
Using the CAS Connector with a Web Proxy

If the machines in your environment are blocked from accessing the web, the CAS Connector will not work. To give the CAS Connector machine access to the resources it requires from the internet, a web proxy server is required. The web proxy server must support the HTTP CONNECT method, and the method must be enabled. Both HTTP and HTTPS traffic are proxied through the same proxy server.

The following steps outline how to use the CAS Connector with a web proxy:

  1. Set up a web proxy with access to the Internet, for example Squid.
  2. Ensure that HTTP CONNECT is enabled on the web proxy. For Squid, for example, the configuration file may look like this:
    # Allowed source IPs (i.e., machines with IPs)
    acl localnet src # RFC1918 possible internal network
    # Allowed ports to proxy traffic (Default)
    acl SSL_ports port 443
    acl Safe_ports port 80      # http
    acl Safe_ports port 21      # ftp
    acl Safe_ports port 443     # https
    acl Safe_ports port 70      # gopher
    acl Safe_ports port 210     # wais
    acl Safe_ports port 1025-65535  # unregistered ports
    acl Safe_ports port 280     # http-mgmt
    acl Safe_ports port 488     # gss-http
    acl Safe_ports port 591     # filemaker
    acl Safe_ports port 777     # multiling http
    # Enable HTTP Connect
    acl CONNECT method CONNECT
    # Default Squid http_access settings
    # Deny requests to certain unsafe ports
    http_access deny !Safe_ports
    # Deny CONNECT to other than secure SSL ports
    http_access deny CONNECT !SSL_ports
    # Only allow cachemgr access from localhost
    http_access allow localhost manager
    http_access deny manager
    # Example rule allowing access from your local networks.
    # Adapt localnet in the ACL section to list your (internal) IP networks
    # from where browsing should be allowed
    http_access allow localnet
    http_access allow localhost
    # And finally deny all other access to this proxy
    http_access deny all
    # Squid normally listens to port 3128
    http_port 3128
    # Leave coredumps in the first cache dir (Default)
    coredump_dir /var/spool/squid
    # Default Refresh patterns
    refresh_pattern ^ftp:       1440    20% 10080
    refresh_pattern ^gopher:    1440    0%  1440
    refresh_pattern -i (/cgi-bin/|\?) 0 0%  0
    refresh_pattern (Release|Packages(.gz)*)$      0       20%     2880
    refresh_pattern .       0   20% 4320
  3. To test that the proxy is working correctly, open a terminal on the CAS Connector host machine over SSH and run the following commands:
    # Running curl to cam should time out since the host should not be able to route to the internet
    $ curl
    curl: (7) Failed to connect to port 80: Connection timed out
    $ curl
    curl: (7) Failed to connect to port 443: Connection timed out
    # Setting the proxy settings in the environment for curl to test that it works for HTTP and HTTPS traffic
    $ export http_proxy=http://<ip-of-proxy-server>:<proxy-port (default 3128)>
    $ curl
    <head><title>308 Permanent Redirect</title></head>
    <body bgcolor="white">
    <center><h1>308 Permanent Redirect</h1></center>
    $ export https_proxy=$http_proxy
    $ curl
    <!doctype html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name="theme-color" content="#000000"><link rel="manifest" href="/manifest.json"><link rel="shortcut icon" href="/favicon.ico"><title>Cloud Access Manager</title><link href="/static/css/main.27391ea7.css" rel="stylesheet"></head><body><noscript>You need to enable JavaScript to run this app.</noscript><div id="root" class="full-height"></div><script type="text/javascript" src="/static/js/main.45a05db7.js"></script></body></html>
    # Clear the settings from the environment
    $ unset http_proxy
    $ unset https_proxy
  4. To run the installer with the proxy settings, you can apply them in the environment:
    # The installer reads the proxy settings from the environment if http_proxy, https_proxy, HTTP_PROXY, or HTTPS_PROXY are set
    $ export https_proxy=http://<ip-of-proxy-server>:<proxy-port (default 3128)>
    $ ./cloud-access-connector install ...
    or through the command line option:
    $ ./cloud-access-connector install --https-proxy http://<ip-of-proxy-server>:<proxy-port (default 3128)> ...
  5. The installer should run as normal and configure the containers with the web proxy settings provided.
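
Squid evaluates the http_access lines from step 2 top to bottom and the first matching line decides, so the "deny CONNECT !SSL_ports" line is what limits tunnels to port 443. The Python check below is an added example, not part of the CAS Connector or Squid; it models only src, port and method ACLs, treats the built-in manager ACL as never matching, and assumes 10.0.0.0/8 for localnet, which the page leaves blank.

```python
import ipaddress

# Constructed sample: the acl/http_access lines of the step 2 config (port list trimmed).
# Assumption: localnet is 10.0.0.0/8; the page leaves that value blank.
SAMPLE_CONF = """
acl localnet src 10.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 443
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
"""

def parse(conf):
    """Return (acls, rules); values of a repeated acl name are ORed together."""
    acls = {"all": ("src", ["0.0.0.0/0"]), "localhost": ("src", ["127.0.0.1/32"]),
            "manager": ("never", [])}  # built-ins, simplified: manager never matches
    rules = []
    for line in conf.splitlines():
        tok = line.split("#")[0].split()
        if tok[:1] == ["acl"] and len(tok) >= 4:
            acls.setdefault(tok[1], (tok[2], []))[1].extend(tok[3:])
        elif tok[:1] == ["http_access"] and len(tok) >= 3:
            rules.append((tok[1], tok[2:]))
    return acls, rules

def acl_matches(kind, values, src, method, port):
    if kind == "src":
        return any(ipaddress.ip_address(src) in ipaddress.ip_network(v) for v in values)
    if kind == "method":
        return method in values
    if kind == "port":  # "443" -> (443, 443), "1025-65535" -> (1025, 65535)
        ranges = [tuple(map(int, (v.split("-") * 2)[:2])) for v in values]
        return any(lo <= port <= hi for lo, hi in ranges)
    return False

def decide(conf, src, method, port):
    """First http_access line whose ACLs all match (AND, '!' negates) wins."""
    acls, rules = parse(conf)
    for action, names in rules:
        if all(acl_matches(*acls[n.lstrip("!")], src, method, port) != n.startswith("!")
               for n in names):
            return action
    return "allow" if rules and rules[-1][0] == "deny" else "deny"  # Squid's no-match default
```

With the sample as written, decide(SAMPLE_CONF, "10.1.2.3", "CONNECT", 8443) returns "deny"; deleting the "http_access deny CONNECT !SSL_ports" line turns that into "allow", which is the regression to check for after editing the file.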

Proxy Passwords are not Supported

Proxy passwords are not supported with the CAS Connector at this time.