06-Layer 3—IP Services Command Reference
22-HTTP proxy commands
HTTP proxy commands
access-record enable
Use access-record enable to enable the HTTP proxy operation recording and specify the directory for saving an HTTP proxy operation recording file.
Use undo access-record enable to restore the default.
Syntax
access-record enable file-path path [ gzip ]
undo access-record enable
Default
The HTTP proxy operation recording is disabled.
Views
HTTP proxy service view
Predefined user roles
network-admin
mdc-admin
Parameters
file-path path: Specifies a file path. The file path specified by the path argument must include the slot number in the format of slotn# to specify the location of the storage media. The n indicates the slot number of the module that has storage media. (In standalone mode.)
file-path path: Specifies a file path. The file path specified by the path argument must include the chassis number and slot number in the format of chassism#slotn# to specify the location of the storage media. The m and n indicate the member number of the device and the slot number of the module that has storage media, respectively. (In IRF mode.)
gzip: Compresses the HTTP proxy operation recording file. The HTTP proxy operation recording files will be saved in gzip format. If you do not specify this keyword, the device will not compress the HTTP proxy operation recording file.
Usage guidelines
The proxy information of an HTTP proxy service is recorded in the HTTP proxy operation recording file in descending order of time. For example, a record in the HTTP proxy operation recording file looks like this:
[03/Dec/2019:16:11:35 +0800] Client=2001::1 URL=http://www.example.com/index.html Server=172.16.28.12:80
· The [03/Dec/2019:16:11:35 +0800] field indicates the access time and time zone of the client.
· The 2001::1 field indicates the IPv6 address of the client.
· The http://www.example.com/index.html field indicates the URL requested by the client.
· The 172.16.28.12:80 field indicates the IPv4 address and port of the Web server accessed by the client.
With this command configured, the device will create a directory named as the main file name of the recording file plus suffix _history to store the historical HTTP operation records. For example, if you specify directory flash:/httpproxy/record.log to store HTTP operation records, the device automatically creates directory flash:/httpproxy/record_history to store historical HTTP operation records. When file record.log exceeds the upper limit, the device will create a file named as record_YYYYMMDDhhmm.log in directory flash:/httpproxy/record_history to store the contents of the record.log file and will clear the contents of the record.log file. By default, the maximum file size is 10 MB. For the record_YYYYMMDDhhmm.log file name, YYYY represents year, MM represents month, DD represents day, hh represents hour, and mm represents minute.
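The following is an added example, not code from the command reference or from the device vendor: a small Python reader for the recording file format described above, written from the point of view of an operator who collects these files off the device for review. It parses the `[time] Client= URL= Server=` records, detects a gzip-compressed file by its magic bytes (the file keeps the configured name, so the extension says nothing about compression), and derives the `_history` directory and `record_YYYYMMDDhhmm.log` name the device uses when the file fills up. The sample records are constructed for the example; the slot prefix handling (keeping `slot1#` untouched) is an assumption.

```python
import gzip
import re
from datetime import datetime

# Constructed sample content of an access-record file (not captured from a device);
# newest entry first, as the recording file stores them.
SAMPLE_RECORDS = (
    "[03/Dec/2019:16:11:35 +0800] Client=2001::1 "
    "URL=http://www.example.com/index.html Server=172.16.28.12:80\n"
    "[03/Dec/2019:16:10:02 +0800] Client=2001::2 "
    "URL=http://www.example.com/login.html Server=172.16.28.13:8080\n"
)

# One record: [time zone] Client=<addr> URL=<url> Server=<ip>:<port>
RECORD_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Client=(?P<client>\S+) URL=(?P<url>\S+) Server=(?P<server>\S+)$"
)


def parse_record(line):
    """Parse one recording line into a dict, or return None if it does not match."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        return None
    when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    server_ip, _, port = m.group("server").rpartition(":")
    return {
        "time": when,
        "client": m.group("client"),
        "url": m.group("url"),
        "server_ip": server_ip,
        "server_port": int(port),
    }


def records_from_bytes(data):
    """Decode a recording file that may have been written with the gzip keyword.

    Detection uses the gzip magic bytes rather than the file name, because the
    command keeps the configured .log name even when compressing.
    """
    if data[:2] == b"\x1f\x8b":
        data = gzip.decompress(data)
    text = data.decode("utf-8", errors="replace")
    records = [parse_record(line) for line in text.splitlines() if line.strip()]
    return [r for r in records if r is not None]


def rotated_path(configured_path, when):
    """Return (history_dir, rotated_file) the device uses when the file reaches its limit.

    For flash:/httpproxy/record.log this is flash:/httpproxy/record_history and
    flash:/httpproxy/record_history/record_YYYYMMDDhhmm.log, per the usage guidelines.
    A leading slot prefix such as slot1# is kept untouched (assumption).
    """
    directory, sep, file_name = configured_path.rpartition("/")
    stem, dot, ext = file_name.rpartition(".")
    if not dot:  # no extension: the whole name is the stem
        stem, ext = file_name, ""
    history_dir = f"{directory}{sep}{stem}_history"
    rotated = f"{stem}_{when.strftime('%Y%m%d%H%M')}" + (f".{ext}" if dot else "")
    return history_dir, f"{history_dir}/{rotated}"


def requests_per_server(records):
    """Count records per Web server endpoint, a quick pivot when reviewing proxy use."""
    counts = {}
    for r in records:
        key = f"{r['server_ip']}:{r['server_port']}"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Round-trip through gzip to show that compressed files are handled the same way.
    recs = records_from_bytes(gzip.compress(SAMPLE_RECORDS.encode()))
    for r in recs:
        print(r["time"].isoformat(), r["client"], "->", r["url"])
    print(requests_per_server(recs))
    print(rotated_path("slot1#flash:/httpproxy/record.log", recs[0]["time"]))
```

Because the file is written newest-first and rotated copies are moved into the `_history` directory, a collector should read both the live file and the history directory, and treat the `single-file-size` and `max-zone-size` limits (see access-record max-size) as the retention window it has to keep up with.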
Examples
# (In standalone mode.) Enable the operation recording for HTTP proxy service test and specify the directory for saving the HTTP proxy operation recording file compressed in gzip format.
<Sysname> system-view
[Sysname] http-proxy service test slot 1
[Sysname-http-proxy-service-test-slot1] access-record enable file-path slot1#flash:/httpproxy/20210111.log gzip
Related commands
access-record max-size
access-record max-size
Use access-record max-size to specify the size of the log file zone and the size of a single log file.
Use undo access-record max-size to restore the default.
Syntax
access-record max-size max-zone-size single-file-size single-file-size
undo access-record max-size
Default
The size for a single file is 10 MB and the size of the log file zone is 4 GB.
Views
HTTP proxy service view
Predefined user roles
network-admin
mdc-admin
Parameters
max-zone-size: Specifies the size of the log file zone. The value range is 500 to 20480 MB.
single-file-size single-file-size: Specifies the size of a single log file. The value range for the single-file-size argument is 10 to 300 MB.
Usage guidelines
The system automatically saves the proxy information into several HTTP proxy operation files in sequence. If the upper limit of an HTTP proxy operation file is reached, the system creates a new file to save the proxy information. When the upper limit of the log file zone is reached, the early generated proxy information will be overwritten by the newly generated proxy information.
As a best practice, obey the following rules to set the size of a single log file:
· If the device handles a large number of connections, use a smaller value as the size of a single log file. The device can then overwrite files at a finer granularity when the log file zone is full.
· If the device handles a small number of connections, use a larger value as the size of a single log file so that each file holds the complete proxy information.
When you specify the size of the log file zone, make sure it is smaller than the maximum size of data that can be stored in the working path.
Examples
# (In standalone mode.) Specify 5120 MB and 10 MB as the size of the log file zone and the size of a single log file, respectively.
<Sysname> system-view
[Sysname] http-proxy service test slot 1
[Sysname-http-proxy-service-test-slot1] access-record max-size 5120 single-file-size 10
Related commands
access-record enable
cache-data
Use cache-data to enable the device to cache Web server resources and specify the directory for storing cache files.
Use undo cache-data to disable the device from caching Web server resources.
Syntax
cache-data directory directory
undo cache-data
Default
The device does not cache Web server resources and the directory for storing cache files is not specified.
Views
HTTP proxy service view
HTTP proxy server view
Predefined user roles
network-admin
mdc-admin
Parameters
directory directory: Specifies a directory path. The directory path specified by the directory argument must include the slot number in the format of slotn# to specify the location of the storage media. The n indicates the slot number of the module that has storage media. (In standalone mode.)
directory directory: Specifies a directory path. The directory path specified by the directory argument must include the chassis number and slot number in the format of chassism#slotn# to specify the location of the storage media. The m and n indicate the member number of the device and the slot number of the module that has storage media, respectively. (In IRF mode.)
Usage guidelines
This command enables the device to cache, in the specified directory, the Web server resources obtained through HTTP or HTTPS. When a client requests the same Web server resources, the device responds to the client directly from the locally saved data. This reduces the traffic sent to the servers and the transmission cost, lessens the load on the servers, shortens the response time to clients, and improves the user experience.
After you execute this command on a centralized IRF device, the distributed devices, or distributed devices in IRF mode, the system will check whether the specified cache files exist on the master device or active MPU:
· If yes, the configuration succeeds.
· If not, the configuration fails.
If you want to reference an HTTP proxy server in an HTTP proxy service, when you execute this command for the HTTP proxy server, the specified directory path must be the path of the slot where the HTTP proxy service is located. Otherwise, the reference will fail.
Before changing the cache file directory for an HTTP proxy service, make sure the HTTP proxy service is disabled. Before changing the cache file directory for an HTTP proxy server, make sure the HTTP proxy server is not referenced.
If you execute this command multiple times, the most recent configuration takes effect.
Currently, the device can cache the apk, bmp, doc, docx, gif, gzip, ipa, jar, jpg, jpeg, mp4, pdf, png, pptx, rar, swf, tar, txt, xls, xlsx, or zip files on the webpages.
Do not use this command in an HTTP proxy service view after the HTTP proxy service references an HTTP proxy server.
Examples
# (In standalone mode.) Enable HTTP proxy service test to cache Web server resources and specify directory flash:/cached to store cache files.
<Sysname> system-view
[Sysname] http-proxy service test slot 1
[Sysname-http-proxy-service-test-slot1] cache-data directory slot1#flash:/cached
# Enable HTTP proxy server test to cache Web server resources and specify directory flash:/cached to store cache files.
<Sysname> system-view
[Sysname] http-proxy server test
[Sysname-http-proxy-server-test] cache-data directory flash:/cached
Related commands
http-proxy server
include server
service enable
delete cookie-flag
Use delete cookie-flag to delete a Set-Cookie attribute from an HTTP/HTTPS response.
Use undo delete cookie-flag to restore the default.
Syntax
delete cookie-flag { httponly | samesite | secure }
undo delete cookie-flag { httponly | samesite | secure }
Default
The device does not modify the Set-Cookie attributes in an HTTP or HTTPS response.
Views
HTTP proxy server view
Predefined user roles
network-admin
mdc-admin
Parameters
httponly: Specifies the HTTPOnly attribute in a cookie.
samesite: Specifies the SameSite attribute in a cookie.
secure: Specifies the Secure attribute in a cookie.
Usage guidelines
After the external link reference feature is enabled in an HTTP proxy server view, the device will add a wildcard domain name to the external link URL in the response returned by the Web server and modify the external link URL into HTTP format. For example, the device modifies external link URL https://example.com into http://https-example-com.example.cn by adding wildcard domain name example.cn. A client sends an HTTP request containing the wildcard domain name to the device when it accesses the external link. After the device receives the HTTP request, it restores the external link URL in the request to https://example.com and then sends the request to the Web server through HTTPS.
In the previous process, the Web server returns an HTTPS response, and the Set-Cookie header in the response might contain the Secure attribute. The Secure attribute requires a secure transmission of a cookie through HTTPS to improve the security of the cookie. Because the client requests external link resources through HTTP, it does not save the cookie with the Secure attribute. As a result, the user will go offline when it accesses the external link resources. To avoid this issue, you can execute the delete cookie-flag secure command. The Secure attribute in a Set-Cookie header returned by the Web server will be deleted, so the client will save the cookie.
For higher security, a Web server can carry the SameSite attribute for a cookie in the Set-Cookie header of an HTTP or HTTPS response. The SameSite attribute restricts third-party cookies and prevents malicious websites from forging HTTP or HTTPS requests that carry the client's cookies. After a client saves a cookie with the SameSite attribute, it regards the device enabled with the HTTP proxy service as a third-party website and therefore does not carry the cookie in the HTTP/HTTPS requests sent to the device. For the client to send the cookie in its HTTP/HTTPS requests, you can execute the delete cookie-flag samesite command to configure the device to delete the SameSite attribute from the Set-Cookie headers in HTTP/HTTPS responses returned by the Web server.
When the device requests resources from a Web server, the Set-Cookie header in the HTTP or HTTPS response returned by the Web server might contain the HTTPOnly attribute, which forbids JavaScript from accessing the cookie. After a client saves a cookie containing the HTTPOnly attribute, the client will not carry the cookie in the HTTP/HTTPS requests when it requests Web resources by JavaScript. The user will go offline due to absence of the cookie in the HTTP/HTTPS request header. In scenarios that need to retain the user status, you can use the delete cookie-flag httponly command to configure the device to delete the HTTPOnly attribute from the Set-Cookie response headers returned by the Web server.
You can execute this command multiple times to configure the device to delete multiple Set-Cookie attributes.
Execute this command for an HTTP proxy server when it is not referenced by an HTTP proxy service.
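The following is an added Python example, not code from the command reference or from the device, showing the Set-Cookie rewrite the delete cookie-flag command performs and, for each attribute it removes, what the client then stops enforcing (the three effects are the ones the usage guidelines above describe). The `COOKIE_FLAGS`, `PROTECTION_LOST` names and the sample response headers are constructed for this example; keeping every attribute other than the three selected ones untouched is an assumption about the device's behaviour.

```python
# CLI keyword -> attribute name as it appears in a Set-Cookie header
COOKIE_FLAGS = {"httponly": "HttpOnly", "samesite": "SameSite", "secure": "Secure"}

# What a browser stops enforcing once each attribute is gone; these follow the
# explanations in the usage guidelines of delete cookie-flag.
PROTECTION_LOST = {
    "httponly": "script (JavaScript) can read the cookie",
    "samesite": "the cookie is attached to cross-site requests (CSRF protection gone)",
    "secure": "the cookie may be sent over plaintext HTTP",
}


def delete_cookie_flags(set_cookie_value, flags):
    """Remove the selected attributes from one Set-Cookie header value.

    flags is a set of CLI keywords ({"secure"}, {"secure", "samesite"}, ...).
    Returns (new_value, removed_attributes). The leading name=value pair and all
    other attributes (Path, Domain, Expires, ...) are kept as they were.
    """
    unknown = set(flags) - set(COOKIE_FLAGS)
    if unknown:
        raise ValueError(f"unsupported cookie flag(s): {sorted(unknown)}")
    parts = [p.strip() for p in set_cookie_value.split(";")]
    kept, removed = [parts[0]], []
    for attr in parts[1:]:
        if not attr:
            continue
        name = attr.split("=", 1)[0].strip().lower()  # SameSite=Lax -> samesite
        (removed if name in flags else kept).append(attr)
    return "; ".join(kept), removed


def rewrite_response_headers(headers, flags):
    """Apply delete_cookie_flags to every Set-Cookie header of a response.

    headers is a list of (name, value) tuples; order and non-cookie headers are kept.
    Returns (new_headers, report), where report lists what each cookie lost.
    """
    new_headers, report = [], []
    for name, value in headers:
        if name.lower() != "set-cookie":
            new_headers.append((name, value))
            continue
        new_value, removed = delete_cookie_flags(value, flags)
        new_headers.append((name, new_value))
        cookie_name = new_value.split("=", 1)[0]
        for attr in removed:
            key = attr.split("=", 1)[0].lower()
            report.append(f"{cookie_name}: {PROTECTION_LOST[key]}")
    return new_headers, report


if __name__ == "__main__":
    # Constructed response headers, not captured from a real Web server.
    sample = [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "SESSION=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
        ("Set-Cookie", "theme=dark; Path=/"),
    ]
    out, why = rewrite_response_headers(sample, {"secure"})
    for header_name, header_value in out:
        print(f"{header_name}: {header_value}")
    for line in why:
        print("lost:", line)
```

The report half of the output is the part worth keeping in a change record: each keyword removes a browser-side protection for every cookie the Web server sets through this proxy server, so enable only the flag the external-link or keep-alive scenario actually needs, and only for the HTTP proxy server that serves it.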
Examples
# Configure HTTP proxy server test to delete the Secure attribute from Set-Cookie HTTP/HTTPS headers.
<Sysname> system-view
[Sysname] http-proxy server test
[Sysname-http-proxy-server-test] delete cookie-flag secure
Related commands
http-proxy server
service enable
denylist-domain-name
Use denylist-domain-name to specify a denylist domain name for an HTTP proxy service.
Use undo denylist-domain-name to delete a denylist domain name for an HTTP proxy service.
Syntax
denylist-domain-name domain-name
undo denylist-domain-name domain-name
Default
No denylist domain names are specified for an HTTP proxy service.
Views
HTTP proxy service view
Predefined user roles
network-admin
mdc-admin
Parameters
domain-name: Specifies a denylist domain name, a case-insensitive string with a maximum of 253 characters. The domain name can include dot-separated domain name suffixes (example.com, for example). Each domain name suffix can contain a maximum of 63 characters. You can enter three to five such suffixes. Valid characters in the domain name string include letters, digits, hyphens (-), underscores (_), dots (.), and asterisks (*). The asterisk (*) character matches domain names with a fixed starting or ending string. For example, www.example.* represents all domain names starting with www.example., and *.example.gov represents all domain names ending with .example.gov.
Usage guidelines
When a client accesses a website through an HTTP proxy service, the device returns an error page to the client if the domain name of the requested website is in the domain name denylist. When a client accesses an external link on the website proxied by an HTTP proxy service, the device returns an error page to the client if the domain name of the requested external link is in the domain name denylist.
An external link is a hyperlink that exists on the webpages of an IPv4 server accessed by a client and is used to redirect to other websites.
If you do not specify a denylist domain name or allowlist domain name for an HTTP proxy service, the device can proxy all domain names. If you specify only denylist domain names for an HTTP proxy service, the device can proxy all domain names except the domain names in the denylist. If you specify only allowlist domain names for an HTTP proxy service, the device can only proxy the domain names in the allowlist.
A maximum of 512 denylist domain names can be configured. You can execute this command multiple times to configure multiple denylist domain names.
A domain name can only be added to the domain name allowlist or the domain name denylist. The denylist-domain-name and domain-name commands are mutually exclusive.
Before specifying a denylist domain name for an HTTP proxy service, first disable the HTTP proxy service.
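The following added Python example (not code from the command reference or from the device) models the domain name matching and the allowlist/denylist decision described for denylist-domain-name and, later on this page, for domain-name: the two commands share the same pattern syntax, so one model serves both. It validates an entry against the stated character, length and asterisk rules, matches a requested host case-insensitively by fixed start or fixed end, and decides whether a request would be proxied or answered with the error page. The `DomainPolicy` class and its method names are constructed for the example; treating the mutual exclusion of the two commands as "reject an entry for one list while the other is in use" and allowing at most one asterisk per entry are assumptions, and the "three to five suffixes" rule is not enforced.

```python
import re

MAX_NAME_LEN = 253        # whole pattern
MAX_LABEL_LEN = 63        # each dot-separated label
MAX_ENTRIES = 512         # entries per list
VALID_CHARS = re.compile(r"^[A-Za-z0-9._*-]+$")


def is_valid_pattern(pattern):
    """Check one list entry against the rules in the parameter description.

    The asterisk may appear only as the first or the last character, because the
    command only matches a fixed starting or a fixed ending string (assumption:
    at most one asterisk per entry).
    """
    if not 0 < len(pattern) <= MAX_NAME_LEN or not VALID_CHARS.match(pattern):
        return False
    if any(len(label) > MAX_LABEL_LEN for label in pattern.split(".")):
        return False
    star_count = pattern.count("*")
    if star_count > 1:
        return False
    if star_count == 1 and not (pattern.startswith("*") or pattern.endswith("*")):
        return False
    return True


def matches(pattern, host):
    """Case-insensitive match of a requested host name against one list entry."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.endswith("*"):            # www.example.*  -> fixed starting string
        return host.startswith(pattern[:-1])
    if pattern.startswith("*"):          # *.example.gov  -> fixed ending string
        return host.endswith(pattern[1:])
    return host == pattern


class DomainPolicy:
    """Allowlist/denylist state of one HTTP proxy service (constructed model)."""

    def __init__(self):
        self.allowlist = []
        self.denylist = []

    def _add(self, target, other, pattern, what):
        if other:
            # domain-name and denylist-domain-name are mutually exclusive
            raise ValueError(f"cannot add a {what} entry while the other list is in use")
        if not is_valid_pattern(pattern):
            raise ValueError(f"invalid domain name pattern: {pattern!r}")
        if len(target) >= MAX_ENTRIES:
            raise ValueError(f"{what} already holds {MAX_ENTRIES} entries")
        if pattern.lower() not in (p.lower() for p in target):
            target.append(pattern)

    def add_allow(self, pattern):
        self._add(self.allowlist, self.denylist, pattern, "allowlist")

    def add_deny(self, pattern):
        self._add(self.denylist, self.allowlist, pattern, "denylist")

    def may_proxy(self, host):
        """True when the service proxies host; False when it returns the error page."""
        if self.denylist:
            return not any(matches(p, host) for p in self.denylist)
        if self.allowlist:
            return any(matches(p, host) for p in self.allowlist)
        return True      # neither list configured: every domain name is proxied


if __name__ == "__main__":
    policy = DomainPolicy()
    policy.add_deny("test.example.cn")
    for name in ("test.example.cn", "other.example.cn"):
        print(name, "->", "proxied" if policy.may_proxy(name) else "error page")
```

When reviewing a configuration, the `may_proxy` rule is the one to keep in mind: a denylist leaves everything not listed open, so an allowlist is the tighter control when the set of legitimate Web servers is known.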
Examples
# (In standalone mode.) Add domain name test.example.cn to the domain name denylist for HTTP proxy service test.
<Sysname> system-view
[Sysname] http-proxy service test slot 1
[Sysname-http-proxy-service-test-slot1] denylist-domain-name test.example.cn
Related commands
domain-name
display http-proxy
Use display http-proxy to display HTTP proxy configuration information.
Syntax
display http-proxy { server-group [ group-name ] | service [ service-name ] }
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
server-group: Specifies a Web server group.
group-name: Specifies a Web server group by its name, a case-sensitive string of 1 to 63 characters. The name can include digits, letters, and underscores (_). If you do not specify a Web server group, this command displays configuration information about all Web server groups.
service: Specifies an HTTP proxy service.
service-name: Specifies an HTTP proxy service by its name, a case-sensitive string of 1 to 63 characters. The name can include digits, letters, and underscores (_). If you do not specify an HTTP proxy service, this command displays configuration information about all HTTP proxy services.
Examples
# Display the configuration information about Web server group test.
<Sysname> display http-proxy server-group test
Server group name: test
Protocol type: HTTP
Server IP addresses: 192.168.10.10
192.168.10.12
192.168.10.14:8080
Table 1 Command output
Field | Description |
---|---|
Server group name | Web server group name. |
Protocol type | Protocol type of the Web server group. This field displays N/A if no protocol type is specified for the Web server group. |
Server IP addresses | IP addresses and port numbers of the Web servers in the Web server group. This field displays N/A if no Web server is in the Web server group. |
# Display the configuration information about HTTP proxy service test.
<Sysname> display http-proxy service test
Service name: test
IPv6 address: 2001::1
Allowlist domain names: www.aaa.example.com
www.bbb.example.com
www.ccc.example.com
Protocol types: HTTP at port 8000
HTTP [Server group: testa]
HTTP at port 8001 [Server group: testa]
HTTPS at port 8003
HTTPS [Server group: testb]
HTTPS at port 8002 [Server group: testb]
SSL certificate directory: flash:/
Domain name: www.aaa.example.com
SSL certificate file: aaa.cert
SSL key files: aaa.key
Domain name: www.bbb.example.com
SSL certificate file: bbb.cert
SSL key files: bbb.key
Hyperlink proxy strings: www.example.org
www.example.com
Failed extlink error codes: 404
502
DNS servers: 8.8.8.8
9.9.9.9
Denylist domain names: www.fff.example.com
www.eee.example.com
Monitored keyword: abc
Replaced by efg
Monitored keyword: def
Replaced by N/A
Excluded external domain name: www.abc.example.com
Include Server: server1
IP pools: 1.1.1.1 to 1.1.1.2 vpn1
2.2.2.1 to 2.2.3.1 vpn1
Wildcard domain name: extlink.example.cn
URL protection: Enabled
Referer protection: Enalbed
Extlink href: Enabled
Medialink proxy: Enabled
Failed extlink inform: Enabled
Cache data: Enabled
Cache file path: flash:/httpproxy
HTTP proxy operation recording: Enabled
Operation record file path: flash:/httpproxy/20210111.log gzip
Max zone size 4096MB
Single file size 10MB
Extlink encryption algorithm: algx
HTTP proxy status: Enabled
Table 2 Command output
Field | Description |
---|---|
Service name | HTTP proxy service name. |
IPv6 address | IPv6 address specified for the HTTP proxy service, which can be resolved from the specified domain name. This field displays N/A if no IPv6 address is specified for the HTTP proxy service. |
Allowlist domain names | Allowlist domain names for the HTTP proxy service, which can be resolved to the specified IPv6 address. This field displays N/A if no allowlist domain name is specified for the HTTP proxy service. |
Protocol types | Protocol types specified for the HTTP proxy service, listening port number, and the Web server groups bound to the HTTP proxy service. This field displays N/A if no protocol types are specified for the HTTP proxy service. |
SSL certificate file | SSL certificate file specified for the HTTP proxy service. This field displays N/A if no SSL certificate file is specified for the HTTP proxy service. |
SSL certificate key-file | SSL certificate key file specified for the HTTP proxy service. This field displays N/A if no SSL certificate key file is specified for the HTTP proxy service. |
SSL certificate directory | Directory of SSL certificate files and SSL certificate key files. This field displays N/A if the directory of the SSL certificate files and SSL certificate key files is not specified. |
Domain name | Domain name specified for the HTTPS requests of the HTTP proxy service. This field displays N/A if no domain name is specified for the HTTPS requests of the HTTP proxy service. |
SSL key file | SSL certificate key file specified for the HTTP proxy service. This field displays N/A if no SSL certificate key file is specified for the HTTP proxy service. |
Hyperlink proxy strings | External hyperlink match strings specified for the HTTP proxy service. This field displays N/A if no external hyperlink strings are specified for the HTTP proxy service. |
Failed extlink error codes | Error codes for the external link proxying failure. This field displays N/A if no error code is configured for the external link proxying failure. |
DNS servers | IP addresses of the DNS servers. This field displays N/A if no DNS server is specified. |
Denylist domain names | Denylist domain names for the HTTP proxy service. This field displays N/A if no denylist domain name is specified for the HTTP proxy service. |
Monitored keyword | Monitored keyword of the HTTP proxy service. This field displays N/A if no keyword is specified to be monitored by the HTTP proxy service. |
Replaced by | Keyword to replace the monitored keyword. This field displays N/A if no keyword is specified to replace the monitored keyword of the HTTP proxy service. |
Excluded external domain name | Domain name of the external link that will not be proxied by the HTTP proxy service. This field displays N/A if you have not specified an external link domain name to be excluded from proxying by the HTTP proxy service. |
Include Server | HTTP proxy server view referenced by the HTTP proxy service. This field displays N/A if no HTTP proxy server view is referenced. |
IP pools | Source IP pools used for Web server connections. This field displays N/A if no IP pool is specified for the HTTP proxy. |
Wildcard domain name | Wildcard domain name for the HTTP proxy service. |
URL protection | URL protection status of the HTTP proxy service: · Enabled. · Disabled. |
Referer protection | Referer protection status of the HTTP proxy service: · Enabled. · Disabled. |
Extlink href | External link reference status of the HTTP proxy service: · Enabled. · Disabled. |
Medialink proxy | Status of the external media link proxy feature: · Enabled. · Disabled. |
Failed extlink inform | Status of the external link proxying failure informing feature: · Enabled. · Disabled. |
Cache data | Web resource caching status of the HTTP proxy service: · Enabled. · Disabled. |
Cache file path | Path for saving the cache files of the HTTP proxy service. This field displays N/A if no cache file path is specified. |
HTTP proxy operation recording | Status of the HTTP proxy operation recording feature: · Enabled. · Disabled. |
Operation record file path | Directory for saving an HTTP proxy operation recording file. This field displays N/A if no directory is specified for saving an HTTP proxy operation recording file. If an HTTP proxy operation recording file is compressed, this field displays the directory and the file compression format. |
Max zone size | Maximum size of the log file zone. This field displays N/A if no maximum size is specified for the log file zone. |
Single file size | Size of a single file. This field displays N/A if no size is specified for a single log file. |
Extlink encryption algorithm | Algorithm used in wildcard domain name encryption for an HTTP proxy service. This field displays N/A if no algorithm is specified. |
HTTP proxy status | Status of the HTTP proxy service: · Enabled. · Disabled. |
Related commands
http-proxy server-group
http-proxy service
display http-proxy monitor-info
Use display http-proxy monitor-info to display keyword monitoring information of an HTTP proxy service.
Syntax
display http-proxy monitor-info service service-name [ keyword monitor-string ]
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
service service-name: Specifies an HTTP proxy service by its name, a case-sensitive string of 1 to 63 characters. The name can include digits, letters, and underscores (_).
keyword monitor-string: Specifies a monitored keyword. The monitor-string argument is a string of 1 to 127 characters and supports Chinese characters in UTF-8 encoding. If you do not specify this option, this command displays information about all monitored keywords.
Examples
# Display information about monitored and replaced keywords by HTTP proxy service test.
<Sysname> system-view
[Sysname] display http-proxy monitor-info service test
Monitored keyword: aabbcc
Time: 2021/01/11 20:39:38
URL: http://a.example.com/index.html
Replaced by: bbddcc
Monitored keyword: qqwwee
Time: 2021/01/11 20:39:38
URL: http://b.example.com/index.html
Replaced by: N/A
Table 3 Command output
Field | Description |
---|---|
Monitored keyword | Keyword monitored by the HTTP proxy service. |
Time | Time when the device finds the monitored keyword. |
URL | URL of the monitored keyword. |
Replaced by | Keyword used to replace the monitored keyword. This field displays N/A if no keyword is specified to replace the monitored keyword. |
display http-proxy server
Use display http-proxy server to display the configuration for an HTTP proxy server.
Syntax
display http-proxy server server-name
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
server-name: Specifies an HTTP proxy server by its name, a case-sensitive string of 1 to 63 characters. The name can include digits, letters, and underscores (_).
Examples
# Display the configuration for HTTP proxy server test.
[Sysname] display http-proxy server test
Server name: test
IPv6 address: 2001::1
Allowlist domain names: www.abcd.example.com
Protocol types: HTTP at port 8000
Failed extlink error codes: N/A
Excluded external domain name: N/A
Restore request header name: N/A
Replace response header name: N/A
Include external domain name: N/A
Include redirect domain name: N/A
Referer protection domain name: N/A
Allowlist: N/A
Delete cookie flag: secure
Restore request querystring: Disabled
Extlink href: Disabled
Failed extlink inform: Disabled
Cache data: Disabled
Cache file path: N/A
Table 4 Command output
Field | Description |
---|---|
Server name | Name of an HTTP proxy server. |
IPv6 address | IPv6 address configured in the HTTP proxy server view. This field displays N/A if no IPv6 address is configured. |
Allowlist Domain name | Allowlist domain name configured in the HTTP proxy server view. This field displays N/A if no allowlist domain name is configured. |
Protocol types | Protocol types and listening port number specified for the HTTP proxy service in the HTTP proxy server view. This field displays N/A if no protocol types and listening port number are specified. |
Failed extlink error codes | Error codes for the external link proxying failure configured in the HTTP proxy server view. This field displays N/A if no error code is configured for the external link proxying failure. |
Excluded external domain name | Domain name of the external link not to be proxied by the HTTP proxy service, configured in the HTTP proxy server view. This field displays N/A if you have not specified an external link domain name to be excluded from proxying by the HTTP proxy service. |
Restore request header name | Fields in the request header to be restored, configured in the HTTP proxy server view. The field displays N/A if no fields in the request header to be restored are configured. |
Replace response header name | Fields in the response header to be replaced, configured in the HTTP proxy server view. The field displays N/A if no fields in the response header to be replaced are configured. |
Include external domain name | Domain name of the external link to be proxied, configured in the HTTP proxy server view. The field displays N/A if the domain name of an external link to be proxied is not configured. |
Include redirect domain name | Redirect URL domain name that allows replacement, configured in the HTTP proxy server view. The field displays N/A if a redirect URL domain name that allows replacement is not configured. |
Referer protection domain name | Domain name of the proxied external link for which the device enables the referer protection feature, configured in the HTTP proxy server view. The field displays N/A if no such domain name is configured. |
Allowlist | Referer allowlist. The field displays N/A if no referer allowlist is configured. |
Delete cookie flag | Flag in the response header Set-Cookie attributes to be deleted, configured in the HTTP proxy server view. The field displays N/A if no such flag is configured. |
Restore request querystring | Status of the querystring restoration feature configured in the HTTP proxy server view: · Enabled. · Disabled. |
Extlink href | External link reference status configured in the HTTP proxy server view: · Enabled. · Disabled. |
Failed extlink inform | Status of the external link proxying failure informing feature configured in the HTTP proxy server view: · Enabled. · Disabled. |
Cache data | Web resource caching status configured in the HTTP proxy server view: · Enabled. · Disabled. |
Cache file path | Path for saving the cache files. This field displays N/A if no cache file path is specified. |
Related commands
denylist-domain-name
service enable
display http-proxy statistics service
Use display http-proxy statistics service to display statistics for an HTTP proxy service.
Syntax
display http-proxy statistics service service-name
Views
Any view
Predefined user roles
network-admin
network-operator
mdc-admin
mdc-operator
Parameters
service-name: Specifies an HTTP proxy service by its name, a case-sensitive string of 1 to 63 characters. The name can include digits, letters, and underscores (_).
Examples
# Display statistics for HTTP proxy service test1.
<Sysname> display http-proxy statistics service test1
Service name: test1
Active connections: 2
Requests: 1
Table 5 Command output
Field | Description |
---|---|
Service name | HTTP proxy service name. |
Active connections | Number of active HTTP/HTTPS connections, including both connections currently being accessed and those waiting to be accessed. |
Requests | Number of requests for Web resources. |
dns-server
Use dns-server to specify a DNS server for an HTTP proxy service.
Use undo dns-server to remove a DNS server for an HTTP proxy service.
Syntax
dns-server ip-address
undo dns-server ip-address
Default
No DNS servers are specified for an HTTP proxy service.
Views
HTTP proxy service view
Predefined user roles
network-admin
mdc-admin
Parameters
ip-address: Specifies a DNS server by its IPv4 address.
Usage guidelines
This command configures a DNS server to resolve the domain names of the Web servers. To enable the device to proxy hyperlinks on the Web servers or to proxy Web servers using different domain names, configure a minimum of one DNS server for an HTTP proxy service.
Before specifying a DNS server for an HTTP proxy service, first disable the HTTP proxy service.
A maximum of two DNS servers can be specified for an HTTP proxy service.
Examples
# (In standalone mode.) Specify DNS server 8.8.8.8 for HTTP proxy service test.
<Sysname> system-view
[Sysname] http-proxy service test slot 1
[Sysname-http-proxy-service-test-slot1] dns-server 8.8.8.8
Related commands
hyperlink-proxy
medialink-proxy enable
domain-name
Use domain-name to specify an allowlist domain name for an HTTP proxy service.
Use undo domain-name to delete an allowlist domain name for an HTTP proxy service.
Syntax
domain-name domain-name
undo domain-name domain-name
Default
No allowlist domain names are specified for an HTTP proxy service.
Views
HTTP proxy service view
HTTP proxy server view
Predefined user roles
network-admin
mdc-admin
Parameters
domain-name: Specifies an allowlist domain name, a case-insensitive string of a maximum of 253 characters. The domain name consists of three to five dot-separated labels (for example, test.example.com), each of a maximum of 63 characters. Valid characters in the domain name string include letters, digits, hyphens (-), underscores (_), dots (.), and the asterisk (*). The asterisk matches a series of domain names that share a fixed starting or ending string. For example, www.example.* represents all domain names that start with www.example., and *.example.gov represents all domain names that end with .example.gov.
Usage guidelines
After you configure allowlist domain names, when a client tries to access a website through the proxy service, the device returns an error page to the client if the domain name of the requested website is not in the allowlist.
If you have not configured a wildcard domain name or enabled external link reference for an HTTP proxy service, the device responds to a client that requests an external link on a Web server with a new domain name. The new domain name is composed of the domain name specified by this command plus the domain name of the external link, so the device can use the specified DNS server to resolve the new domain name into the IP address of the server that hosts the external link resource. For this to work, the domain name specified by this command must be the same as the domain name of the Web server that the client accesses. The proxy configuration in HTTP proxy server view cannot proxy an external link by using the domain name specified by this command plus the domain name of the external link.
For more information about external link, see HTTP proxy configuration in Layer 3—IP Services Configuration Guide.
A maximum of 512 allowlist domain names can be configured in a view. You can execute this command multiple times to configure multiple allowlist domain names.
A domain name can only be added to the domain name allowlist or the domain name denylist. The denylist-domain-name and domain-name commands are mutually exclusive.
Before specifying an allowlist domain name for an HTTP proxy service, first disable the HTTP proxy service. Before specifying an allowlist domain name for an HTTP proxy server, make sure the HTTP proxy server is not referenced.
You cannot execute this command for an HTTP proxy service that has referenced an HTTP proxy server.
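The following Python example is added here to illustrate the allowlist rules above; it is not H3C code and does not run on the device. It implements the wildcard matching that the domain-name argument describes (a leading or trailing asterisk, case-insensitive), the argument validation (1 to 253 characters, three to five labels of at most 63 characters, at most 512 entries, and the mutual exclusivity with denylist-domain-name), and the dispatch that include server performs when a request host matches a server view's allowlist or falls through to the view referenced with default. The class and function names, and the assumption that a denylisted host is answered with the error page, are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

_LABEL = re.compile(r"^[A-Za-z0-9_-]{1,63}$")
MAX_ENTRIES = 512  # allowlist or denylist entries per view


def validate_pattern(pattern: str) -> str:
    """Apply the argument rules of domain-name: 1 to 253 characters, three
    to five dot-separated labels of at most 63 characters, letters, digits,
    '-', '_' and a single '*' that may only stand at the very start or the
    very end. Returns the pattern lower-cased (matching is case-insensitive)."""
    if not 1 <= len(pattern) <= 253:
        raise ValueError("length must be 1 to 253 characters")
    if pattern.count("*") > 1 or ("*" in pattern and pattern[0] != "*" and pattern[-1] != "*"):
        raise ValueError("a single '*' is allowed, only as prefix or suffix")
    labels = pattern.split(".")
    if not 3 <= len(labels) <= 5:
        raise ValueError("three to five dot-separated labels required")
    for i, label in enumerate(labels):
        core = label
        if i == 0 and core.startswith("*"):
            core = core[1:]
        if i == len(labels) - 1 and core.endswith("*"):
            core = core[:-1]
        if label == "*" and core == "":
            continue  # bare wildcard label, as in *.example.gov
        if not _LABEL.match(core):
            raise ValueError(f"invalid label {label!r}")
    return pattern.lower()


def matches(pattern: str, host: str) -> bool:
    """'www.example.*' matches every host starting with 'www.example.';
    '*.example.gov' every host ending with '.example.gov'; otherwise exact."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    if pattern.endswith("*"):
        return host.startswith(pattern[:-1])
    return host == pattern


@dataclass
class ProxyServer:
    """One http-proxy server view: its allowlist, denylist and default flag."""
    name: str
    default: bool = False
    allow: List[str] = field(default_factory=list)
    deny: List[str] = field(default_factory=list)

    def _add(self, target, other, pattern, other_name):
        p = validate_pattern(pattern)
        if p in other:
            raise ValueError(f"{p} is already on the {other_name}; the two lists are mutually exclusive")
        if p not in target:
            if len(target) >= MAX_ENTRIES:
                raise ValueError("at most 512 entries per view")
            target.append(p)

    def add_allow(self, pattern: str) -> None:
        self._add(self.allow, self.deny, pattern, "denylist")

    def add_deny(self, pattern: str) -> None:
        self._add(self.deny, self.allow, pattern, "allowlist")


def select_server(host: str, servers: List[ProxyServer]) -> Optional[str]:
    """Pick the server view that serves a request for `host`, as include
    server describes: a host on any denylist gets the error page (None);
    a view whose allowlist matches wins; otherwise the view referenced with
    the default keyword serves it, and without one the request is refused."""
    for s in servers:
        if any(matches(p, host) for p in s.deny):
            return None
    for s in servers:
        if any(matches(p, host) for p in s.allow):
            return s.name
    for s in servers:
        if s.default:
            return s.name
    return None
```

Note that the matcher compares whole host names, so an allowlist entry test.example.cn does not match test.example.cn.attacker.net, and *.example.gov does not match the bare example.gov; a trailing wildcard such as www.example.* is deliberately broad and matches any suffix a client can register.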
Examples
# (In standalone mode.) Specify allowlist domain name test.example.cn for HTTP proxy service test.
<Sysname> system-view
[Sysname] http-proxy service test slot 1
[Sysname-http-proxy-service-test-slot1] domain-name test.example.cn
# Specify allowlist domain name test.example.cn for the HTTP proxy service of HTTP proxy server test.
<Sysname> system-view
[Sysname] http-proxy server test
[Sysname-http-proxy-server-test] domain-name test.example.cn
Related commands
denylist-domain-name
http-proxy server
include server
service enable
exclude-external-domain
Use exclude-external-domain to specify an external link domain name not to be proxied by an HTTP proxy service, hereinafter referred to as excluded external domain name.
Use undo exclude-external-domain to remove an excluded external domain name.
Syntax
exclude-external-domain domain-name
undo exclude-external-domain domain-name
Default
No excluded external domain names are specified for an HTTP proxy service.
Views
HTTP proxy service view
HTTP proxy server view
Predefined user roles
network-admin
mdc-admin
Parameters
domain-name: Specifies an external link domain name, a case-insensitive string of 1 to 253 characters. Valid characters in the domain name string include letters, digits, hyphens (-), underscores (_), and dots (.).
Usage guidelines
After you configure this command, the device does not add the domain name of the HTTP proxy service to the specified external link domain name, so clients cannot reach external links of that domain through the HTTP proxy service. Use this feature with caution. For more information about external links, see HTTP proxy configuration in Layer 3—IP Services Configuration Guide.
Before specifying an excluded external domain name for an HTTP proxy service, disable the HTTP proxy service. Before specifying an excluded external domain name for an HTTP proxy server, make sure the HTTP proxy server is not referenced.
A maximum of 512 external link domain names can be configured in a view. You can execute this command multiple times to configure multiple external link domain names.
A domain name is either proxied or excluded from proxying. The exclude-external-domain and hyperlink-proxy commands are mutually exclusive for the same domain name.
Examples
# (In standalone mode.) Configure HTTP proxy service test to not proxy the requests for external links of domain name test.example.cn.
<Sysname> system-view
[Sysname] http-proxy service test slot 1
[Sysname-http-proxy-service-test-slot1] exclude-external-domain test.example.cn
# In HTTP proxy server test, configure the HTTP proxy service to not proxy the requests for external links of domain name test.example.cn.
<Sysname> system-view
[Sysname] http-proxy server test
[Sysname-http-proxy-server-test] exclude-external-domain test.example.cn
Related commands
http-proxy server
hyperlink-proxy
service enable
extlink-encryption algorithm
Use extlink-encryption algorithm to enable wildcard domain name encryption feature for an HTTP proxy service.
Use undo extlink-encryption algorithm to disable wildcard domain name encryption feature for an HTTP proxy service.
Syntax
extlink-encryption algorithm { algx | algy | algz }
undo extlink-encryption algorithm { algx | algy | algz }
Default
The wildcard domain name encryption feature for an HTTP proxy service is disabled.
Views
HTTP proxy service view
Predefined user roles
network-admin
mdc-admin
Parameters
algx: Specifies algorithm x.
algy: Specifies algorithm y.
algz: Specifies the standard MD5 algorithm. Note that MD5 is a hash function rather than a cipher and is no longer considered collision resistant.
Usage guidelines
With wildcard domain name encryption enabled, the device uses the specified algorithm to encrypt external links that contain the wildcard domain name when it proxies them. When the client later accesses such an external link, its HTTP or HTTPS request carries the encrypted link; the device decrypts the link and then proxies the resource. This prevents unauthorized users from forging wildcard domain names to reach external links through the proxy and consume proxy resources.
Enable wildcard domain name encryption for an HTTP proxy service when the HTTP proxy service is disabled.
To enable wildcard domain name encryption for an HTTP proxy service, make sure the HTTP proxy service has referenced an HTTP proxy server by using the include server command. To cancel the reference to an HTTP proxy server, first disable wildcard domain name encryption for the current HTTP proxy service.
Examples
# (In standalone mode.) Use algorithm x to encrypt the wildcard domain name of HTTP proxy service test on slot 1.
<Sysname> system-view
[Sysname] http-proxy service test slot 1
[Sysname-http-proxy-service-test-slot1] extlink-encryption algorithm algx
Related commands
service enable
extlink-href enable
Use extlink-href enable to enable external link reference for an HTTP proxy service.
Use undo extlink-href enable to disable external link reference for an HTTP proxy service.
Syntax
extlink-href enable
undo extlink-href enable
Default
The external link reference feature for an HTTP proxy service is disabled.
Views
HTTP proxy service view
HTTP proxy server view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
The external link reference feature enables the clients to access all external links on webpages of any Web server. To configure the device to not proxy the requests for external links of a specific domain name, execute the exclude-external-domain command. For more information about external link, see HTTP proxy configuration in Layer 3—IP Services Configuration Guide.
To use this feature, you must execute the wildcard-domain-name command. After you configure a wildcard domain name and enable the external link reference feature, the device will add http:// and the specified wildcard domain name to the external link domain name that is requested by a client.
Before enabling external link reference for an HTTP proxy service, first disable the HTTP proxy service. Before enabling external link reference for an HTTP proxy server, make sure the HTTP proxy server is not referenced.
You cannot execute this command for an HTTP proxy service that has referenced an HTTP proxy server.
If the external media link proxy and specified external link proxy features are both disabled, disable the external link proxying failure informing and redirection features before you disable external link reference.
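The following Python example is added to show, end to end, what the external link handling described for domain-name, exclude-external-domain, extlink-encryption algorithm and extlink-href enable does to a proxied page. It is not H3C code. It rewrites absolute href and src URLs on a page so that they point under the wildcard domain (http:// plus the wildcard domain name), leaves excluded domains alone, and, when a key is given, embeds a keyed tag that the proxy checks on the way back so a client cannot mint a proxied name for an arbitrary host. The exact layout of the rewritten host name and the tag construction (a truncated HMAC-SHA256) are the example's assumptions; the reference only states that algx, algy and MD5 are offered.

```python
import hashlib
import hmac
import re
from urllib.parse import urlsplit

# href="..." / src="..." attributes that carry an absolute http(s) URL.
_URL_ATTR = re.compile(r'((?:href|src)\s*=\s*["\'])(https?://[^"\']+)(["\'])', re.I)


class ExtLinkRewriter:
    """Rewrites external links on proxied pages to names under the wildcard
    domain, skips excluded domains, and optionally embeds a keyed tag so a
    client cannot forge a proxied name for a host of its choosing."""

    def __init__(self, wildcard_domain: str, excluded=(), key: bytes = None):
        # "*.proxy.example.cn" -> "proxy.example.cn"
        self.suffix = wildcard_domain.lstrip("*").lstrip(".").lower()
        self.excluded = {d.lower() for d in excluded}
        self.key = key  # None models extlink-encryption disabled

    def _tag(self, host: str) -> str:
        # Assumed construction: truncated HMAC-SHA256 over the real host.
        return hmac.new(self.key, host.encode(), hashlib.sha256).hexdigest()[:16]

    def _excluded(self, host: str) -> bool:
        # exclude-external-domain: the domain and its subdomains stay untouched
        return any(host == d or host.endswith("." + d) for d in self.excluded)

    def proxied_host(self, host: str) -> str:
        host = host.lower()
        if self.key is None:
            return f"{host}.{self.suffix}"
        return f"{host}.{self._tag(host)}.{self.suffix}"

    def rewrite_url(self, url: str) -> str:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if not host or self._excluded(host) or host.endswith("." + self.suffix):
            return url  # excluded, or already points at the proxy
        # The reference says http:// plus the wildcard domain is prepended;
        # an explicit port in the original netloc is dropped here (assumption).
        return parts._replace(scheme="http", netloc=self.proxied_host(host)).geturl()

    def rewrite_html(self, html: str) -> str:
        return _URL_ATTR.sub(lambda m: m.group(1) + self.rewrite_url(m.group(2)) + m.group(3), html)

    def resolve(self, requested_host: str):
        """Inverse step on the client's later request: recover the real
        external host, verifying the tag when encryption is on. Returns None
        for a name this rewriter never produced, which is the forged-wildcard
        case the feature is meant to block."""
        h = requested_host.lower()
        if not h.endswith("." + self.suffix):
            return None
        inner = h[: -len(self.suffix) - 1]
        if self.key is None:
            return inner or None
        if "." not in inner:
            return None
        host, tag = inner.rsplit(".", 1)
        if not hmac.compare_digest(tag, self._tag(host)):
            return None  # forged or tampered name: refuse to proxy it
        return host
```

Without the key, any client can request evil.example.com.proxy.example.cn and make the proxy fetch evil.example.com on its behalf; with the key, resolve() rejects the name unless the tag was produced by the proxy itself, which is the resource exhaustion and open-proxy abuse that wildcard domain name encryption is meant to prevent.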
Examples
# (In standalone mode.) Enable external link reference for HTTP proxy service test.
<Sysname> system-view
[Sysname] http-proxy service test slot 1
[Sysname-http-proxy-service-test-slot1] extlink-href enable
# Enable external link reference for the HTTP proxy service of HTTP proxy server test.
<Sysname> system-view
[Sysname] http-proxy server test
[Sysname-http-proxy-server-test] extlink-href enable
Related commands
exclude-external-domain
failed-extlink inform
failed-extlink redirect
http-proxy server
include server
service enable
wildcard-domain-name
failed-extlink inform
Use failed-extlink inform to enable the external link proxying failure informing feature.
Use undo failed-extlink inform to disable the external link proxying failure informing feature.
Syntax
failed-extlink inform
undo failed-extlink inform
Default
The external link proxying failure informing feature is disabled.
Views
HTTP proxy service view
HTTP proxy server view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
With this feature enabled, the message Error on page. Please visit URL XXX. is displayed when external link proxying fails, where XXX is the URL of the failed external link. An IPv6 user can then access that URL directly without using the HTTP proxy service.
Before enabling external link proxying failure informing for an HTTP proxy service, first disable the HTTP proxy service. Before enabling external link proxying failure informing for an HTTP proxy server, make sure the HTTP proxy server is not referenced.
You cannot execute this command for an HTTP proxy service that has referenced an HTTP proxy server.
To make this feature take effect, execute the following commands as needed:
· hyperlink-proxy
· medialink-proxy enable
· extlink-href enable
Examples
# (In standalone mode.) Enable external link proxying failure informing for HTTP proxy service test.
<Sysname> system-view
[Sysname] http-proxy service test slot 1
[Sysname-http-proxy-service-test-slot1] failed-extlink inform
# Enable external link proxying failure informing for the HTTP proxy service of HTTP proxy server test.
<Sysname> system-view
[Sysname] http-proxy server test
[Sysname-http-proxy-server-test] failed-extlink inform
Related commands
extlink-href enable
http-proxy server
hyperlink-proxy
include server
medialink-proxy enable
failed-extlink redirect
Use failed-extlink redirect to enable the external link proxying failure redirection feature.
Use undo failed-extlink redirect to disable the external link proxying failure redirection feature.
Syntax
failed-extlink redirect error-code
undo failed-extlink redirect error-code
Default
The external link proxying failure redirection feature is disabled.
Views
HTTP proxy service view
HTTP proxy server view
Predefined user roles
network-admin
mdc-admin
Parameters
error-code: Specifies an error code. Currently, the device supports error codes starting with 4 or 5 (4xx and 5xx). Error code 499 is not supported.
Usage guidelines
Enable this feature when IPv6 users fail to obtain part or all of the requested Web resources through the HTTP proxy service because the external link server returns an error. The device redirects requests for external links that failed with one of the specified error codes, so the IPv6 user can access the external link server directly without using the HTTP proxy service.
Before enabling external link proxying failure redirection for an HTTP proxy service, first disable the HTTP proxy service. Before enabling external link proxying failure redirection for an HTTP proxy server, make sure the HTTP proxy server is not referenced.
You cannot execute this command for an HTTP proxy service that has referenced an HTTP proxy server.
You can execute this command multiple times to configure multiple error codes that can be redirected.
To make this feature take effect, execute the following commands as needed:
· hyperlink-proxy
· medialink-proxy enable
· extlink-href enable
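The following Python example is added to illustrate the two failure handlers, failed-extlink inform and failed-extlink redirect, side by side; it is not H3C code. The error-code validation (4xx or 5xx, never 499) and the message text come from this reference. The response layout, the rule that a matching redirect code takes precedence over the informing message, and the helper names are assumptions of the example.

```python
from typing import Dict, Iterable, Tuple


def validate_redirect_code(code: int) -> int:
    """Accept only what failed-extlink redirect takes: a 4xx or 5xx code,
    excluding 499 (nginx's non-standard 'client closed request' code)."""
    if not 400 <= code <= 599:
        raise ValueError("error code must start with 4 or 5")
    if code == 499:
        raise ValueError("error code 499 is not supported")
    return code


class FailedExtlinkPolicy:
    """What the proxy answers when the external link server fails."""

    def __init__(self, inform: bool = False, redirect_codes: Iterable[int] = ()):
        self.inform = inform
        self.redirect_codes = {validate_redirect_code(c) for c in redirect_codes}

    def handle(self, upstream_status: int, original_url: str) -> Tuple[int, Dict[str, str], bytes]:
        """Return (status, headers, body) for the client, given the status
        the external link server returned for `original_url`."""
        if upstream_status in self.redirect_codes:
            # failed-extlink redirect: send the IPv6 client to the external
            # server itself. It therefore bypasses the proxy for that URL and
            # must be able to reach the external server directly.
            return 302, {"Location": original_url}, b""
        if self.inform and upstream_status >= 400:
            # failed-extlink inform: keep the upstream status, tell the user
            # where to go by hand.
            msg = f"Error on page. Please visit URL {original_url}."
            return upstream_status, {"Content-Type": "text/plain; charset=utf-8"}, msg.encode()
        return upstream_status, {}, b""  # neither feature: pass the error through
```

The redirect path is the one to review carefully: it turns a proxied request into a direct client connection to the external host, so enabling it for a broad code such as 404 sends users outside the proxy whenever a linked resource is missing.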
Examples
# (In standalone mode.) Enable external link proxying failure redirection for HTTP proxy service test.
<Sysname> system-view
[Sysname] http-proxy service test slot 1
[Sysname-http-proxy-service-test-slot1] failed-extlink redirect 502
# Enable external link proxying failure redirection for the HTTP proxy service of HTTP proxy server test.
<Sysname> system-view
[Sysname] http-proxy server test
[Sysname-http-proxy-server-test] failed-extlink redirect 502
Related commands
extlink-href enable
http-proxy server
hyperlink-proxy
include server
medialink-proxy enable
http-proxy server-group
Use http-proxy server-group to create a Web server group and enter its view, or enter the view of an existing Web server group.
Use undo http-proxy server-group to delete a Web server group.
Syntax
http-proxy server-group group-name
undo http-proxy server-group group-name
Default
No Web server groups exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
group-name: Specifies the name of the Web server group, a case-sensitive string of 1 to 63 characters. The name can include digits, letters, and underscores (_).
Usage guidelines
You cannot delete a Web server group that has been bound to an HTTP proxy service, regardless of whether the HTTP proxy service is enabled.
Examples
# Create Web server group test and enter its view.
<Sysname> system-view
[Sysname] http-proxy server-group test
[Sysname-http-proxy-server-group-test]
Related commands
protocol-type (HTTP proxy service view)
http-proxy server
Use http-proxy server to create an HTTP proxy server and enter its view, or enter an existing HTTP proxy server view.
Use undo http-proxy server to delete an HTTP proxy server and all the configurations in the HTTP proxy server view.
Syntax
http-proxy server server-name
undo http-proxy server server-name
Default
No HTTP proxy servers exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
server-name: Specifies an HTTP proxy server name, a case-sensitive string of 1 to 63 characters. The name can include digits, letters, and underscores (_).
Usage guidelines
You can configure HTTP proxy service settings in both HTTP proxy service view and HTTP proxy server view. The settings in HTTP proxy service view apply to all the Web servers on the device, IRF member device, or card. The settings in HTTP proxy server view apply only to the specified Web server resources. An HTTP proxy server view has smaller granularity and higher flexibility. Using HTTP proxy servers, you can configure different proxy configurations for different Web server resources according to the requirements of users or Web servers.
The settings in an HTTP proxy service view also take effect on the HTTP proxy server. To delete an HTTP proxy server, first execute the undo include server command to cancel the reference to the HTTP proxy server, and then execute the undo http-proxy server command to delete the server.
Examples
# Create HTTP proxy server test and enter its view.
<Sysname> system-view
[Sysname] http-proxy server test
[Sysname-http-proxy-server-test]
Related commands
domain-name
include server
http-proxy service
Use http-proxy service to create an HTTP proxy service and enter its view, or enter the view of an existing HTTP proxy service.
Use undo http-proxy service to delete an HTTP proxy service.
Syntax
In standalone mode:
http-proxy service service-name slot slot-number
undo http-proxy service service-name slot
In IRF mode:
http-proxy service service-name chassis chassis-number slot slot-number
undo http-proxy service service-name chassis
Default
No HTTP proxy services exist.
Views
System view
Predefined user roles
network-admin
mdc-admin
Parameters
service-name: Specifies an HTTP proxy service by its name, a case-sensitive string of 1 to 63 characters. The name can include digits, letters, and underscores (_).
slot slot-number: Specifies a card by its slot number. (In standalone mode.)
chassis chassis-number slot slot-number: Specifies a card on an IRF member device. The chassis-number argument represents the member ID of the IRF member device. The slot-number argument represents the slot number of the card. (In IRF mode.)
Examples
# (In standalone mode.) Create HTTP proxy service test on a module and enter its view.
<Sysname> system-view
[Sysname] http-proxy service test slot 1
[Sysname-http-proxy-service-test-slot1]
Related commands
service enable
hyperlink-proxy
Use hyperlink-proxy to specify an external link to be proxied by an HTTP proxy service.
Use undo hyperlink-proxy to remove an external link from the external hyperlinks proxied by an HTTP proxy service.
Syntax
hyperlink-proxy link-string
undo hyperlink-proxy link-string
Default
No external links to be proxied are specified for an HTTP proxy service.
Views
HTTP proxy service view
Predefined user roles
network-admin
mdc-admin
Parameters
link-string: Specifies the URL of an external link, a case-insensitive string of 1 to 253 characters. The string can include letters, digits, hyphens (-), underscores (_), slashes (/), and dots (.).
Usage guidelines
By default, the clients cannot use an HTTP proxy service to access external links. In HTTP proxy service view, you can specify external links to be proxied by the HTTP proxy service. For more information about external link, see HTTP proxy configuration in Layer 3—IP Services Configuration Guide.
Before specifying an external link to be proxied by an HTTP proxy service, first disable the HTTP proxy service.
The HTTP proxy service proxies every specified external link on the webpages requested by a client, which might introduce security risks. Use this feature with caution.
To use this feature, you must also configure the domain-name and dns-server commands.
If the external link reference and external media link proxy features are both disabled, disable the external link proxying failure informing and redirection features before you disable the specified external link proxy feature.
You cannot execute this command for an HTTP proxy service that has referenced an HTTP proxy server.
Examples
# (In standalone mode.) Specify external link www.example.org to be proxied by HTTP proxy service test.
<Sysname> system-view
[Sysname] http-proxy service test slot 1
[Sysname-http-proxy-service-test-slot1] hyperlink-proxy www.example.org
Related commands
dns-server
domain-name
exclude-external-domain
failed-extlink inform
failed-extlink redirect
include-external-domain
Use include-external-domain to configure an external link domain name in an HTTP proxy server view.
Use undo include-external-domain to delete the configurations for the external link domain name in the HTTP proxy server view.
Syntax
include-external-domain domain-name
undo include-external-domain [ domain-name ]
Default
No external link domain name is configured in an HTTP proxy server view.
Views
HTTP proxy server view
Predefined user roles
network-admin
mdc-admin
Parameters
domain-name: Specifies an external link domain name in the HTTP proxy server view, prefixed with http:// or https://. The domain name is a case-insensitive string of a maximum of 253 characters consisting of three to five dot-separated labels (for example, test.example.cn), each of a maximum of 63 characters. Valid characters in the domain name string include letters, digits, hyphens (-), underscores (_), and dots (.).
Usage guidelines
For an HTTP proxy service with a specified wildcard domain name, if the external link reference feature in an HTTP proxy server view is disabled, by default, the device cannot use configurations in the view to proxy an external link. After you configure this command, the device will replace the external link domain name specified by the domain-name argument in the HTTP or HTTPS response header returned by the Web server. It adds the specified wildcard domain name to the external link domain name to proxy the specified external link. This command can be applied in scenarios where the device only needs to proxy part of the external link resources.
This command does not take effect if the external link reference feature in an HTTP proxy server view is enabled.
A maximum of 512 external link domain names can be configured in an HTTP proxy server view. You can execute this command multiple times to configure multiple external link domain names.
Execute this command when the current HTTP proxy server view is not referenced.
Examples
# Configure external link domain name test.example.cn in HTTP proxy server view test.
<Sysname> system-view
[Sysname] http-proxy server test
[Sysname-http-proxy-server-test] include-external-domain http://test.example.cn
Related commands
extlink-external-domain
http-proxy server
service enable
wildcard-domain-name
include-redirect-domain
Use include-redirect-domain to configure a redirect URL domain name that allows replacement in an HTTP proxy server view.
Use undo include-redirect-domain to delete the configurations for the redirect URL domain name that allows replacement in the HTTP proxy server view.
Syntax
include-redirect-domain domain-name
undo include-redirect-domain [ domain-name ]
Default
No redirect URL domain name that allows replacement is configured in an HTTP proxy server view.
Views
HTTP proxy server view
Predefined user roles
network-admin
mdc-admin
Parameters
domain-name: Specifies a redirect URL domain name that allows replacement, prefixed with http:// or https://. The domain name is a case-insensitive string of a maximum of 253 characters consisting of three to five dot-separated labels (for example, test.example.cn), each of a maximum of 63 characters. Valid characters in the domain name string include letters, digits, hyphens (-), underscores (_), and dots (.).
Usage guidelines
For an HTTP proxy service with a specified wildcard domain name, if the external link reference feature in an HTTP proxy server view is disabled, by default, the device cannot use configurations in the view to proxy a redirect URL. After you configure this command, the device will replace the redirect URL domain name specified by the domain-name argument in the HTTP or HTTPS response header returned by the Web server. It adds the specified wildcard domain name to the redirect URL domain name to proxy the redirect URL. This command can be applied in scenarios where the device only needs to proxy part of the external link resources.
This command does not take effect if the external link reference feature in an HTTP proxy server view is enabled.
You can execute this command multiple times to configure multiple redirect URL domain names that allow replacement.
Execute this command when the current HTTP proxy server view is not referenced.
Examples
# Configure redirect URL domain name test.example.cn to be replaced in HTTP proxy server view test.
<Sysname> system-view
[Sysname] http-proxy server test
[Sysname-http-proxy-server-test] include-redirect-domain http://test.example.cn
Related commands
extlink-external-domain
http-proxy server
service enable
wildcard-domain-name
include server
Use include server to reference an HTTP proxy server.
Use undo include server to cancel the reference to an HTTP proxy server.
Syntax
include server server-name [ default ]
undo include server server-name
Default
No HTTP proxy server is referenced in an HTTP proxy service.
Views
HTTP proxy service view
Predefined user roles
network-admin
mdc-admin
Parameters
server-name: Specifies an HTTP proxy server view by its name, a case-sensitive string of 1 to 63 characters. The name can include digits, letters, and underscores (_).
default: Specifies the referenced HTTP proxy server view as the default HTTP proxy server view. Only one HTTP proxy server view can be the default. If you do not specify this keyword, the referenced view is a non-default HTTP proxy server view.
Usage guidelines
The device will use the configurations in the HTTP proxy server view to proxy the domain name Web resources specified by the domain-name command, if you perform the following operations:
· Execute the domain-name command in an HTTP proxy server view.
· Execute the include server command to reference the HTTP proxy server view in an HTTP proxy service view.
After the default HTTP proxy server view is referenced, if the Web resources requested by the client does not match the domain names specified in any HTTP proxy server view, the device will use the configurations in the default HTTP proxy server view for proxy.
Reference an HTTP proxy server view only when the HTTP proxy service is disabled. If none of the referenced HTTP proxy server views is specified as the default, the HTTP proxy service cannot be enabled.
If the cache-data, domain-name, extlink-href enable, failed-extlink inform, failed-extlink redirect, medialink-proxy enable, hyperlink-proxy, ipv6-address, or protocol-type command is configured in an HTTP proxy service view, you cannot reference an HTTP proxy server view from that service.
Examples
# (In standalone mode.) Reference HTTP proxy server server1 in HTTP proxy service test on slot 1.
<Sysname> system-view
[Sysname] http-proxy service test slot 1
[Sysname-http-proxy-service-test-slot1] include server server1
Related commands
http-proxy server
service enable
ip-address
Use ip-address to add a Web server to a Web server group.
Use undo ip-address to remove a Web server from a Web server group.
Syntax
ip-address ip-address [ port port-number ]
undo ip-address ip-address [ port port-number ]
Default
No Web servers exist in a Web server group.
Views
Web server group view
Predefined user roles
network-admin
mdc-admin
Parameters
ip-address: Specifies the IPv4 address of the Web server.
port port-number: Specifies the port number of the Web server, in the range of 1 to 65535.
Usage guidelines
You can repeat this command to add multiple Web servers to a Web server group.
If a Web server group has been bound to an HTTP proxy service, you cannot modify the IP address or port number of any Web server in this Web server group.
Examples
# Add the Web server with IP address 10.1.1.10 and port number 8000 to Web server group test.
<Sysname> system-view
[Sysname] http-proxy server-group test
[Sysname-http-proxy-server-group-test] ip-address 10.1.1.10 port 8000
ip-pool
Use ip-pool to configure a source IP pool used for Web server connection.
Use undo ip-pool to delete the source IP pool used for Web server connection.
Syntax
ip-pool start-address end-address [ vpn-instance vpn-instance-name ]
undo ip-pool [ start-address end-address [ vpn-instance vpn-instance-name ] ]
Default
No source IP pools are specified for Web server connection.
Views
HTTP proxy service view
Predefined user roles
network-admin
mdc-admin
Parameters
start-address end-address: Specifies the start IP address and end IP address of a source IP pool. The end address cannot be lower than the start address. If the start and end IP addresses are the same, the source IP pool has only one IP address.
vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the IP pool is on the public network.
Usage guidelines
By default, the device uses the IP address of the outgoing interface of the default route as the source address of its TCP connections to Web servers. A single source IP address supports a maximum of 65535 TCP connections (one per source port). To allow the device to establish more TCP connections with Web servers, configure source IP pools with this command. The device then uses an address from a source IP pool as the source address of Web server connections.
You can execute this command multiple times to specify a maximum of 64 source IP pools. An IP pool can contain a maximum of 512 IP addresses. The IP addresses in different source IP pools cannot overlap with each other.
The source IP pools configured in the same HTTP proxy service must belong to the same VPN instance. The IP pools configured in the different HTTP proxy services must belong to different VPN instances.
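The following Python example is added to illustrate the ip-pool limits above and why a pool raises the connection ceiling; it is not H3C code. It enforces the rules stated in this reference (end address not lower than start, at most 512 addresses per pool, at most 64 pools per service, no overlap, one VPN instance per service, and disjoint VPN instances across services) and hands out the pool address with the most free source ports for each new Web server connection. The class names and the least-loaded selection strategy are the example's assumptions; the reference does not say how the device chooses an address within a pool.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

MAX_POOLS = 64          # source IP pools per HTTP proxy service
MAX_POOL_ADDRS = 512    # addresses per pool
PORTS_PER_ADDR = 65535  # TCP connections one source address can carry


@dataclass
class ProxyService:
    name: str
    vpn: Optional[str] = None
    pools: List[Tuple[int, int]] = field(default_factory=list)   # (start, end) as ints
    in_use: Dict[int, int] = field(default_factory=dict)         # address -> open connections

    def add_pool(self, start: str, end: str, vpn_instance: Optional[str] = None) -> None:
        """Model 'ip-pool start end [ vpn-instance name ]' with its checks."""
        s = int(ipaddress.IPv4Address(start))
        e = int(ipaddress.IPv4Address(end))
        if e < s:
            raise ValueError("end address cannot be lower than start address")
        if e - s + 1 > MAX_POOL_ADDRS:
            raise ValueError("a pool holds at most 512 addresses")
        if len(self.pools) >= MAX_POOLS:
            raise ValueError("at most 64 pools per service")
        if self.pools and vpn_instance != self.vpn:
            raise ValueError("all pools of one service must be in the same VPN instance")
        for ps, pe in self.pools:
            if s <= pe and ps <= e:
                raise ValueError("pool overlaps an existing pool")
        self.pools.append((s, e))
        self.vpn = vpn_instance

    def capacity(self) -> int:
        """Upper bound on concurrent Web server connections from the pools."""
        return sum(e - s + 1 for s, e in self.pools) * PORTS_PER_ADDR

    def pick_source(self) -> Optional[str]:
        """Hand out the pool address with the most free ports for a new
        Web server connection; None once every address is exhausted."""
        best, best_free = None, 0
        for s, e in self.pools:
            for addr in range(s, e + 1):
                free = PORTS_PER_ADDR - self.in_use.get(addr, 0)
                if free > best_free:
                    best, best_free = addr, free
        if best is None:
            return None
        self.in_use[best] = self.in_use.get(best, 0) + 1
        return str(ipaddress.IPv4Address(best))


def check_vpn_disjoint(services: List[ProxyService]) -> None:
    """Pools of different services must sit in different VPN instances."""
    owner: Dict[Optional[str], str] = {}
    for svc in services:
        if not svc.pools:
            continue
        if svc.vpn in owner:
            raise ValueError(f"VPN {svc.vpn!r} already used by service {owner[svc.vpn]}")
        owner[svc.vpn] = svc.name
```

Pool addresses become source addresses on the Web server side, so they must be routable back to the device in the VPN instance named, and any access control on the Web servers has to admit the whole pool rather than the device's interface address alone.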
Examples
# (In standalone mode.) Configure a source IP pool that contains IP addresses 1.1.1.1 through 1.1.1.100 and belongs to VPN instance vpn1 for HTTP proxy service test.
<Sysname> system-view
[Sysname] http-proxy service test slot 1
[Sysname-http-proxy-service-test-slot1] ip-pool 1.1.1.1 1.1.1.100 vpn-instance vpn1
ipv6-address
Use ipv6-address to specify an IPv6 address for an HTTP proxy service.
Use undo ipv6-address to delete the IPv6 address for an HTTP proxy service.
Syntax
ipv6-address ipv6-address
undo ipv6-address
Default
No IPv6 address is specified for an HTTP proxy service.
Views
HTTP proxy service view
HTTP proxy server view
Predefined user roles
network-admin
mdc-admin
Parameters
ipv6-address: Specifies an IPv6 address for an HTTP proxy service.
Usage guidelines
Clients use the specified IPv6 address of an HTTP proxy service to communicate, through the device, with the Web server group bound to the HTTP proxy service.
Before specifying an IPv6 address for an HTTP proxy service, first disable the HTTP proxy service and ensure that the current HTTP proxy server view is not referenced.
Do not use this command in an HTTP proxy service view after an HTTP proxy server view is referenced.
Examples
# (In standalone mode.) Specify 2001::1 as the IPv6 address of HTTP proxy service test.
<Sysname> system-view
[Sysname] http-proxy service test slot 1
[Sysname-http-proxy-service-test-slot1] ipv6-address 2001::1
# Specify 2001::1 as the IPv6 address of an HTTP proxy service in HTTP proxy server view test.
<Sysname> system-view
[Sysname] http-proxy server test
[Sysname-http-proxy-server-test] ipv6-address 2001::1
Related commands
http-proxy server
include server
service enable
keyword monitor
Use keyword monitor to specify a keyword to be monitored by an HTTP proxy service and a keyword to replace the monitored keyword.
Use undo keyword monitor to cancel the monitoring of a keyword.
Syntax
keyword monitor keyword-string
undo keyword monitor keyword-string
Default
No keywords are specified to be monitored by an HTTP proxy service.
Views
HTTP proxy service view
Predefined user roles
network-admin
mdc-admin
Parameters
keyword-string: Specifies a keyword to be monitored and, optionally, a keyword to replace the monitored keyword. The keyword-string argument is a string of 1 to 255 characters and supports Chinese characters in UTF-8 encoding format. If you specify both a monitored keyword and a replacement keyword, enter them in that order, separated by a space. For example, the string abc def specifies that keyword def replaces monitored keyword abc. If you do not need a replacement keyword, enter only the monitored keyword.
Usage guidelines
To specify multiple keywords to be monitored by an HTTP proxy service, execute this command multiple times. A maximum of 512 keywords can be monitored by an HTTP proxy service.
You can execute this command to specify the keywords to be monitored by the device and to specify the keywords to replace the monitored keywords. To view the monitored keywords and keywords used to replace the monitored keywords, execute the display http-proxy or display http-proxy monitor-info command.
Before modifying the keyword monitored by an HTTP proxy service or modifying the keyword used to replace the monitored keyword, first disable the HTTP proxy service.
Examples
# Configure HTTP proxy service test to monitor keyword abc.
<Sysname> system-view
[Sysname] http-proxy service test
[Sysname-http-proxy-service-test] keyword monitor abc
# Configure HTTP proxy service test to monitor keyword abc and to use keyword def to replace monitored keyword abc.
<Sysname> system-view
[Sysname] http-proxy service test
[Sysname-http-proxy-service-test] keyword monitor abc def
Related commands
display http-proxy monitor-info
service enable
medialink-proxy enable
Use medialink-proxy enable to enable the external media link proxy feature for an HTTP proxy service.
Use undo medialink-proxy enable to disable the external media link proxy feature for an HTTP proxy service.
Syntax
medialink-proxy enable
undo medialink-proxy enable
Default
The external media link proxy feature for an HTTP proxy service is disabled.
Views
HTTP proxy service view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
This feature enables the clients to access external media files linked to webpages of the Web servers proxied by the HTTP proxy service. For more information about external link, see HTTP proxy configuration in Layer 3—IP Services Configuration Guide.
To use this feature, you must also configure the domain-name and dns-server commands.
To disable the external media link proxy feature when the external link reference and specified external link proxy features are disabled, first disable the external link proxying failure informing and redirection features.
Do not use this command when the current HTTP proxy service view references an HTTP proxy server view.
Examples
# (In standalone mode.) Enable the external media link proxy feature for HTTP proxy service test.
<Sysname> system-view
[Sysname] http-proxy service test slot 1
[Sysname-http-proxy-service-test-slot1] medialink-proxy enable
Related commands
dns-server
domain-name
failed-extlink inform
failed-extlink redirect
protocol-type (Web server group view)
Use protocol-type to specify a protocol type for a Web server group.
Use undo protocol-type to delete the protocol settings for a Web server group.
Syntax
protocol-type { http | https }
undo protocol-type
Default
No protocol types are specified for a Web server group.
Views
Web server group view
Predefined user roles
network-admin
mdc-admin
Parameters
http: Specifies the HTTP protocol.
https: Specifies the HTTPS protocol.
Usage guidelines
If a Web server group has been bound to an HTTP proxy service, you cannot change the protocol type specified for that Web server group.
The device uses the specified protocol to encapsulate HTTP or HTTPS requests sent to Web servers in the Web server group.
If you execute this command multiple times, the most recent configuration takes effect.
Examples
# Specify HTTP as the protocol type of Web server group test.
<Sysname> system-view
[Sysname] http-proxy server-group test
[Sysname-http-proxy-server-group-test] protocol-type http
protocol-type (HTTP proxy server view)
Use protocol-type to specify a protocol type and listening port number for an HTTP proxy service in an HTTP proxy server view.
Use undo protocol-type to delete the protocol and listening port settings for the HTTP proxy service in the HTTP proxy server view.
Syntax
protocol-type { http | https } [ port port-number ]
undo protocol-type { http | https } [ port port-number ]
Default
No protocol type or listening port number is specified for an HTTP proxy service in an HTTP proxy server view.
Views
HTTP proxy server view
Predefined user roles
network-admin
mdc-admin
Parameters
http: Specifies the HTTP protocol.
https: Specifies the HTTPS protocol.
port port-number: Specifies the port number on which the HTTP proxy service listens. The value range is 1 to 65535. The default listening port number for the HTTP protocol and HTTPS protocol is 80 and 443, respectively.
Usage guidelines
With this command configured, if an IPv6 client uses the specified protocol and port number to access a Web server:
· For an IPv6 Web server, the device directly forwards the IPv6 packets received from the client to the Web server.
· For an IPv4 Web server, the device first converts the IPv6 packets of the client to IPv4 packets. Then the device uses the specified protocol to encapsulate the packets before sending them to the specified Web server.
The protocol type and port number supported by an HTTP proxy service must match those in an HTTP or HTTPS request of an IPv6 client.
You can execute this command multiple times to configure multiple listening ports for an HTTP proxy service. If you execute this command multiple times for a listening port, the most recent configuration takes effect.
Execute this command when the current HTTP proxy server view is not referenced.
Examples
# Specify HTTP and port number 8000 as the protocol type and listening port number of an HTTP proxy service in HTTP proxy server view test.
<Sysname> system-view
[Sysname] http-proxy server test
[Sysname-http-proxy-server-test] protocol-type http port 8000
Related commands
http-proxy server
include server
protocol-type (HTTP proxy service view)
Use protocol-type to specify a protocol type and listening port number for an HTTP proxy service and bind a Web server group to the service.
Use undo protocol-type to delete the protocol and listening port settings for an HTTP proxy service and unbind the Web server group from the service.
Syntax
protocol-type { http | https } [ port port-number ] [ server-group group-name ]
undo protocol-type { http | https } [ port port-number ] [ server-group group-name ]
Default
No protocol type or listening port number is specified for an HTTP proxy service and no Web server group is bound to the HTTP proxy service.
Views
HTTP proxy service view
Predefined user roles
network-admin
mdc-admin
Parameters
http: Specifies the HTTP protocol.
https: Specifies the HTTPS protocol.
port port-number: Specifies the port number on which the HTTP proxy service listens. The value range is 1 to 65535. The default listening port number for the HTTP protocol and HTTPS protocol is 80 and 443, respectively.
server-group group-name: Specifies a Web server group by its name, a case-insensitive string of 1 to 63 characters. The name can include digits, letters, and underscores (_). If you do not specify this option, the device can access all Web servers.
Usage guidelines
With this command configured, if an IPv6 client uses the specified protocol and port number to access a Web server:
· For an IPv6 Web server, the device directly forwards the IPv6 packets received from the client to the Web server.
· For an IPv4 Web server, the device first converts the IPv6 packets of the client to IPv4 packets. Then the device uses the specified protocol to encapsulate the packets before sending them to the specified Web server.
To access different Web servers, you can execute this command multiple times to configure multiple listening ports and Web server groups for an HTTP proxy service. If you execute this command multiple times for a listening port, the most recent configuration takes effect.
As a best practice, do not bind HTTP proxy services of different protocol types to the same Web server group. One port number can be bound to only one Web server group that has been specified with a protocol type and contains Web servers.
The protocol type and port number supported by an HTTP proxy service must match those in an HTTP or HTTPS request of an IPv6 client.
Do not use this command when an HTTP proxy server view is referenced. Execute this command when an HTTP proxy service is disabled.
Examples
# (In standalone mode.) Specify HTTP and port number 8000 as the protocol type and listening port number of HTTP proxy service test and bind Web server group grouptest to the HTTP proxy service.
<Sysname> system-view
[Sysname] http-proxy service test slot 1
[Sysname-http-proxy-service-test-slot1] protocol-type http port 8000 server-group grouptest
referer-protection domain
Use referer-protection domain to configure a referer allowlist domain name.
Use undo referer-protection domain to delete the configurations for the referer allowlist domain name.
Syntax
referer-protection domain domain-name allowlist allowlist-domain-name
undo referer-protection domain domain-name [ allowlist allowlist-domain-name ]
Default
No referer allowlist domain name is configured.
Views
HTTP proxy server view
Predefined user roles
network-admin
mdc-admin
Parameters
domain-name: Specifies a domain name proxied in HTTP proxy service. The domain name suffix is a dot-separated string, for example, example.com. Each separated string includes no more than 63 characters. You can enter a minimum of three such strings or a maximum of five such strings. The domain name is a case-insensitive string, including a maximum of 253 characters. Valid characters in the domain name string include letters, digits, hyphens (-), underscores (_), and dots (.).
allowlist-domain-name: Specifies a referer allowlist domain name. The domain name suffix is a dot-separated string, for example, example.com. Each separated string includes no more than 63 characters. You can enter a minimum of three such strings or a maximum of five such strings. The domain name is a case-insensitive string. The maximum number of characters that can be entered varies by device model. Valid characters in the domain name string include letters, digits, hyphens (-), underscores (_), dots (.), and the asterisk (*). The asterisk (*) character matches a series of domain names with a fixed starting or ending string. For example, www.example.* includes all domain names starting with www.example., and *.example.gov includes all domain names ending with .example.gov.
Usage guidelines
With the referer allowlist domain names configured, the referer protection feature is enabled in domain name proxy. When a client accesses a domain name, if the domain name in the referer request header of the sent HTTP or HTTPS request packets is not in the domain name allowlist, the device will deny the requests. The referer protection feature prevents other websites from stealing webpage resources of the proxied Web servers.
You can execute this command multiple times to configure multiple referer allowlist domain names for a proxied domain name. If you execute both the referer-protection domain command and the referer-protection enable command, the referer request header in the sent HTTP or HTTPS request packets needs to meet the requirements of both commands. Otherwise, the requests are denied.
Execute this command when the current HTTP proxy server is not referenced.
Examples
# In HTTP proxy server view test, enable referer protection for domain name test.example.cn, and configure referer allowlist domain name test1.example.cn.
<Sysname> system-view
[Sysname] http-proxy server test
[Sysname-http-proxy-server-test] referer-protection domain test.example.cn allowlist test1.example.cn
Related commands
http-proxy server
referer-protection enable
service enable
referer-protection enable
Use referer-protection enable to enable referer protection for an HTTP proxy service.
Use undo referer-protection enable to disable referer protection for an HTTP proxy service.
Syntax
referer-protection enable
undo referer-protection enable
Default
The referer protection feature for an HTTP proxy service is disabled.
Views
HTTP proxy service view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
With the referer protection feature enabled for an HTTP proxy service, the HTTP proxy service matches the referer field in each client HTTP request against the specified allowlist domain names. This lets the HTTP proxy service filter requests for website resources and prevent other websites from stealing webpage resources of the proxied Web servers. To make the referer protection feature take effect, first execute the domain-name command to specify the allowlist domain names.
Before enabling referer protection for an HTTP proxy service, first disable the HTTP proxy service.
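The following is an added example, not H3C code, showing how a proxy can enforce the referer allowlist described for the referer-protection domain and referer-protection enable commands. It implements the matching rule the parameter description gives (an entry without a wildcard must match the Referer host exactly, www.example.* matches any host starting with www.example., and *.example.gov matches any host ending with .example.gov, all case-insensitively). The configuration layout, the function names and the treatment of a request that carries no Referer header are assumptions.

```python
"""Referer allowlist check modelled on the referer-protection commands.

Added example, not H3C code. Matching rule: an entry without a wildcard must
match the Referer host exactly; www.example.* matches hosts starting with
"www.example."; *.example.gov matches hosts ending with ".example.gov".
Matching is case-insensitive. The configuration layout, function names and
the handling of a missing Referer header are assumptions.
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Constructed configuration (assumption), equivalent in meaning to:
#   referer-protection domain test.example.cn allowlist test1.example.cn
#   referer-protection domain test.example.cn allowlist *.example.gov
#   referer-protection domain shop.example.cn allowlist www.example.*
PER_DOMAIN_ALLOWLIST: Dict[str, List[str]] = {
    "test.example.cn": ["test1.example.cn", "*.example.gov"],
    "shop.example.cn": ["www.example.*"],
}


def domain_matches(pattern: str, host: str) -> bool:
    """Match one allowlist entry against a host, case-insensitively."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*"):          # *.example.gov -> suffix match
        return host.endswith(pattern[1:])
    if pattern.endswith("*"):            # www.example.* -> prefix match
        return host.startswith(pattern[:-1])
    return host == pattern               # no wildcard -> exact match


def referer_host(referer: Optional[str]) -> Optional[str]:
    """Return the host named in a Referer header, or None if it has none.

    urlsplit().hostname lowercases the host and strips any port or userinfo;
    it is None for relative references or values without a scheme.
    """
    if not referer:
        return None
    return urlsplit(referer.strip()).hostname


def referer_allowed(proxied_host: str, referer: Optional[str],
                    allowlists: Dict[str, List[str]] = PER_DOMAIN_ALLOWLIST,
                    allow_missing_referer: bool = False) -> bool:
    """Decide whether a request to proxied_host passes referer protection.

    If no allowlist is configured for the proxied domain, protection is not
    active for it and the request passes. Otherwise the Referer host must
    match at least one entry. A request without a usable Referer is denied
    unless allow_missing_referer is set (assumption: the page does not say
    how a missing header is treated).
    """
    entries = allowlists.get(proxied_host.lower())
    if not entries:
        return True
    host = referer_host(referer)
    if host is None:
        return allow_missing_referer
    return any(domain_matches(entry, host) for entry in entries)


def filter_requests(requests):
    """Apply referer_allowed to (host, referer) pairs; return the denied ones."""
    return [(h, r) for h, r in requests if not referer_allowed(h, r)]


if __name__ == "__main__":
    # Constructed sample requests; the second and fourth are denied.
    SAMPLE = [
        ("test.example.cn", "https://test1.example.cn/index.html"),
        ("test.example.cn", "https://hotlink.example.org/copy.html"),
        ("test.example.cn", "https://portal.example.gov/news"),
        ("test.example.cn", None),
        ("shop.example.cn", "https://www.example.net/"),
        ("other.example.cn", "https://anything.invalid/"),
    ]
    for host, ref in SAMPLE:
        verdict = "allow" if referer_allowed(host, ref) else "deny"
        print(f"{verdict:5s} host={host} referer={ref}")
```

Note that *.example.gov does not match the bare host example.gov, exactly as the parameter description reads ("ending with .example.gov"); if the apex host must also be accepted, add it as a separate exact entry.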
Examples
# (In standalone mode.) Enable referer protection for HTTP proxy service test.
<Sysname> system-view
[Sysname] http-proxy service test slot 1
[Sysname-http-proxy-service-test-slot1] referer-protection enable
Related commands
domain-name
service enable
replace response-header
Use replace response-header to enable the replacement of specified fields in an HTTP or HTTPS response header.
Use undo replace response-header to disable the replacement of specified fields in an HTTP or HTTPS response header.
Syntax
replace response-header { access-control-allow-origin | location | p3p | refresh | vary }
undo replace response-header { access-control-allow-origin | location | p3p | refresh | vary }
Default
The replacement of all fields in an HTTP or HTTPS response header is disabled.
Views
HTTP proxy server view
Predefined user roles
network-admin
mdc-admin
Parameters
access-control-allow-origin: Specifies the access-control-allow-origin field in a response header.
location: Specifies the location field in a response header.
p3p: Specifies the p3p field in a response header.
refresh: Specifies the refresh field in a response header.
vary: Specifies the vary field in a response header.
Usage guidelines
By default, the device does not replace the fields in the HTTP or HTTPS response header. After the external link reference feature is enabled, the device can proxy any external links. When the device proxies external links on the Web server with origins outside the server, the client needs to send cross-domain requests. However, some clients do not allow cross-domain requests, so they cannot access external links with origins outside the server. With the replace response-header command enabled, the device uses the wildcard domain name specified by the wildcard-domain-name command to replace specified fields in an HTTP or HTTPS response header. For example, the device modifies https://www.example.com in the referer field into http://https-example-abc-com.example.cn (with wildcard domain name example.cn specified). When the client receives the HTTP or HTTPS response with the replaced response header, it does not consider the access request in the response as a cross-domain request. In this way, it can access external links with origins outside the server.
You can execute this command multiple times to configure multiple fields to be replaced in an HTTP or HTTPS response header.
Specify the access-control-allow-origin field in the response header when the current HTTP proxy server view is not referenced.
Examples
# Specify the access-control-allow-origin field in a response header in HTTP proxy server view test.
<Sysname> system-view
[Sysname] http-proxy server test
[Sysname-http-proxy-server-test] replace response-header access-control-allow-origin
Related commands
extlink-href enable
http-proxy server
service enable
wildcard-domain-name
restore request-header
Use restore request-header to enable the restoration of fields in an HTTP or HTTPS request header.
Use undo restore request-header to disable the restoration of fields in the HTTP or HTTPS request header.
Syntax
restore request-header { origin | referer | x-wap-profile }
undo restore request-header { origin | referer | x-wap-profile }
Default
The restoration of fields in an HTTP or HTTPS request header is disabled.
Views
HTTP proxy server view
Predefined user roles
network-admin
mdc-admin
Parameters
origin: Specifies the origin field in a request header.
referer: Specifies the referer field in a request header.
x-wap-profile: Specifies the x-wap-profile field in a request header.
Usage guidelines
After the replace response-header command is enabled, the device uses the wildcard domain name to replace specified fields in an HTTP or HTTPS response header. When the client sends HTTP or HTTPS requests according to the response from the device, the relevant fields in the request header are the replaced fields. With the restore request-header command enabled, the device restores the replaced fields to ensure normal proxy of Web sources.
You can execute this command multiple times to configure multiple fields to be restored in an HTTP or HTTPS request header.
Specify the origin field in a request header when the current HTTP proxy server view is not referenced.
Examples
# Specify the origin field in a request header in HTTP proxy server view test.
<Sysname> system-view
[Sysname] http-proxy server test
[Sysname-http-proxy-server-test] restore request-header origin
Related commands
http-proxy server
service enable
wildcard-domain-name
restore request-querystring
Use restore request-querystring to enable the restoration of QueryString in Web requests.
Use undo restore request-querystring to disable the restoration of QueryString in Web requests.
Syntax
restore request-querystring
undo restore request-querystring
Default
The restoration of QueryString in Web requests is disabled.
Views
HTTP proxy server view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
After the external link reference feature is enabled, the QueryString parameters in the URLs of the HTTP or HTTPS request packets sent by the client may contain domain names replaced by the device. By default, the device does not restore the replaced domain names in the QueryString parameters, and thus the client cannot access Web sources through the QueryString parameters. With this command enabled, the device restores the replaced fields in the QueryString parameters to the original domain name, so as to ensure that the client can obtain the requested resources normally.
Execute this command when the current HTTP proxy server view is not referenced.
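The following is an added example, not H3C code, that walks through the round trip described for the replace response-header, restore request-header and restore request-querystring commands: an external origin such as https://www.example.com is rewritten onto a host label under the proxy's wildcard domain in response headers, and the label is mapped back to the original origin when it returns in the Origin, Referer or X-WAP-Profile request headers or inside a query-string value. The label format (scheme and host joined with hyphens), the lookup table used for restoration and the class and method names are assumptions; the page shows only that https://www.example.com becomes a host under example.cn.

```python
"""External-link origin rewriting and restoration, modelled on the
replace response-header, restore request-header and restore
request-querystring commands. Added example, not H3C code; the label
format, the lookup table and all names are assumptions.
"""
import re
from typing import Dict
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Refresh header values look like "5; url=https://..."; only the URL changes.
_REFRESH_URL = re.compile(r"(url=)(\S+)", re.IGNORECASE)


class ExtlinkRewriter:
    # Header fields the commands above can replace or restore.
    RESPONSE_FIELDS = ("location", "access-control-allow-origin", "refresh")
    REQUEST_FIELDS = ("origin", "referer", "x-wap-profile")

    def __init__(self, wildcard_domain: str):
        self.wildcard_domain = wildcard_domain.lower()
        self._suffix = "." + self.wildcard_domain
        # label -> original origin, filled as responses are rewritten (assumption)
        self._origins: Dict[str, str] = {}

    def rewrite_origin(self, url: str) -> str:
        """Rewrite an absolute external URL to live under the wildcard domain."""
        parts = urlsplit(url)
        host = parts.hostname
        if parts.scheme not in ("http", "https") or not host:
            return url                       # relative or non-web URL: untouched
        if host == self.wildcard_domain or host.endswith(self._suffix):
            return url                       # already inside the proxied domain
        label = f"{parts.scheme}-{host.replace('.', '-')}"
        port = f":{parts.port}" if parts.port else ""
        self._origins[label] = f"{parts.scheme}://{host}{port}"
        return urlunsplit(("http", label + self._suffix, parts.path,
                           parts.query, parts.fragment))

    def restore_origin(self, url: str) -> str:
        """Inverse of rewrite_origin for URLs this proxy produced; others untouched."""
        parts = urlsplit(url)
        host = parts.hostname or ""
        if not host.endswith(self._suffix):
            return url
        original = self._origins.get(host[:-len(self._suffix)])
        if original is None:
            return url                       # not a label this proxy issued
        scheme, netloc = original.split("://", 1)
        return urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))

    def replace_response_headers(self, headers: Dict[str, str]) -> Dict[str, str]:
        """Replace origins in the response fields the proxy is set to replace."""
        out = {}
        for name, value in headers.items():
            key = name.lower()
            if key == "refresh":
                value = _REFRESH_URL.sub(
                    lambda m: m.group(1) + self.rewrite_origin(m.group(2)), value)
            elif key in self.RESPONSE_FIELDS and value != "*":
                value = self.rewrite_origin(value)
            out[name] = value
        return out

    def restore_request_headers(self, headers: Dict[str, str]) -> Dict[str, str]:
        """Put the original origins back into Origin/Referer/X-WAP-Profile."""
        return {name: (self.restore_origin(value)
                       if name.lower() in self.REQUEST_FIELDS else value)
                for name, value in headers.items()}

    def restore_query_string(self, url: str) -> str:
        """Restore rewritten origins carried inside query parameter values."""
        parts = urlsplit(url)
        if not parts.query:
            return url
        pairs = [(k, self.restore_origin(v))
                 for k, v in parse_qsl(parts.query, keep_blank_values=True)]
        return urlunsplit((parts.scheme, parts.netloc, parts.path,
                           urlencode(pairs), parts.fragment))


if __name__ == "__main__":
    rw = ExtlinkRewriter("example.cn")
    # Constructed response from an external server, as seen by the proxy.
    print(rw.replace_response_headers({
        "Location": "https://www.example.com/login",
        "Access-Control-Allow-Origin": "https://www.example.com"}))
    # The client echoes the rewritten origin back; the proxy restores it.
    print(rw.restore_request_headers({
        "Origin": "http://https-www-example-com.example.cn"}))
```

The restoration deliberately uses a table rather than reversing the string: a hyphen-joined label is not injective (a-b.example.com and a.b.example.com collapse to the same label), so a stateless inverse could hand a request to the wrong origin. A label the proxy never issued is left untouched rather than guessed at.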
Examples
# Enable the restoration of QueryString in Web requests in HTTP proxy server view test.
<Sysname> system-view
[Sysname] http-proxy server test
[Sysname-http-proxy-server-test] restore request-querystring
Related commands
extlink-href enable
http-proxy server
service enable
wildcard-domain-name
service enable
Use service enable to enable an HTTP proxy service.
Use undo service enable to disable an HTTP proxy service.
Syntax
service enable
undo service enable
Default
An HTTP proxy service is disabled.
Views
HTTP proxy service view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
The HTTP proxy service requires a license. For more information about licenses, see license management in Fundamentals Configuration Guide.
Before enabling an HTTP proxy service, perform the following tasks:
· Specify a protocol type for the HTTP proxy service and bind a Web server group to the service.
· Specify an IPv6 address for the HTTP proxy service.
· If HTTPS is specified as the protocol type for the HTTP proxy service, specify an SSL certificate file and SSL certificate key file for the service by using the ssl certificate file and ssl certificate key-file commands, respectively.
· If you enable the external media link proxy feature or specify external hyperlinks to be proxied on webpages, configure the dns-server command.
If an HTTP proxy service has been enabled, you can execute only the access-record enable command in the view of this service.
Examples
# (In standalone mode.) Enable HTTP proxy service test.
<Sysname> system-view
[Sysname] http-proxy service test slot 1
[Sysname-http-proxy-service-test-slot1] service enable
Related commands
dns-server
domain-name
hyperlink-proxy
ipv6-address
medialink-proxy enable
protocol-type (HTTP proxy service view)
ssl certificate file
ssl certificate key-file
ssl certificate directory
Use ssl certificate directory to specify a directory to store SSL certificates and SSL certificate key files.
Use undo ssl certificate directory to cancel the directory configuration.
Syntax
ssl certificate directory directory [ encryption ]
undo ssl certificate directory
Default
No directory is specified to store SSL certificates and SSL certificate key files.
Views
HTTP proxy service view
Predefined user roles
network-admin
mdc-admin
Parameters
directory: Specifies a directory to store SSL certificate files and SSL certificate key files. The directory specified by the directory argument must include the slot number in the format of slotn# to specify the location of the storage media. The n indicates the slot number of the active MPU or master device that has storage media. (In standalone mode.)
directory: Specifies a directory to store SSL certificate files and SSL certificate key files. The directory specified by the directory argument must include the chassis number and slot number in the format of chassism#slotn# to specify the location of the storage media. The m and n indicate the member number of the master device and the slot number of the active MPU that has storage media, respectively. (In IRF mode.)
encryption: Uses the GM algorithm to encrypt all SSL certificate-related files in the specified directory. If you do not specify this keyword, SSL certificate-related files will not be encrypted.
Usage guidelines
Application scenarios
For an HTTP proxy service to proxy HTTPS requests, you must specify an SSL certificate file and SSL certificate key file for the HTTP proxy service. This command specifies the directory to store SSL certificate files and SSL certificate key files.
Operating mechanism
After you execute this command, the system will check whether the specified directory exists:
· If yes, the configuration succeeds.
· If not, the configuration fails.
Specifying the encryption keyword allows the device to encrypt SSL certificate-related files when an HTTP proxy service is enabled on the device. In addition, the device will decrypt the SSL certificate-related files only when SSL certificate-related files are required for HTTPS access. This enhances the security of HTTP proxy services.
Restrictions and guidelines
The encrypted files are in .enc format, so the device cannot encrypt files suffixed with .enc in the specified directory.
When the device encrypts an SSL certificate-related file, it generates a new encrypted file and deletes the original file. Cancelling this configuration will not delete that encrypted file or restore the original file. Therefore, when you enable file encryption and an HTTP proxy service, to perform configuration rollback or reconfigure unencrypted files after cancelling this configuration, re-upload SSL certificate-related files to the device.
Before modifying the directory for storing SSL certificate files and SSL certificate key files for an HTTP proxy service, first disable the HTTP proxy service.
If you execute this command multiple times, the most recent configuration takes effect. The directory specified by this command is used to store SSL certificate files and SSL certificate key files specified by the ssl certificate domain-name file key-file command.
This command is mutually exclusive with the ssl certificate file command and the ssl certificate key-file command.
Examples
# (In standalone mode.) Specify directory slot1#flash:/ssl-certificate for HTTP proxy service test to store SSL certificate files and SSL certificate key files.
<Sysname> system-view
[Sysname] http-proxy service test slot 1
[Sysname-http-proxy-service-test-slot1] ssl certificate directory slot1#flash:/ssl-certificate
# (In standalone mode.) Specify directory flash:/ssl-certificate for HTTP proxy service test to store SSL certificate files and SSL certificate key files, and use the GM algorithm to encrypt all SSL certificate-related files in the directory.
<Sysname> system-view
[Sysname] http-proxy service test slot 1
[Sysname-http-proxy-service-test-slot1] ssl certificate directory flash:/ssl-certificate encryption
Related commands
protocol-type (HTTP proxy service view)
ssl certificate domain-name file key-file
service enable
ssl certificate domain-name file key-file
Use ssl certificate domain-name file key-file to specify an SSL certificate file and SSL certificate key file for an HTTP proxy service to allow it to proxy the HTTPS requests for a specific domain name.
Use undo ssl certificate domain-name to delete the specified SSL certificate file and SSL certificate key file for an HTTP proxy service to allow it to proxy the HTTPS requests for a specific domain name.
Syntax
ssl certificate domain-name domain-name file certificate-file key-file key-file
undo ssl certificate domain-name domain-name
Default
No SSL certificate file and SSL certificate key file are specified for an HTTP proxy service to allow it to proxy the HTTPS requests for a specific domain name.
Views
HTTP proxy service view
Predefined user roles
network-admin
mdc-admin
Parameters
domain-name: Specifies a domain name, a case-insensitive string with a maximum of 253 characters. The domain name can include dot-separated domain name suffixes (example.com, for example). Each domain name suffix can contain a maximum of 63 characters. You can enter a minimum of three such suffixes or a maximum of five such suffixes. Valid characters in the domain name string include letters, digits, hyphens (-), underscores (_), dots (.), and asterisk (*). The asterisk (*) character is used to match a series of domain names with fixed starting or ending string. For example, www.example.* includes all domain names starting with www.example.; *.example.gov includes all domain names ending with .example.gov.
certificate-file: Specifies an SSL certificate file.
key-file: Specifies an SSL certificate key file.
Usage guidelines
For an HTTP proxy service to proxy HTTPS requests for a specific domain name, you must specify an SSL certificate file and SSL certificate key file for the HTTP proxy service. The SSL certificate files and SSL certificate key files are stored in the directory specified by the ssl certificate directory command.
Before executing this command, make sure the specified SSL certificate file and SSL certificate key file already exist in the directory. Otherwise, the configuration fails.
To allow an HTTP proxy service to proxy the HTTPS requests for the specified domain name, first specify an SSL certificate file and SSL certificate key file and then enable the HTTP proxy service.
Before modifying the SSL certificate file and SSL certificate key file for an HTTP proxy service, first disable the HTTP proxy service.
To allow an HTTP proxy service to proxy HTTPS requests for one domain name, you can execute this command multiple times, but only the most recent configuration takes effect. To allow an HTTP proxy service to proxy HTTPS requests for multiple domain names, execute this command once for each domain name. An HTTP proxy service supports a maximum of 128 pairs of SSL certificate files and SSL certificate key files.
This command is mutually exclusive with the ssl certificate file command and the ssl certificate key-file command.
Examples
# Specify SSL certificate file cert.pem and SSL certificate key file cert.key for HTTP proxy service test to allow it to proxy the HTTPS requests for domain name test.example.cn.
<Sysname> system-view
[Sysname] http-proxy service test
[Sysname-http-proxy-service-test] ssl certificate domain-name test.example.cn file cert.pem key-file cert.key
Related commands
protocol-type (HTTP proxy service view)
ssl certificate directory
service enable
ssl certificate file
Use ssl certificate file to specify an SSL certificate file.
Use undo ssl certificate file to restore the default.
Syntax
ssl certificate file certificate-file [ encryption ]
undo ssl certificate file
Default
No SSL certificate file is specified.
Views
HTTP proxy service view
Predefined user roles
network-admin
mdc-admin
Parameters
certificate-file: Specifies an SSL certificate file. The file path specified by the certificate-file argument must be on the storage media of the active MPU or master device. (In standalone mode.)
certificate-file: Specifies an SSL certificate file. The file path specified by the certificate-file argument must be on the storage media of the active MPU. (In IRF mode.)
encryption: Uses the GM algorithm to encrypt an SSL certificate file. If you do not specify this keyword, the device does not encrypt the SSL certificate file.
Usage guidelines
Application scenarios
For an HTTP proxy service to proxy HTTPS requests, you must specify an SSL certificate file for the HTTP proxy service.
Operating mechanism
After you execute this command on an IRF fabric, the system will examine whether the specified SSL certificate file exists on the master device or active MPU:
· If yes, the configuration succeeds.
· If not, the configuration fails.
Before executing this command, copy the SSL certificate file to the same directory as the master device or active MPU on all subordinate devices or standby MPUs. This operation ensures that the settings of an HTTP proxy service can restore successfully after a master/subordinate or active/standby switchover.
Specifying the encryption keyword allows the device to encrypt an SSL certificate file when an HTTP proxy service is enabled on the device. In addition, the device will decrypt an SSL certificate file only when that SSL certificate file is required for HTTPS access. This enhances the security of HTTP proxy services.
Restrictions and guidelines
The encrypted files are in .enc format, so the device cannot encrypt files suffixed with .enc.
When the device encrypts an SSL certificate file, it generates a new encrypted file and deletes the original file. Cancelling this configuration will not delete that encrypted file or restore the original file. Therefore, when you enable file encryption and an HTTP proxy service, to perform configuration rollback or reconfigure an unencrypted file after cancelling this configuration, re-upload an SSL certificate file to the device.
Make sure the SSL certificate file specified by ssl certificate file and the SSL certificate key file specified by ssl certificate key-file are encrypted or decrypted simultaneously. If you fail to do so, the ssl certificate file and ssl certificate key-file commands cannot be executed successfully.
You must specify an SSL certificate file for an HTTP proxy service before enabling the HTTP proxy service. If you fail to do so, the HTTP proxy service cannot correctly proxy HTTPS requests.
Before modifying the SSL certificate file for an HTTP proxy service, first disable the HTTP proxy service.
Examples
# (In standalone mode.) Specify SSL certificate file cert.pem for HTTP proxy service test.
<Sysname> system-view
[Sysname] http-proxy service test slot 1
[Sysname-http-proxy-service-test-slot1] ssl certificate file flash:/cert.pem
# (In standalone mode.) Specify SSL certificate file cert.pem for HTTP proxy service test and use the GM algorithm to encrypt the SSL certificate file.
<Sysname> system-view
[Sysname] http-proxy service test slot 1
[Sysname-http-proxy-service-test-slot1] ssl certificate file flash:/cert.pem encryption
Related commands
protocol-type (HTTP proxy service view)
ssl certificate key-file
Use ssl certificate key-file to specify an SSL certificate key file.
Use undo ssl certificate key-file to restore the default.
Syntax
ssl certificate key-file key-file [ encryption ]
undo ssl certificate key-file
Default
No SSL certificate key file is specified.
Views
HTTP proxy service view
Predefined user roles
network-admin
mdc-admin
Parameters
key-file: Specifies an SSL certificate key file. The file path specified by the key-file argument must be on the storage media of the active MPU or master device. (In standalone mode.)
key-file: Specifies an SSL certificate key file. The file path specified by the key-file argument must be on the storage media of the active MPU. (In IRF mode.)
encryption: Uses the GM algorithm to encrypt an SSL certificate key file. If you do not specify this keyword, the device does not encrypt the SSL certificate key file.
Usage guidelines
Application scenarios
For an HTTP proxy service to proxy HTTPS requests, you must specify an SSL certificate key file for the HTTP proxy service.
Operating mechanism
After you execute this command on an IRF fabric, the system will examine whether the specified SSL certificate key file exists on the master device or active MPU:
· If yes, the configuration succeeds.
· If not, the configuration fails.
Before executing this command, copy the SSL certificate key file to the same directory as the master device or active MPU on all subordinate devices or standby MPUs. This operation ensures that the settings of an HTTP proxy service can restore successfully after a master/subordinate or active/standby switchover.
Specifying the encryption keyword allows the device to encrypt an SSL certificate key file when an HTTP proxy service is enabled on the device. In addition, the device will decrypt an SSL certificate key file only when that SSL certificate key file is required for HTTPS access. This enhances the security of HTTP proxy services.
Restrictions and guidelines
The encrypted files are in .enc format, so the device cannot encrypt files suffixed with .enc.
When the device encrypts an SSL certificate key file, it generates a new encrypted file and deletes the original file. Cancelling this configuration will not delete that encrypted file or restore the original file. Therefore, when you enable file encryption and an HTTP proxy service, to perform configuration rollback or reconfigure an unencrypted file after cancelling this configuration, re-upload an SSL certificate key file to the device.
Make sure the SSL certificate file specified by ssl certificate file and the SSL certificate key file specified by ssl certificate key-file are encrypted or decrypted simultaneously. If you fail to do so, the ssl certificate file and ssl certificate key-file commands cannot be executed successfully.
You must specify an SSL certificate key file for an HTTP proxy service before enabling the HTTP proxy service. Otherwise, the HTTP proxy service cannot correctly proxy HTTPS requests.
Before modifying the SSL certificate key file for an HTTP proxy service, first disable the HTTP proxy service.
Examples
# (In standalone mode.) Specify SSL certificate key file cert.key for HTTP proxy service test.
<Sysname> system-view
[Sysname] http-proxy service test slot 1
[Sysname-http-proxy-service-test-slot1] ssl certificate key-file flash:/cert.key
# (In standalone mode.) Specify SSL certificate key file cert.key for HTTP proxy service test and use the GM algorithm to encrypt the SSL certificate key file.
<Sysname> system-view
[Sysname] http-proxy service test slot 1
[Sysname-http-proxy-service-test-slot1] ssl certificate key-file flash:/cert.key encryption
Related commands
protocol-type (HTTP proxy service view)
url-protection enable
Use url-protection enable to enable URL protection for an HTTP proxy service.
Use undo url-protection enable to disable URL protection for an HTTP proxy service.
Syntax
url-protection enable
undo url-protection enable
Default
The URL protection feature for an HTTP proxy service is disabled.
Views
HTTP proxy service view
Predefined user roles
network-admin
mdc-admin
Usage guidelines
The URL protection feature prevents clients from inserting SQL or XSS statements into requests in an attempt to trick the servers into executing malicious SQL or XSS commands. If the device needs to proxy requests to websites that contain databases, enable this feature as a best practice.
Before enabling URL protection for an HTTP proxy service, first disable the HTTP proxy service.
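The following is an added example, not part of this command reference and not the device's own URL protection implementation. It shows the kind of check URL protection performs on the proxy: decode the request path and query parameters (including double-encoded values) and flag common SQL injection and XSS indicators before the request is forwarded. The signature set and the sample request lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Hypothetical signature set for illustration; the device's real rules are not documented here.
SQL_PATTERNS = [
    re.compile(r"(?i)\bunion\b.{0,20}\bselect\b"),
    re.compile(r"(?i)(\bor|\band)\s+\d+\s*=\s*\d+"),
    re.compile(r"(?i)'\s*(or|and)\s+'?\w+'?\s*=\s*'?\w+"),
    re.compile(r"(?i);\s*(drop|delete|insert|update)\b"),
    re.compile(r"--\s*$|/\*.*\*/"),
]
XSS_PATTERNS = [
    re.compile(r"(?i)<\s*script\b"),
    re.compile(r"(?i)\bon\w+\s*="),
    re.compile(r"(?i)javascript\s*:"),
]

# Constructed sample request lines (path and query only), as a proxy would see them.
SAMPLE_REQUESTS = [
    "/index.html",
    "/search?q=network+switch",
    "/products?id=10%20or%201%3D1",
    "/login?user=admin'%20OR%20'1'%3D'1",
    "/comment?text=%3Cscript%3Ealert(1)%3C/script%3E",
    "/view?name=%253Cscript%253E",  # double-encoded
]


def decode_pieces(url):
    """Split a request URL into its path, query keys and query values, fully decoded."""
    parts = urlsplit(url)
    pieces = [parts.path]
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        pieces.extend((key, value))
    # parse_qsl already percent-decodes the query once; two more passes
    # catch double- and triple-encoded payloads in both the path and the query.
    decoded = []
    for piece in pieces:
        for _ in range(2):
            piece = unquote(piece)
        decoded.append(piece)
    return decoded


def inspect_url(url):
    """Return a list of (category, pattern) hits; an empty list means the URL looks clean."""
    hits = []
    for piece in decode_pieces(url):
        for pat in SQL_PATTERNS:
            if pat.search(piece):
                hits.append(("sql", pat.pattern))
        for pat in XSS_PATTERNS:
            if pat.search(piece):
                hits.append(("xss", pat.pattern))
    return hits


def filter_requests(urls):
    """Sort requests into (allowed, blocked) lists, the decision URL protection makes per request."""
    allowed, blocked = [], []
    for url in urls:
        (blocked if inspect_url(url) else allowed).append(url)
    return allowed, blocked


if __name__ == "__main__":
    ok, dropped = filter_requests(SAMPLE_REQUESTS)
    for url in dropped:
        print("blocked:", url, inspect_url(url))
    for url in ok:
        print("allowed:", url)
```

Decoding before matching is the important design point: a signature check on the raw, still-encoded URL misses anything the client encoded twice, which is exactly the case the last sample request exercises.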
Examples
# (In standalone mode.) Enable URL protection for HTTP proxy service test.
<Sysname> system-view
[Sysname] http-proxy service test slot 1
[Sysname-http-proxy-service-test-slot1] url-protection enable
Related commands
service enable
wildcard-domain-name
Use wildcard-domain-name to specify the wildcard domain name for an HTTP proxy service.
Use undo wildcard-domain-name to restore the default.
Syntax
wildcard-domain-name wildcard-domain-name
undo wildcard-domain-name
Default
Wildcard domain name extlink.cn is specified for an HTTP proxy service.
Views
HTTP proxy service view
Predefined user roles
network-admin
mdc-admin
Parameters
wildcard-domain-name: Specifies a wildcard domain name, a case-insensitive string of 1 to 253 characters. The domain name can include dot-separated domain name suffixes (example.com, for example). Each domain name suffix can contain a maximum of 63 characters. The domain name must contain a minimum of two and a maximum of four such suffixes. Valid characters in the domain name string include letters, digits, hyphens (-), and underscores (_).
Usage guidelines
To allow an HTTP proxy service to proxy the requests for different external links of different domain names, you can specify a wildcard domain name for the HTTP proxy service and enable the external link reference feature. Otherwise, you need to execute the domain-name command multiple times to allow an HTTP proxy service to proxy the requests for different external links of the different domain names. For more information about external links, see HTTP proxy configuration in Layer 3—IP Services Configuration Guide.
When a client accesses an external link, the device appends the specified wildcard domain name to the external link domain name and returns the new domain name to the client. After the device receives the HTTP or HTTPS requests containing the wildcard domain name, it strips the wildcard domain name and sends the external link domain name to a DNS server to resolve the IP address. The DNS server returns the resolved IP address to the device, so that the device can proxy the requests to the external link.
Before specifying the wildcard domain name for an HTTP proxy service, disable the HTTP proxy service.
If you execute this command multiple times, the most recent configuration takes effect.
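The following is an added example, not part of this command reference and not the device's own implementation. It models the mechanism described above: the wildcard domain name is appended to an external link's host when the link is returned to the client, and stripped again from the Host header of the returned request before the original host is resolved. It also applies the documented constraints on the wildcard domain name string. The DNS table, the wildcard name and the sample URLs are constructed stand-ins.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# One dot-separated suffix: up to 63 characters of letters, digits, hyphens and underscores.
LABEL_RE = re.compile(r"^[A-Za-z0-9_-]{1,63}$")

# Constructed stand-in for the DNS server's answers.
DNS_TABLE = {
    "www.partner.org": "203.0.113.10",
    "cdn.vendor.net": "203.0.113.20",
}


def validate_wildcard_domain(name):
    """Check the constraints documented for the wildcard-domain-name argument:
    1 to 253 characters, two to four dot-separated suffixes, each suffix up to
    63 characters of letters, digits, hyphens and underscores."""
    if not 1 <= len(name) <= 253:
        return False
    labels = name.split(".")
    if not 2 <= len(labels) <= 4:
        return False
    return all(LABEL_RE.match(label) for label in labels)


def rewrite_external_link(url, wildcard):
    """Append the wildcard domain name to the external link host so that the
    client's follow-up request comes back through the proxy."""
    parts = urlsplit(url)
    netloc = f"{parts.hostname}.{wildcard}"
    if parts.port:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def original_host(host_header, wildcard):
    """Strip the wildcard suffix from a Host header (case-insensitively).
    Return None when the host does not carry the suffix, i.e. it is not a
    rewritten external link."""
    suffix = "." + wildcard.lower()
    host = host_header.lower()
    if host.endswith(suffix) and len(host) > len(suffix):
        return host[: -len(suffix)]
    return None


def resolve_target(host_header, wildcard, dns_table):
    """Recover the external link host and look it up in the DNS stand-in.
    Returns the IP address to proxy to, or None if the request is not an
    external link request or the name does not resolve."""
    origin = original_host(host_header, wildcard)
    if origin is None:
        return None
    return dns_table.get(origin)


if __name__ == "__main__":
    wildcard = "example.cn"  # hypothetical value, as in the Examples below
    assert validate_wildcard_domain(wildcard)
    link = rewrite_external_link("https://www.partner.org/img/logo.png", wildcard)
    print("link returned to client:", link)
    print("proxy target:", resolve_target(urlsplit(link).hostname, wildcard, DNS_TABLE))
```

The suffix comparison is case-insensitive because the argument is documented as case-insensitive, and the strip step refuses a Host value that consists of nothing but the suffix, which would otherwise yield an empty external host.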
Examples
# Specify wildcard domain name example.cn for HTTP proxy service test.
<Sysname> system-view
[Sysname] http-proxy service test
[Sysname-http-proxy-service-test] wildcard-domain-name example.cn
# (In standalone mode.) Specify wildcard domain name example.cn for HTTP proxy service test.
<Sysname> system-view
[Sysname] http-proxy service test slot 1
[Sysname-http-proxy-service-test-slot1] wildcard-domain-name example.cn
Related commands
extlink-href enable
dns-server
service enable