Instructional and research resources on the web that are licensed to the university often protect those licenses by allowing client access only from internet addresses recognized as belonging to university subnets. This manner of managing licenses hinders access by authorized users. The university network, including continuing education and other remote sites, is necessarily composed of numerous subnets that cannot be described by a single simple internet address range ("mask"). Increasingly frequent remote access by university personnel from internet addresses outside university subnets, including access through an ISP, shows that describing internet access points cannot adequately describe the university affiliation of the people using them. Using university dial-in modems to give the appearance of locality cannot scale financially to cover all remote users, is not cost-effective for long-distance dialing, and is an inconvenience rather than a convenience for a computer that is already directly connected to the internet. This is a poor model which by itself cannot support the access that authorized personnel need to licensed resources.
An authorizing proxy server at once protects university licenses and allows legitimate access regardless of user locale. The authorizing proxy server is additionally used to protect university-owned (non-licensed) web-based resources, where the proxy authorization scheme provides a better permissions model than does the Apache web server, and also can be used to protect licensed resources in physically-unsecured university computer labs.
The authorizing proxy server is based on the squid HTTP proxy server. Since the HTTP protocol sends proxy user ids and passwords in clear text, outside any optional SSL-encrypted envelope, we rely on separate, squid-based proxy user accounts, and sternly advise users against reusing a password that is also used with secure accounts. The university provides secure, SSL-based account creation, which protects the user's credentials needed to establish the proxy account. The university proxy homepage includes usage notes and a proxy account creation webpage. A password change is effected by recreating the associated proxy account. Technical development and deployment of the authorizing proxy server is a joint effort of the Advanced Technology Group and other divisions of UVa Information Technology and Communication (ITC).
The squid proxy itself handles user authentication. Proxy authorization instead uses a site-configurable feature of the squid proxy: squid supports an internal rewrite of the request URL, performed by a site-written squid redirector program or script. The redirector is a daemon process, and squid can run several copies of it to keep proxy response time short. On each authenticated proxy request, a copy of the redirector is supplied with the URL and proxy userid of the request for a possible URL rewrite. The authorizing proxy server uses this mechanism to authorize access (by returning the original URL unchanged) or to deny access (by rewriting the URL to that of a different, error document).
The authorizing proxy server uses a redirector written locally in Perl. Authorization and user data are preloaded into a MySQL database, from which the redirector obtains them. URLs and users are characterized as regular expressions, which makes the permission rules compact and expressive. An authorization server based on LDAP is under development, including a datastore and an authorization engine in the server; it may later be deployed in the university proxy to simplify and replace the existing redirector implementation.
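The redirector mechanism and the regular-expression rule model described in the two paragraphs above, shown as an added example in Node.js. This is not the university's Perl redirector and it reads no MySQL database: the rule table, user names, host names and the denial-page URL are constructed placeholders, and the input/output line format assumed is the classic squid redirector protocol (one request line in, one reply line out).

```javascript
// Added example (not the university's Perl redirector): a squid-style
// authorizing redirector in Node.js. The rule table, user names, host
// names and the denial-page URL are constructed placeholders.
//
// Classic squid redirector protocol: for each request squid writes one
// line to the helper's stdin,
//     <url> <client-ip>/<fqdn> <ident> <method>
// where <ident> is the authenticated proxy user name ("-" if none), and
// reads one line back: empty to leave the URL unchanged, or a
// replacement URL that squid fetches instead.
'use strict';

// Error document returned in place of a denied resource (placeholder).
const DENY_URL = 'http://proxy.example.edu/denied.html';

// Rules are tried in order; the first whose url and user patterns both
// match decides. Order therefore matters: a narrow deny must precede the
// broad allow it carves out of. A request matching no rule is denied.
// In the deployment described on the page these rows live in MySQL;
// here they are an inline constructed table.
const RULES = [
  { url: /^https?:\/\/journals\.example\.com\/embargoed\//, user: /^.+$/,    allow: false },
  { url: /^https?:\/\/journals\.example\.com\//,            user: /^.+$/,    allow: true  },
  { url: /^https?:\/\/intranet\.example\.edu\/admin\//,     user: /^staff-/, allow: true  },
  { url: /^https?:\/\/intranet\.example\.edu\/admin\//,     user: /^.+$/,    allow: false },
  { url: /^https?:\/\/intranet\.example\.edu\//,            user: /^.+$/,    allow: true  },
];

// Split one squid request line into its fields; null if malformed.
function parseRequestLine(line) {
  const fields = line.trim().split(/\s+/);
  if (fields.length < 4) return null;
  const [url, addr, ident, method] = fields;
  return { url, addr, user: ident === '-' ? null : ident, method };
}

// Decide whether user may fetch url under the given rules (default deny).
function authorize(url, user, rules = RULES) {
  if (!user) return false; // squid authenticated nobody: no access
  for (const r of rules) {
    if (r.url.test(url) && r.user.test(user)) return r.allow;
  }
  return false;
}

// The reply line for one request line: "" keeps the URL, DENY_URL
// replaces it with the error document. Malformed input fails closed.
function handleLine(line, rules = RULES) {
  const req = parseRequestLine(line);
  if (!req) return DENY_URL;
  return authorize(req.url, req.user, rules) ? '' : DENY_URL;
}

// Serve squid on stdin/stdout, one reply per request line, until EOF.
function serve() {
  const readline = require('readline');
  const rl = readline.createInterface({ input: process.stdin });
  rl.on('line', (line) => process.stdout.write(handleLine(line) + '\n'));
}

if (process.argv.includes('--serve')) serve();
```

Squid starts the helper from its configuration (the `url_rewrite_program` directive, called `redirect_program` in older releases), and the number of concurrent copies, which the text above says are run to keep response time short, is set with `url_rewrite_children`; this script would be started as `node redirector.js --serve`. The two design points worth noticing are that the helper never authenticates (squid has already done that, and a request with no user name is refused outright) and that an unlisted URL or an unparseable line is denied rather than passed through.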
A manual, constant proxying configuration of a web browser would be inefficient for both the web browser and the proxy server. Instead, an autoproxy (proxy auto-configuration) JavaScript file is served to the browser, directing proxying only where it is needed: usually, when the browser is off campus and is accessing a protected resource. A few resources are configured to be always proxied, regardless of browser locale.
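An autoproxy script of the kind described above, as an added example that is not the university's own script. Subnets, host names and the proxy address are constructed placeholders; the campus is deliberately written as several subnets rather than one mask, matching the situation described earlier on this page. The decision logic is kept in `proxyDecision()`, which takes the client address explicitly, so it can be exercised outside a browser; `myIpAddress()` and the `FindProxyForURL` entry point are the browser's PAC interface.

```javascript
// Added example (not the university's autoproxy script): a proxy
// auto-configuration (PAC) file. Subnets, host names and the proxy
// address below are constructed placeholders.
//
// The browser calls FindProxyForURL(url, host) for every request and
// honours the returned string: "DIRECT" or "PROXY host:port".
'use strict';

const PROXY = 'PROXY proxy.example.edu:3128'; // placeholder proxy address
const DIRECT = 'DIRECT';

// The campus is many subnets, not a single mask (placeholder ranges).
const CAMPUS_SUBNETS = [
  ['10.1.0.0', '255.255.0.0'],
  ['10.7.128.0', '255.255.128.0'],
  ['192.0.2.0', '255.255.255.0'],
];

// Licensed resources: reached directly on campus, proxied off campus.
const PROTECTED_HOSTS = ['journals.example.com', 'ebooks.example.net'];

// Resources proxied regardless of where the browser is.
const ALWAYS_PROXIED_HOSTS = ['intranet.example.edu'];

// Dotted-quad IPv4 address to an unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split('.').reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

// Same test as the PAC built-in isInNet(), written out so the logic
// can run outside a browser.
function inSubnet(ip, net, mask) {
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}

function onCampus(clientIp) {
  return CAMPUS_SUBNETS.some(([net, mask]) => inSubnet(clientIp, net, mask));
}

// Exact host or any subdomain of a listed host.
function hostMatches(host, list) {
  return list.some((h) => host === h || host.endsWith('.' + h));
}

// Proxy only where needed: always-proxied hosts everywhere, protected
// hosts only off campus, everything else direct.
function proxyDecision(url, host, clientIp) {
  if (hostMatches(host, ALWAYS_PROXIED_HOSTS)) return PROXY;
  if (hostMatches(host, PROTECTED_HOSTS) && !onCampus(clientIp)) return PROXY;
  return DIRECT;
}

// Entry point the browser calls; myIpAddress() is supplied by the
// browser's PAC environment and does not exist outside it.
function FindProxyForURL(url, host) {
  return proxyDecision(url, host, myIpAddress());
}
```

The file is served with the `application/x-ns-proxy-autoconfig` MIME type and its URL is entered as the browser's automatic proxy configuration. Because the decision runs inside the browser, it is a convenience for routing, not a security boundary: a client that sends a protected request straight to the proxy is still authenticated and authorized by squid and the redirector.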
The current Proxy 2 phase has two distinct and quite different predecessors:
- The current authorizing phase of university proxy deployment was preceded by, and replaced, Proxy 1: an authenticating-only (no authorization) deployment of the squid proxy which used a simple, always-on squid redirector.
- Before that, a non-proxying, authenticating-only, server-based man-in-the-middle gateway protected some library resources. It has been, or is being, replaced as library webpage links are updated, and is no longer an offered service.