Filtering functionality is enhanced in Excelerator 2.3 so that an N2H2 filtering service or an override list entry can be temporarily bypassed, allowing objects to be cached that would otherwise be blocked.
NOTE: The filter service bypass functionality does not apply to installed X-Stop filtering services.
This feature can be useful for school situations wherein a teacher can either cache content or permit content to be cached that would normally be blocked. For example, sites dealing with breast cancer research might normally be blocked, in which case a teacher could cause the sites to be cached and make the information available to students writing research papers.
Before deploying this feature, it is critical that you understand exactly how it works as outlined in the following sections.
Consider the following points:
Blocking Prevents Objects from Being Cached: Excelerator filtering services and override lists block specified Web content from coming through the proxy service. Content that can't get through the proxy service can't be cached.
Conversely, if content is not blocked and if it is cachable, it is cached automatically as part of the retrieval process.
Filtering Services Prevent Access Only Where Installed: An installed filtering service or an override list will prevent general access to cached content on the device where they are installed or active.
However, they do not prevent general access to cached content on other devices. For example, a filtering service on a hierarchical parent will not prevent access to cached content on a hierarchical child that doesn't have a filtering service installed.
Unblocked Cached Content Is Openly Available: Once content is cached, anyone accessing the Web through the cache device has access to the cached content if a filtering service or override list on the box doesn't block the access.
Hierarchical Caching Broadens the Distribution of Cached Objects: When a cachable object is requested and retrieved through a hierarchy, any hierarchical parents or peers involved in retrieving the objects will also have cached copies of the objects.
Therefore, anyone accessing the Web through these cache devices will also have access to the objects unless they are blocked by a filtering service or override list on the device.
Unblocked Access Is Unrestricted Access: Once filtering has been bypassed for a workstation, anyone using the workstation has unrestricted Web access for the period of time specified when access is granted.
It is imperative, therefore, that unblocked access is carefully monitored and controlled.
Access Control to the Web: After a workstation is authorized to bypass filtering, Web access is unrestricted.
Object Caching Controls: Once filtering is bypassed, all cachable objects accessed through the cache device will be cached.
Access to Cached Objects: Once objects are cached, they become generally available unless one of the following happens:
Organizations often set up hierarchies wherein all content requests are funneled through one or two parent cache devices. Such organizations usually install filtering services only on the parent devices since these can then act as gatekeepers for all content entering the hierarchy.
Obviously, when filtering is bypassed and content that would normally be blocked is instead brought into the hierarchy, the scenario changes substantially. Requests made directly to the parent devices with filtering installed will still be blocked. However, requests to devices that don't have filtering installed will be filled directly from cache.
Organizations generally deploy filtering services and override lists to ensure that only appropriate content is cached and made generally available. For this reason, any decisions to bypass these safeguards must be carefully considered.
We recommend you consider the following usage suggestions:
IMPORTANT: If undesirable content is accessed and cached for whatever reason, you will need to use the selective purge to remove it from the cache device and any hierarchical parents or peers involved in retrieving the content.
Filter bypass functionality is summarized in Figure 66.
Figure 66
To deploy the filter bypass solution, you need the following:
Complete the following steps:
Install and configure an N2H2 filtering service or create an override list on each Excelerator 2.3 cache device.
For help installing N2H2 filtering services, refer to the N2H2 product documentation. For more information on creating filter override lists, see Creating an Override List.
Enable the Mini-FTP server on each Excelerator cache device.
For more information, see FTP Services.
Install the Microsoft Internet Information Server (IIS) on the Windows 2000 computer.
This software is available on the Windows 2000 CD if one came with the computer or on Microsoft's Web site.
Download and complete a default installation of ActiveState's ActivePerl 5.6.x or later from ActiveState's Web site.
NOTE: The download is free and should be installed using the default options for use with Microsoft IIS as outlined in the accompanying documentation.
If the default options are not used, for example if you install in another location, be sure to follow the tips presented in Tips for Non-Default Installations.
Ensure that the Perl executable appears in the path on the Windows 2000 computer by running CMD.EXE and entering PATH at the command prompt.
Complete the following steps:
Using an FTP client, access the Excelerator 2.3 device's default FTP directory (/etc/proxy/appliance/config/user) and retrieve the N2H2FBYP.EXE file.
On the Windows 2000 computer, run the N2H2FBYP.EXE from the Start menu and unzip the files to the default location.
Run the command processor (CMD) from the Start menu, and using the CD command, change to Documents and Settings\username\Local Settings\Temp, where username is your Windows 2000 user name.
NOTE: Local Settings is a hidden directory and won't appear in a directory listing (DIR) at the command line. However, the directory is accessible and the CD command should work.
In the command processor window, enter INSTALL.BAT.
This batch file copies the following files to the directories indicated:
After installing the filter bypass software on the IIS server, you must modify its Perl scripts to communicate with your Excelerator cache devices.
Complete the following steps:
Using an ASCII text editor, open the configex.pl file in the C:\filter directory.
NOTE: This is the main Perl script that communicates with the Excelerator cache device.
Locate the following line in the file:
$uploadServers = "<Mini-FTP_IP_Address>:config:<Pwd>";
This line specifies the Excelerator Mini-FTP servers to which the IIS server will send bypass list files.
IMPORTANT: In the steps that follow, modify only the text between the double quotation marks ("...").
Replace <Mini-FTP_IP_Address> with the IP address of one of the Excelerators' mini-FTP servers to which you want the bypass lists sent.
Do not change the word config in the string. This references the Excelerator config user - the user with rights to copy files using FTP.
Replace the word <Pwd> with the password of the config user on the Excelerator.
If you want the bypass lists sent to multiple Excelerators, create new entries (<Mini-FTP_IP_Address>:config:<Pwd>) within the double quotation marks for each Excelerator and separate each entry using commas (,).
For example, "1.1.1.1:config:pwd1,2.2.2.2:config:pwd2, ... ".
If you have not installed all components to their default locations, complete the modifications outlined in Tips for Non-Default Installations.
Complete the following steps to enable the IIS server to run Perl scripts located in the cgi-bin directory:
On the IIS server, click Start > Settings > Control Panel > Administrative Tools.
Run the Internet Services Manager.
Browse in the tree to the Default Web Site > cgi-bin folder.
Right-click on cgi-bin > select Properties.
Under Execute Permissions, select Scripts and Executables.
You must change the default HTML page that Excelerator serves when access to blocked content is attempted so that the completed form can be sent to the IIS. You must then FTP this page to each Excelerator.
Complete the following steps:
Browse to C:\Documents and Settings\username\Local Settings\Temp\misc where username is the Windows 2000 user name you used when installing the filtering bypass software, and make a copy of the picsblok.htm file.
Using an ASCII text editor, open the picsblok.htm file.
Locate the string <IP_OF_WEB_SERVER> in the file and replace only this string with the IP address of the IIS server.
IMPORTANT: If you choose to modify other portions of the picsblok.htm file, do not modify the following lines:
<input type="hidden" name="REFERER" value="#REFERER#">
<input type="hidden" name="FORWARDED_FOR_IP" value="<X-FORWARDED-FOR>"
These two lines are critical elements of the form that cannot be changed or deleted.
Using an FTP application, copy the modified picsblok.htm file to the etc/proxy/data directory on the Excelerator cache device where filtering is installed.
Access to the list of filter bypass users and their passwords is controlled by a single administrative password. To set or change this password, complete the following steps:
On the IIS server, run the command processor (CMD) from the Start menu.
Change to the C:\filter directory, or to the directory where the setadminpass.pl script file is located.
Enter the following command:
perl setadminpass.pl xxxxx
where xxxxx is the administrative password you want to use when modifying the filter bypass user database.
IMPORTANT: This section lets you designate the people who will be able to bypass filtering. In most situations, this will be a supervisor (or teacher in a school environment) who has the responsibility to see that only appropriate content is accessed and cached.
To add authorized users to the filter bypass database, complete the following steps:
In a browser, access the Add User page on the IIS by entering the following URL:
http://iii.iii.iii.iii/AddUser.html
where i is the IP address of the IIS Web server.
In the SysAdmin Password field, type the administrative password created in Setting Up Administrative Access to the List of Bypass Users.
In the UserName field, type the user id for one of the filter bypass users.
In the Password field, type the password this user will use to bypass filtering.
In the Verify Password field, re-type the password for this user.
Click Add User.
To create additional users, repeat the process starting with Step 2.
NOTE: All maintenance of bypass lists, expiration checking, etc. occurs on the IIS server. It is therefore critical that the server communicate regularly with the Excelerator cache devices. Otherwise, the devices won't receive timely bypass list updates, and the expiration of IP addresses will also not be communicated to the cache devices.
The start the IIS server sending bypass lists to your Excelerators, you need to run a Perl script on the server.
Complete the following Steps:
On the IIS server, run the command processor (CMD) from the Start menu.
Change to the C:\filter directory, or the directory containing the configex.pl Perl script.
Enter the following command:
perl configex.pl
By default, this script runs continually, processing new and expired bypass authorizations every 60 seconds. It also provides a status update every 60 seconds indicating that the script is still running.
If your users are accessing the Web through a proxy that is a member of a hierarchy in which filtering is installed on the parent cache device, you must do the following on the child device:
IMPORTANT: Be aware that any objects cached on a device that fills through a hierarchy will also be cached on all other devices involved in retrieving the content. For a review of the implications of caching through a hierarchy, see Managing the Impacts of Using this Feature.
IMPORTANT: You should start the bypass service from the command line at first and watch for any error messages or other issues requiring troubleshooting.
If you want to have the script start automatically each time the server reboots, you can use srvany.exe and instsrv.exe, available with the W2K Resource Kit, to convert configex.pl to an NT service. More information is available on the Web.
Alternatively, you can also use a third party CRON utility to run the script every 45 to 60 seconds.
If you have installed any components (ActivePerl, the bypass software, Internet Information Server, etc.) to non-default locations, you must check the .html, .htx, and .pl files in the following locations and modify any affected paths.
where non_default_directory_path represents the directory where you've installed the bypass software.
The filtering bypass software manages a simple database of userids and passwords for the users authorized to grant temporary unrestricted Web access, such as teachers who need to cache specific content in an educational environment.
Passwords in this database are stored in their hashed format, and the database is not stored in a path that is accessible to the HTTP server. A would-be hacker would have to compromise Windows 2000 security to crack the passwords in the database.
Creating the userids and passwords in the database is handled through the HTML input password mechanism. Anyone sniffing the wire would be able to see the password in plain text.
Access to the database requires an administrative password. For more information on setting this password, see Setting Up Administrative Access to the List of Bypass Users. Since this password is created on the box, it cannot be sniffed on the wire. One would have to look over the administrator's shoulder to discover this password.
The IIS server sends the bypass list to the Excelerator using Excelerator's mini-FTP functionality. All FTP security liabilities apply to this transaction.