tells you how to install the Netscape Proxy Server and begin configuring the server for your needs. The proxy server runs as a daemon process that spawns child processes. You can configure the proxy server by using the web-based administration forms or by editing the configuration files.

The web-based administration server is a separate HTTP server daemon that runs on your machine using a different port number than the proxy server. The administration server is a server common to all Netscape server products. You can have one administration server that configures all of the Netscape servers on your computer. For example, you might have a web server and a proxy server installed on the same machine (however, for high-load machines, you'll probably want a computer dedicated to one server).

The administration server runs a collection of web forms and CGI scripts. The Server Selector is the main web form that lets you configure the administration server itself or choose a server to configure. The Server Manager forms are specific forms for configuring the server you selected in the Server Selector. For more information, see Chapter 2 "Configuring and managing the server."

Before you install

Installing the Netscape Proxy Server is a smooth process if you prepare first. The following list describes the software you should install on your server machine before you install the proxy server.

Making sure DNS is running

Without DNS the proxy can't resolve IP addresses from host names and can't connect to any remote hosts.

When you install the Netscape Proxy Server, some items on the installation forms require a server host name or an IP address.

To make sure DNS is running on your computer,

  1. At the command line, type nslookup and press Enter. The nslookup program responds by printing the name and address of the DNS server:

    Default Server: dns.netscape.com
    Address: 198.95.249.78

    If nslookup cannot find an authoritative answer, it prints the names of any servers that might have an authoritative answer:

    Non-authoritative answer:
    Name: www.mysite.com
    Address: 198.95.251.30

  2. To exit nslookup, type Control-d.

Creating an alias for the server

If your server will run on one machine among many in a network, you or your system administrator should set up a DNS CNAME record or an alias (such as proxy) that points to the actual proxy server machine. Later, should the need arise, you can change the actual host name or IP address of the server machine and the clients that use the proxy won't have to change their URLs to the proxy. For information on how to set up an alias, see the system administration manual for your platform.

Creating a Unix user account

You should create a Unix user account for the proxy server. Most likely, you'll want the server to have restricted access to your system resources, so you should set up and run the proxy with a nonprivileged system user account.

For instructions on creating a new user account, see your system manual or a Unix administrator's handbook.
When the proxy server starts and runs, it runs with the Unix user account you specify during installation. Any child processes of the proxy and all files created by the proxy are created with this account as the owner.

You can use the account with the name nobody, but this might not work on your system. Some machines ship with a user identification (uid) of -2 for the user nobody. A uid less than zero generates an error during installation. Check the /etc/passwd file or the yppasswd database to see if the uid for nobody exists, and then make sure it is greater than zero. Otherwise, create a new user account with a uid greater than zero. The default uid for nobody depends on the platform:

    User ID       Platform
    60001         Solaris, IRIX
    65534         OSF/1, HPUX
    4294967294    AIX

Note
It's strongly recommended that you use a dedicated user account for the proxy server.

Because the proxy server is configured through a web-based administration server, you might also want to create another user account for the administration server. You can also run the administration server as root, and then start and stop the server when you aren't using it to configure the proxy server.

Choosing unique port numbers

The proxy server uses two port numbers: one for the proxy server itself and another for the administration server. You specify these two port numbers during installation, but you can also change the port numbers after installation.

The port numbers must be unique for each service on a computer. Port numbers for all network-accessible services on your machine are listed in the file /etc/services. Your system might use the YP (or NIS) Yellow Pages. In that case, you can use the command-line utility ypcat services to list the additional port numbers used or reserved in the YP database. Industry standards for many kinds of ports already exist; for example, the standard HTTP port number is 80; for Telnet, the standard port is 23; and for HTTPS, the standard port is 443. There isn't yet a standard port number for proxy servers; however, commonly used ports are 8000 and 8080. If you are unsure of which port number to use, 8000 or 8080 is probably a good choice. If you use the Netscape Proxy Server's built-in SOCKS daemon, you should use the SOCKS port 1080.

The administration server is typically run on a random port number above 1024. This makes it harder for someone to figure out where your administration server is and try to compromise its security.

Before you choose a port number, make sure the port you choose isn't in use. Look at the file /etc/services on the server machine (or use ypcat services) to make sure you don't assign a port number that is used by another service.

Note
If you choose a port number less than 1024, you'll have to be logged in as root or superuser to start the proxy. After the proxy is bound to the port, the server changes from root or superuser to the user account you chose to run under. If you choose a port number greater than 1024, you don't have to be root or superuser to start the proxy.
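
The account and port checks described in this section can be scripted. The following is an added example, not part of the original manual or the product; the function names and the script name preinstall-check.sh are hypothetical, and a port counts as taken when /etc/services (or a saved copy of the ypcat services output) lists it for TCP.

```shell
#!/bin/sh
# Added example: pre-install checks for the proxy's Unix account and ports.
# The passwd/services paths are parameters so a copy of the file (or the
# saved output of "ypcat services") can be checked instead.

# uid_ok USER [PASSWD_FILE]: print USER's uid; fail unless it is greater than zero.
uid_ok() {
    user=$1 file=${2:-/etc/passwd}
    uid=$(awk -F: -v u="$user" '$1 == u { print $3; exit }' "$file")
    case $uid in
        '')       echo "$user: no such account in $file" >&2; return 1 ;;
        -*|0)     echo "$user: uid $uid is not greater than zero" >&2; return 1 ;;
        *[!0-9]*) echo "$user: uid '$uid' is not numeric" >&2; return 1 ;;
    esac
    echo "$uid"
}

# port_owner PORT [SERVICES_FILE]: print the service name(s) listed on PORT/tcp.
port_owner() {
    port=$1 file=${2:-/etc/services}
    awk -v p="$port/tcp" '
        { sub(/#.*/, "") }       # drop trailing comments
        $2 == p { print $1 }' "$file"
}

# check_port PORT [SERVICES_FILE]: fail if PORT is invalid or already listed.
# Prints "root" when the port is below 1024 (the server must be started as
# root or superuser), otherwise "user".
check_port() {
    port=$1 file=${2:-/etc/services}
    case $port in
        ''|*[!0-9]*) echo "port '$port' is not numeric" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] ||
        { echo "port $port is out of range" >&2; return 1; }
    owner=$(port_owner "$port" "$file")
    [ -z "$owner" ] ||
        { echo "port $port is listed for: $owner" >&2; return 1; }
    if [ "$port" -lt 1024 ]; then echo root; else echo user; fi
}

# Run directly as: sh preinstall-check.sh USER PROXY_PORT ADMIN_PORT
if [ $# -eq 3 ]; then
    [ "$2" != "$3" ] || { echo "proxy and admin ports must differ" >&2; exit 1; }
    uid_ok "$1" && check_port "$2" && check_port "$3"
fi
```
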

Installing the Netscape Proxy Server

After you've installed the required software, you can install the Netscape Proxy Server. You can install a new proxy, replace an existing proxy server, or install more than one proxy.

If you're already running a proxy server, you should install the new proxy server to a different port. For example, if you are replacing a proxy that listens to port 8080, you might first install the new Netscape Proxy Server on port 8081, assuming that port is available. After the new Netscape Proxy Server is properly configured, shut down the old proxy server and then change the new proxy to use port 8080.

If you're upgrading from a 1.1 Netscape Proxy Server, see page 38.

Note
The proxy server must be installed to an empty directory. By default, the installation process uses the directory /usr/ns-home.
To install the Netscape Proxy Server,

  1. Log into your computer as root or superuser unless you meet all of the following conditions: When you submit the installation forms, you'll get an error if you don't have sufficient permissions to the server root directory (the directory where you want to install the server). If this happens, you have to either change the directory where you install to, change your user permissions, or log in as root and start the installation over. Even if you meet these conditions, you should still log in as root or superuser for the installation.

  2. Check to be sure the standard Unix tar program is in your path before you run the installation process.
  3. Put the Netscape Proxy Server CD-ROM in the drive. If the system has volume manager running, the CD-ROM will be mounted automatically; otherwise, mount the CD-ROM.
  4. Go to the directory for the operating system that your computer uses and then go to the subdirectory called proxy. For example, if you are using Solaris, type cd SOLARIS/proxy.
    Note
    If you use the Solaris operating system, or any other operating system with a memory-based file system, don't use the /tmp directory because you might encounter problems later in the installation.

  5. Type ./ns-setup to start the server installation. If you aren't logged in as root (superuser) or if you don't have sufficient write permissions, you'll get one or more error messages. This program extracts proxy server files from the CD and installs them in the server root directory you specify. When you run ./ns-setup, this prompt appears; the default directory is shown in brackets:

    Server root [/usr/ns-home]:

    You can either press Enter to accept the default name in brackets, or type the name of the directory you want to use and then press Enter.

  6. The program extracts the files. When the prompt appears, press Enter to start configuration.

    Configure new server now? [yes]: yes

  7. To start the configuration, the server needs the fully qualified host name of your machine. The following prompt appears with your fully qualified domain name listed. You can either press Enter to accept the default name in brackets, or type a new name and press Enter.

    Full name [mybox.mysite.com]:

  8. In Netscape Proxy Server 2.5, the administration server contains a collection of forms you use to configure the proxy server. Choose a random port number between 1024 and 65535 that is not used for any other services. The installation program defaults to 8081. You can type a different port number and then press Enter, or to accept the default port number, press Enter.

    Administration port [8081]:

  9. The administration server program runs using the user account you specify. This account should be different from the proxy server user account. Only the user that you specify will have write permission to the proxy server's configuration files (the proxy needs only read permission). The installation program by default uses the user account you are currently running with (for example, root). To accept it, press Enter, or type a different user and then press Enter.

    Run admin server as [root]:

  10. Access to the administration server is always restricted. The installation program prompts you to create a user name and password for authentication when accessing the administration server. Whenever you go to the administration server, you'll be prompted to enter this user name and password before you're allowed access to the Server Selector and Server Manager forms. You need to type the password twice to ensure accuracy.

    Access username [admin]: admin
    Password:
    Password (again):

  11. In addition to the user name authentication, access to the administration server is also restricted by host names and IP addresses. Any computer that isn't in the list of IP addresses or host names is denied access to the administration server even if the user knows the authentication user name and password. By default, access is restricted to the local host only (that is, the computer where the proxy and administration servers are installed). You can use wildcard patterns to specify a group of host names, such as *.netscape.com. Separate entries with commas. You can press Enter to accept the default restriction, or you can type entries and then press Enter:

    Hosts [NONE]: *.netscape.com

    IP addresses [198.95.251.30]:

  12. The installation program adds your choices to the administration server's configuration files, then the administration server starts. The installation program displays messages as it writes to the configuration files. When it is finished, it asks you to press a key to continue, then it displays other start-up messages:

    Wrote /usr/ns-home/admserv/admpw
    Wrote /usr/ns-home/admserv/ns-admin.conf
    Wrote /usr/ns-home/start-admin
    Wrote /usr/ns-home/stop-admin
    Press any key to continue.
    warning: daemon is running as super-user
    startup: listening to port 8081 as root

  13. The installation program asks you for the name of your web browser. If you plan to access the administration server forms from a remote client (such as from a PC), enter NONE and then copy the URL the installation program lists; this is the URL you use to go to the administration server forms. Otherwise, press Enter to accept the default (Netscape Navigator), or type the name of your web browser. The installation program starts your web browser and goes to the Server Selector by using the URL to the administration server. The URL is based on your computer's host name and the port where you installed the administration server. For example, http://mybox.mysite.com:8081/.

    Network navigator [netscape]: NONE

  14. To finish the installation, click Install a new Netscape Proxy Server. The installation form collects data used to generate the server configuration files. The proxy uses these files to control how it works.
    Note
    You can choose the defaults during installation and change the information later by using the Server Manager. The options listed in the installation forms are described in more detail in Chapter 2, "Configuring and managing the server," and in other sections of this book.

  15. In the Netscape Proxy Server Installation form, type the following information for your proxy server:
  16. Depending on your proxy server configuration, the server might need to resolve IP addresses into host names (for example, if you use access control based on host name). Choose how you want the proxy server to resolve IP addresses by checking the box for one of these choices:
  17. Choose the log format you want the proxy to use. For more information about log files and formats, see Chapter 11, "Monitoring the server's status".
  18. Check the protocols you want the proxy to handle. All protocols are proxied by default. To disable proxying for a protocol, uncheck the box for that protocol. Choose the protocols that you want to support SSL tunneling. All secure protocols are tunneled by default. To disable tunneling for a secure protocol, uncheck the box for that protocol.

  19. Choose whether or not you want to cache documents. Caching is on by default, and the cache directory that you specified is listed. If you want to use caching, choose a cache size and capacity. You can change the directory if needed. If you don't want caching, check the box called No caching. For more detailed information on caching, see Chapter 7, "Caching".
  20. If you want the proxy to cache HTTP documents, check the Cache HTTP box. Caching HTTP is on by default. If you specify to cache HTTP, you also need to specify preferences for document refresh and expiration policies.
  21. Caching for both FTP and Gopher is on by default, with a time interval between reloads of six hours for FTP and four hours for Gopher. You can change the time interval, or you can turn off caching for either protocol by unchecking their respective check boxes.
  22. Click OK to complete the installation.
After you fill in the install form and click OK, the installation takes place. No file outside of the installation working directory is modified until you click OK.

What the installation does

Some temporary files are written to the /tmp directory and then removed after installation.

The installation program places all of the server files under the server root directory that you specified during installation. If you enabled caching, the cache framework is created under the cache root directory. The following files and directories are created under the server root directory.
Administration server:

Script to start the administration server

Script to stop the administration server

Script to configure the administration server

Binaries and icons used in the administration server

Administration server main program

Administration server password file

Administration server batch processing configuration

Administration server batch processing error log

Administration server error log

Administration server configuration file

List of the Netscape servers that are installed

Proxy server:

Proxy binary

Shared library used by the proxy and the administration server

Binaries and icons used in the proxy configuration

Binaries and icons used in the proxy installation

Server plug-in API:

Server plug-in example code

Server plug-in include files

Miscellaneous:

Netscape server license

Berkeley DBM format database manipulation code

Flex-log analyzer

Log analyzer version 1.12 for compatibility

Icons for Gopher menus and FTP listings

 

Upgrading from a previous version of the Netscape Proxy Server

This section tells you how to upgrade from an earlier version of the Netscape Proxy Server. The upgrade process involves installing the new server to a new or empty directory and then transferring the configuration information from the old proxy server to the new one.

To upgrade from an earlier version of the proxy server,

  1. Shut down your server.
  2. Follow the directions in the previous installation section to install the new 2.5 server into a separate directory. After you start the administration server, click the Install a new Netscape Proxy Server button.
  3. In the form that appears, click the Upgrade button.
  4. Type the absolute path to the directory where the older version of the server is installed.
  5. Type an identifier for the new proxy server. This is the name that will appear in the Server Selector and will be used for certain directory names for the new server.
  6. Click OK. The installation program transfers the configuration information from the old server to the new one. This process can take a few minutes depending on the complexity of your configuration.
  7. After this process, you will have two working servers (the old server will be turned off). To use your previous cache structure with the new 2.5 server, use the cupgrade utility, as described on page 108.

Starting the Netscape Proxy Server

Once installed, the proxy server and its child processes run constantly, waiting and handling requests. If your computer crashes or is taken off-line, the server processes are lost. There are several ways you can restart the server:

Because the installation forms cannot edit the /etc/rc.local, /etc/rc2.d/S99proxy or /etc/inittab files, you have to edit those files yourself.

Starting from the Server Manager

You can start and stop the proxy server from the Server Selector or from the Server Manager forms. Next to each installed server in the Server Selector, there is a red graphic (shown at left) that shows you if the server is on or off. You can click this graphic to toggle the server. For example, if the server is running, you can click the graphic to turn it off, and vice versa.

To start or stop the server from the Server Manager forms, use the Server Selector to choose the proxy server you want to start or stop. Click the System Settings button, and then click the link called On/Off. The Server On/Off form appears with two buttons. If you want to start the server, click Server On. If you want to stop the server, click Server Off. For either of these, you will get a confirmation message.

Manually starting the server

To restart the proxy server from the command line, log in as root or superuser, or if the proxy port number is greater than 1024, log in with the proxy's user account. At the command-line prompt, go to the proxy's root directory, type the start command, and then press Enter. The syntax is:

[ServerRoot]/proxy-[IDENTIFIER]/start

[ServerRoot] is the directory where you installed the server. The start script has two command-line arguments:

-p XX (where XX is a port number) starts the proxy on a specific port number. This overrides the setting in magnus.conf.

-i runs the proxy in inittab mode, so that if the proxy process is ever killed or crashes, inittab restarts the proxy server for you. It also prevents the proxy from putting itself in a background process.

Note
If the proxy is already running, the start command fails. You must stop the proxy first, then use the start command. Also, if the proxy start-up fails, you should kill the process before trying to restart it (see "Troubleshooting installation" on page 41).

Manually stopping the server

If you used inittab to start the server, you'll need to remove the line from /etc/inittab before you stop the server. Otherwise, the server restarts automatically after it is stopped.

To stop the server manually, log in as root or become superuser, or if you started the proxy using the proxy's user account, log in as that user. Type the following at the command-line prompt:

[ServerRoot]/proxy-[IDENTIFIER]/stop

[ServerRoot] is the directory where you installed the server.

Restarting with inittab

To restart the proxy server with inittab, put the following text on one line in the /etc/inittab file. The syntax is:

proxy:2:respawn:[ServerRoot]/proxy-[IDENTIFIER]/start -i

[ServerRoot] is the directory where you installed the server. You'll need to remove this line before you stop the server (see "Troubleshooting installation" on page 41).

Note
If you are using a version of Unix not derived from System V (such as SunOS 4.1.3), you won't be able to use the inittab option.

Restarting with the system RC scripts

If you choose to use /etc/rc.local, or your system's equivalent, place the following line in that file:

[ServerRoot]/proxy-[IDENTIFIER]/start

[ServerRoot] is the directory where you installed the server.

Soft starting the proxy

If the proxy is currently running and you want to restart it so that it uses an updated configuration, type:

[ServerRoot]/proxy-[IDENTIFIER]/restart

[ServerRoot] is the directory where you installed the server. This script finds the parent process id (in the logs/pid file) and sends the hang-up (-HUP) signal to that process.

Troubleshooting installation

This section describes common installation problems and how to solve them.

I accidentally denied all access to the Administration forms.
Log in as root or with the proxy's user account. In the server root directory, edit the magnus.conf file. See page 352 for more information on this file.

I don't have access to the proxy.
Log in as root or the proxy's user account. In the server root directory, edit the obj.conf file and remove the following lines:

<Client dns="[wildcardpattern]" ip="[wildcardpattern]">
PathCheck fn=deny-service
</Client>
[wildcardpattern] is a shell expression that matches your DNS or IP address. You can also edit the wildcard patterns so that your user account information isn't included. To deny service to everyone except a select group, use *~ before the wildcard pattern (for example, *~*netscape.com denies service to everyone except those from the netscape.com domain). See Chapter 3, "Managing templates and resources" for more information on wildcard patterns.
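
To find which deny-service block is locking a host out before editing obj.conf, the check below can be run against a copy of the file. It is an added example, not part of the original manual or the product: the function names and the script name objconf-denied.sh are hypothetical, only the dns= attribute is evaluated (ip= is ignored), and only the wildcard forms "*", "?" and a single "~" exclusion are handled.

```shell
#!/bin/sh
# Added example: list the <Client> deny-service blocks in an obj.conf copy
# whose dns= wildcard pattern matches a given host name.
# Assumption: "A~B" means "matches A but not B", as in the page's
# *~*netscape.com example; other shell-expression forms are not handled.

# shexp_match PATTERN HOST: succeed when HOST matches PATTERN.
shexp_match() {
    pat=$1 host=$2
    case $pat in
        *"~"*) incl=${pat%%"~"*} excl=${pat#*"~"} ;;
        *)     incl=$pat excl= ;;
    esac
    # Unquoted $incl and $excl act as glob patterns inside case.
    case $host in $incl) ;; *) return 1 ;; esac
    [ -z "$excl" ] && return 0
    case $host in $excl) return 1 ;; esac
    return 0
}

# denying_patterns OBJCONF HOST: print the dns= pattern of every <Client>
# block that contains "PathCheck fn=deny-service" and matches HOST.
denying_patterns() {
    conf=$1 target=$2 dns= inblock=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *'<Client'*)
                inblock=1 dns=
                case $line in
                    *dns=\"*) dns=${line#*dns=\"}; dns=${dns%%\"*} ;;
                esac ;;
            *'</Client>'*)
                inblock=0 ;;
            *PathCheck*fn=deny-service*)
                if [ "$inblock" = 1 ] && [ -n "$dns" ] &&
                   shexp_match "$dns" "$target"; then
                    printf '%s\n' "$dns"
                fi ;;
        esac
    done < "$conf"
}

# Run directly as: sh objconf-denied.sh OBJCONF HOSTNAME
if [ $# -eq 2 ]; then
    denying_patterns "$1" "$2"
fi
```

An empty result means no dns-based deny-service block matches the host; any pattern printed is the one to remove or edit.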

Clients can't find the proxy server.
First try using the host name. If that doesn't work, use a fully-qualified name (in the form proxy.subdomain.domain). If that doesn't work, use the dotted quad IP address.

The proxy is slow, and transfers take too long.
If you log files to SYSLOG, you might encounter reduced performance. Use the proxy's error log files instead. The proxy computer might also need more RAM to handle the load, or if other applications are on the proxy machine, they might be degrading proxy performance by using most of the computer's memory.

You can also reduce transfer time by configuring the cache refresh setting. See page 97 for more information on the cache refresh setting.