Using an HTTP-proxy Servlet to restrict URLs to external servers
For IBM® Lotus® iNotes™ features that send requests to external servers or Web services, such as Lotus Quickr integration or external calendar overlays, administrators can use an HTTP-proxy servlet to intercept calls and retrieve information from a remote site. An HTTP-proxy servlet specifies which sites are allowed and filters out unwanted sites. Instead of the request going directly to an external server such as Lotus Quickr or Google, calls are passed through the HTTP-proxy servlet. If the external server is defined in the HTTP-proxy servlet properties as one of the allowed sites, then the request is passed on to the external server, and any information received from the external server is also returned through the HTTP-proxy servlet.

Using an HTTP-proxy servlet protects the hosting Web server against malicious code by preventing other servers from attacking the requesting server, because the requests are going to the HTTP-proxy servlet, not the Web server. For security reasons it is important that you limit the sites that can be accessed through your proxy. An open proxy that passes on connections to any Web site leaves the Web server vulnerable to abuse.

You configure the proxy servlet by editing the file proxy-config.properties located in the Domino\data\properties directory. To specify which servers are allowed, use the following set of properties:

Property: Description

enable: Set to true to enable this servlet.

connection timeout: Length of time to attempt a connection (default is 10 seconds if unspecified).

policy<n>.url: Address of the site to which this policy applies. The url attribute is the target of the proxy. So, in the example below, this policy will be enforced if the GoogleProxy tries to access http://www.google.com/.

policy<n>.actions: The set of HTTP actions this policy allows. These can be GET, POST, PUT, DELETE. The most frequently used are GET and POST.

policy<n>.cookies: Cookies allowed for this site. That is, the cookies that will be passed from the browser to the target URL server.
Note: Cookies with specified names will always be proxied to this site. In addition, any incoming cookies (Set-Cookie response headers) received from the site will also be remembered and eventually sent back on subsequent requests to this site.

policy<n>.headers: Headers allowed for this site, or use * to allow all. This attribute determines which headers are forwarded to the target server.
Note: Cookies are not handled as a standard header. Putting the entry "cookie" in the headers list will have no effect.

policy<n>.mime-types: Content types allowed back from the target server, or use * to allow all.

You configure a proxy policy for each site you want to allow. Each policy setting that you configure must have a different number, and the numbers must be sequential. That is, there is a policy0, then a policy1, then a policy2, and so on. The context entry determines which proxy servlet this setting is for. In the example below, the setting is for the GoogleProxy. If you want the setting to be for the QuickrProxy, then the entry would look like this:

policy1.context=/proxy/QuickrProxy/

Example:

# Test properties for proxy policies
enabled=true
connectTimeout=200

policy0.url=http://www.google.com/
policy0.context=/xsp/proxy/GoogleProxy/
policy0.actions=GET,POST
policy0.cookies=
policy0.headers=*
policy0.mime-types=*

policy1.url=https://www.google.com/
policy1.context=/xsp/proxy/GoogleProxy/
policy1.actions=GET,POST
policy1.cookies=
policy1.headers=*
policy1.mime-types=*

# policy2.url=http://your_quickr_server:10038/
# policy2.context=/xsp/proxy/QuickrProxy/
# policy2.actions=GET,POST
# policy2.cookies=LtpaToken
# policy2.headers=*
# policy2.mime-types=*
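
A small audit script for this file, added here as an illustration (it is not IBM's code and not part of the original page): it parses the properties format shown above and reports non-sequential policy numbers, actions outside the four the page lists, wildcard headers or mime-types, and cookies forwarded to an http:// target. The function names, the wording of the findings and the sample host quickr.example.com are assumptions made for the example.

```python
import re

ALLOWED_ACTIONS = {"GET", "POST", "PUT", "DELETE"}  # the actions the page lists

# Constructed sample (hypothetical host); policy1 is absent, so numbering has a gap.
SAMPLE = """\
enabled=true
policy0.url=https://www.google.com/
policy0.context=/xsp/proxy/GoogleProxy/
policy0.actions=GET,POST
policy0.headers=*
policy0.mime-types=*
policy2.url=http://quickr.example.com:10038/
policy2.context=/xsp/proxy/QuickrProxy/
policy2.actions=GET,TRACE
policy2.cookies=LtpaToken
"""

def parse_properties(text):
    """Read key=value pairs, ignoring blank lines and # comments."""
    pairs = (l.split("=", 1) for l in map(str.strip, text.splitlines())
             if "=" in l and not l.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def audit(text):
    """Return review findings for the body of a proxy-config.properties file."""
    props, findings = parse_properties(text), []
    if props.get("enabled", "").lower() != "true":  # key as spelled in the example file
        findings.append("servlet is not enabled")
    nums = sorted({int(m.group(1)) for k in props if (m := re.match(r"policy(\d+)\.", k))})
    if nums != list(range(len(nums))):
        findings.append(f"policy numbers are not sequential from 0: {nums}")
    for n in nums:
        val = lambda attr: props.get(f"policy{n}.{attr}", "")
        for attr in ("url", "context", "actions"):
            if not val(attr):
                findings.append(f"policy{n}: {attr} is missing")
        extra = {a.strip().upper() for a in val("actions").split(",") if a.strip()} - ALLOWED_ACTIONS
        if extra:
            findings.append(f"policy{n}: unexpected actions {sorted(extra)}")
        for attr in ("headers", "mime-types"):
            if val(attr) == "*":
                findings.append(f"policy{n}: {attr}=* allows all")
        if val("cookies") and val("url").lower().startswith("http://"):
            findings.append(f"policy{n}: cookies {val('cookies')} sent to a cleartext http URL")
    return findings
```

Calling `audit()` on the text of proxy-config.properties returns a list of strings; an empty list means none of these checks fired.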
