Part of the flexibility of the OpenAthens managed proxy service is that you can use a simple forward proxy of your own as part of it. For large organisations and consortia who need the proxy service to present different IP addresses for different parts of their account structure, there is an option where the OpenAthens Managed Proxy Service uses a locally hosted forward proxy to perform the final hop to the publisher site.
This allows the final hop to the resource to come from your own infrastructure if you wish. It is done by running what is called a 'forward proxy', and it allows you to 'bring your own' IP address.
OpenAthens still does the complicated parts (selecting the relevant configurations, permissions, end-user interaction, redirector support and re-writing of the packets), but the final hop to the resource can come from a forward proxy under your direct control. This has several advantages, including:
- An IP address of your own, i.e. one that vendors already have registered for you
Squid is a widely used proxy, available on most platforms under the GNU GPL (i.e. it is popular and free): http://www.squid-cache.org/
This page concentrates on Linux. Other forward proxies are available and will work in similar ways.
You will need:
- Familiarity with your own systems.
- Sufficient access rights to install and configure software.
- No fear of the command line (although a healthy respect is always good).
There are a couple of differences between Debian and Red Hat derived systems which are highlighted below. Other distros will be similar.
- Install Squid. Most repositories include it, but you can also get binaries from https://wiki.squid-cache.org/SquidFaq/BinaryPackages
- Navigate to the Squid configuration directory (/etc/squid on the distros covered here; this is where the configuration below expects to find the password file).
- Create a password file containing a user for OpenAthens. The htpasswd tool comes from the apache2-utils package on Debian/Ubuntu and from httpd-tools on RHEL/CentOS; it prompts for the password:

```bash
htpasswd -c squid_passwd <username>
```

- Make a note of the username and password for later: you will need to tell OpenAthens what they are.
- Add the following to squid.conf, taking care to use the correct auth_param line for your distro.
```bash
# Prevent X-Forwarded-For being overwritten by Squid
forwarded_for transparent

# Setup ACLs for OpenAthens
# RHEL / CentOS based distros
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid_passwd
# Debian / Ubuntu based distros
# auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED

# http_access rules are evaluated top to bottom and the first match wins
# Allow authenticated access
http_access allow authenticated

# Deny all other access to this proxy
http_access deny all
```
- Start Squid and set it to autostart according to your OS
- Browsing directly to http://<squids_ip_address>:3128 should now show an error page generated by Squid (the browser is talking to the proxy port rather than through it, so an error is the expected result).
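The steps above, gathered into one script as an added example (this is not OpenAthens' or Squid's own tooling). It picks the basic_ncsa_auth path that exists on the host, renders the squid.conf shown above, refuses to install a rule set whose last http_access line is not "deny all", creates the password file, validates the config with squid -k parse before reloading, and then checks that a request without credentials gets a 407. The user name "openathens", the squid group name, the 127.0.0.1 smoke test and the example.com target are assumptions, not from the page; the script only acts when run with the argument "apply".

```shell
#!/bin/sh
# Added example, not OpenAthens' or Squid's own tooling: applies the setup steps
# end to end. Assumed (not on the page): user name "openathens", the squid group
# name and the loopback smoke test; override them via environment variables.
set -eu

SQUID_DIR="${SQUID_DIR:-/etc/squid}"
PROXY_USER="${PROXY_USER:-openathens}"
SQUID_GROUP="${SQUID_GROUP:-squid}"   # Debian/Ubuntu packages run Squid as group "proxy"

# Locate basic_ncsa_auth for this distro (lib64 on RHEL/CentOS, lib on Debian/Ubuntu).
# Falls back to the RHEL path when neither exists yet, e.g. before Squid is installed.
find_ncsa_helper() {
    for p in /usr/lib64/squid/basic_ncsa_auth /usr/lib/squid/basic_ncsa_auth; do
        if [ -x "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    printf '%s\n' /usr/lib64/squid/basic_ncsa_auth
}

# Render the squid.conf from the steps above for a given helper ($1) and password file ($2).
render_squid_conf() {
    cat <<EOF
# Prevent X-Forwarded-For being overwritten by Squid
forwarded_for transparent

# Setup ACLs for OpenAthens
auth_param basic program $1 $2
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED

# http_access rules are evaluated top to bottom; the first match wins
http_access allow authenticated
http_access deny all
EOF
}

# Guard against a mis-ordered rule set: the last http_access line must be "deny all".
last_http_access_is_deny_all() {
    printf '%s\n' "$1" | grep '^http_access' | tail -n 1 | grep -q '^http_access deny all$'
}

# Write config and password file, validate, reload, and smoke-test the listener.
apply() {
    helper=$(find_ncsa_helper)
    conf=$(render_squid_conf "$helper" "$SQUID_DIR/squid_passwd")
    last_http_access_is_deny_all "$conf" || { echo "refusing to install: last http_access is not deny all" >&2; return 1; }
    printf '%s\n' "$conf" > "$SQUID_DIR/squid.conf"

    # htpasswd is in apache2-utils (Debian/Ubuntu) or httpd-tools (RHEL/CentOS); it prompts for the password.
    htpasswd -c "$SQUID_DIR/squid_passwd" "$PROXY_USER"
    chown "root:$SQUID_GROUP" "$SQUID_DIR/squid_passwd"
    chmod 640 "$SQUID_DIR/squid_passwd"   # password hashes readable by the auth helper only

    # Parse the config before touching the running service (assumes Squid was started as above).
    squid -k parse -f "$SQUID_DIR/squid.conf"
    squid -k reconfigure

    # Without credentials the proxy must answer 407 Proxy Authentication Required.
    code=$(curl -s -o /dev/null -w '%{http_code}' -x http://127.0.0.1:3128 http://example.com/)
    [ "$code" = 407 ] || { echo "expected 407 without credentials, got $code" >&2; return 1; }
    echo "proxy configured; try: curl -x http://127.0.0.1:3128 -U $PROXY_USER http://example.com/"
}

# Only act when explicitly asked, so the file can be sourced or inspected safely.
if [ "${1:-}" = "apply" ]; then
    apply
fi
```

The 407 check is the one worth keeping around: if an unauthenticated request ever gets anything else through the proxy, an http_access rule has been added above the deny-all and the proxy is open.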
Securing the connection
You want to make sure that inbound connections are limited to OpenAthens; this is done with an X.509 client certificate that OpenAthens presents and your proxy verifies. It matters for a second reason too: the basic auth credentials set up above travel in cleartext on the plain port 3128, so the TLS listener is what keeps them private. The process is a little different depending on which flavour of Linux you are using.
Red Hat based distros such as CentOS
7. Add the following to your squid.conf file:
It is also possible to set up Squid in a multi-tenant mode, e.g. if different parts of your organisation or consortium have different scopes and need to present a different IP address depending on where in your organisation the user sits. Instructions for this are available from our service desk.
Debian based distros such as Ubuntu
At the time of writing the Squid package supplied by Debian is not compiled with the --enable-ssl flag, which means the https_port configuration directive is not available and a little more work is required. You can confirm what your build supports with squid -v, which lists the configure options (newer Squid releases spell the option --with-openssl). Since you can't use a simple configuration directive you need to front Squid with something such as stunnel (https://www.stunnel.org/): stunnel terminates the TLS connection, verifies the OpenAthens client certificate and passes the plain proxy traffic on to Squid. Squid should then listen on the loopback interface only, otherwise the unencrypted port 3128 remains reachable and the client certificate check can simply be bypassed.
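One added example serving both the Red Hat step (a Squid built with TLS, where https_port is available) and the Debian case (stunnel in front of a Squid without TLS). This is not OpenAthens', Squid's or stunnel's own code. It detects which build you have from squid -v, renders the matching configuration, and for the stunnel case also pins Squid's own listener to loopback so the unencrypted port cannot be reached from outside. The listener port 3129, the certificate and key paths, the name of the OpenAthens CA file, the stunnel4 service name on Debian and the curl probe against example.com are assumptions, not from the page; Squid 4+ option spellings are used, with the Squid 3 names noted in a comment. The script only acts when run with the argument "apply".

```shell
#!/bin/sh
# Added example, not OpenAthens', Squid's or stunnel's own tooling: renders the
# client-certificate front door for either Squid build. Assumed (not on the page):
# TLS port 3129, the file paths below, the stunnel4 service name and the curl probe.
set -eu

TLS_PORT="${TLS_PORT:-3129}"
CERT="${CERT:-/etc/squid/proxy-cert.pem}"                 # this proxy's own server certificate
KEY="${KEY:-/etc/squid/proxy-key.pem}"
CLIENT_CA="${CLIENT_CA:-/etc/squid/openathens-ca.pem}"   # CA that issued the OpenAthens client cert

# Did the distro build Squid with TLS? Squid 3 reports --enable-ssl, Squid 4+ --with-openssl.
squid_has_tls() {
    squid -v 2>/dev/null | grep -Eq -- '--(enable-ssl|with-openssl)'
}

# Squid 4+ https_port ($1 port, $2 cert, $3 key, $4 client CA): a client certificate chaining
# to the given CA is mandatory, and tls-default-ca=off stops a certificate from any
# system-trusted CA being accepted instead. Squid 3 spelling: cert= key= clientca= sslflags=NO_DEFAULT_CA
render_squid_tls_listener() {
    printf 'https_port %s tls-cert=%s tls-key=%s clientca=%s tls-default-ca=off\n' "$1" "$2" "$3" "$4"
}

# stunnel service for a Squid without TLS ($1 port, $2 cert, $3 key, $4 client CA): terminates
# TLS, demands and verifies the client certificate, and forwards to Squid on loopback only.
render_stunnel_conf() {
    cat <<EOF
[squid]
accept = $1
connect = 127.0.0.1:3128
cert = $2
key = $3
CAfile = $4
verifyChain = yes
requireCert = yes
EOF
}

# With stunnel in front, Squid's own listener must be loopback-only, or the TLS and
# client-certificate layer can be bypassed by connecting straight to port 3128.
render_loopback_http_port() {
    printf 'http_port 127.0.0.1:3128\n'
}

# Check a stunnel config really enforces client certificates: verifyChain alone only
# verifies a certificate if one is offered; requireCert makes offering one mandatory.
stunnel_requires_client_cert() {
    printf '%s\n' "$1" | grep -q '^verifyChain *= *yes$' &&
    printf '%s\n' "$1" | grep -q '^requireCert *= *yes$'
}

apply() {
    if squid_has_tls; then
        render_squid_tls_listener "$TLS_PORT" "$CERT" "$KEY" "$CLIENT_CA" >> /etc/squid/squid.conf
        squid -k parse && squid -k reconfigure
    else
        conf=$(render_stunnel_conf "$TLS_PORT" "$CERT" "$KEY" "$CLIENT_CA")
        stunnel_requires_client_cert "$conf" || return 1
        printf '%s\n' "$conf" > /etc/stunnel/squid.conf   # Debian package stunnel4 reads /etc/stunnel/*.conf
        render_loopback_http_port >> /etc/squid/squid.conf
        squid -k parse && squid -k reconfigure
        systemctl restart stunnel4
    fi
    # Probe: a proxy request over TLS that offers no client certificate must fail outright.
    # If curl exits 0 here (even with a 407 body), the listener is reachable without a certificate.
    if curl -s -o /dev/null --proxy-insecure -x "https://127.0.0.1:$TLS_PORT" http://example.com/; then
        echo "WARNING: TLS listener accepted a connection without a client certificate" >&2
        return 1
    fi
    echo "client certificate is enforced on port $TLS_PORT"
}

if [ "${1:-}" = "apply" ]; then
    apply
fi
```

To exercise the listener with a certificate, point curl at the same proxy with --proxy-cert and --proxy-key; the first response should then be the familiar 407 from the basic auth layer behind it.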