restricting users to just one site

Peter Murray PMurray at law.uconn.edu
Wed Mar 6 16:06:47 EST 2002


I talk about this in my LITA Regional Institute on Web Proxy Servers and 
Authentication (care to host a Regional Institute in Ireland?), and I 
offer three suggestions of increasing complexity to solve the problem:

1.  As Jacque pointed out, you can use the "Proxy Exceptions" 
configuration in the web browser to limit access.  This is described 
best by Andrew Mutch on his Tech pages:
  <http://northville.lib.mi.us/tech/lockin.htm> (Navigator)
  <http://tech.tln.lib.mi.us/lockinie.htm> (Internet Explorer)

2.  The problem with #1 is that the user gets a somewhat cryptic error 
message from the browser ('Netscape is unable to locate the server "Your 
Error Message":0  Please check the server name and try again.')  My 
enhancement to Andrew's idea is to put the address of a "fake" proxy 
server (the only thing this server does is return a page).  In this 
case, we run a fake proxy server on a specific port on a UNIX box which 
simply displays an HTML page.

    a.	Create an HTTP-response-in-a-file (/usr/local/sorry.cat-html in
       this example):

        HTTP/1.0 200 Ok
        Content-type: text/html

        <HTML>
        <HEAD><TITLE>Can't go there</TITLE></HEAD>
        <BODY><P>Sorry -- you can't get there from this
        workstation.</P></BODY> </HTML>

    b.	Add a line to your services file:

        fakeproxy 8080/tcp

    c.	Add a line to your inetd.conf file:

        fakeproxy stream tcp nowait httpusr /bin/cat cat /usr/local/sorry.cat-html

       ...and restart your inetd server with a HUP signal.

    d. Change the configuration of the browser in example #1 above such
       that the HTTP proxy hostname is your UNIX server and 8080 is the
       port.

There is probably an equivalent way to do this under NT.  (Anybody know 
how?)

3.  Option #2 above is great, but if you want to change the list of 
"Exceptions" you must visit each browser and reconfigure it (unless you 
are using something like NT profiles).  To solve that problem, I suggest 
using Proxy Automatic Configuration (PAC) files to define the exceptions 
list.  That way you can make the change to the PAC file on your web 
server and the clients will pick up the changes the next time the web 
browser is restarted.


Peter
--
Peter Murray, Computer Services Librarian              W: 860-570-5233
University of Connecticut Law School             Hartford, Connecticut
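
The PAC approach from option 3, sketched as an added example that is not part of the original message: allowed hosts go DIRECT and everything else is sent to the fake proxy from option 2. All hostnames are placeholders, and plain string operations replace the browser's PAC helper functions so the logic can also be tested outside a browser.

```javascript
// Added example PAC file; every hostname here is a constructed placeholder.

// Exact hostnames the workstation may reach directly (the "exceptions" list).
var ALLOWED_HOSTS = ["catalog.library.example"];

// Domains whose subdomains are also allowed; the leading dot is significant.
var ALLOWED_DOMAINS = [".vendor-database.example"];

// The fake proxy from option 2: it answers every request with the "sorry" page.
var SORRY_PROXY = "PROXY unixbox.library.example:8080";

function isAllowed(host) {
  // Hostnames are case-insensitive and may arrive with a trailing dot.
  var h = String(host).toLowerCase().replace(/\.$/, "");
  var i, d;
  for (i = 0; i < ALLOWED_HOSTS.length; i++) {
    if (h === ALLOWED_HOSTS[i]) return true;
  }
  for (i = 0; i < ALLOWED_DOMAINS.length; i++) {
    d = ALLOWED_DOMAINS[i];
    // Suffix match anchored on the dot, so "xvendor-database.example"
    // and "catalog.library.example.other.example" do not slip through.
    if (h.length > d.length && h.slice(-d.length) === d) return true;
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  return isAllowed(host) ? "DIRECT" : SORRY_PROXY;
}
```

Behaviour when the PAC file cannot be fetched varies by browser, so check that a locked-down workstation does not fall back to direct access in that case.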



