DeleGate — A Multi-platform, Multipurpose Proxy Server

0
13612
DeliGate, a Proxy

DeliGate, a Proxy

A proxy server works as an intermediary for requests from clients seeking resources from other servers. There are various types of proxy servers. In this article, we will briefly discuss one of them, called DeleGate, along with some of its capabilities.

DeleGate is a multi-platform and multi-purpose proxy server, which runs on UNIX, Windows, Mac OS X and OS/2. It allows various protocols to pass through it, and applies cache and conversion to the pass-through data, as well as access control and routing.

Some of the protocols supported are HTTP, FTP, NNTP, SMTP, POP, IMAP, LDAP, Telnet, SOCKS and DNS. DeleGate can also translate protocols between clients and servers — such as converting between IPv4 and IPv6.

Multiple servers can be combined to behave as a single server, using the aliasing and filtering capabilities of DeleGate. For various automated purposes, DeleGate can also be used as an origin server for HTTP, FTP and NNTP.

Installing DeleGate

In order to install DeleGate on Linux, you can compile from source, or get ready-to-use binaries for 32-bit and 64-bit Linux distributions. I could not find a package for DeleGate in Debian, Ubuntu, Fedora or CentOS repositories, so the binary was my preferred option. Since I had only 64-bit environments at hand, I could only use the 64-bit version of the software.

The 64-bit binary worked fine on Fedora 13 and CentOS 5.5, but I could not get it to work on Debian Lenny and Ubuntu. I did not try for too long, but it looked like there were some compatibility issues. Users of those distros will need to explore further or compile their own binaries from source.

The following commands create a directory layout for DeleGate and extract the contents of the archive:

# mkdir -p /opt/delegate/{bin,etc} && cd /opt/delegate/bin 
# wget http://www.delegate.org/anonftp/DeleGate/bin/linux/9.9.7/linux64-dg.gz 
# gunzip linux64-dg.gz && chmod +x linux64-dg.gz 
# touch ../etc/dg.conf

Next, issue the following command to create a user account to run DeleGate (running it as root is a very very bad idea):

# useradd -M -c "Delegate Proxy User" -d /opt/delegate delegate 
# chown -R delegate:delegate /opt/delegate

Let’s use /opt/delegate/etc/dg.conf as the configuration file for DeleGate. I will discuss one sample configuration — DeleGate as an HTTP proxy. After you have created the desired configuration, you can start DeleGate as follows:

# su - delegate
$ bin/linux64-dg DGROOT="/opt/delegate" +=etc/dg.conf

After making changes to the configuration, do not forget to reload the changes by sending a HUP signal to the DeleGate process.

Configuration options used

The following list explains some of the common configuration options used in this article.

  • -P — Specifies on which port DeleGate will listen for requests from clients. You can specify a host or IP address too, such as -P localhost:8080 or -P 192.168.1.1:8080. By default, the port is a TCP port, unless a UDP-based application protocol is specified in the SERVER parameter. However, you can still specify UDP — for example, -P8080/UDP. You can also specify multiple host:port options as a comma-separated list.
  • -T — Used to trace system calls. Signals occurring in the DeleGate process will be watched by the parent DeleGate using “ptrace(2)”. -Tx here ensures that DeleGate processes trying to execute the “execve(2)” system call will be trapped and killed. This is a very useful security measure.
  • DGROOT — At startup,DeleGate searches for an available DGROOT which is both readable and writable by the OWNER. The OWNER (which can be set as a variable also) is the user, using which the delegate process will run. By default this user is the user that launched the delegate process. In our example, this is the “delegate” user we created in the previous section. Typically it will be ${HOME}/delegate and / if CHROOT is used. This parameter needs to be specified on the command line.
  • SERVER — Specifies the protocol to be used for communication with clients.
  • REMITTABLE — Only the listed protocols (to the SERVER) will be permitted to be relayed by the proxy. A typical list of protocols expected to be relayed through an HTTP proxy includes HTTP, HTTPS, Gopher, FTP and WAIS.
  • CACHE — Whether the proxy should use cache or not. A value of no will disable cache; do will enable it, and create CACHEDIR if it does not exist.
  • TIMEOUT — The time-out period for an action, by default, is in units of seconds. A 0 means never time out. Valid units are days, hours and minutes (e.g., 1d, 1h, 1m). The action can be, for example, shutout which specifies that a suspicious client host will be shut out until a relevant file (under ADMDIR/shutout/) is removed, or the file is expired by TIMEOUT. This is a good defense against attacks on the proxy.
  • MAXIMA — Maximum values for resource usage, processes, connections, etc. randstack randomises the range of stack base for security, randenv randomises the range of environment variables base and randfd randomises the range of client socket file-descriptors.
  • ADMIN — Specifies the admin contact person who will receive emails from DeleGate on various events.
  • AUTHORIZER — Specifies an optional server for authentication and authorisation. A list of user names and passwords is used in pairs for authentication. There are various other schemes available, such as PAM.

DeleGate as an HTTP proxy

In this sample configuration, DeleGate is configured as an HTTP proxy with authentication and no caching. To enable caching, change CACHE=no to CACHE=do:

# su - delegate 
$ vi /opt/delegate/etc/dg.conf 
-P8080 
-Tx 
DGROOT="/opt/delegate" 
SERVER=http 
REMITTABLE="http,https/443,gopher,ftp,wais" 
CACHE=no 
TIMEOUT="shutout:30m" 
MAXIMA="randstack:32" 
MAXIMA="randenv:1024" 
MAXIMA="randfd:32" 
ADMIN=tech.support@unixclinic.net 
AUTHORIZER="-list{user1:password1,user2:password2}"

Moving on

This article is only an introduction to this marvellous piece of engineering. We have not covered many DeleGate features such as SOCKS proxy, transparent SOCKS proxy, chaining of proxies, etc. I leave further exploration to readers; I am pretty sure that those of you who are interested will explore and benefit from DeleGate’s capabilities.

Interested readers could also explore another proxy server called Dante. Time permitting, I may, in the future, write about implementing other features of DeleGate. Dante is also in my to-do list, so watch out.

LEAVE A REPLY

Please enter your comment!
Please enter your name here