General Information on HTTP Proxy Configuration

The HTTP proxy lets you efficiently handle browser requests through the Firewall, which eliminates the need for a SOCKS server environment. Users can use the Internet without compromising the security of the internal network, and without altering their client environment to implement it.

Note: If you change any of these settings, you must restart the phttpd process.

Example of HTTP Proxy Configuration

Suppose that your firewall is set up to mediate traffic between a secure network and the outside Internet. Let's also suppose that you want to allow users from the secure network to access the World Wide Web on the non-secure Internet. For a basic configuration, you could complete the following steps.

  1. Click "HTTP" in the navigation tree and ensure that the HTTP Proxy Configuration settings are suitable for your purposes. Note that port 8080 is the default here. If you change this, the port number must also be changed in the Services that get set up for this configuration (see below). If you change any of these settings, you must restart the phttpd process.
  2. Ensure that the phttpd process is running. If it's not, you can type "phttpd" at the AIX command line to start it. To have it start automatically each time the Firewall is rebooted, uncomment the phttpd line in the /etc/rc.tcpip file so that it looks as follows:
    ## If you want the HTTP proxy daemon to always            #FW#
    ## start at boot time, uncomment the following line.      #FW#
    /usr/sbin/phttpd 
    
  3. Add two connections (or supplement existing connections):
    1. Allow HTTP traffic to flow between the secure users and the secure interface on the firewall:
      Name: HTTP Proxy 1
      Description: HTTP to the firewall
      Source: Secure Network
      Destination: Secure Interface
      Service: HTTP proxy outbound 1/2
    2. Allow HTTP traffic to flow between the non-secure interface of the Firewall and the Internet:
      Name: HTTP Proxy 2
      Description: HTTP from Firewall to WWW
      Source: Non-secure Interface
      Destination: The World
      Services: Select from...
      • HTTP proxy out 2/2
      • FTP proxy out 2/2
      • Gopher proxy out 2/2
      • WAIS proxy out 2/2
      • HTTPS proxy out 2/2
  4. Allow DNS Queries. An easy way to do this is to click on Security Policy (from inside the System Administration folder in the navigation tree) and click on "Permit DNS Queries".
  5. Regenerate and activate the Connection Rules.
  6. Tell your secure network users to configure their browsers to access the HTTP Proxy at the Firewall's secure interface address, using port 8080.
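
A post-configuration check for the steps above, as an added example that is not part of the original documentation: it confirms that the phttpd line in /etc/rc.tcpip is uncommented, that the daemon is running, and that a TCP listener exists on the proxy port. The function names and the --check argument are hypothetical, and the netstat parsing assumes the local address is the fourth column of `netstat -an` output.

```shell
#!/bin/sh
# Added example (not from the original page): verify the phttpd setup.
# The path and port are the ones the page names; function names are hypothetical.
RC_FILE="${RC_FILE:-/etc/rc.tcpip}"
PROXY_PORT="${PROXY_PORT:-8080}"

# Returns 0 if the file in $1 contains an uncommented /usr/sbin/phttpd line.
phttpd_boot_enabled() {
    grep -Eq '^[[:space:]]*/usr/sbin/phttpd([[:space:]]|$)' "$1"
}

# Returns 0 if a process named phttpd is currently running.
phttpd_running() {
    ps -e -o comm= 2>/dev/null | grep -Eq '(^|/)phttpd$'
}

# Reads `netstat -an` output on stdin; returns 0 if a TCP socket is in
# LISTEN state on port $1. The local address may end in ".8080" or ":8080".
port_listening() {
    awk -v p="$1" '
        $NF == "LISTEN" && $4 ~ ("[.:]" p "$") { found = 1 }
        END { exit !found }'
}

# Runs all three checks and reports each result; returns 1 if any fails.
check_phttpd() {
    status=0
    if phttpd_boot_enabled "$RC_FILE"; then
        echo "boot entry: enabled in $RC_FILE"
    else
        echo "boot entry: phttpd line missing or still commented in $RC_FILE"
        status=1
    fi
    if phttpd_running; then
        echo "process:    phttpd is running"
    else
        echo "process:    phttpd is not running"
        status=1
    fi
    if netstat -an 2>/dev/null | port_listening "$PROXY_PORT"; then
        echo "listener:   port $PROXY_PORT is listening"
    else
        echo "listener:   nothing listening on port $PROXY_PORT"
        status=1
    fi
    return "$status"
}

# Only run the checks when asked to, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then check_phttpd; fi
```

If you changed the proxy port in step 1, set PROXY_PORT to the new value before running the check.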

Further Information

Example of Proxy HTTP
Using Proxy Servers

Proxy Port Number

Enter the TCP/IP port number (in decimal) where you wish the proxy to listen. All clients should configure their browsers to this port.

Content Buffer Length (KBytes)

Enter the size, in kilobytes, reserved for the HTTP content buffer. For each proxy request, a buffer of up to this size is allocated. If this buffer cannot be allocated, the file is sent WITHOUT a content length header.

Max Active Threads

Enter the maximum number of threads that the proxy can have active or available for use at any one time. The proxy will not exceed this number of threads; new requests will be held until a thread becomes available.

Min Active Threads

Enter the minimum number of threads that the proxy can have active or available for use. This number of threads will ALWAYS be available on the proxy.

Idle Thread Never Timeout

Click "Yes" if you do not want an idle thread to time out. Click "No" to indicate that you do want a timeout value and then enter the timeout value in the field below.

Idle Thread Timeout (Minutes)

Enter the time, in minutes, for the proxy to keep an idle thread (above the value entered in the Min Active Threads field) available.

HTTP Logging Management

Set this to "on" if you wish log records to be written to the syslog file when the proxy starts, stops, or when an HTTP "GET" request is processed. If you do not wish to log any requests through the proxy, set this to "off".

OK

Press the "OK" button to save changes and close the window.

Cancel

Press the "Cancel" button to close the window without saving any changes.