Proxy server security

Security of the Caching Proxy server is important and this provides details on how to control who has access to the files there.

Any server accessible from the Internet is at risk for attracting unwanted attention to the system on which it runs. Unauthorized people might try to guess passwords, update files, run files, or read confidential data. Part of the attraction of the World Wide Web is its openness. However, the web is open to both positive use and abuse.

The following sections describe how to control who has access to the files on your Caching Proxy server.

Caching Proxy supports Secure Sockets Layer (SSL) connections, in which secure transmissions that involve encryption and decryption are established between the client browser and the destination server (either a content server or a surrogate server).

When Caching Proxy is configured as a surrogate, it can establish secure connections with clients, with content servers, or both. To enable SSL connections, in the Configuration and Administration forms, select Proxy Configuration SSL Settings. On this form, select the Enable SSL check box and specify a key ring database and a key ring database password file.

When Caching Proxy is configured as a forward proxy server, it follows a pass-through protocol that is called SSL Tunneling to pass encrypted requests between the client and the content server. Encrypted information is not cached because the proxy server does not decrypt the tunneled requests. In a forward proxy installation, SSL tunneling is enabled. To disable it, in the Configuration and Administration forms, select Proxy Configuration Proxy Settings, and clear the SSL Tunneling check box on this form.

You can take several basic precautions to protect your system:
  • Place a server that is meant for public access in a network that is separate from your local or internal network.
  • Disable utilities that allow remote users to access the server's internal processes. In particular, consider disabling telnet, TN3270, rlogin and finger clients on the system that is running the server.
  • Use packet filtering and firewalls.

    Packet filtering provides a choice of defining where data can come from and where it can go. You can configure your system to reject certain source-destination combinations.

    A firewall separates an internal network from a publicly accessible network, such as the Internet. The firewall can be a group of computers or a single computer that acts as a gateway in both directions, regulating and tracking the traffic that passes through it. IBM® Firewall is an example of firewall software.

  • Control CGI scripts. Using CGI scripts on a web server can create a security risk because it is possible for these scripts to show environment variables that include such sensitive data as user IDs and passwords. Make sure that you know exactly what a CGI program does before you run it on your server, and control who has access to CGI scripts on your server.
Note: If the Configuration wizard is used to configure the proxy server, then to enable SSL, a mapping rule must be created to proxy requests received through port 443.
Proxy /* http://content server :443
Proxy /* https://content server :443