
Part of the flexibility of the OpenAthens managed proxy service is that you can use a simple forward proxy of your own as part of it.

OpenAthens still does the complicated parts, but the final hop to the resource can come from a forward proxy under your direct control. This has several advantages including:

  • You can use an IP address that vendors already have registered for you
  • You have access to your own server logs 

Squid is a widely used proxy available on most platforms under the GNU GPL (i.e. it's popular and free). Link: http://www.squid-cache.org/

Other forwarding proxies are available and will work in similar ways. Windows users will probably prefer to use IIS.

Prerequisites

  • Familiarity with your own systems.
  • Sufficient access rights to install and configure software.
  • No fear of the command line (although a healthy respect is always good).

Method

There are a couple of differences between Debian and Red Hat derived systems, which are highlighted below. Other distros will be similar.

General

...

Code Block
# Prevent X-Forwarded-For being overwritten by Squid
forwarded_for transparent

# Set up ACLs for OpenAthens
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid_passwd # RHEL / CentOS based distros
# auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/squid_passwd # Debian / Ubuntu based distros
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED

# Allow authenticated access
http_access allow authenticated

# Deny all other access to this proxy
http_access deny all

...

Securing the connection

You want to make sure that inbound connections are limited to OpenAthens; this is secured using an X.509 client certificate. The process differs a little depending on which flavour of Linux you are using.


Red Hat based such as CentOS

7. Add the following to your squid.conf file:

Code Block
#http_port xxx.xxx.xxx.xxx:3128

https_port xxx.xxx.xxx.xxx:3128 cert=/etc/squid/ssl_cert/server.pem clientca=/etc/squid/ssl_cert/openathens-client.pem
    • xxx.xxx.xxx.xxx is the external IP address of your Squid instance. Remove any and all http_port directives, leaving only the https_port directive.
    • server.pem is your server's certificate. This needs to be from a valid certification authority or Let's Encrypt. We'll need a copy alongside the username and password you set up earlier. Our service desk will be able to advise on secure ways to transfer the information to us. 
    • openathens-client.pem is the public key of the OpenAthens service and will ensure access is restricted. You can download it from https://proxy.openathens.net/tls/openathens-client.pem
    • (Put both certificates in the /etc/squid/ssl_cert folder)

8. Set your firewall rules to

    • allow TCP inbound to port 3128 on this server from any source IP address (the connection from us can come from multiple IPs)
    • allow outbound traffic on standard HTTP ports (80 and 443)

9. Securely pass our service desk the username and password you set up in step 3 and a copy of your server.pem certificate. 
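The General block and the Red Hat https_port line above rely on a handful of properties: access is password protected and ends in an explicit deny all, X-Forwarded-For is left intact, the TLS listener carries clientca=, and no plaintext http_port is reachable from the network. The Go program below is an added example written for this page (not Squid's or OpenAthens' own tooling) that audits a squid.conf for exactly those properties. The two embedded configurations are constructed samples, the first mirroring the Red Hat layout above, and the function and constant names are my own.

```go
package main

import (
	"fmt"
	"strings"
)

// parseSquidConf splits squid.conf text into whitespace-separated fields per
// directive, discarding blank lines and everything after a '#'.
func parseSquidConf(text string) [][]string {
	var out [][]string
	for _, raw := range strings.Split(text, "\n") {
		if i := strings.Index(raw, "#"); i >= 0 {
			raw = raw[:i]
		}
		if f := strings.Fields(raw); len(f) > 0 {
			out = append(out, f)
		}
	}
	return out
}

// AuditSquidConf checks the properties the configuration on the page relies on
// and returns one finding per problem; an empty result means every check passed.
func AuditSquidConf(text string) []string {
	var findings []string
	var hasAuth, hasAuthACL, forwardedOK bool
	var lastAccess []string // arguments of the final http_access line
	for _, f := range parseSquidConf(text) {
		args := f[1:]
		switch f[0] {
		case "auth_param":
			hasAuth = hasAuth || (len(args) >= 3 && args[0] == "basic" && args[1] == "program")
		case "acl":
			hasAuthACL = hasAuthACL || (len(args) >= 3 && args[1] == "proxy_auth" && args[2] == "REQUIRED")
		case "http_access":
			lastAccess = args
		case "forwarded_for":
			forwardedOK = len(args) == 1 && args[0] == "transparent" // last occurrence wins
		case "http_port":
			// A plaintext listener is only acceptable on loopback, behind stunnel.
			if len(args) == 0 || !strings.HasPrefix(args[0], "127.0.0.1:") {
				findings = append(findings, "http_port "+strings.Join(args, " ")+": plaintext listener reachable from the network; bind to 127.0.0.1 or use https_port")
			}
		case "https_port":
			clientCA := false
			for _, a := range args {
				clientCA = clientCA || strings.HasPrefix(a, "clientca=")
			}
			if !clientCA {
				findings = append(findings, "https_port without clientca=: any TLS client, not only OpenAthens, can reach the proxy")
			}
		}
	}
	if !hasAuth {
		findings = append(findings, "no 'auth_param basic program': the proxy has no password protection")
	}
	if !hasAuthACL {
		findings = append(findings, "no 'acl ... proxy_auth REQUIRED': authentication is never demanded")
	}
	if !forwardedOK {
		findings = append(findings, "forwarded_for is not 'transparent': Squid would rewrite X-Forwarded-For")
	}
	// Squid evaluates http_access rules in order and, when none matches, applies
	// the opposite of the last rule, so an explicit 'deny all' must come last.
	if strings.Join(lastAccess, " ") != "deny all" {
		findings = append(findings, "last http_access rule is not 'deny all': unmatched requests may be allowed")
	}
	return findings
}

// sampleGood is a constructed squid.conf following the page's Red Hat layout.
const sampleGood = `
forwarded_for transparent
auth_param basic program /usr/lib64/squid/basic_ncsa_auth /etc/squid/squid_passwd # RHEL path
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all
#http_port xxx.xxx.xxx.xxx:3128
https_port xxx.xxx.xxx.xxx:3128 cert=/etc/squid/ssl_cert/server.pem clientca=/etc/squid/ssl_cert/openathens-client.pem
`

// sampleWeak is a constructed open proxy, the configuration to avoid.
const sampleWeak = `
http_port 0.0.0.0:3128
http_access allow all
`

func main() {
	for _, f := range AuditSquidConf(sampleWeak) {
		fmt.Println("weak:", f)
	}
	fmt.Println("good:", len(AuditSquidConf(sampleGood)), "finding(s)")
}
```

Running it reports five findings for the open proxy and none for the Red Hat layout; the Debian layout also passes, because its only http_port is bound to 127.0.0.1 and the TLS gate lives in stunnel rather than in an https_port line.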

Debian based such as Ubuntu

At the time of writing the Squid package supplied by Debian is not compiled with the --enable-ssl flag, which means the https_port configuration directive is not available and a little more work is required. Since you can't use a simple configuration directive you need to front Squid with something such as stunnel (https://www.stunnel.org/).

7. Install stunnel: apt-get install stunnel4

8. Create /etc/stunnel/stunnel.conf:

Code Block
pid = /var/run/stunnel4/pid
setuid = stunnel4
setgid = nogroup

[squid-tls]
accept = xxx.xxx.xxx.xxx:3128
# No need to expose Squid directly to the internet
connect = 127.0.0.1:3129
cert = /etc/stunnel/server.pem
CAfile = /etc/stunnel/openathens-client.pem
verify = 4
    • xxx.xxx.xxx.xxx is the external IP address of your Squid instance.
    • server.pem is your server's certificate. This needs to be from a valid certification authority or Let's Encrypt. We'll need a copy alongside the username and password you set up earlier. Our service desk will be able to advise on secure ways to transfer the information to us. 
    • openathens-client.pem is the public key of the OpenAthens service and will ensure access is restricted. You can download it from https://proxy.openathens.net/tls/openathens-client.pem
    • (Put both certificates in the /etc/stunnel folder)
    • Only root should have RW access to the server.pem file

9. Add the following to your squid.conf file:

Code Block
http_port 127.0.0.1:3129

10. Set your firewall rules to

    • allow TCP inbound to port 3128 on this server from any source IP address (the connection from us can come from multiple IPs)
    • allow outbound traffic on standard HTTP ports (80 and 443)

11. Securely pass our service desk the username and password you set up in step 3 and a copy of your server.pem certificate. 
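The Red Hat https_port clientca= setting and the Debian stunnel CAfile/verify settings enforce the same property: only a peer whose client certificate the proxy trusts can complete the TLS connection, whatever source IP it arrives from. The Go program below is an added example written for this page (not OpenAthens', Squid's or stunnel's code) that demonstrates that gate in-process with a constructed PKI: "public-ca" stands in for Let's Encrypt, "openathens-client-ca" plays the role of openathens-client.pem (the demo uses a small CA as the trust anchor; the real file is whatever OpenAthens publishes), and every other name is made up. A dialler holding the trusted certificate gets through; one with no certificate and one whose certificate comes from an unrelated CA do not.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) { // any failure building the constructed PKI is a demo bug
	if err != nil {
		panic(err)
	}
}

// mint returns a fresh P-256 key and certificate: a self-signed CA when parent is nil, else a leaf signed by parent; all carry a 127.0.0.1 SAN so the server one verifies for loopback.
func mint(cn string, parent *tls.Certificate) *tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		parentCert, signer = parent.Leaf, parent.PrivateKey.(*ecdsa.PrivateKey)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	check(err)
	leaf, err := x509.ParseCertificate(der)
	check(err)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// startServer plays the https_port/stunnel role: it completes only connections whose client certificate chains to clientCA.
// "ok" is sent after the handshake because a TLS 1.3 dialler may only learn of a rejected client certificate on its first read.
func startServer(server, clientCA *tls.Certificate) net.Listener {
	pool := x509.NewCertPool()
	pool.AddCert(clientCA.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{*server},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
	})
	check(err)
	go func() { // serve until the listener is closed
		for conn, err := ln.Accept(); err == nil; conn, err = ln.Accept() {
			conn.Write([]byte("ok")) // runs the handshake; sends nothing if the client is rejected
			conn.Close()
		}
	}()
	return ln
}

// connect dials addr trusting serverCA (presenting client if non-nil); a nil result means the server let us through.
func connect(addr string, serverCA, client *tls.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(serverCA.Leaf)
	cfg := &tls.Config{RootCAs: pool}
	if client != nil {
		cfg.Certificates = []tls.Certificate{*client}
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	_, err = conn.Read(make([]byte, 2)) // "ok" arrives only if we were accepted
	return err
}

// scenarios reports which diallers got through: trusted client, no certificate, certificate from another CA.
func scenarios() (trusted, noCert, otherCA bool) {
	publicCA := mint("public-ca", nil)            // stands in for Let's Encrypt
	clientCA := mint("openathens-client-ca", nil) // stands in for openathens-client.pem
	ln := startServer(mint("squid-host", publicCA), clientCA)
	defer ln.Close()
	trusted = connect(ln.Addr().String(), publicCA, mint("openathens", clientCA)) == nil
	noCert = connect(ln.Addr().String(), publicCA, nil) == nil
	otherCA = connect(ln.Addr().String(), publicCA, mint("intruder", mint("someone-else", nil))) == nil
	return
}

func main() { fmt.Println(scenarios()) } // prints: true false false
```

The server verifies the client chain against its own pool (the counterpart of clientca= or CAfile) independently of the firewall, which is why step 8/10 can allow port 3128 from any source address: a connection that does not present the expected certificate never gets past the handshake, so Squid's password prompt is never reached.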

It is possible to set up Squid in a multi-tenant mode, e.g. if different parts of your organisation or consortium have different scopes and need to present a different IP address depending on where in your organisation the user sits. Instructions for this are available from our service desk.

Wait... what? Why would..?

As discussed on the "About the managed proxy service" page, this kind of proxy is a rewriting proxy and, whilst the reverse proxy and rewriting parts have to sit with us, the forward proxy part that is the last step between the user and the content doesn't have to, and this opens up some possibilities:

  • You can host the forward proxy within your own network where it appears at one of your own IP addresses - you wouldn't have to supply new addresses to publishers
  • Depending on where in the world you are there can be some performance improvements - e.g. where you are geographically closer to the website than we are
  • You can use different IP addresses for different parts of your organisation

In a sense you are bringing your own IP address to the managed proxy service whilst OpenAthens still does the complicated parts (selecting the relevant configurations, permissions, redirector support and re-writing).

There are three options documented.

For the large organisation or consortia with a need for different IP addresses for different organisational units:

For the smaller organisations who just want to use their own IP address:
