Web Proxy

Document revision:1.8 (Wed Apr 28 13:56:22 GMT 2004)
Applies to: V2.8

General Information

Summary

The MikroTik RouterOS implements the following proxy server features:

Specifications

Packages required: web-proxy
License required: Level3
Submenu level: /ip web-proxy
Standards and Technologies: HTTP/1.0, HTTP/1.1, FTP
Hardware usage: uses disk space, if available (see description below)

Related Documents

Description

When setting up Web proxy, make sure it serves only your clients, and is not misused as relay. Please read the security notice in the Access List Section!

Note that it may be useful to have Web proxy running even with no cache when you want to use it as something like HTTP and FTP firewall (for example, denying access to mp3 files) or to redirect requests to external proxy transparently

Setup

Submenu level: /ip web-proxy

Property Description

src-address (IP address; default: 0.0.0.0) - the web-proxy will use this address connecting to the parent proxy or web site.
0.0.0.0 - appropriate src-address will be automatically taken from the routing table

enabled (yes | no; default: no) - specifies whether the web proxy is enabled

hostname (text; default: "") - hostname (DNS or IP address) of the web proxy

transparent-proxy (yes | no; default: no) - specifies whether the proxy uses transparent mode

parent-proxy (IP address:port; default: 0.0.0.0:0) - specifies upper-level (parent) proxy

max-object-size (integer; default: 4096) - objects larger than the size specified will not be saved on disk. The value is measured in kilobytes. If you wish to get a high bytes hit ratio, you should probably increase this (one 32 MB object hit counts for 3200 10KB hits). If you wish to increase speed more than your want to save bandwidth you should leave this low

max-cache-size (none | unlimited | integer; default: none) - specifies the maximal disk cache size, measured in megabytes

cache-administrator (text; default: webmaster) - administrator's e-mail displayed on proxy error page

cache-drive (system | text; default: system) - specifies the target disk drive to be used for storing cached objects

status (read-only: text; default: stopped) - display status information of the proxy server
stopped - proxy is disabled and is not running
rebuilding-cache - proxy is enabled and running, existing cache is being verified
running - proxy is enabled and running
stopping - proxy is shutting down (max 10s)
clearing-cache - proxy is stopped, cache files are being removed
creating-cache - proxy is stopped, cache directory structure is being created
dns-missing - proxy is enabled, but not running because of unknown DNS server (you should specify it under /ip dns)
invalid-address - proxy is enabled, but not running because of invalid address (you should change address or port)
invalid-cache-administrator - proxy is enabled, but not running because of invalid cache-administrator's e-mail address
invalid-hostname - proxy is enabled, but not running because of invalid hostname (you should set a valid hostname value)
error-logged - proxy is not running because of unknown error. This error is logged as System-Error. Please, send us this error and some description, how it happened
reserved-for-cache (integer) - maximal cache size, that is accessible to web-proxy

Notes

By default the proxy cache can use as much disk space as there is allocated for it. When the system allocates the space for the proxy cache, 1/7th of the total partition (disk) size is reserved for the system, but not less than 50MB. The rest is left for the proxy cache. The system RAM size is considered as well when allocating the cache size. The cache size is limited so, that there are at least 15MB of RAM per 1GB of cache plus 55MB of RAM is reserved for the system. max-cache-size is also taken in account, so the cache will not occupy more than it is specified in this property. The effective limit is calculated as a minimum of all three limits.

Considering the previous note, you should be aware that you will not be able to enable web proxy, if you have less than 60MB of RAM on your router

Expire time of cache entries can be different for each HTML page (specified in headers). But, if there is no such header, the entry will be considered fresh for not more than 72 hours.

The address argument has been removed so the proxy listens to all IP addresses that the router has in its IP address list now.

Example

To enable the proxy on port 8080:

[admin@MikroTik] ip web-proxy> set enabled=yes src-address=0.0.0.0:8080
[admin@MikroTik] ip web-proxy> print
                enabled: no
            src-address: 0.0.0.0
                   port: 8080
               hostname: proxy
      transparent-proxy: no
           parent-proxy: 0.0.0.0:0
    cache-administrator: webmaster
        max-object-size: 4096 kB
            cache-drive: system
         max-cache-size: 12
                 status: rebuilding-cache
     reserved-for-cache: 9 MB
[admin@MikroTik] ip web-proxy>

Monitoring

Command name: /ip web-proxy monitor

Property Description

status (read-only: text) - the same as for /ip web-proxy print

uptime (read-only: time) - shows uptime of the proxy server

clients (read-only: integer) - total number of proxy clients with different IP addresses during last uptime

requests (read-only: integer) - total number of proxy requests during last uptime

hits (read-only: integer) - total number of requests satisfied by proxy's cache during last uptime

cache-size (read-only: integer) - current cache size in kilobytes

received-from-servers (read-only: integer) - shows the amount in kilobytes the proxy received from remote servers during last uptime

sent-to-clients (read-only: integer) - shows the amount in kilobytes the proxy sent to the clients to resolve their requests during last uptime

hints-sent-to-clients (read-only: integer) - shows how much outgoing traffic was taken from the cache during last uptime

Example

[admin@MikroTik] > ip web-proxy monitor
		   status: running
		   uptime: 4d19h8m14s
		  clients: 9
		 requests: 10242
		     hits: 3839
	       cache-size: 328672 kB
    received-from-servers: 58108 kB
	  sent-to-clients: 65454 kB
     hits-sent-to-clients: 7552 kB

[admin@MikroTik] >

Access List

Submenu level: /ip web-proxy access

Description

Access list is implemented in the same way as MikroTik firewall rules. Rules are processed from the top to the bottom. First matching rule specifies decision of what to do with this connection. Connections can be matched by its source address, destination address, destination port, substring of requested url or request method. If none of these parameters is specified, every connection will match this rule.

If connection is matched by a rule, action property of this rule specifies whether connection will be allowed or not. If connection does not match any rule, it will be allowed.

Property Description

src-address (IP address mask; default: 0.0.0.0/0) - source address of the IP packet

dst-address (IP address mask; default: 0.0.0.0/0) - destination address of the IP packet

dst-port (text; default: "") - a list of destination ports

url (text) - the URL of the request (regular expression)

method (any | connect | delete | get | head | options | post | put | trace; default: any) - HTTP method used in the request (see HTTP Methods section in the end of this document)

action (allow | deny; default: allow) - specifies the action to perform on matched packets

Notes

There is one rule by default, that disallows connect method connections to ports other than 443 (https) and 563 (snews). connect method is a security hole that allows connections (transparent tunneling) to any computer using any protocol. It is used mostly by spammers, as they found it very convinient to use others' mail (SMTP) servers as anonymous mail relay to send spam over the Internet.

It is strongly recommended to deny all IP addresses except those behind the router as the proxy still may be used to access your internal-use-only (intranet) web servers. Also, consult examples in Firewall Manual on how to protect your router.

Details about regular expressions used in url field can be found here: http://www.cs.utah.edu/dept/old/texinfo/regex/regex_toc.html

Example

The default rule:

[admin@MikroTik] ip web-proxy access> print
Flags: X - disabled
  0   ;;; allow CONNECT only to SSL ports 443 [https] and 563 [snews]
      src-address=0.0.0.0/0 dst-address=0.0.0.0/0 dst-port=!443,563 url=""
      method=connect action=deny

[admin@MikroTik] ip web-proxy access>

To disallow download of .MP3 files and FTP connections other than from the 10.0.0.1 server:

[admin@MikroTik] ip web-proxy access> add url="\\.mp3$" action=deny
[admin@MikroTik] ip web-proxy access> add src-address=10.0.0.1/32 action=allow
[admin@MikroTik] ip web-proxy access> add url="ftp://" action=deny
[admin@MikroTik] ip web-proxy access> print
Flags: X - disabled
  0   ;;; allow CONNECT only to SSL ports 443 [https] and 563 [snews]
      src-address=0.0.0.0/0 dst-address=0.0.0.0/0 dst-port=!443,563 url=""
      method=connect action=deny

  1   src-address=0.0.0.0/0 dst-address=0.0.0.0/0 dst-port="" url="\.mp3$"
      method=any action=deny

  2   src-address=10.0.0.1/32 dst-address=0.0.0.0/0 dst-port="" url=""
      method=any action=allow

  3   src-address=0.0.0.0/0 dst-address=0.0.0.0/0 dst-port="" url="ftp://"
      method=any action=deny


[admin@MikroTik] ip web-proxy access>

Notes:

Direct Access List

Submenu level: /ip web-proxy direct

Description

If parent-proxy property is specified, it is possible to tell proxy server whether to try to pass the request to the parent proxy or to resolve it connecting to the requested server directly. Direct Access List is managed just like Proxy Access List described in the previous chapter except the action argument.

Property Description

src-address (IP address mask; default: 0.0.0.0/0) - source address of the IP packet

dst-address (IP address mask; default: 0.0.0.0/0) - destination address of the IP packet

dst-port (text; default: "") - a list of destination ports

url (text) - the URL of the request (regular expression)

method (any | connect | delete | get | head | options | post | put | trace; default: any) - HTTP method used in the request (see HTTP Methods section in the end of this document)

action (allow | deny; default: allow) - specifies the action to perform on matched packets
allow - always resolve these requests directly, not through parent proxy
deny - resolve these requests through parent proxy if there is one. If there in no parent proxy, the action will be the same as for allow

Notes

The default action (if no rules specified or a request did not match any) is deny.

Managing the Cache

Submenu level: /ip web-proxy cache

Description

Cache access list specifies, which requests (domains, servers, pages) have to be cached locally by web proxy, and which not.

Access list is implemented exactly the same way as web proxy access list. Default action is to cache object (if no matching rule is found).

Property Description

src-address (IP address mask; default: 0.0.0.0/0) - source address of the IP packet

dst-address (IP address mask; default: 0.0.0.0/0) - destination address of the IP packet

dst-port (text; default: "") - a list of destination ports

url (text) - the URL of the request (regular expression)

method (any | connect | delete | get | head | options | post | put | trace; default: any) - HTTP method used in the request (see HTTP Methods section in the end of this document)

action (allow | deny; default: allow) - specifies the action to perform on matched packets

Notes

There is one cache access rule added by default:

[admin@MikroTik] ip web-proxy cache> print
Flags: X - disabled
  0   src-address=0.0.0.0/0 dst-address=0.0.0.0/0 dst-port=""
      url="cgi-bin \?" method=any action=deny


[admin@MikroTik] ip web-proxy cache>

This rule defines that all runtime generated pages (which are located within cgi-bin directories or contain ? in url) have not to be cached.

Objects, which are larger than max-object-size, are not cached.

Rebuilding the Cache

Command name: /ip web-proxy clear-cache

Description

Web proxy will automatically detect any problems with cache and will try to solve them without loosing any cache data. But in case of a heavy damage to the file system, the web proxy can't rebuild cache data. Cache can be deleted and new cache directories created using this feature.

Example

[admin@MikroTik] ip web-proxy> set enabled=no
[admin@MikroTik] ip web-proxy> clear-cache
Clear all web proxy cache, yes? [y/N]: y
cache will be cleared shortly
[admin@MikroTik] ip web-proxy>

Transparent Mode

Description

Transparent proxying does caching of web contents "transparently" to the end-user. Id est he (or she) does not know about the proxy being enabled and therefore does not need to provide any additional setting to his (her) web client.

To enable the transparent mode, firewall rule in destination NAT has to be added, specifying which connections (to which ports) should be transparently redirected to the proxy.

Notes

Only HTTP traffic is supported in web proxy transparent mode. HTTPS and FTP are not going to work this way.

Example

For example, if we want all connections coming from ether1 interface to port 80 to be handled transparently by web proxy, and if our web proxy is listening on port 8080, then we should add the following destination NAT rule:

[admin@MikroTik] ip firewall dst-nat> add in-interface=ether1 protocol=tcp \
dst-address=!10.0.0.1/32:80 action=redirect to-dst-port=8080
[admin@MikroTik] ip firewall dst-nat> print
Flags: X - disabled, I - invalid
  0   src-address=0.0.0.0/0:0-65535 in-interface=ether1
      dst-address=!10.0.0.1/32:80 protocol=tcp icmp-options=any:any flow=""
      src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0
      limit-time=0s action=redirect to-dst-address=0.0.0.0 to-dst-port=8080

[admin@MikroTik] ip firewall dst-nat>

Here, the router's address and port 80 (10.0.0.1/32:80) have been excluded from redirection to preserve the Winbox functionality which uses TCP port 80 on the router. More than one redirect rule can be added to redirect more than one port.

HTTP Methods

Description

OPTIONS

This method is a request of information about the communication options available on the chain between the client and the server identified by the Request-URI. The method allows the client to determine the options and (or) the requirements associated with a resource without initiating any resource retrieval

GET

This method retrieves whatever information identified by the Request-URI. If the Request-URI refers to a data processing process than the response to the GET method should contain data produced by the process, not the source code of the process procedure(-s), unless the source is the result of the process.

The GET method can become a conditional GET if the request message includes an If-Modified-Since, If-Unmodified-Since, If-Match, If-None-Match, or If-Range header field. The conditional GET method is used to reduce the notwork traffic specifying that the transfer of the entity should occure only under circumstances described by conditional header field(-s).

The GET method can become a partial GET if the request message includes a Range header field. The partial GET method intends to reduce unnecessary network usage by requesting only parts of entities without transfering data already held by client.

The response to a GET request is cacheable if and only if it meets the requirements for HTTP caching.

HEAD

This method shares all features of GET method except that the server must not return a message-body in the responce. This retrieves the metainformation of the entity implied by the request which leads to a wide usage of it for testing hypertext links for validity, accessibility, and recent modification.

The response to a HEAD request may be cacheable in the way that the information contained in the responce may be used to update priviously cached entity identified by that Request-URI.

POST

This metod requests that the origin server accept the entity enclosed in the request as a new subordinate of the resource identified by the Request-URI.

The actual action performed by the POST method is determined by the origin server and usually is Request-URI dependent.

Responses to POST method are not cacheable, unless the response includes appropriate Cache-Control or Expires header fields.

PUT

This method requests that the enclosed entity be stored under the supplied Request-URI. If another entity exists under specified Request-URI, the enclosed entity should be considered as updated (newer) version of that residing on the origin server. If the Request-URI is not pointing to an existing resource, the origin server should create a resource with that URI.

If the request passes through a cache and the Request-URI identifies one or more currently cached entities, those entries should be treated as stale. Responses to this method are not cacheable.

TRACE

This method invokes a remote, application-layer loop-back of the request message. The final recipient of the request should reflect the message received back to the client as the entity-body of a 200 (OK) response. The final recipient is either the origin server or the first proxy or gateway to receive a Max-Forwards value of 0 in the request. A TRACE request must not include an entity.

Responses to this method MUST NOT be cached.

© Copyright 1999-2006, MikroTik. All rights reserved. Mikrotik, RouterOS and RouterBOARD are trademarks of Mikrotikls SIA. Other trademarks and registered trademarks mentioned herein are properties of their respective owners.