Manual:IP/Proxy: Difference between revisions

From MikroTik Wiki
Created page with '{{Versions|v3, v4}} <div class=manual> <h2>Summary</h2> <p><b>Sub-menu:</b> <code>/ip proxy</code></p> <p><b>Standards:</b> <code>RFC 1945, RFC 2616</code></p> <br /> <p> This …'
 
update
Line 24: Line 24:
   <th width="40%">Property</th>
   <th width="40%">Property</th>
   <th >Description</th>
   <th >Description</th>
</tr>
<tr>
    <td><var><b>always-from-cache</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
    <td></td>
</tr>
</tr>
<tr>
<tr>
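Review bot: the new always-from-cache row is added with an empty description cell (`<td></td>` right after the `<td><var><b>always-from-cache</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>` line); a property row in this table should say what the option does, so either fill in the description or hold the row back until it can be documented.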
Line 30: Line 34:
</tr>
</tr>
<tr>
<tr>
     <td><var><b>cache-drive</b></var> (<em>string</em>; Default: <b> system </b>)</td>
     <td><var><b>cache-hit-dscp</b></var> (<em>integer: 0..63</em>; Default: <b>4</b>)</td>
     <td>Specifies the target disk drive to be used for storing cached objects. You can use console completion to see the list of available drives</td>
    <td></td>
</tr>
<tr>
    <td><var><b>cache-on-disk</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
    <td></td>
</tr>
<tr>
    <td><var><b>max-cache-size</b></var> (<em>none | unlimited | integer: 0..4294967295</em>; Default: <b>none</b>)</td>
     <td>Specifies the maximal cache size, measured in kibibytes</td>
</tr>
<tr>
    <td><var><b>max-client-connections</b></var> (<em>integer: 1..5000</em>; Default: <b>600</b>)</td>
    <td>Maximal number of connections accepted from clients (any further connections will be rejected)</td>
</tr>
 
<tr>
    <td><var><b>max-fresh-time</b></var> (<em>time</em>; Default: <b>3d</b>)</td>
    <td>Maximal time to store a cached object. The validity period of an object is is usually defined by the object itself, but in case it is set too high, you can override the maximal value</td>
</tr>
<tr>
    <td><var><b>max-server-connections</b></var> (<em>integer: 1..5000</em>; Default: <b>600</b>)</td>
    <td>Maximal number of connections made to servers (any further connections from clients will be put on hold until some server connections will terminate)</td>
</tr>
<tr>
    <td><var><b>parent-proxy</b></var> (<em>IP</em>; Default: <b>0.0.0.0</b>)</td>
    <td>IP address and port of another HTTP proxy to redirect all requests to. If set to <b>0.0.0.0</b> parent proxy is not used.</td>
</tr>
<tr>
    <td><var><b>parent-proxy-port</b></var> (<em>integer: 0..65535</em>; Default: <b>0</b>)</td>
    <td>Port that parent proxy is listening on.</td>
</tr>
<tr>
    <td><var><b>port</b></var> (<em>integer: 0..65535</em>; Default: <b>8080</b>)</td>
    <td>TCP port the proxy server will be listening on. This port have to be specified on all clients that want to use the server as HTTP proxy. Transparent (with zero configuration for clients) proxy setup can be made by redirecting HTTP requests to this port in IP firewall using destination NAT feature</td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>cache-only-on-disk</b></var> (<em>yes | no</em>; Default: <b>yes</b>)</td>
     <td><var><b>serialize-connections</b></var> (<em>yes | no</em>; Default: <b>no</b>)</td>
     <td>Whether to create database in memory that describes cache contents on disk. This will minimize memory consumption, but may affect speed.</td>
     <td></td>
</tr>
</tr>
<tr>
<tr>
     <td><var><b>max-disk-cache-size</b></var> (<em>none | unlimited | integer: 0..4294967295</em>; Default: <b> none </b>)</td>
     <td><var><b>src-address</b></var> (<em>IP</em>; Default: <b>0.0.0.0</b>)</td>
     <td>Specifies the maximal disk cache size, measured in kibibytes</td>
     <td>Proxy will use specified address when connecting to parent proxy or web site. If set to <b>0.0.0.0</b> then appropriate IP address will be taken from routing table.</td>
</tr>
</tr>
</table>
</table>
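Review bot: the replacement rows for cache-hit-dscp, cache-on-disk and serialize-connections also arrive with empty `<td></td>` description cells, and dropping the cache-drive, cache-only-on-disk and max-disk-cache-size rows leaves the property table out of step with the Example section further down, whose `print` output still lists cache-drive, max-disk-cache-size and cache-only-on-disk. Either keep those rows (noting which versions they apply to) or update the example output to match the new property set, so readers do not see properties in the example that the table no longer explains.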
Revision as of 11:37, 12 November 2009

Applies to RouterOS: v3, v4

Summary

Sub-menu: /ip proxy

Standards: RFC 1945, RFC 2616


This service performs proxying of HTTP and HTTP-proxy (for FTP, HTTP and HTTPS protocols) requests. The web proxy performs an Internet object cache function by storing requested Internet objects, i.e. data available via the HTTP and FTP protocols, on a system positioned closer to the recipient than the site the data originates from. Here 'closer' means increased path reliability, speed or both. Web browsers can then use the local proxy cache to speed up access and reduce bandwidth consumption. When setting up the proxy service, make sure it serves only your clients and is not misused as a relay. Please read the security notice in the Access List section! Note that it may be useful to have the web proxy running even with no cache when you want to use it only as something like an HTTP and FTP firewall (for example, denying access to mp3 files) or to transparently redirect requests to an external proxy (possibly one with caching functions).

General

Sub-menu: /ip proxy

Property (type; Default): Description

always-from-cache (yes | no; Default: no)
cache-administrator (string; Default: webmaster): Administrator's e-mail displayed on the proxy error page
cache-hit-dscp (integer: 0..63; Default: 4)
cache-on-disk (yes | no; Default: no)
max-cache-size (none | unlimited | integer: 0..4294967295; Default: none): Specifies the maximal cache size, measured in kibibytes
max-client-connections (integer: 1..5000; Default: 600): Maximal number of connections accepted from clients (any further connections will be rejected)
max-fresh-time (time; Default: 3d): Maximal time to store a cached object. The validity period of an object is usually defined by the object itself, but in case it is set too high, you can override the maximal value
max-server-connections (integer: 1..5000; Default: 600): Maximal number of connections made to servers (any further connections from clients will be put on hold until some server connections terminate)
parent-proxy (IP; Default: 0.0.0.0): IP address and port of another HTTP proxy to redirect all requests to. If set to 0.0.0.0, the parent proxy is not used.
parent-proxy-port (integer: 0..65535; Default: 0): Port that the parent proxy is listening on.
port (integer: 0..65535; Default: 8080): TCP port the proxy server will be listening on. This port has to be specified on all clients that want to use the server as an HTTP proxy. A transparent proxy setup (with zero configuration for clients) can be made by redirecting HTTP requests to this port in the IP firewall using the destination NAT feature
serialize-connections (yes | no; Default: no)
src-address (IP; Default: 0.0.0.0): The proxy will use the specified address when connecting to the parent proxy or web site. If set to 0.0.0.0, an appropriate IP address will be taken from the routing table.

Menu Specific commands

Example

To enable the proxy on port 8000:

[admin@MikroTik] ip proxy> set enabled=yes port=8000
[admin@MikroTik] ip proxy> print
                     enabled: yes
                 src-address: 0.0.0.0
                        port: 8000
                parent-proxy: 0.0.0.0:0
                 cache-drive: system
         cache-administrator: "dmitry@mikrotik.com"
         max-disk-cache-size: none
          max-ram-cache-size: 100000KiB
          cache-only-on-disk: yes
  maximal-client-connections: 1000
  maximal-server-connections: 1000
             max-object-size: 2000KiB
              max-fresh-time: 3d
[admin@MikroTik] ip proxy>

Remember to secure your proxy by preventing unauthorized access to it, otherwise it may be used as an open proxy. You also need to set up destination NAT in order to use the transparent proxying facility:

[admin@MikroTik] ip firewall nat> add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8000
[admin@MikroTik] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8000
[admin@MikroTik] ip firewall nat>
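As an added illustration (not part of the MikroTik page and not RouterOS code), the following Python shows two things the transparent setup above implies for whatever is listening on the redirected port. A redirected client does not know a proxy exists, so it sends "GET /path HTTP/1.1" with a Host header instead of the absolute URI that a browser configured to use the proxy sends, and the target has to be rebuilt from Host. And since the proxy is reachable by anyone who can send traffic to it, it should serve only its own clients. The ALLOWED_CLIENT_NETS value and the request lines are constructed sample data.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample value: the client network this proxy is meant to serve.
# Not taken from the RouterOS documentation; replace with your own LAN ranges.
ALLOWED_CLIENT_NETS = [ipaddress.ip_network("192.168.88.0/24")]


def parse_request_line(line):
    """Split 'METHOD target HTTP/x.y' into its three parts."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {line!r}")
    return parts[0], parts[1], parts[2]


def origin_target(request_line, headers):
    """Work out the (host, port, path) the proxy has to connect to.

    A client configured to use the proxy sends an absolute URI in the request
    line ('GET http://example.com/a HTTP/1.1').  A client whose port-80 traffic
    was redirected by the dst-nat rule knows nothing about the proxy and sends
    'GET /a HTTP/1.1' plus a Host header, so the target is rebuilt from Host.
    """
    _method, target, _version = parse_request_line(request_line)
    if target.lower().startswith("http://"):
        u = urlsplit(target)
        path = (u.path or "/") + (f"?{u.query}" if u.query else "")
        return u.hostname, u.port or 80, path
    host = headers.get("Host")
    if not host:
        raise ValueError("relative Request-URI without a Host header")
    hostname, _, port = host.partition(":")
    return hostname.lower(), int(port) if port else 80, target


def should_serve(client_ip, request_line, headers):
    """Serve only your own clients: refuse anyone outside ALLOWED_CLIENT_NETS so
    the proxy cannot be used as an open relay.  Returns (allowed, detail)."""
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in ALLOWED_CLIENT_NETS):
        return False, "client address outside the served networks"
    host, port, path = origin_target(request_line, headers)
    return True, f"{host}:{port}{path}"


if __name__ == "__main__":
    # A proxy-aware browser and a dst-nat-redirected client asking for the same page:
    print(should_serve("192.168.88.10", "GET http://example.com/index.html HTTP/1.1", {}))
    print(should_serve("192.168.88.10", "GET /index.html HTTP/1.1", {"Host": "example.com"}))
    print(should_serve("203.0.113.5", "GET http://example.com/ HTTP/1.1", {}))
```

The address check is the software-side counterpart of the "serve only your clients" advice: on the router itself the same effect comes from the access list and from firewall rules that keep the proxy port unreachable from outside.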

Access List

Sub-menu: /ip proxy access

Direct Access

Sub-menu: /ip proxy direct

Cache Management

Sub-menu: /ip proxy cache

Connections

Sub-menu: /ip proxy connections

Cache Inserts

Sub-menu: /ip proxy inserts

Cache Lookups

Sub-menu: /ip proxy inserts

HTTP Methods

Options

This method is a request for information about the communication options available on the chain between the client and the server identified by the Request-URI. The method allows the client to determine the options and (or) the requirements associated with a resource without initiating any resource retrieval.

GET

This method retrieves whatever information is identified by the Request-URI. If the Request-URI refers to a data-producing process, then the response to the GET method should contain the data produced by the process, not the source code of the process procedure(s), unless the source is the result of the process.

The GET method becomes a conditional GET if the request message includes an If-Modified-Since, If-Unmodified-Since, If-Match, If-None-Match, or If-Range header field. The conditional GET method is used to reduce network traffic by specifying that the transfer of the entity should occur only under the circumstances described by the conditional header field(s).

The GET method becomes a partial GET if the request message includes a Range header field. The partial GET method is intended to reduce unnecessary network usage by requesting only parts of entities, without transferring data already held by the client.

The response to a GET request is cacheable if and only if it meets the requirements for HTTP caching.

HEAD

This method shares all features of the GET method except that the server must not return a message-body in the response. It retrieves the metainformation of the entity implied by the request, which is why it is widely used for testing hypertext links for validity, accessibility, and recent modification.

The response to a HEAD request may be cacheable in the sense that the information contained in the response may be used to update a previously cached entity identified by that Request-URI.

POST

This method requests that the origin server accept the entity enclosed in the request as a new subordinate of the resource identified by the Request-URI.

The actual action performed by the POST method is determined by the origin server and is usually Request-URI dependent.

Responses to the POST method are not cacheable, unless the response includes appropriate Cache-Control or Expires header fields.

PUT

This method requests that the enclosed entity be stored under the supplied Request-URI. If another entity exists under the specified Request-URI, the enclosed entity should be considered an updated (newer) version of the one residing on the origin server. If the Request-URI does not point to an existing resource, the origin server should create a resource with that URI.

If the request passes through a cache and the Request-URI identifies one or more currently cached entities, those entries should be treated as stale. Responses to this method are not cacheable.

TRACE

This method invokes a remote, application-layer loop-back of the request message. The final recipient of the request should reflect the message received back to the client as the entity-body of a 200 (OK) response. The final recipient is either the origin server or the first proxy or gateway to receive a Max-Forwards value of 0 in the request. A TRACE request must not include an entity.

Responses to this method MUST NOT be cached.
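The per-method caching rules above are easiest to see as a decision procedure. The following Python is an added example, not code from the MikroTik page or from RouterOS: a toy proxy cache that stores responses only where the method allows it (never for TRACE or PUT, for POST only with explicit Cache-Control or Expires, for HEAD only as a metadata refresh of an existing entry), marks cached entries stale when a PUT passes through, answers conditional GETs with 304 when the client's If-None-Match or If-Modified-Since validators still hold, serves partial GETs from a cached body, and treats a TRACE with Max-Forwards 0 as one it must reflect itself. Freshness checking (Expires, max-age, max-fresh-time) is deliberately left out, and the header values in the usage section are constructed samples.

```python
from email.utils import parsedate_to_datetime


class ProxyCache:
    """Toy proxy cache applying the per-method rules described above.

    Freshness (Expires, max-age, the router's max-fresh-time) is not modelled;
    only the method rules and the conditional/partial GET logic are shown.
    """

    def __init__(self):
        # Request-URI -> {"status", "headers", "body", "stale"}
        self.entries = {}

    @staticmethod
    def _no_store(headers):
        return "no-store" in headers.get("Cache-Control", "").lower()

    def on_response(self, method, uri, status, headers, body=b""):
        """Store a response if the method's rules allow it; True when stored."""
        if method in ("TRACE", "PUT"):
            return False  # responses to TRACE and PUT are never cached
        if method == "POST" and not ("Cache-Control" in headers or "Expires" in headers):
            return False  # POST is cacheable only with explicit cache headers
        if method == "HEAD":
            # HEAD carries no body; it may only refresh an entity already cached
            entry = self.entries.get(uri)
            if entry is None:
                return False
            entry["headers"].update(headers)
            return True
        if status != 200 or self._no_store(headers):
            return False  # simplified stand-in for 'the requirements for HTTP caching'
        self.entries[uri] = {"status": status, "headers": dict(headers),
                             "body": body, "stale": False}
        return True

    @staticmethod
    def _not_modified(entry_headers, req_headers):
        """Conditional GET: does the cached entity still satisfy the client's validators?"""
        inm = req_headers.get("If-None-Match")
        if inm is not None:
            tags = [t.strip() for t in inm.split(",")]
            return inm.strip() == "*" or entry_headers.get("ETag") in tags
        ims, lm = req_headers.get("If-Modified-Since"), entry_headers.get("Last-Modified")
        if ims and lm:
            return parsedate_to_datetime(lm) <= parsedate_to_datetime(ims)
        return False

    @staticmethod
    def _byte_range(body, range_header):
        """Partial GET: return only 'bytes=first-last' of a cached body."""
        unit, _, spec = range_header.partition("=")
        first, _, last = spec.partition("-")
        if unit != "bytes" or not first.isdigit():
            raise ValueError(f"unsupported Range: {range_header!r}")
        end = int(last) + 1 if last.isdigit() else len(body)
        return body[int(first):end]

    def on_request(self, method, uri, req_headers, max_forwards=None):
        """Decide what the proxy does with an incoming request: (action, payload)."""
        if method == "TRACE":
            # The proxy that receives Max-Forwards 0 is the final recipient and
            # reflects the message; otherwise the request travels on unchanged.
            return ("reflect", None) if max_forwards == 0 else ("forward", None)
        if method == "PUT":
            if uri in self.entries:
                self.entries[uri]["stale"] = True  # cached copies of that URI are now stale
            return ("forward", None)
        entry = self.entries.get(uri)
        if method != "GET" or entry is None or entry["stale"]:
            return ("forward", None)
        if self._not_modified(entry["headers"], req_headers):
            return ("304", None)
        if "Range" in req_headers:
            return ("206", self._byte_range(entry["body"], req_headers["Range"]))
        return ("200", entry["body"])


if __name__ == "__main__":
    # Constructed sample exchange: cache a GET, then watch how later methods treat it.
    cache = ProxyCache()
    cache.on_response("GET", "/doc", 200,
                      {"ETag": '"v1"', "Last-Modified": "Wed, 11 Nov 2009 10:00:00 GMT"},
                      b"0123456789")
    print(cache.on_request("GET", "/doc", {"If-None-Match": '"v1"'}))   # ('304', None)
    print(cache.on_request("GET", "/doc", {"Range": "bytes=2-4"}))      # ('206', b'234')
    print(cache.on_request("TRACE", "/doc", {}, max_forwards=0))       # ('reflect', None)
    print(cache.on_request("PUT", "/doc", {}), cache.on_request("GET", "/doc", {}))
```

The order of checks in on_request matters: the PUT branch runs before any cache lookup so that a stale mark is applied even when the PUT itself is forwarded, and the staleness test sits before the conditional-GET test so that a 304 is never issued from an entry a PUT has already invalidated.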

