06-Layer 3—IP Services Configuration Guide

H3C SR6600[SR6600-X] Routers Configuration Guides (V7)-R8149-6W100
22-HTTP proxy configuration

Contents

Configuring HTTP proxy
About HTTP proxy
Working mechanism
External link proxy
HTTP proxy configuration views
License requirement for HTTP proxy
Configuring HTTP proxy in an HTTP proxy service view
Restrictions and guidelines: HTTP proxy in an HTTP proxy service view
HTTP proxy tasks at a glance
Configuring a Web server group
Configuring an HTTP proxy service
Specifying an SSL certificate file and SSL certificate key file
About specifying an SSL certificate file and SSL certificate key file
Restrictions and guidelines
Prerequisites
Specifying an SSL certificate file and SSL certificate key file
Specifying a domain-specific SSL certificate file and SSL certificate key file
Configuring the external link proxy feature
About configuring the external link proxy feature
Prerequisites
Configuring the external media link proxy feature
Configuring the external hyperlink proxy feature
Configuring the external link reference feature
Configuring the advanced features for an HTTP proxy service
Configuring a source IP pool used for Web server connection
Enabling caching of Web server resources
Specifying a keyword to be monitored and a keyword to replace the monitored keyword
Enabling referer protection
Enabling URL protection
Enabling an HTTP proxy service
Configuring the HTTP proxy operation recording
Display and maintenance commands for HTTP proxy in an HTTP proxy service view
HTTP proxy configuration examples (in standalone mode)
Example: Configuring the device to proxy HTTP requests to the specified Web server group
Example: Configuring the device to proxy HTTP requests to the Web servers through the DNS server
Example: Configuring the device to proxy HTTPS requests to the specified Web server group
Example: Configuring the device to proxy HTTPS requests to the Web servers through the DNS server
Configuring HTTP proxy in an HTTP proxy server view
Restrictions and guidelines: HTTP proxy in an HTTP proxy server view
HTTP proxy tasks at a glance
Creating an HTTP proxy server view
Configuring proxy-related parameters in an HTTP proxy server view
Specifying an SSL certificate file and SSL certificate key file
Configuring the external link proxy feature
About configuring the external link proxy feature
Restrictions and guidelines
Prerequisites
Configuring the external link reference feature
Configuring the external hyperlink proxy feature
Configuring the advanced features in an HTTP proxy server view
Configuring a source IP pool used for Web server connection
Enabling caching of Web server resources
Specifying a keyword to be monitored and a keyword to replace the monitored keyword
Enable referer protection
Enabling URL protection
Deleting response header set-cookie attributes
Enabling the restoration of QueryString in Web requests
Replacing an HTTP or HTTPS response header or restoring an HTTP or HTTPS request header
Configuring a redirect URL domain name that allows replacement
Referencing an HTTP proxy server view
Enabling wildcard domain name encryption feature for an HTTP proxy service
Configuring the HTTP proxy operation recording
Enabling an HTTP proxy service
Display and maintenance commands for HTTP proxy in an HTTP proxy server view
HTTP proxy configuration examples in an HTTP proxy server view
Example: Configuring the device to proxy HTTP requests
Example: Configuring the device to proxy HTTPS requests
HTTP proxy configuration examples in an HTTP proxy server view (in standalone mode)
Example: Configuring the device to proxy HTTP requests
Example: Configuring the device to proxy HTTPS requests
Troubleshooting HTTP proxy
HTTP proxy enabling failure

 


Configuring HTTP proxy

About HTTP proxy

The HTTP proxy feature enables IPv6 clients to access IPv4 Web servers during network transition from IPv4 to IPv6. This feature has the following advantages:

·     Simplifies smooth IPv4-to-IPv6 transition without affecting existing IPv4 services.

·     Enables clients of one IP stack to access webpages of another IP stack, providing network compatibility and scalability.

·     Supports load balancing, which improves the network efficiency and stability and enhances user experience.

Working mechanism

The working mechanism of the HTTP proxy feature varies by the applicable scenarios.

·     To proxy the HTTP or HTTPS requests to Web servers that provide the same service, you can specify the IPv4 addresses of Web servers for an HTTP proxy service. The Web servers in a Web server group provide load balancing.

·     To proxy the HTTP or HTTPS requests to Web servers that provide different services, you can specify a DNS server to resolve the IPv4 addresses of Web servers for an HTTP proxy service.

HTTP proxy mechanism by using the specified IPv4 address of a Web server

Figure 1 HTTP proxy mechanism by using the specified IPv4 address of a Web server

1.     The IPv6 host obtains the IPv6 address corresponding to the requested domain name through a DNS server. The obtained IPv6 address is the IPv6 address of an HTTP proxy service configured on the device. The IPv6 host sends an HTTP or HTTPS GET request to the device.

2.     The device checks whether the URL of the request contains the domain name that can be proxied by the HTTP proxy service:

○     If not, the device returns an error page to the IPv6 host.

○     If yes, the device takes the subsequent steps.

By default, the device can proxy all domain names. With denylist domain names specified on the device, the device cannot proxy the requests to the Web servers that use the specified denylist domain names. With allowlist domain names specified on the device, the device can only proxy the requests to the Web servers that use the specified allowlist domain names.

3.     The device re-encapsulates the HTTP or HTTPS GET request according to the specified IPv4 address of the Web server and sends the new request to the IPv4 Web server.

4.     The IPv4 Web server sends an HTTP or HTTPS response to the device.

5.     The device re-encapsulates the HTTP or HTTPS response and sends it to the IPv6 host.

HTTP proxy mechanism by using the resolved IPv4 address of a Web server

Figure 2 HTTP proxy mechanism by using the resolved IPv4 address of a Web server

1.     The IPv6 host obtains the IPv6 address corresponding to the requested domain name through a DNS server. The obtained IPv6 address is the IPv6 address of an HTTP proxy service configured on the device. The IPv6 host sends an HTTP or HTTPS GET request to the device.

2.     The device checks whether the URL of the request contains the domain name that can be proxied by the HTTP proxy service:

○     If not, the device returns an error page to the IPv6 host.

○     If yes, the device obtains the IPv4 address of the Web server through the DNS server, re-encapsulates the HTTP or HTTPS GET request according to the resolved IPv4 address of the Web server, and sends the new request to the IPv4 Web server.

By default, the device can proxy all domain names. With denylist domain names specified on the device, the device cannot proxy the requests to the Web servers that use the specified denylist domain names. With allowlist domain names specified on the device, the device can only proxy the requests to the Web servers that use the specified allowlist domain names.

3.     The IPv4 Web server sends an HTTP or HTTPS response to the device.

4.     The device re-encapsulates the HTTP or HTTPS response and sends it to the IPv6 host.

External link proxy

An external link is a hyperlink that exists on the webpages of an IPv4 server accessed by a client and is used to redirect to other websites.

By default, the IPv6 clients cannot access the external links on the webpages of an IPv4 server. Thus, you need to configure the external link proxy feature.

Figure 3 shows the mechanism of external link proxy when an IPv6 client accesses external links on webpages of the IPv4 Web server.

Figure 3 External link proxy mechanism

1.     The IPv6 host requests the HTML resource of the Web server. The IPv6 host obtains the IPv6 address corresponding to the requested domain name through a DNS server. The obtained IPv6 address is the IPv6 address of an HTTP proxy service configured on the device. The IPv6 host sends an HTTP or HTTPS GET request to the device.

2.     The device re-encapsulates the HTTP or HTTPS GET request and sends the new request to the IPv4 Web server.

3.     The Web server encapsulates the data containing the HTML resource in the HTTP or HTTPS response and sends the response to the device.

4.     Upon receiving the HTTP or HTTPS response, the device adds the domain name specified for the HTTP proxy service to the external link domain name and sends the new response to the client.

The specified domain name for the HTTP proxy service can be an allowlist domain name or a wildcard domain name. If you use the wildcard domain name for the HTTP proxy service, you must enable external link reference. Thus, all external links can be proxied.

5.     When the IPv6 host accesses an external link on the webpages of the IPv4 server, the DNS server resolves the domain name in the request to the IPv6 address of the HTTP proxy service. The IPv6 host sends an HTTP or HTTPS request for an external link to the device.

6.     Upon receiving the HTTP or HTTPS request for an external link, the device strips the domain name from the URL of the request.

7.     The device resolves the domain name in the request to an IPv4 address through the DNS server.

8.     The device re-encapsulates the request according to the resolved IPv4 address and sends the request to the external link server.

9.     The external link server encapsulates the media resources and HTML resources in the HTTP or HTTPS response and sends the response to the device.

10.     If the response contains only the media resources, the device directly re-encapsulates the response and sends the response to the IPv6 host. Otherwise, the device adds the domain name specified for the HTTP proxy service to the response that contains the external link, re-encapsulates the response, and sends the response to the IPv6 host.

HTTP proxy configuration views

The relevant parameters of HTTP proxy service can be configured in the following two views to control HTTP proxy service:

·     HTTP proxy service view—The configurations in an HTTP proxy service view can be used to proxy all Web resources in the current HTTP proxy service. Only one HTTP proxy service view can be created on a device, member device, or card, and only one set of configurations can be used.

·     HTTP proxy server view—The configurations in an HTTP proxy server view can only proxy specific Web server resources. An HTTP proxy server view has smaller granularity and higher flexibility. A device can create multiple HTTP proxy server views. The configurations in multiple HTTP proxy server views can take effect at the same time. You can use multiple sets of configurations for proxies of different Web server resources to meet different Web resource proxy needs. The configurations in an HTTP proxy server view only support proxying the HTTP or HTTPS requests to Web servers that provide different services.

Figure 4 shows the two HTTP proxy configuration views.

Figure 4 HTTP proxy configuration views

The configurations in the HTTP proxy server view only take effect after the view is referenced by the HTTP proxy service view. Before the HTTP proxy server view is referenced, the device uses the configurations in the HTTP proxy service view to proxy. After the HTTP proxy server view is referenced, the device uses the configurations in the HTTP proxy server view and reuses some configurations in the HTTP proxy service view to proxy.

Some key features affecting proxies can be configured in both HTTP proxy server view and HTTP proxy service view, but they cannot be configured in both views at the same time. After the HTTP proxy server view is referenced, these features can only be configured in the HTTP proxy server view. Table 1 shows the configuration views of the features related to HTTP proxy service.

Table 1 Configuration views of features related to HTTP proxy service

 

| Features related to HTTP proxy service | Configured in an HTTP proxy service view | Configured in an HTTP proxy server view | Configured in both HTTP proxy server view and HTTP proxy service view |
| --- | --- | --- | --- |
| Configuring a Web server group | Y | N | N |
| Specifying a protocol type and listening port for the HTTP proxy service | Y | Y | N |
| Specifying an IPv6 address for the HTTP proxy service | Y | Y | N |
| Specifying a DNS server for the HTTP proxy service | Y | N (Reusing configurations in the HTTP proxy service view.) | N |
| Specifying a denylist domain name for the HTTP proxy service | Y | N | N |
| Specifying an allowlist domain name for the HTTP proxy service | Y | Y | N |
| Specifying an SSL certificate file and SSL certificate key file | Y | N (Reusing configurations in the HTTP proxy service view.) | N |
| Configuring the external media link proxy feature | Y | N | N |
| Configuring the external hyperlink proxy feature | Y | N | N |
| Specifying a wildcard domain name for the HTTP proxy service | Y | N (Reusing configurations in the HTTP proxy service view.) | N |
| Configuring the external link reference feature | Y | Y | N |
| Specifying an external link domain name to be not proxied by the HTTP proxy service | Y | Y | Y |
| Enabling the external link proxying failure informing feature | Y | Y | N |
| Enabling the external link proxying failure redirection feature | Y | Y | N |
| Configuring the specified external link proxy feature in HTTP proxy server view | N | Y | N |
| Configuring a source IP pool used for Web server connection | Y | N (Reusing configurations in the HTTP proxy service view.) | N |
| Enabling caching of Web server resources | Y | Y | N |
| Specifying a keyword to be monitored and a keyword to replace the monitored keyword | Y | N (Reusing configurations in the HTTP proxy service view.) | N |
| Enabling referer protection | Y | N | N |
| Enabling referer protection in HTTP proxy server view | N | Y | N |
| Enabling URL protection | Y | N (Reusing configurations in the HTTP proxy service view.) | N |
| Deleting response header set-cookie attributes | N | Y | N |
| Enabling the restoration of QueryString in Web requests | N | Y | N |
| Replacing an HTTP or HTTPS response header or restoring an HTTP or HTTPS request header | N | Y | N |
| Configuring a redirect URL domain name that allows replacement | N | Y | N |
| Enabling wildcard domain name encryption feature for an HTTP proxy service | Y | N (Reusing configurations in the HTTP proxy service view; only used in an HTTP proxy server view.) | N |
| Configuring the HTTP proxy operation recording | Y | N (Reusing configurations in the HTTP proxy service view.) | N |
| Enabling an HTTP proxy service | Y | N (Reusing configurations in the HTTP proxy service view.) | N |

License requirement for HTTP proxy

The HTTP proxy feature requires a license. If you configure the feature without a license, the settings will be lost after a device reboot. For information about license management, see Fundamentals Configuration Guide.


Configuring HTTP proxy in an HTTP proxy service view

Restrictions and guidelines: HTTP proxy in an HTTP proxy service view

To enable an HTTP proxy service to proxy the Web resources, make sure the ports on the device used for communication with the IPv6 user and IPv4 Web server belong to the same slot.

For domain name resolution through a DNS server, you must execute the dns proxy enable command to enable DNS proxy on the device. If DNS proxy is disabled, the DNS server cannot resolve the IP addresses of the domain names proxied by an HTTP proxy service. For more information about the dns proxy enable command, see DNS commands in Layer 3—IP Services Command Reference.

HTTP proxy tasks at a glance

To configure HTTP proxy in an HTTP proxy service view, perform the following tasks:

1.     (Optional.) Configuring a Web server group

2.     Configuring an HTTP proxy service

3.     Specifying an SSL certificate file and SSL certificate key file

○     Specifying an SSL certificate file and SSL certificate key file

○     Specifying a domain-specific SSL certificate file and SSL certificate key file

To enable the device to proxy HTTPS requests, you must perform this task.

4.     (Optional.) Configuring the external link proxy feature

○     Configuring the external media link proxy feature

○     Configuring the external hyperlink proxy feature

○     Configuring the external link reference feature

5.     (Optional.) Configuring the advanced features for an HTTP proxy service

○     Configuring a source IP pool used for Web server connection

○     Enabling caching of Web server resources

○     Specifying a keyword to be monitored and a keyword to replace the monitored keyword

○     Enabling referer protection

○     Enabling URL protection

6.     (Optional.) Configuring the HTTP proxy operation recording

7.     Enabling an HTTP proxy service

Configuring a Web server group

About this task

You can add multiple IPv4 Web servers to a Web server group for an HTTP proxy service and bind the group to the HTTP proxy service. When the device receives HTTP or HTTPS requests, it distributes the traffic to different Web servers according to a certain algorithm, implementing load balancing. This increases network bandwidth and improves network availability and flexibility.

To proxy both HTTP and HTTPS packets, you can bind a Web server group specified with HTTP and a Web server group specified with HTTPS to an HTTP proxy service.

To implement load balancing, you can add multiple IPv4 Web servers with different IP addresses and port numbers to an IPv4 Web server group.

Restrictions and guidelines

With this feature configured, the device can only send the HTTP or HTTPS requests to the specified Web servers. If an IPv6 client accesses a Web server that is not configured on the device, the device will return an error page to the client.

Before binding a Web server group to an HTTP proxy service, first configure the parameters of the Web server group.

To modify the parameters of a Web server group that has been bound to an HTTP proxy service, first unbind the Web server group from the HTTP proxy service. Then, modify the parameters of the Web server group.

Make sure the protocol types of all Web servers in a Web server group are consistent with the protocol type of the Web server group.

Procedure

1.     Enter system view.

system-view

2.     Create a Web server group and enter its view.

http-proxy server-group group-name

3.     Add a Web server to the Web server group.

ip-address ip-address [ port port-number ]

By default, no Web servers exist in a Web server group.

4.     Specify a protocol type for the Web server group.

protocol-type { http | https }

By default, no protocol types are specified for a Web server group.

Configuring an HTTP proxy service

About this task

An HTTP proxy service listens for and proxies HTTP or HTTPS requests from a specified TCP port number and IPv6 address. To proxy HTTPS packets, you must also specify an SSL certificate file and SSL certificate key file so the device can establish secure connections to IPv6 clients.

Upon receiving an HTTP or HTTPS request, the device checks whether the URL of the request can be proxied by an HTTP proxy service. You can configure denylist domain names and allowlist domain names for an HTTP proxy service to filter the domain names. By default, the device can proxy all reachable domain names that can be resolved into reachable IPv4 addresses through a DNS server or proxy the specified domain names for Web server groups. To allow the device to proxy only the specified domain names, configure the specified domain names as allowlist domain names. To prevent the device from proxying the specified domain names, configure the specified domain names as denylist domain names.

Restrictions and guidelines

The protocol type of an HTTP proxy service can be different from the protocol type of the Web server group bound to the HTTP proxy service.

When configuring allowlist domain names and denylist domain names, obey the following rules:

·     A domain name can only be configured as an allowlist domain name or a denylist domain name. The denylist-domain-name and domain-name commands are mutually exclusive.

·     An HTTP proxy service supports a maximum of 512 denylist domain names and 512 allowlist domain names.

·     Do not configure the allowlist domain names and denylist domain names at the same time.

Prerequisites

You must specify an unused TCP port number for an HTTP proxy service. To view TCP port numbers in use, execute the display tcp command.

To modify the parameters of an enabled HTTP proxy service, first disable the HTTP proxy service.

Procedure

1.     Enter system view.

system-view

2.     Create an HTTP proxy service and enter its view.

In standalone mode:

http-proxy service service-name slot slot-number

In IRF mode:

http-proxy service service-name chassis chassis-number slot slot-number

3.     Specify a protocol type and listening port for the HTTP proxy service and bind a Web server group to the service.

protocol-type { http | https } [ port port-number ] [ server-group group-name ]

By default, no protocol type or listening port number is specified for an HTTP proxy service and no Web server group is bound to the HTTP proxy service.

4.     Specify an IPv6 address for the HTTP proxy service.

ipv6-address ipv6-address

By default, no IPv6 address is specified for an HTTP proxy service.

5.     (Optional.) Specify a DNS server for the HTTP proxy service.

dns-server ip-address

By default, no DNS servers are specified for an HTTP proxy service.

If you do not specify a Web server group for an HTTP proxy service, you must configure a DNS server for the HTTP proxy service.

6.     Specify a domain name for the HTTP proxy service. Choose one option as needed:

○     Specify a denylist domain name for the HTTP proxy service.

denylist-domain-name denylist-domain-name

○     Specify an allowlist domain name for the HTTP proxy service.

domain-name domain-name

By default, no denylist domain names or allowlist domain names are specified for an HTTP proxy service.

Specifying an SSL certificate file and SSL certificate key file

About specifying an SSL certificate file and SSL certificate key file

After specifying a Web server group for an HTTP proxy service, you can specify an SSL certificate file and SSL certificate key file for the HTTP proxy service. Thus, the HTTP proxy service can handle the HTTPS requests for one domain name.

After specifying a DNS server for an HTTP proxy service, you can specify multiple pairs of SSL certificate files and SSL certificate key files for the HTTP proxy service. Thus, the HTTP proxy service can handle the HTTPS requests for different domain names.

Restrictions and guidelines

The ssl certificate domain-name file key-file command is mutually exclusive with the ssl certificate file command and the ssl certificate key-file command.

To allow an HTTP proxy service to proxy HTTP requests for multiple domain names, you can execute the ssl certificate domain-name file key-file command multiple times. Thus, the device can establish secure connections to IPv6 clients who request to access the web servers of different domain names.

Prerequisites

Before you execute the ssl certificate file and the ssl certificate key-file commands to specify an SSL certificate file and SSL certificate key file, upload the files to the device through FTP or TFTP. Before you execute the ssl certificate domain-name file key-file command to specify an SSL certificate file and SSL certificate key file, make sure the directory for storing the files exists and then upload the files to the device through FTP or TFTP. If the directory for storing the SSL certificate file and SSL certificate key file does not exist, create a directory. For more information about FTP and TFTP configuration, see Fundamentals Configuration Guide.

Before specifying an SSL certificate file and SSL certificate key file for an HTTP proxy service, first disable the HTTP proxy service.

Specifying an SSL certificate file and SSL certificate key file

1.     Enter system view.

system-view

2.     Create an HTTP proxy service and enter its view.

In standalone mode:

http-proxy service service-name slot slot-number

In IRF mode:

http-proxy service service-name chassis chassis-number slot slot-number

3.     Specify an SSL certificate file.

ssl certificate file certificate-file [ encryption ]

By default, no SSL certificate file is specified.

4.     Specify an SSL certificate key file.

ssl certificate key-file key-file [ encryption ]

By default, no SSL certificate key file is specified.

Specifying a domain-specific SSL certificate file and SSL certificate key file

1.     Enter system view.

system-view

2.     Create an HTTP proxy service and enter its view.

In standalone mode:

http-proxy service service-name slot slot-number

In IRF mode:

http-proxy service service-name chassis chassis-number slot slot-number

3.     Specify a directory to store SSL certificates and SSL certificate key files.

ssl certificate directory directory [ encryption ]

By default, no directory is specified to store SSL certificates and SSL certificate key files.

4.     Specify an SSL certificate file and SSL certificate key file for the HTTP proxy service to allow it to proxy the HTTPS requests for a specific domain name.

ssl certificate domain-name domain-name file certificate-file key-file key-file

By default, no SSL certificate file and SSL certificate key file are specified for an HTTP proxy service to allow it to proxy the HTTPS requests for a specific domain name.
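The restrictions stated for the HTTP proxy service and for the SSL certificate commands (allowlist and denylist rules, the DNS server requirement when no Web server group is bound, and the mutually exclusive certificate commands) can be checked before the service is enabled. The following Python checker is an added example, not H3C code: the function names, issue codes and sample configurations are constructed, and it recognises only command keywords shown in this guide.

```python
# Added example (not H3C code): checks the commands entered in one HTTP proxy
# service view against the restrictions stated in this guide.
MAX_DOMAINS = 512  # limit for each of the allowlist and the denylist


def lint_service_view(lines):
    """Return a list of (code, message) for rule violations and risky defaults."""
    allow, deny, domain_certs = [], [], []
    group_bound = has_dns = cert_file = key_file = uses_https = False

    for raw in lines:
        tok = raw.split()
        if not tok or tok[0].startswith("#"):
            continue
        head3 = tok[:3]
        if tok[0] == "domain-name" and len(tok) > 1:
            allow.append(tok[1].lower())
        elif tok[0] == "denylist-domain-name" and len(tok) > 1:
            deny.append(tok[1].lower())
        elif tok[0] == "dns-server":
            has_dns = True
        elif tok[0] == "protocol-type" and len(tok) > 1:
            uses_https |= tok[1] == "https"
            group_bound |= "server-group" in tok[2:]
        elif head3 == ["ssl", "certificate", "file"]:
            cert_file = True
        elif head3 == ["ssl", "certificate", "key-file"]:
            key_file = True
        elif head3 == ["ssl", "certificate", "domain-name"] and len(tok) > 3:
            domain_certs.append(tok[3].lower())

    issues = []
    if allow and deny:
        issues.append(("ALLOW_AND_DENY",
                       "allowlist and denylist domain names are configured together"))
    for name, items in (("allowlist", allow), ("denylist", deny)):
        if len(set(items)) > MAX_DOMAINS:
            issues.append(("TOO_MANY_DOMAINS",
                           f"{name} has {len(set(items))} entries, limit {MAX_DOMAINS}"))
    if not allow and not deny:
        # Not a violation, but the default lets the device proxy all domain names.
        issues.append(("PROXY_ALL_DOMAINS",
                       "no allowlist or denylist: all domain names can be proxied"))
    if not group_bound and not has_dns:
        issues.append(("NO_BACKEND",
                       "no Web server group is bound and no DNS server is specified"))
    if uses_https and not (cert_file or key_file or domain_certs):
        issues.append(("HTTPS_NO_CERT",
                       "protocol type https without an SSL certificate and key file"))
    if cert_file != key_file:
        issues.append(("CERT_PAIR_INCOMPLETE",
                       "certificate file and key file must be specified as a pair"))
    if (cert_file or key_file) and domain_certs:
        issues.append(("CERT_MODES_MIXED",
                       "ssl certificate domain-name is mutually exclusive with "
                       "ssl certificate file / ssl certificate key-file"))
    return issues


def codes(lines):
    """Issue codes only, in the order the checks run."""
    return [code for code, _ in lint_service_view(lines)]


# Constructed sample input: addresses, ports, names and file names are made up.
WEAK = [
    "protocol-type https port 8443",
    "ipv6-address 2001:db8::10",
    "domain-name www.example.com",
    "denylist-domain-name ads.example.net",
    "ssl certificate file server.crt",
]
FIXED = [
    "protocol-type https port 8443",
    "ipv6-address 2001:db8::10",
    "dns-server 192.0.2.53",
    "domain-name www.example.com",
    "domain-name app.example.com",
    "ssl certificate directory certs",
    "ssl certificate domain-name www.example.com file www.crt key-file www.key",
    "ssl certificate domain-name app.example.com file app.crt key-file app.key",
]
OPEN_DEFAULT = [
    "protocol-type http port 8080",
    "ipv6-address 2001:db8::10",
    "dns-server 192.0.2.53",
]

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("FIXED", FIXED), ("OPEN_DEFAULT", OPEN_DEFAULT)):
        print(name, lint_service_view(cfg))
```
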

Configuring the external link proxy feature

About configuring the external link proxy feature

For an HTTP proxy service, configure the external link proxy feature as required:

·     The external media link proxy feature enables the IPv6 clients to access all external media resources (such as pictures or videos) on webpages of proxied Web servers. The proxied Web servers must use the domain names in the allowlist.

·     The external hyperlink proxy feature enables the HTTP proxy service to proxy external hyperlinks on webpages of proxied Web servers by adding the specified domain name to the link URLs. The proxied Web servers must use the domain names in the allowlist. In this way, the clients can access webpage resources that are not on the proxied Web servers and the media resources on the accessed webpages.

·     The external link reference feature enables the HTTP proxy service to proxy all external links on webpages of proxied Web servers by adding the wildcard domain name to the link URLs. In this way, the clients can access the webpage resources and media resources on webpages of all Web servers. To configure the device to not proxy the requests for external links of a specific domain name, execute the exclude-external-domain command.

When an IPv6 user fails to access the Web page or to request part of the Web resources through an HTTP proxy service, you can take the following actions.

·     Enable the external link proxying failure informing feature. If you enable this feature, the message "Error on page. Please visit URL XXX." is displayed when an external link proxying failure occurs.

·     Enable the external link proxying failure redirection feature. This feature redirects the failed external links with the specified error code and allows the IPv6 user to directly access the external link server without using the HTTP proxy service.

Prerequisites

Before configuring the external link proxy feature for an HTTP proxy service, first disable the HTTP proxy service.

Configuring the external media link proxy feature

1.     Enter system view.

system-view

2.     Enter the view of an HTTP proxy service.

In standalone mode:

http-proxy service service-name slot slot-number

In IRF mode:

http-proxy service service-name chassis chassis-number slot slot-number

3.     Specify an allowlist domain name for the HTTP proxy service.

domain-name domain-name

By default, no allowlist domain names are specified for an HTTP proxy service.

4.     (Optional.) Specify a DNS server for the HTTP proxy service.

dns-server ip-address

By default, no DNS servers are specified for an HTTP proxy service.

If you do not specify a Web server group for an HTTP proxy service, you must configure a DNS server for the HTTP proxy service.

5.     Enable the external media link proxy feature.

medialink-proxy enable

By default, the external media link proxy feature is disabled.

6.     (Optional.) Enable the external link proxying failure informing feature.

failed-extlink inform

By default, the external link proxying failure informing feature is disabled.

7.     (Optional.) Enable the external link proxying failure redirection feature.

failed-extlink redirect error-code

By default, the external link proxying failure redirection feature is disabled.

Configuring the external hyperlink proxy feature

1.     Enter system view.

system-view

2.     Enter the view of an HTTP proxy service.

In standalone mode:

http-proxy service service-name slot slot-number

In IRF mode:

http-proxy service service-name chassis chassis-number slot slot-number

3.     Specify an allowlist domain name for the HTTP proxy service.

domain-name domain-name

By default, no allowlist domain names are specified for an HTTP proxy service.

4.     (Optional.) Specify a DNS server for the HTTP proxy service.

dns-server ip-address

By default, no DNS servers are specified for an HTTP proxy service.

If you do not specify a Web server group for an HTTP proxy service, you must configure a DNS server for the HTTP proxy service.

5.     Specify an external hyperlink to be proxied on webpages.

hyperlink-proxy link-string

By default, no external hyperlinks are specified to be proxied.

6.     (Optional.) Enable the external link proxying failure informing feature.

failed-extlink inform

By default, the external link proxying failure informing feature is disabled.

7.     (Optional.) Enable the external link proxying failure redirection feature.

failed-extlink redirect error-code

By default, the external link proxying failure redirection feature is disabled.

Configuring the external link reference feature

Restrictions and guidelines

To make this feature take effect for an HTTP proxy service, you must specify a wildcard domain name for the HTTP proxy service.

With both a wildcard domain name and allowlist domain name configured for an HTTP proxy service, the HTTP proxy service adds only the wildcard domain name to the external link domain name.

Procedure

1.     Enter system view.

system-view

2.     Enter the view of an HTTP proxy service.

In standalone mode:

http-proxy service service-name slot slot-number

In IRF mode:

http-proxy service service-name chassis chassis-number slot slot-number

3.     Specify a wildcard domain name for the HTTP proxy service.

wildcard-domain-name wildcard-domain-name

By default, wildcard domain name extlink.cn is specified for an HTTP proxy service.

4.     Enable external link reference for the HTTP proxy service.

extlink-href enable

By default, the external link reference feature for an HTTP proxy service is disabled.

5.     (Optional.) Specify an external link domain name that the HTTP proxy service is not to proxy.

exclude-external-domain domain-name

By default, no external link domain names are excluded from proxying by an HTTP proxy service.

6.     (Optional.) Enable the external link proxying failure informing feature.

failed-extlink inform

By default, the external link proxying failure informing feature is disabled.

7.     (Optional.) Enable the external link proxying failure redirection feature.

failed-extlink redirect error-code

By default, the external link proxying failure redirection feature is disabled.

Configuring the advanced features for an HTTP proxy service

Configuring a source IP pool used for Web server connection

About this task

By default, the device uses the IP address of the outgoing interface in the default route to establish TCP connections with Web servers. An IP address supports a maximum of 65535 TCP connections. To allow the device to establish more TCP connections with Web servers, you can configure source IP pools. The device will use an IP address in the source IP pools for Web server connection.

Restrictions and guidelines

You can specify a maximum of 64 source IP pools. An IP pool can contain a maximum of 512 IP addresses. The IP addresses in different source IP pools cannot overlap with each other.

Procedure

1.     Enter system view.

system-view

2.     Enter the view of an HTTP proxy service.

In standalone mode:

http-proxy service service-name slot slot-number

In IRF mode:

http-proxy service service-name chassis chassis-number slot slot-number

3.     Configure a source IP pool used for Web server connection.

ip-pool start-address end-address [ vpn-instance vpn-instance-name ]

By default, no source IP pools are specified for Web server connection.
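
The limits in this section can be checked before the ip-pool commands are entered. The following Python is an added example, not H3C code: it validates a planned set of pools against the 64-pool, 512-address and no-overlap limits and reports the connection ceiling implied by 65535 connections per address. The helper name check_ip_pools is hypothetical, and all pools are assumed to be IPv4 ranges in the same VPN instance.

```python
import ipaddress

# Limits stated in this section of the guide
MAX_POOLS = 64              # source IP pools per HTTP proxy service
MAX_POOL_SIZE = 512         # IP addresses per pool
CONNS_PER_ADDRESS = 65535   # TCP connections one IP address supports


def check_ip_pools(pools):
    """Validate (start, end) IPv4 ranges. Return (errors, max_connections).

    max_connections is None when any error is found. check_ip_pools is a
    hypothetical helper for this example; it assumes one VPN instance.
    """
    errors, ranges = [], []
    if len(pools) > MAX_POOLS:
        errors.append(f"{len(pools)} pools planned, limit is {MAX_POOLS}")
    for start, end in pools:
        try:
            lo = int(ipaddress.IPv4Address(start))
            hi = int(ipaddress.IPv4Address(end))
        except ipaddress.AddressValueError as exc:
            errors.append(f"{start} {end}: {exc}")
            continue
        if hi < lo:
            errors.append(f"{start} {end}: end address is below start address")
            continue
        size = hi - lo + 1
        if size > MAX_POOL_SIZE:
            errors.append(f"{start} {end}: {size} addresses, limit is {MAX_POOL_SIZE}")
        ranges.append((lo, hi, f"{start} {end}"))

    # Walk the ranges in address order, remembering the highest address seen
    # so far; a range that starts at or below it overlaps an earlier pool.
    ranges.sort()
    top, top_name = -1, None
    for lo, hi, name in ranges:
        if lo <= top:
            errors.append(f"{name} overlaps {top_name}")
        if hi > top:
            top, top_name = hi, name

    if errors:
        return errors, None
    total = sum(hi - lo + 1 for lo, hi, _ in ranges)
    return errors, total * CONNS_PER_ADDRESS


if __name__ == "__main__":
    # Pool from the configuration example in this guide, then a constructed bad plan
    print(check_ip_pools([("192.168.1.10", "192.168.1.20")]))
    print(check_ip_pools([("10.0.0.1", "10.0.0.100"), ("10.0.0.50", "10.0.0.60")]))
```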

Enabling caching of Web server resources

About this task

You can enable this feature to cache Web server resources locally. When a client requests the same Web server resources, the device responds to the client directly with the locally saved data. This method reduces the traffic sent to the servers, reduces the traffic transmission cost, lessens the burden on the servers, reduces the response time of the device to the clients, and enhances the user experience.

Prerequisites

Before configuring the cache file directory for an HTTP proxy service, first disable the HTTP proxy service.

Procedure

1.     Enter system view.

system-view

2.     Enter the view of an HTTP proxy service.

In standalone mode:

http-proxy service service-name slot slot-number

In IRF mode:

http-proxy service service-name chassis chassis-number slot slot-number

3.     Enable the device to cache Web server resources and specify the directory for storing cache files.

cache-data directory directory

By default, the device does not cache Web server resources and the directory for storing cache files is not specified.

Specifying a keyword to be monitored and a keyword to replace the monitored keyword

About this task

If webpages on the Web servers proxied by an HTTP proxy service contain sensitive information, you can use this feature to specify the keywords to be monitored and the keywords that replace them. After you specify both, the HTTP proxy service replaces the monitored keywords with the specified replacement keywords and sends the replacement keywords to the IPv6 clients. To view the monitored keywords and the keywords used to replace them, execute the display http-proxy monitor-info command.

Prerequisites

Before specifying a keyword to be monitored by an HTTP proxy service or specifying the keyword to replace the monitored keyword, first disable the HTTP proxy service.

Procedure

1.     Enter system view.

system-view

2.     Enter the view of an HTTP proxy service.

In standalone mode:

http-proxy service service-name slot slot-number

In IRF mode:

http-proxy service service-name chassis chassis-number slot slot-number

3.     Specify a keyword to be monitored by the HTTP proxy service and a keyword to replace the monitored keyword.

keyword monitor keyword-string

By default, no keywords are specified to be monitored by an HTTP proxy service.

Enabling referer protection

About this task

This feature prevents illegal clients from accessing or stealing the webpage resources on the Web servers proxied by an HTTP proxy service. With this feature enabled for an HTTP proxy service, the HTTP proxy service will match the referer field in the HTTP or HTTPS request of a client with the specified allowlist domain names. If no match is found, the device will reject the HTTP or HTTPS requests. Enable this feature when multiple types of resource addresses exist on the webpages of the Web servers proxied by an HTTP proxy service.

Prerequisites

Before enabling referer protection for an HTTP proxy service, first disable the HTTP proxy service.

To make the referer protection feature take effect, first execute the domain-name command to specify an allowlist domain name.

Procedure

1.     Enter system view.

system-view

2.     Enter the view of an HTTP proxy service.

In standalone mode:

http-proxy service service-name slot slot-number

In IRF mode:

http-proxy service service-name chassis chassis-number slot slot-number

3.     Enable referer protection for the HTTP proxy service.

referer-protection enable

By default, the referer protection feature for an HTTP proxy service is disabled.
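
The page does not say how the device compares the Referer value with the allowlist domain names. The following Python is an added example, not H3C code, that puts a substring test beside a strict host comparison so the difference is visible when you test the feature or a backend's own check. The function names and sample Referer values are constructed, and treating a missing Referer as "no match" is an assumption.

```python
from urllib.parse import urlsplit

ALLOWLIST = ["test.example.cn"]   # allowlist domain name used in this guide's examples


def substring_referer_allowed(referer, allowlist):
    """Weak form: accepts the header if an allowlist name appears anywhere in it."""
    return any(domain in (referer or "") for domain in allowlist)


def referer_allowed(referer, allowlist):
    """Strict form: parse the Referer as a URL and compare its host exactly."""
    if not referer:
        return False          # assumption: a missing Referer counts as "no match"
    try:
        parts = urlsplit(referer.strip())
        host = parts.hostname
    except ValueError:        # malformed URL, for example an unclosed IPv6 literal
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    allowed = {d.rstrip(".").lower() for d in allowlist}
    return host.rstrip(".").lower() in allowed


# Constructed Referer values: (header value, what a correct check must return)
SAMPLES = [
    ("http://test.example.cn/index.html", True),
    ("HTTPS://TEST.EXAMPLE.CN:8443/a.css", True),              # only case and port differ
    ("http://test.example.cn.cdn.example.net/", False),        # allowlist name is a prefix
    ("http://other.example.net/?ref=test.example.cn", False),  # name in the query string
    ("http://test.example.cn@other.example.net/", False),      # name in the userinfo part
    ("", False),                                               # no Referer header
]


def compare(samples=SAMPLES, allowlist=ALLOWLIST):
    """Return rows of (referer, expected, substring result, strict result)."""
    return [
        (ref, want, substring_referer_allowed(ref, allowlist), referer_allowed(ref, allowlist))
        for ref, want in samples
    ]


if __name__ == "__main__":
    for ref, want, weak, strict in compare():
        print(f"{ref!r:55} expected={want!s:5} substring={weak!s:5} strict={strict}")
```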

Enabling URL protection

About this task

This feature can prevent the clients from inserting SQL or XSS statements into the requests to trick the servers into executing malicious SQL or XSS commands, enhancing the security and stability of the network.

Prerequisites

Before enabling URL protection for an HTTP proxy service, first disable the HTTP proxy service.

Procedure

1.     Enter system view.

system-view

2.     Enter the view of an HTTP proxy service.

In standalone mode:

http-proxy service service-name slot slot-number

In IRF mode:

http-proxy service service-name chassis chassis-number slot slot-number

3.     Enable URL protection for the HTTP proxy service.

url-protection enable

By default, the URL protection feature for an HTTP proxy service is disabled.

Enabling an HTTP proxy service

1.     Enter system view.

system-view

2.     Enter the view of an HTTP proxy service.

In standalone mode:

http-proxy service service-name slot slot-number

In IRF mode:

http-proxy service service-name chassis chassis-number slot slot-number

3.     Enable the HTTP proxy service.

service enable

By default, an HTTP proxy service is disabled.

Configuring the HTTP proxy operation recording

About this task

This feature enables an HTTP proxy service to record all proxy operations in chronological order in a file and save the file in the specified directory. You can execute the more command to view the content of the file. For more information about the more command, see file management commands in Fundamentals Command Reference.

With this feature configured, the device will create a directory named as the main file name of the recording file plus suffix _history to store the historical HTTP operation records. For example, if you specify directory flash:/httpproxy/record.log to store HTTP operation records, the device automatically creates directory flash:/httpproxy/record_history to store historical HTTP operation records. When file record.log exceeds the upper limit, the device will create a file named as record_YYYYMMDDhhmm.log in directory flash:/httpproxy/record_history to store the contents of the record.log file and will clear the contents of the record.log file. By default, the maximum file size is 10 MB. For the record_YYYYMMDDhhmm.log file name, YYYY represents year, MM represents month, DD represents day, hh represents hour, and mm represents minute.

Procedure

1.     Enter system view.

system-view

2.     Enter the view of an HTTP proxy service.

In standalone mode:

http-proxy service service-name slot slot-number

In IRF mode:

http-proxy service service-name chassis chassis-number slot slot-number

3.     Enable the HTTP proxy operation recording and specify the directory for saving the HTTP proxy operation recording file.

access-record enable file-path path [ gzip ]

By default, the HTTP proxy operation recording is disabled and no directory is specified for saving the HTTP proxy operation recording file.

4.     (Optional.) Specify the size of the log file zone and the size of a single log file.

access-record max-size max-zone-size single-file-size single-file-size

By default, the size for a single file is 10 MB and the size of the log file zone is 4 GB.

Display and maintenance commands for HTTP proxy in an HTTP proxy service view

Execute display commands in any view.

 

·     Display HTTP proxy configuration information in an HTTP proxy service view:

display http-proxy { server-group [ group-name ] | service [ service-name ] }

·     Display keyword monitoring information of an HTTP proxy service:

display http-proxy monitor-info service service-name [ keyword monitor-string ]

·     Display statistics for an HTTP proxy service:

display http-proxy statistics service service-name

HTTP proxy configuration examples (in standalone mode)

Example: Configuring the device to proxy HTTP requests to the specified Web server group

Network configuration

As shown in Figure 5, configure HTTP-based HTTP proxy on the device to establish a connection between an IPv6 host and IPv4 Web servers.

·     Specify domain name test.example.cn for the HTTP proxy service and specify 2001::1/64 as the IPv6 address of the HTTP proxy service.

·     Add external hyperlink www.example.org to be proxied by the HTTP proxy service and enable the external media link proxy feature.

·     Specify the DNS server with IP address 8.8.8.8 for the HTTP proxy service.

·     Enable the HTTP proxy operation recording.

Figure 5 Network diagram

Prerequisites

Assign IP addresses and subnet masks to interfaces. (Details not shown.)

Make sure the domain name test.example.cn of the HTTP proxy service can be resolved into the IPv6 address 2001::1/64.

Procedure

1.     Configure a Web server group:

# Create Web server group httpback and enter its view.

<Device> system-view

[Device] http-proxy server-group httpback

# Add the Web server with IP address 192.168.1.1 and port number 80 to Web server group httpback.

[Device-http-proxy-server-group-httpback] ip-address 192.168.1.1 port 80

# Add the Web server with IP address 192.168.1.2 and port number 80 to Web server group httpback.

[Device-http-proxy-server-group-httpback] ip-address 192.168.1.2 port 80

# Specify HTTP as the protocol type of Web server group httpback.

[Device-http-proxy-server-group-httpback] protocol-type http

[Device-http-proxy-server-group-httpback] quit

2.     Enable DNS proxy.

[Device] dns proxy enable

3.     Configure an HTTP proxy service:

# Create HTTP proxy service proxyservice and enter its view.

[Device] http-proxy service proxyservice slot 1

# Specify HTTP as the protocol type of HTTP proxy service proxyservice and bind Web server group httpback to the HTTP proxy service.

[Device-http-proxy-service-proxyservice-slot1] protocol-type http server-group httpback

# Specify DNS server at 8.8.8.8 for HTTP proxy service proxyservice.

[Device-http-proxy-service-proxyservice-slot1] dns-server 8.8.8.8

# Specify domain name test.example.cn for HTTP proxy service proxyservice.

[Device-http-proxy-service-proxyservice-slot1] domain-name test.example.cn

# Specify 2001::1 as the IPv6 address of HTTP proxy service proxyservice.

[Device-http-proxy-service-proxyservice-slot1] ipv6-address 2001::1

# Enable the external media link proxy feature for HTTP proxy service proxyservice.

[Device-http-proxy-service-proxyservice-slot1] medialink-proxy enable

# Specify external hyperlink www.example.org to be proxied by HTTP proxy service proxyservice.

[Device-http-proxy-service-proxyservice-slot1] hyperlink-proxy www.example.org

# Enable the HTTP proxy operation recording.

[Device-http-proxy-service-proxyservice-slot1] access-record enable file-path slot1#flash:/httpproxy/20191010.log

4.     Enable the HTTP proxy service.

[Device-http-proxy-service-proxyservice-slot1] service enable

[Device-http-proxy-service-proxyservice-slot1] quit

[Device] quit

Verifying the configuration

# Display the configuration information about Web server group httpback.

<Device> display http-proxy server-group

Server group name: httpback

  Protocol type:        HTTP

  Server IP addresses:  192.168.1.1:80

                        192.168.1.2:80

The output shows that the Web server group httpback is configured with the correct protocol type and IPv4 Web servers have been added to the Web server group.

# Display the configuration information about HTTP proxy service proxyservice.

<Device> display http-proxy service proxyservice

Service name: proxyservice

  IPv6 address:                    2001::1

  Allowlist domain names:          test.example.cn

  Protocol types:                  HTTP  [Server group: httpback]

  SSL certificate directory:       N/A

  Domain name:                     N/A

    SSL certificate file:          N/A

    SSL key files:                 N/A

  Hyperlink proxy strings:         www.example.org

  Failed extlink error codes:      N/A

  DNS servers:                     8.8.8.8

  Denylist domain names:           N/A

  Monitored keyword:               N/A

    Replaced by                    N/A

  Excluded external domain name:   N/A

  Include Server:                  N/A

  IP pools:                        N/A

  Wildcard domain name:            extlink.cn

  URL protection:                  Disabled

  Referer protection:              Disabled

  Extlink href:                    Disabled

  Medialink proxy:                 Enabled

  Failed extlink inform:           Disabled

  Cache data:                      Disabled

    Cache file path:               N/A

  HTTP proxy operation recording:  Enabled

    Operation record file path:    slot1#flash:/httpproxy/20191010.log

    Max zone size                  4096MB

    Single file size               10MB

  Extlink encryption algorithm:    N/A

  HTTP proxy status:               Enabled

The output shows that the HTTP proxy service proxyservice is configured with correct parameters and has been enabled.

# Display the content of the HTTP proxy operation recording file generated by HTTP proxy service proxyservice.

<Device> more slot1#flash:/httpproxy/20191010.log

[03/Dec/2019:16:11:35 +0800]  Client=2001::4  URL=http://test.example.cn/desert.jpg  Server=192.168.1.1:80

[03/Dec/2019:16:11:35 +0800]  Client=2001::4  URL=http://test.example.cn/config.js  Server=192.168.1.1:80

[03/Dec/2019:16:11:36 +0800]  Client=2001::4  URL=http://test.example.cn/config.js  Server=192.168.1.2:80

[03/Dec/2019:16:11:36 +0800]  Client=2001::4  URL=http://test.example.cn/desert.jpg  Server=192.168.1.2:80

The output shows the following:

·     The IPv6 host can access the IPv4 Web servers proxied by the HTTP proxy service and the proxy information is correctly recorded in the file, indicating that the HTTP proxy service has taken effect.

·     The requests to access the same URL are distributed to different Web servers, indicating that the two Web servers load balance the traffic.
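
The display http-proxy service output in this example can also be checked mechanically for the protections and requirements this guide describes. The following Python is an added example, not H3C code: it parses the output and lists the settings worth a second look. The function names and finding texts are hypothetical, and the sample is the output shown in this example.

```python
import re

# Output of "display http-proxy service proxyservice", copied from this
# configuration example.
SAMPLE = """\
Service name: proxyservice
  IPv6 address:                    2001::1
  Allowlist domain names:          test.example.cn
  Protocol types:                  HTTP  [Server group: httpback]
  SSL certificate directory:       N/A
  Domain name:                     N/A
    SSL certificate file:          N/A
    SSL key files:                 N/A
  Hyperlink proxy strings:         www.example.org
  Failed extlink error codes:      N/A
  DNS servers:                     8.8.8.8
  Denylist domain names:           N/A
  Monitored keyword:               N/A
    Replaced by                    N/A
  Excluded external domain name:   N/A
  Include Server:                  N/A
  IP pools:                        N/A
  Wildcard domain name:            extlink.cn
  URL protection:                  Disabled
  Referer protection:              Disabled
  Extlink href:                    Disabled
  Medialink proxy:                 Enabled
  Failed extlink inform:           Disabled
  Cache data:                      Disabled
    Cache file path:               N/A
  HTTP proxy operation recording:  Enabled
    Operation record file path:    slot1#flash:/httpproxy/20191010.log
    Max zone size                  4096MB
    Single file size               10MB
  Extlink encryption algorithm:    N/A
  HTTP proxy status:               Enabled
"""

# A field is "name: value" or, for a few sub-fields, "name" + 2 or more spaces + "value"
FIELD = re.compile(r"^(?P<key>.+?)(?::\s+|\s{2,})(?P<val>\S.*)$")


def parse_service(text):
    """Return {field name: [values]}; deeply indented lines continue the previous field."""
    fields, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        indent = len(raw) - len(raw.lstrip())
        m = FIELD.match(line)
        if indent >= 20 or not m:          # continuation, e.g. a second "HTTP at port N"
            if last:
                fields[last].append(line)
            continue
        last = m.group("key")
        fields.setdefault(last, []).append(m.group("val").strip())
    return fields


def audit(fields):
    """Return findings for protections and requirements described in this guide."""
    def first(key):
        return fields.get(key, ["N/A"])[0]

    protocols = fields.get("Protocol types", [])
    findings = []
    if any(re.match(r"HTTP\b", p) for p in protocols):   # matches HTTP, not HTTPS
        findings.append("HTTP listener: client-to-proxy traffic is not encrypted")
    if first("URL protection") != "Enabled":
        findings.append("URL protection is disabled")
    if first("Referer protection") != "Enabled":
        findings.append("Referer protection is disabled")
    elif first("Allowlist domain names") == "N/A":
        findings.append("Referer protection has no allowlist domain name to match")
    if first("HTTP proxy operation recording") != "Enabled":
        findings.append("HTTP proxy operation recording is disabled")
    if first("DNS servers") == "N/A" and not any("Server group" in p for p in protocols):
        findings.append("Neither a Web server group nor a DNS server is configured")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_service(SAMPLE)):
        print(finding)
```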

Example: Configuring the device to proxy HTTP requests to the Web servers through the DNS server

Network configuration

As shown in Figure 6, configure the device to proxy HTTP requests from an IPv6 host to the IPv4 Web servers through the DNS server.

·     Configure a source IP pool on the device to allow the device to provide more TCP connections to the IPv4 Web servers.

·     The device proxies only the connection to Server A and Server B rather than Server C.

·     Configure the device to monitor keyword abc and use keyword aaa to replace monitored keyword abc.

·     Enable the external link reference on the device.

·     Enable the HTTP proxy operation recording.

·     Server A uses domain name testa.example.cn and port number 8001 to provide the service. Server B uses domain name testb.example.cn and port number 8002 to provide the service. Server C uses domain name testc.example.cn and port number 8003 to provide the service.

Figure 6 Network diagram

Prerequisites

Assign IP addresses and subnet masks to interfaces. (Details not shown.)

Make sure domain names testa.example.cn, testb.example.cn, and testc.example.cn can be resolved into IPv6 address 2001::1/64 or an IPv4 address reachable for the device through the DNS server.

Make sure wildcard domain name example.cn can be resolved into IPv6 address 2001::1/64.

Procedure

1.     Enable DNS proxy.

<Device> system-view

[Device] dns proxy enable

2.     Configure an HTTP proxy service:

# Create HTTP proxy service proxyservice and enter its view.

[Device] http-proxy service proxyservice slot 1

# Specify HTTP as the protocol type of HTTP proxy service proxyservice and configure the HTTP proxy service to listen on port 8001 for Server A, port 8002 for Server B, and port 8003 for Server C.

[Device-http-proxy-service-proxyservice-slot1] protocol-type http port 8001

[Device-http-proxy-service-proxyservice-slot1] protocol-type http port 8002

[Device-http-proxy-service-proxyservice-slot1] protocol-type http port 8003

# Specify 2001::1 as the IPv6 address of HTTP proxy service proxyservice.

[Device-http-proxy-service-proxyservice-slot1] ipv6-address 2001::1

# Specify DNS server at 8.8.8.8 for HTTP proxy service proxyservice.

[Device-http-proxy-service-proxyservice-slot1] dns-server 8.8.8.8

# Specify denylist domain name testc.example.cn for HTTP proxy service proxyservice.

[Device-http-proxy-service-proxyservice-slot1] denylist-domain-name testc.example.cn

# Specify wildcard domain name example.cn for HTTP proxy service proxyservice.

[Device-http-proxy-service-proxyservice-slot1] wildcard-domain-name example.cn

# Enable the external link reference feature.

[Device-http-proxy-service-proxyservice-slot1] extlink-href enable

# Configure a source IP pool that contains IP addresses 192.168.1.10 to 192.168.1.20 for HTTP proxy service proxyservice.

[Device-http-proxy-service-proxyservice-slot1] ip-pool 192.168.1.10 192.168.1.20

# Configure keyword aaa to replace monitored keyword abc.

[Device-http-proxy-service-proxyservice-slot1] keyword monitor abc aaa

# Enable the HTTP proxy operation recording.

[Device-http-proxy-service-proxyservice-slot1] access-record enable file-path slot1#flash:/httpproxy/20200828.log

3.     Enable the HTTP proxy service.

[Device-http-proxy-service-proxyservice-slot1] service enable

[Device-http-proxy-service-proxyservice-slot1] quit

[Device] quit

Verifying the configuration

# Display the configuration information about HTTP proxy service proxyservice.

<Device> display http-proxy service proxyservice

Service name: proxyservice

  IPv6 address:                    2001::1

  Allowlist domain names:          N/A

  Protocol types:                  HTTP at port 8001

                                   HTTP at port 8002

                                   HTTP at port 8003

  SSL certificate directory:       N/A

  Domain name:                     N/A

    SSL certificate file:          N/A

    SSL key files:                 N/A

  Hyperlink proxy strings:         N/A

  Failed extlink error codes:      N/A

  DNS servers:                     8.8.8.8

  Denylist domain names:           testc.example.cn

  Monitored keyword:               abc

    Replaced by                    aaa

  Excluded external domain name:   N/A

  Include Server:                  N/A

  IP pools:                        192.168.1.10 to 192.168.1.20

  Wildcard domain name:            example.cn

  URL protection:                  Disabled

  Referer protection:              Disabled

  Extlink href:                    Enabled

  Medialink proxy:                 Disabled

  Failed extlink inform:           Disabled

  Cache data:                      Disabled

    Cache file path:               N/A

  HTTP proxy operation recording:  Enabled

    Operation record file path:    slot1#flash:/httpproxy/20200828.log

    Max zone size                  4096MB

    Single file size               10MB

  Extlink encryption algorithm:    N/A

  HTTP proxy status:               Enabled

The output shows that the HTTP proxy service proxyservice is configured with correct parameters and has been enabled.

# Display the content of the HTTP proxy operation recording file generated by HTTP proxy service proxyservice.

<Device> more slot1#flash:/httpproxy/20200828.log

[28/Aug/2020:16:11:35 +0800]  Client=2001::4  URL=http://testa.example.cn/desert.jpg  Server=192.168.1.101:8001

[28/Aug/2020:16:11:35 +0800]  Client=2001::4  URL=http://testa.example.cn/config.js  Server=192.168.1.101:8001

[28/Aug/2020:16:11:36 +0800]  Client=2001::4  URL=http://testb.example.cn/config.js  Server=192.168.1.102:8002

[28/Aug/2020:16:11:36 +0800]  Client=2001::4  URL=http://testb.example.cn/desert.jpg  Server=192.168.1.102:8002

The output shows the following:

·     The IPv6 host can access the IPv4 Web servers A and B proxied by the HTTP proxy service and the proxy information is correctly recorded in the file, indicating that the HTTP proxy service has taken effect.

·     The device does not proxy the connection to Server C, so the denylist domain name has taken effect.
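
The record file format shown in the two HTTP examples above can be parsed to check the same points automatically. The following Python is an added example, not H3C code: it parses record lines, reports any request proxied to a denylisted domain, and lists which Web servers served each URL. The function names are hypothetical, and the last two sample lines (including the Server C address) are constructed.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

RECORD = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+Client=(?P<client>\S+)\s+URL=(?P<url>\S+)\s+Server=(?P<server>\S+)$"
)

# First four lines: record file shown in the DNS-server example on this page.
# Last two lines: constructed for this example (a denylisted host, a truncated line).
SAMPLE = """\
[28/Aug/2020:16:11:35 +0800]  Client=2001::4  URL=http://testa.example.cn/desert.jpg  Server=192.168.1.101:8001
[28/Aug/2020:16:11:35 +0800]  Client=2001::4  URL=http://testa.example.cn/config.js  Server=192.168.1.101:8001
[28/Aug/2020:16:11:36 +0800]  Client=2001::4  URL=http://testb.example.cn/config.js  Server=192.168.1.102:8002
[28/Aug/2020:16:11:36 +0800]  Client=2001::4  URL=http://testb.example.cn/desert.jpg  Server=192.168.1.102:8002
[28/Aug/2020:16:11:37 +0800]  Client=2001::9  URL=http://testc.example.cn/index.html  Server=192.168.1.103:8003
[28/Aug/2020:16:11:38 +0800]  Client=2001::9  URL=http://testa.exam
"""


def parse_records(text):
    """Return (records, rejects); a record has time, client, url, host and server."""
    records, rejects = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RECORD.match(line)
        if not m:
            rejects.append(line)           # keep unparsable lines for review
            continue
        try:
            when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            host = (urlsplit(m["url"]).hostname or "").lower()
        except ValueError:
            rejects.append(line)
            continue
        records.append({"time": when, "client": m["client"], "url": m["url"],
                        "host": host, "server": m["server"]})
    return records, rejects


def denylist_hits(records, denylist):
    """Records whose URL host is a denylisted domain; expected to be empty."""
    blocked = {d.lower() for d in denylist}
    return [r for r in records if r["host"] in blocked]


def backends_per_url(records):
    """Map each URL to the set of Web servers that served it."""
    seen = {}
    for r in records:
        seen.setdefault(r["url"], set()).add(r["server"])
    return seen


if __name__ == "__main__":
    recs, bad = parse_records(SAMPLE)
    print("parsed:", len(recs), "rejected:", len(bad))
    for r in denylist_hits(recs, ["testc.example.cn"]):
        print("denylisted domain was proxied:", r["client"], r["url"], r["server"])
    for url, servers in sorted(backends_per_url(recs).items()):
        print(url, "->", sorted(servers))
```

A URL that maps to more than one server in backends_per_url corresponds to the load balancing described in the server-group example.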

Example: Configuring the device to proxy HTTPS requests to the specified Web server group

Network configuration

As shown in Figure 7, configure HTTPS-based HTTP proxy on the device to establish a connection between an IPv6 host and IPv4 Web servers.

·     Specify domain name test.example.cn for the HTTP proxy service and specify 2001::1/64 as the IPv6 address of the HTTP proxy service.

·     Add external hyperlink www.example.org to be proxied by the HTTP proxy service and enable the external media link proxy feature.

·     Specify the DNS server with IP address 8.8.8.8 for the HTTP proxy service.

·     Enable the HTTP proxy operation recording.

Figure 7 Network diagram

Prerequisites

Assign IP addresses and subnet masks to interfaces. (Details not shown.)

Make sure the domain name test.example.cn of the HTTP proxy service can be resolved into the IPv6 address 2001::1/64.

Procedure

1.     Upload an SSL certificate file and SSL certificate key file to the device through FTP or TFTP. For more information about FTP and TFTP configuration, see Fundamentals Configuration Guide.

<Device> tftp 2001::1 get httpproxy.key slot1#flash:/cert.key

Press CTRL+C to abort.

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100     8  100     8    0     0    330      0 --:--:-- --:--:-- --:--:--   571

Writing file...Done.

<Device> tftp 2001::1 get httpproxy.pem slot1#flash:/cert.pem

Press CTRL+C to abort.

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100     8  100     8    0     0    330      0 --:--:-- --:--:-- --:--:--   571

Writing file...Done.

2.     Configure a Web server group:

# Create Web server group httpsback and enter its view.

<Device> system-view

[Device] http-proxy server-group httpsback

# Add the Web server with IP address 192.168.1.1 and port number 443 to Web server group httpsback.

[Device-http-proxy-server-group-httpsback] ip-address 192.168.1.1 port 443

# Add the Web server with IP address 192.168.1.2 and port number 443 to Web server group httpsback.

[Device-http-proxy-server-group-httpsback] ip-address 192.168.1.2 port 443

# Specify HTTPS as the protocol type of Web server group httpsback.

[Device-http-proxy-server-group-httpsback] protocol-type https

[Device-http-proxy-server-group-httpsback] quit

3.     Enable DNS proxy.

[Device] dns proxy enable

4.     Configure an HTTP proxy service:

# Create HTTP proxy service proxyservice and enter its view.

[Device] http-proxy service proxyservice slot 1

# Specify HTTPS as the protocol type of HTTP proxy service proxyservice and bind Web server group httpsback to the HTTP proxy service.

[Device-http-proxy-service-proxyservice-slot1] protocol-type https server-group httpsback

# Specify the SSL certificate file cert.pem for HTTP proxy service proxyservice.

[Device-http-proxy-service-proxyservice-slot1] ssl certificate file slot1#flash:/cert.pem

# Specify the SSL certificate key file cert.key for HTTP proxy service proxyservice.

[Device-http-proxy-service-proxyservice-slot1] ssl certificate key-file slot1#flash:/cert.key

# Specify DNS server at 8.8.8.8 for HTTP proxy service proxyservice.

[Device-http-proxy-service-proxyservice-slot1] dns-server 8.8.8.8

# Specify domain name test.example.cn for HTTP proxy service proxyservice.

[Device-http-proxy-service-proxyservice-slot1] domain-name test.example.cn

# Specify 2001::1 as the IPv6 address of HTTP proxy service proxyservice.

[Device-http-proxy-service-proxyservice-slot1] ipv6-address 2001::1

# Enable the external media link proxy feature for HTTP proxy service proxyservice.

[Device-http-proxy-service-proxyservice-slot1] medialink-proxy enable

# Specify external hyperlink www.example.org to be proxied by HTTP proxy service proxyservice.

[Device-http-proxy-service-proxyservice-slot1] hyperlink-proxy www.example.org

# Enable the HTTP proxy operation recording and specify directory slot1#flash:/httpproxy/20191010.log for saving the HTTP proxy operation recording file.

[Device-http-proxy-service-proxyservice-slot1] access-record enable file-path slot1#flash:/httpproxy/20191010.log

5.     Enable the HTTP proxy service.

[Device-http-proxy-service-proxyservice-slot1] service enable

[Device-http-proxy-service-proxyservice-slot1] quit

[Device] quit

Verifying the configuration

# Display the configuration information about Web server group httpsback.

<Device> display http-proxy server-group

Server group name: httpsback

  Protocol type:        HTTPS

  Server IP addresses:  192.168.1.1:443

                        192.168.1.2:443

The output shows that the Web server group httpsback is configured with the correct protocol type and IPv4 Web servers have been added to the Web server group.

# Display the configuration information about HTTP proxy service proxyservice.

<Device> display http-proxy service proxyservice

Service name: proxyservice

  IPv6 address:                    2001::1

  Allowlist domain names:          test.example.cn

  Protocol types:                  HTTPS  [Server group: httpsback]

  SSL certificate file:            slot1#flash:/cert.pem

  SSL certificate key-file:        slot1#flash:/cert.key

  Hyperlink proxy strings:         www.example.org

  Failed extlink error codes:      N/A

  DNS servers:                     8.8.8.8

  Denylist domain names:           N/A

  Monitored keyword:               N/A

    Replaced by                    N/A

  Excluded external domain name:   N/A

  Include Server:                  N/A

  IP pools:                        N/A

  Wildcard domain name:            extlink.cn

  URL protection:                  Disabled

  Referer protection:              Disabled

  Extlink href:                    Disabled

  Medialink proxy:                 Enabled

  Failed extlink inform:           Disabled

  Cache data:                      Disabled

    Cache file path:               N/A

  HTTP proxy operation recording:  Enabled

    Operation record file path:    slot1#flash:/httpproxy/20191010.log

    Max zone size                  4096MB

    Single file size               10MB

  Extlink encryption algorithm:    N/A

  HTTP proxy status:               Enabled

The output shows that the HTTP proxy service proxyservice is configured with correct parameters and has been enabled.

# Display the content of the HTTP proxy operation recording file generated by HTTP proxy service proxyservice.

<Device> more slot1#flash:/httpproxy/20191010.log

[03/Dec/2019:16:11:35 +0800]  Client=2001::4  URL=https://test.example.cn/sert.jpg  Server=192.168.1.1:443

[03/Dec/2019:16:11:35 +0800]  Client=2001::4  URL=https://test.example.cn/config.js  Server=192.168.1.1:443

[03/Dec/2019:16:11:36 +0800]  Client=2001::4  URL=https://test.example.cn/config.js  Server=192.168.1.2:443

[03/Dec/2019:16:11:36 +0800]  Client=2001::4  URL=https://test.example.cn/sert.jpg  Server=192.168.1.2:443

The output shows the following:

·     The IPv6 host can access the IPv4 Web servers proxied by the HTTP proxy service and the proxy information is correctly recorded in the file, indicating that the HTTP proxy service has taken effect.

·     The requests to access the same URL are distributed to different Web servers, indicating that the two Web servers load balance the traffic.

Example: Configuring the device to proxy HTTPS requests to the Web servers through the DNS server

Network configuration

As shown in Figure 8, configure the device to proxy HTTPS requests from an IPv6 host to the IPv4 Web servers through the DNS server.

·     Configure a source IP pool on the device to allow the device to provide more TCP connections to the IPv4 Web servers.

·     The device proxies only the connection to Server A and Server B rather than Server C.

·     Configure the device to monitor keyword abc and use keyword aaa to replace monitored keyword abc.

·     Enable the external link reference on the device.

·     Enable the HTTP proxy operation recording.

·     Server A uses domain name testa.example.cn and port number 8001 to provide the service. Server B uses domain name testb.example.cn and port number 8002 to provide the service. Server C uses domain name testc.example.cn and port number 8003 to provide the service.

Figure 8 Network diagram

Prerequisites

Assign IP addresses and subnet masks to interfaces. (Details not shown.)

Make sure domain names testa.example.cn, testb.example.cn, and testc.example.cn can be resolved into IPv6 address 2001::1/64 or an IPv4 address reachable for the device through the DNS server.

Make sure wildcard domain name example.cn can be resolved into IPv6 address 2001::1/64.

Procedure

1.     Upload three pairs of SSL certificate files and SSL certificate key files to the specified directory of the device through FTP or TFTP. For more information about FTP and TFTP configuration, see Fundamentals Configuration Guide.

<Device> tftp 2001::1 get httpproxya.key slot1#flash:/certa.key

Press CTRL+C to abort.

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100     8  100     8    0     0    330      0 --:--:-- --:--:-- --:--:--   571

Writing file...Done.

<Device> tftp 2001::1 get httpproxya.pem slot1#flash:/certa.pem

Press CTRL+C to abort.

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100     8  100     8    0     0    330      0 --:--:-- --:--:-- --:--:--   571

Writing file...Done.

<Device> tftp 2001::1 get httpproxyb.key slot1#flash:/certb.key

Press CTRL+C to abort.

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100     8  100     8    0     0    330      0 --:--:-- --:--:-- --:--:--   571

Writing file...Done.

<Device> tftp 2001::1 get httpproxyb.pem slot1#flash:/certb.pem

Press CTRL+C to abort.

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100     8  100     8    0     0    330      0 --:--:-- --:--:-- --:--:--   571

Writing file...Done.

<Device> tftp 2001::1 get httpproxyc.key slot1#flash:/certc.key

Press CTRL+C to abort.

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100     8  100     8    0     0    330      0 --:--:-- --:--:-- --:--:--   571

Writing file...Done.

<Device> tftp 2001::1 get httpproxyc.pem slot1#flash:/certc.pem

Press CTRL+C to abort.

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100     8  100     8    0     0    330      0 --:--:-- --:--:-- --:--:--   571

Writing file...Done.

2.     Enable DNS proxy.

<Device> system-view

[Device] dns proxy enable

3.     Configure an HTTP proxy service:

# Create HTTP proxy service proxyservice and enter its view.

[Device] http-proxy service proxyservice slot 1

# Specify HTTPS as the protocol type of HTTP proxy service proxyservice and configure the HTTP proxy service to listen on port 8001 for Server A, port 8002 for Server B, and port 8003 for Server C.

[Device-http-proxy-service-proxyservice-slot1] protocol-type https port 8001

[Device-http-proxy-service-proxyservice-slot1] protocol-type https port 8002

[Device-http-proxy-service-proxyservice-slot1] protocol-type https port 8003

# Specify directory slot1#flash:/ to store the SSL certificate files and SSL certificate key files.

[Device-http-proxy-service-proxyservice-slot1] ssl certificate directory slot1#flash:/

# Specify SSL certificate file certa.pem and SSL certificate key file certa.key for HTTP proxy service proxyservice to allow it to proxy the HTTPS requests for domain name testa.example.cn.

[Device-http-proxy-service-proxyservice-slot1] ssl certificate domain-name testa.example.cn file certa.pem key-file certa.key

# Specify SSL certificate file certb.pem and SSL certificate key file certb.key for HTTP proxy service proxyservice to allow it to proxy the HTTPS requests for domain name testb.example.cn.

[Device-http-proxy-service-proxyservice-slot1] ssl certificate domain-name testb.example.cn file certb.pem key-file certb.key

# Specify SSL certificate file certc.pem and SSL certificate key file certc.key for HTTP proxy service proxyservice to allow it to proxy the HTTPS requests for domain name testc.example.cn.

[Device-http-proxy-service-proxyservice-slot1] ssl certificate domain-name testc.example.cn file certc.pem key-file certc.key

# Specify 2001::1 as the IPv6 address of HTTP proxy service proxyservice.

[Device-http-proxy-service-proxyservice-slot1] ipv6-address 2001::1

# Specify DNS server at 8.8.8.8 for HTTP proxy service proxyservice.

[Device-http-proxy-service-proxyservice-slot1] dns-server 8.8.8.8

# Specify denylist domain name testc.example.cn for HTTP proxy service proxyservice.

[Device-http-proxy-service-proxyservice-slot1] denylist-domain-name testc.example.cn

# Specify wildcard domain name example.cn for HTTP proxy service proxyservice.

[Device-http-proxy-service-proxyservice-slot1] wildcard-domain-name example.cn

# Enable the external link reference feature.

[Device-http-proxy-service-proxyservice-slot1] extlink-href enable

# Configure a source IP pool that contains IP addresses 192.168.1.10 to 192.168.1.20 for HTTP proxy service proxyservice.

[Device-http-proxy-service-proxyservice-slot1] ip-pool 192.168.1.10 192.168.1.20

# Configure keyword aaa to replace monitored keyword abc.

[Device-http-proxy-service-proxyservice-slot1] keyword monitor abc aaa

# Enable the HTTP proxy operation recording.

[Device-http-proxy-service-proxyservice-slot1] access-record enable file-path slot1#flash:/httpproxy/20200828.log

4.     Enable the HTTP proxy service.

[Device-http-proxy-service-proxyservice-slot1] service enable

[Device-http-proxy-service-proxyservice-slot1] quit

[Device] quit

Verifying the configuration

# Display the configuration information about HTTP proxy service proxyservice.

<Device> display http-proxy service proxyservice

Service name: proxyservice

  IPv6 address:                    2001::1

  Allowlist domain names:          N/A

  Protocol types:                  HTTPS at port 8001

                                   HTTPS at port 8002

                                   HTTPS at port 8003

  SSL certificate directory:       slot1#flash:/

  Domain name:                     testa.example.cn

    SSL certificate file:          certa.pem

    SSL key files:                 certa.key

  Domain name:                     testb.example.cn

    SSL certificate file:          certb.pem

    SSL key files:                 certb.key

  Domain name:                     testc.example.cn

    SSL certificate file:          certc.pem

    SSL key files:                 certc.key

  Hyperlink proxy strings:         N/A

  Failed extlink error codes:      N/A

  DNS servers:                     8.8.8.8

  Denylist domain names:           testc.example.cn

  Monitored keyword:               abc

    Replaced by                    aaa

  Excluded external domain name:   N/A

  Include Server:                  N/A

  IP pools:                        192.168.1.10 to 192.168.1.20

  Wildcard domain name:            example.cn

  URL protection:                  Disabled

  Referer protection:              Disabled

  Extlink href:                    Enabled

  Medialink proxy:                 Disabled

  Failed extlink inform:           Disabled

  Cache data:                      Disabled

    Cache file path:               N/A

  HTTP proxy operation recording:  Enabled

    Operation record file path:    slot1#flash:/httpproxy/20200828.log

    Max zone size                  4096MB

    Single file size               10MB

  Extlink encryption algorithm:    N/A

  HTTP proxy status:               Enabled

The output shows that the HTTP proxy service proxyservice is configured with correct parameters and has been enabled.

# Display the content of the HTTP proxy operation recording file generated by HTTP proxy service proxyservice.

<Device> more slot1#flash:/httpproxy/20200828.log

[28/Aug/2020:16:11:35 +0800]  Client=2001::4  URL=https://testa.example.cn/desert.jpg  Server=192.168.1.101:8001

[28/Aug/2020:16:11:35 +0800]  Client=2001::4  URL=https://testa.example.cn/config.js  Server=192.168.1.101:8001

[28/Aug/2020:16:11:36 +0800]  Client=2001::4  URL=https://testb.example.cn/config.js  Server=192.168.1.102:8002

[28/Aug/2020:16:11:36 +0800]  Client=2001::4  URL=https://testb.example.cn/desert.jpg  Server=192.168.1.102:8002

The output shows the following:

·     The IPv6 host can access the IPv4 Web servers A and B proxied by the HTTP proxy service and the proxy information is correctly recorded in the file, indicating that the HTTP proxy service has taken effect.

·     The device does not proxy the connection to Server C, so the denylist domain name has taken effect.
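The two checks above (requests reach the expected Web server, and nothing is proxied for the denylist domain name) can be run against an operation record file offline. The following Python sketch is an added example, not part of the H3C guide; it assumes the record format shown in the output above, and the testc line, its backend address 192.168.1.103:8003, and the mismatched testb line are constructed sample data.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample in the record format shown above. Lines 3 and 4 are
# invented to show a backend mismatch and a denylist failure; line 5 is a
# deliberately truncated record.
SAMPLE_LOG = """\
[28/Aug/2020:16:11:35 +0800]  Client=2001::4  URL=https://testa.example.cn/desert.jpg  Server=192.168.1.101:8001
[28/Aug/2020:16:11:36 +0800]  Client=2001::4  URL=https://testb.example.cn/config.js  Server=192.168.1.102:8002
[28/Aug/2020:16:11:36 +0800]  Client=2001::4  URL=https://testb.example.cn/desert.jpg  Server=192.168.1.101:8001
[28/Aug/2020:16:11:37 +0800]  Client=2001::9  URL=https://testc.example.cn/index.html  Server=192.168.1.103:8003
[28/Aug/2020:16:11:38 +0800]  Client=2001::4  URL=https://testa.exam
"""

# Values taken from the configuration example: the denylist domain name and
# the backends that appear in the page's own log output.
DENYLIST = {"testc.example.cn"}
EXPECTED_BACKENDS = {
    "testa.example.cn": "192.168.1.101:8001",
    "testb.example.cn": "192.168.1.102:8002",
}

RECORD = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+Client=(?P<client>\S+)"
    r"\s+URL=(?P<url>\S+)\s+Server=(?P<server>\S+)$"
)


def parse_line(line):
    """Parse one operation record; return None if the line is malformed."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    host = (urlsplit(m["url"]).hostname or "").lower()
    return {"time": ts, "client": m["client"], "host": host,
            "url": m["url"], "server": m["server"]}


def audit(log_text, denylist, expected_backends):
    """Return (findings, requests per host, number of unparsed lines)."""
    findings, hits, unparsed = [], Counter(), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # keep a count: silent drops hide tampering
            continue
        hits[rec["host"]] += 1
        if rec["host"] in denylist:
            findings.append(("denylisted-domain-proxied", rec["client"], rec["url"]))
        want = expected_backends.get(rec["host"])
        if want is not None and rec["server"] != want:
            findings.append(("unexpected-backend", rec["client"], rec["url"]))
    return findings, hits, unparsed


if __name__ == "__main__":
    found, per_host, bad = audit(SAMPLE_LOG, DENYLIST, EXPECTED_BACKENDS)
    for kind, client, url in found:
        print(f"{kind}: client={client} url={url}")
    print(dict(per_host), "unparsed lines:", bad)
```

An empty findings list over a real record file corresponds to the two conclusions drawn from the output above.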


Configuring HTTP proxy in an HTTP proxy server view

Restrictions and guidelines: HTTP proxy in an HTTP proxy server view

To enable an HTTP proxy service to proxy the Web resources, make sure the ports on the device used for communication with the IPv6 user and IPv4 Web server belong to the same slot.

When configuring proxy-related features in an HTTP proxy server view, make sure the current HTTP proxy server view is not referenced. After all proxy configurations are completed, reference the current view and start the HTTP proxy service.

For domain name resolution through a DNS server, you must execute the dns proxy enable command to enable DNS proxy on the device. If DNS proxy is disabled, the DNS server cannot resolve the IP addresses of the domain names proxied by an HTTP proxy service. For more information about the dns proxy enable command, see DNS commands in Layer 3—IP Services Command Reference.

HTTP proxy tasks at a glance

To configure HTTP proxy in an HTTP proxy server view, perform the following tasks:

1.     Creating an HTTP proxy server view

2.     Configuring proxy-related parameters in an HTTP proxy server view

3.     Specifying an SSL certificate file and SSL certificate key file

This task is required only when you configure the device to proxy HTTPS requests. It does not take effect when the device proxies HTTP requests.

4.     (Optional.) Configuring the external link proxy feature

5.     (Optional.) Configuring the advanced features in an HTTP proxy server view

¡     Configuring a source IP pool used for Web server connection

¡     Enabling caching of Web server resources

¡     Specifying a keyword to be monitored and a keyword to replace the monitored keyword

¡     Enabling referer protection

¡     Enabling URL protection

¡     Deleting response header set-cookie attributes

¡     Enabling the restoration of QueryString in Web requests

¡     Replacing an HTTP or HTTPS response header or restoring an HTTP or HTTPS request header

¡     Configuring a redirect URL domain name that allows replacement

6.     Referencing an HTTP proxy server view

7.     (Optional.) Enabling wildcard domain name encryption feature for an HTTP proxy service

8.     (Optional.) Configuring the HTTP proxy operation recording

9.     Enabling an HTTP proxy service

Creating an HTTP proxy server view

Restrictions and guidelines

You can create multiple HTTP proxy server views on a device to proxy different Web server resources with different parameters. The configurations in an HTTP proxy server view take effect after the view is referenced.

Procedure

1.     Enter system view.

system-view

2.     Create an HTTP proxy server and enter its view.

http-proxy server server-name

By default, no HTTP proxy server view exists.

Configuring proxy-related parameters in an HTTP proxy server view

About this task

An HTTP proxy service listens for and proxies HTTP or HTTPS requests from a specified TCP port number and IPv6 address. To proxy HTTPS packets, you must also specify an SSL certificate file and SSL certificate key file so the device can establish secure connections to IPv6 clients.

After you execute the domain-name command, the Web servers of the domain names specified by the command form the Web resource proxy scope of the device. The device uses the configurations in the HTTP proxy server view to proxy these Web servers.

Restrictions and guidelines

An HTTP proxy server view supports a maximum of 512 allowlist domain names.

The configurations related to proxy parameters can only be performed in HTTP proxy server view.

Prerequisites

You must specify an unused TCP port number for an HTTP proxy service. To view TCP port numbers in use, execute the display tcp command.

For more information about specifying a DNS server for the HTTP proxy service in HTTP proxy service view, see "Configuring an HTTP proxy service."

Procedure

1.     Enter system view.

system-view

2.     Create an HTTP proxy server and enter its view.

http-proxy server server-name

3.     Specify a protocol type and listening port for the HTTP proxy service.

protocol-type { http | https } [ port port-number ]

By default, no protocol type or listening port number is specified for an HTTP proxy service.

4.     Specify an IPv6 address for the HTTP proxy service.

ipv6-address ipv6-address

By default, no IPv6 address is specified for an HTTP proxy service.

5.     Specify an allowlist domain name for the HTTP proxy service.

domain-name domain-name

By default, no allowlist domain names are specified for an HTTP proxy service.

Specifying an SSL certificate file and SSL certificate key file

When the device proxies HTTPS requests, you can reuse the configurations in an HTTP proxy service view to configure the feature in HTTP proxy server view. For more information, see "Specifying an SSL certificate file and SSL certificate key file" in an HTTP proxy service view.

Configuring the external link proxy feature

About configuring the external link proxy feature

For an HTTP proxy server, configure the external link proxy feature as required:

·     The external link reference feature enables the HTTP proxy server to proxy all external links on webpages of proxied Web servers by adding the wildcard domain name to the link URLs. In this way, the clients can access the external links of all proxied Web servers. To configure the device to not proxy the requests for external links of a specific domain name, execute the exclude-external-domain command.

·     The external hyperlink proxy feature enables the HTTP proxy server to add the specified wildcard domain name for all external links on the Web servers with specified domain names. In this way, the clients can access these external links.

When an IPv6 user fails to access the Web page or to request part of the Web resources through an HTTP proxy service, you can take the following actions.

·     Enable the external link proxying failure informing feature. If you enable this feature, the message "Error on page. Please visit URL XXX." is displayed when external link proxying fails.

·     Enable the external link proxying failure redirection feature. This feature redirects the failed external links with the specified error code and allows the IPv6 user to directly access the external link server without using the HTTP proxy service.

Restrictions and guidelines

When you configure the external link proxy feature, all commands except the exclude-external-domain command can be configured only in the HTTP proxy server view.

The external media link proxy feature and the external hyperlink proxy feature configured in HTTP proxy service view do not take effect in HTTP proxy server view.

Prerequisites

To make this feature take effect for an HTTP proxy service, you must specify a wildcard domain name for the HTTP proxy service. For more information, see "Configuring the external link reference feature" in an HTTP proxy service view.

Configuring the external link reference feature

1.     Enter system view.

system-view

2.     Enter the view of an HTTP proxy server.

http-proxy server server-name

3.     Enable external link reference for the HTTP proxy service.

extlink-href enable

By default, the external link reference feature for an HTTP proxy service is disabled.

4.     (Optional.) Specify an external link domain name that is not to be proxied by the HTTP proxy service.

exclude-external-domain domain-name

By default, no external link domain names are excluded from proxying for an HTTP proxy service.

5.     (Optional.) Enable the external link proxying failure informing feature.

failed-extlink inform

By default, the external link proxying failure informing feature is disabled.

6.     (Optional.) Enable the external link proxying failure redirection feature.

failed-extlink redirect error-code

By default, the external link proxying failure redirection feature is disabled.

Configuring the external hyperlink proxy feature

1.     Enter system view.

system-view

2.     Enter the view of an HTTP proxy server.

http-proxy server server-name

3.     Specify an external link domain name in an HTTP proxy server view.

include-external-domain domain-name

By default, no external link domain name is configured in an HTTP proxy server view.

4.     (Optional.) Enable the external link proxying failure informing feature.

failed-extlink inform

By default, the external link proxying failure informing feature is disabled.

5.     (Optional.) Enable the external link proxying failure redirection feature.

failed-extlink redirect error-code

By default, the external link proxying failure redirection feature is disabled.

Configuring the advanced features in an HTTP proxy server view

Configuring a source IP pool used for Web server connection

You can reuse the configurations in an HTTP proxy service view to configure the feature in an HTTP proxy server view. For more information, see "Configuring a source IP pool used for Web server connection" in an HTTP proxy service view.

Enabling caching of Web server resources

About this task

You can enable this feature to cache Web server resources locally. When a client requests the same Web server resources, the device uses the locally saved data to respond to the client directly. This method reduces the traffic sent to the servers, reduces the traffic transmission cost, lessens the burden on the servers, reduces the response time of the device to the clients, and enhances the user experience.

Restrictions and guidelines

When an HTTP proxy server view is referenced, if the cache-data command is configured in the view, the directory path specified by the command must be a path on the slot where the HTTP proxy service view that references the HTTP proxy server view is located. Otherwise, the reference fails.

Procedure

1.     Enter system view.

system-view

2.     Enter the view of an HTTP proxy server.

http-proxy server server-name

3.     Enable the device to cache Web server resources and specify the directory for storing cache files.

cache-data directory directory

By default, the device does not cache Web server resources and the directory for storing cache files is not specified.

Specifying a keyword to be monitored and a keyword to replace the monitored keyword

You can reuse the configurations in an HTTP proxy service view to configure the feature in an HTTP proxy server view. For more information, see "Specifying a keyword to be monitored and a keyword to replace the monitored keyword" in an HTTP proxy service view.

Enabling referer protection

About this task

This feature prevents illegal clients from accessing or stealing the webpage resources on the Web servers proxied by an HTTP proxy service. With this feature enabled for an HTTP proxy service in an HTTP proxy server view, the HTTP proxy service will match the referer field in the HTTP or HTTPS request of a client with the specified allowlist domain names. If no match is found, the device will reject the HTTP or HTTPS requests. Enable this feature when multiple types of resource addresses exist on the webpages of the Web servers proxied by an HTTP proxy service.

Prerequisites

If you enable referer protection in both HTTP proxy server view and HTTP proxy service view, the referer field in the HTTP or HTTPS requests sent by the client should meet the feature requirements in both views. Otherwise, the requests will be denied.

Procedure

1.     Enter system view.

system-view

2.     Enter the view of an HTTP proxy server.

http-proxy server server-name

3.     Configure a referer allowlist domain name.

referer-protection domain domain-name allowlist allowlist-domain-name

By default, the referer protection feature for an HTTP proxy service is disabled.

When a client accesses a domain name, if the domain name in the referer field of the HTTP or HTTPS requests it sends is not contained in the allowlist domain names, the device will deny the requests.

Enabling URL protection

You can reuse the configurations in an HTTP proxy service view to configure the feature in an HTTP proxy server view. For more information, see "Enabling URL protection" in an HTTP proxy service view.

Deleting response header set-cookie attributes

About this task

This feature can be applied in the following situations:

·     After the external link reference feature is enabled in an HTTP proxy server view, the device will add a specified wildcard domain name to the external link URL in the response returned by the Web server. Thus, the external link URL is modified into HTTP format. For example, the device modifies external link URL https://example.com into http://https-example-com.example.cn by adding wildcard domain name example.cn. A client sends HTTP requests containing the wildcard domain name to the device when it accesses the external link. After the device receives the HTTP requests containing the wildcard domain name, it strips the wildcard domain name and restores the external link URL to https://example.com. Then, it sends the requests to the Web server through HTTPS protocol.

In the above process, when the Web server returns HTTPS response packets, the response header set-cookie attributes might contain the secure flag. The secure flag can only be used in HTTPS protocol. It ensures a secure transmission (through HTTPS instead of HTTP) of a cookie, thus improving the security of the cookie. Because the client requests external link resources through HTTP, it does not save the cookie when it receives set-cookie attributes containing the secure flag. As a result, the user will go offline when it accesses the external link resources. If you use the delete cookie-flag secure command to delete the secure flag in the set-cookie attributes of the response header returned by the Web server, the client will save the cookie.

·     For Web servers with high security, the set-cookie attributes of the HTTP or HTTPS response header returned by the Web server might contain the samesite flag. The samesite flag is used to restrict third-party cookies and prevents illegal websites from forging HTTP or HTTPS requests by using client cookies. If you use the delete cookie-flag samesite command to delete the samesite flag in the set-cookie attributes of the response header returned by the Web server, the client can carry the cookie when it sends HTTP or HTTPS requests.

·     When the device requests the resources from the Web server, the set-cookie attributes of the HTTP or HTTPS response header returned by the Web server might contain the HTTPOnly flag. If a cookie contains the HTTPOnly flag, the HTTP or HTTPS response header will not carry the cookie when a client requests Web resources by JavaScript, thus making the cookie more secure. However, the user will go offline due to absence of the cookie in the response header. You can use the delete cookie-flag httponly command to delete the HTTPOnly flag in the set-cookie attributes of the response header returned by the Web server.

Prerequisites

Configure this feature when the current HTTP proxy server view is not referenced.

Procedure

1.     Enter system view.

system-view

2.     Enter the view of an HTTP proxy server.

http-proxy server server-name

3.     Delete response header set-cookie attributes.

delete cookie-flag { httponly | samesite | secure }

By default, the set-cookie attributes in the HTTP or HTTPS response header are not modified.
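Each keyword of the delete cookie-flag command removes one browser-side cookie protection, so it helps to see the rewritten header and what is given up before choosing keywords. The following Python sketch is an added example, not H3C code; the Set-Cookie values are constructed, and the rule that a client on HTTP does not store a cookie marked secure is the behavior described in the first scenario above.

```python
# What each keyword of `delete cookie-flag { httponly | samesite | secure }`
# gives up on the client side once the attribute is removed.
PROTECTION_LOST = {
    "secure": "cookie is also sent over cleartext HTTP",
    "httponly": "cookie becomes readable by page JavaScript (document.cookie)",
    "samesite": "no server-set restriction on sending the cookie cross-site",
}

# Constructed sample header value (not taken from the guide).
SAMPLE_SET_COOKIE = "SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"


def attr_name(attr):
    """Lower-cased attribute name of 'Name' or 'Name=value'."""
    return attr.split("=", 1)[0].strip().lower()


def split_set_cookie(value):
    """Split a Set-Cookie value into the name=value pair and its attributes."""
    parts = [p.strip() for p in value.split(";")]
    return parts[0], [p for p in parts[1:] if p]


def delete_cookie_flags(value, flags):
    """Return (rewritten header value, list of attributes that were removed)."""
    wanted = {f.lower() for f in flags}
    pair, attrs = split_set_cookie(value)
    kept = [a for a in attrs if attr_name(a) not in wanted]
    removed = [a for a in attrs if attr_name(a) in wanted]
    return "; ".join([pair] + kept), removed


def review(value, deleted_flags, client_scheme="http"):
    """Describe the header a client receives after the configured deletions."""
    rewritten, removed = delete_cookie_flags(value, deleted_flags)
    _, attrs = split_set_cookie(rewritten)
    present = {attr_name(a): a.replace(" ", "").lower() for a in attrs}
    notes = [PROTECTION_LOST[attr_name(a)] for a in removed]
    # A client that fetched the page over HTTP does not keep a Secure cookie.
    stored = not ("secure" in present and client_scheme == "http")
    # Browsers that enforce the rule (Chrome 80 and later, for one) reject
    # SameSite=None unless Secure is also set.
    if "secure" not in present and present.get("samesite") == "samesite=none":
        notes.append("SameSite=None without Secure is rejected by enforcing browsers")
    return {"header": rewritten, "removed": removed,
            "stored_by_client": stored, "notes": notes}


if __name__ == "__main__":
    for flags in ([], ["secure"], ["secure", "httponly", "samesite"]):
        result = review(SAMPLE_SET_COOKIE, flags)
        print(flags or "no deletion", "->", result["header"])
        print("  stored by HTTP client:", result["stored_by_client"])
        for note in result["notes"]:
            print("  lost:", note)
```

Deleting only the attribute that actually breaks the session (secure in the external link scenario) leaves the other two protections in place.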

Enabling the restoration of QueryString in Web requests

About this task

After the external link reference feature is enabled, the QueryString parameters in the URLs of the HTTP or HTTPS request packets sent by the client may contain domain names replaced by the device. By default, the device does not restore the replaced domain names in the QueryString parameters, and thus the client cannot access Web resources through the QueryString parameters. With this feature enabled, the device restores the replaced fields in the QueryString parameters to the original domain name, so as to ensure that the client can obtain the requested resources normally.

Prerequisites

Enable the restoration of QueryString in Web requests when the current HTTP proxy server view is not referenced.

Procedure

1.     Enter system view.

system-view

2.     Enter the view of an HTTP proxy server.

http-proxy server server-name

3.     Enable the restoration of QueryString in Web requests.

restore request-querystring

By default, the restoration of QueryString in Web requests is disabled.

Replacing an HTTP or HTTPS response header or restoring an HTTP or HTTPS request header

About this task

By default, the device does not replace the fields in the HTTP or HTTPS response header. After the external link reference feature is enabled, the device can proxy any external links. When the device proxies external links on the Web server with origins outside the server, the client needs to send cross-domain requests. However, some clients do not allow cross-domain requests, so they cannot access external links with origins outside the server. With the replace response-header command enabled, the device uses the wildcard domain name specified by the wildcard-domain-name command to replace specified fields in an HTTP or HTTPS response header. For example, the device modifies https://www.example.com in the referer field into http://https-www-example-com.example.cn (with wildcard domain name example.cn specified). When the client receives the HTTP or HTTPS response with the replaced response header, it does not consider the access request in the response as a cross-domain request. In this way, it can access external links with origins outside the server.

After the replace response-header command is enabled, the device uses the wildcard domain name to replace specified fields in an HTTP or HTTPS response header. When the client sends HTTP or HTTPS requests according to the response from the device, the relevant fields in the request header are the replaced fields. With the restore request-header command enabled, the device restores the replaced fields to ensure normal proxy of Web resources.

Prerequisites

To make this feature take effect for an HTTP proxy service, you must specify a wildcard domain name for the HTTP proxy service. For more information, see "Configuring the external link reference feature" in an HTTP proxy service view.

Procedure

1.     Enter system view.

system-view

2.     Enter the view of an HTTP proxy server.

http-proxy server server-name

3.     Enable the replacement of specified fields in an HTTP or HTTPS response header.

replace response-header { access-control-allow-origin | location | p3p | refresh | vary }

By default, the replacement of all fields in an HTTP or HTTPS response header is disabled.

4.     Enable the restoration of fields in an HTTP or HTTPS request header.

restore request-header { origin | referer | x-wap-profile }

By default, the restoration of fields in an HTTP or HTTPS request header is disabled.
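The replacement and restoration described in this section and in "Enabling the restoration of QueryString in Web requests" can be followed end to end with the two URL pairs the guide gives. The following Python sketch is an added example, not H3C code: the mapping rule (scheme and host joined with hyphens, followed by the wildcard domain name) is inferred from those two pairs, and the treatment of hyphenated hosts, ports, and QueryString values is an assumption.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

WILDCARD = "example.cn"  # wildcard-domain-name from the configuration example
RESTORABLE = ("origin", "referer", "x-wap-profile")  # restore request-header fields


def to_proxy_url(url, wildcard=WILDCARD):
    """https://www.example.com -> http://https-www-example-com.example.cn"""
    u = urlsplit(url)
    if u.scheme not in ("http", "https") or not u.hostname:
        raise ValueError("not an absolute HTTP or HTTPS URL")
    if "-" in u.hostname or u.port is not None:
        # The guide shows neither case, so this sketch refuses to guess.
        raise ValueError("encoding of hyphens and ports is not documented")
    label = u.scheme + "-" + u.hostname.replace(".", "-")
    if len(label) > 63:
        raise ValueError("rewritten name exceeds the 63-octet DNS label limit")
    return urlunsplit(("http", label + "." + wildcard, u.path, u.query, u.fragment))


def to_origin_url(url, wildcard=WILDCARD):
    """Inverse mapping; values that are not rewritten URLs are returned as is."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    suffix = "." + wildcard
    if not host.endswith(suffix):
        return url
    label = host[: -len(suffix)]
    scheme, _, rest = label.partition("-")
    if scheme not in ("http", "https") or not rest or "." in label:
        return url  # e.g. testa.example.cn is a proxied server, not an extlink
    return urlunsplit((scheme, rest.replace("-", "."), u.path, u.query, u.fragment))


def restore_request(url, headers, wildcard=WILDCARD):
    """Restore the request URL, its QueryString values and restorable headers."""
    u = urlsplit(to_origin_url(url, wildcard))
    query = [(k, to_origin_url(v, wildcard))
             for k, v in parse_qsl(u.query, keep_blank_values=True)]
    restored_url = urlunsplit((u.scheme, u.netloc, u.path, urlencode(query), u.fragment))
    restored_headers = {
        name: to_origin_url(value, wildcard) if name.lower() in RESTORABLE else value
        for name, value in headers.items()
    }
    return restored_url, restored_headers


if __name__ == "__main__":
    print(to_proxy_url("https://www.example.com"))
    # Constructed client request that follows a rewritten link.
    req_url = ("http://https-www-example-com.example.cn/login"
               "?next=http%3A%2F%2Fhttps-example-com.example.cn%2Fhome&x=1")
    req_headers = {"Referer": "http://https-www-example-com.example.cn/",
                   "User-Agent": "sample"}
    print(restore_request(req_url, req_headers))
```

The 63-octet check reflects the DNS limit on a single label: a long external host name may not fit in one label in front of the wildcard domain name.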

Configuring a redirect URL domain name that allows replacement

About this task

For an HTTP proxy service with a specified wildcard domain name, if the external link reference feature in an HTTP proxy server view is disabled, by default, the device cannot use configurations in the view to proxy a redirect URL. After you configure this feature, the device will replace the redirect URL domain name in the HTTP or HTTPS response header returned by the Web server. It adds the specified wildcard domain name to the redirect URL domain name to proxy the redirect URL. This feature can be applied in scenarios where the device only needs to proxy part of the external link resources.

Restrictions and guidelines

This feature does not take effect if the external link reference feature in an HTTP proxy server view is enabled.

Prerequisites

To make this feature take effect for an HTTP proxy service, you must specify a wildcard domain name for the HTTP proxy service. For more information, see "Configuring the external link reference feature" in an HTTP proxy service view.

Procedure

1.     Enter system view.

system-view

2.     Enter the view of an HTTP proxy server.

http-proxy server server-name

3.     Configure a redirect URL domain name that allows replacement.

include-redirect-domain domain-name

By default, no redirect URL domain name that allows replacement is configured.

Referencing an HTTP proxy server view

About this task

After an HTTP proxy server view is referenced, the device uses the configurations in the HTTP proxy server view to proxy all Web resources on the current slot. A referenced HTTP proxy server view is one of the following types:

·     Non-default HTTP proxy server view—The configurations in the view can only proxy the Web servers of the allowlist domain names specified by the domain-name command.

·     Default HTTP proxy server view—If the Web resources requested by the client do not match the domain names specified in any HTTP proxy server view, the device will use the configurations in the default HTTP proxy server view for proxy.

Restrictions and guidelines

If no default HTTP proxy server view is specified among the referenced HTTP proxy server views, the HTTP proxy service cannot be enabled. You can specify only a referenced HTTP proxy server view as the default HTTP proxy server view.

If the cache-data, domain-name, extlink-href enable, failed-extlink inform, failed-extlink redirect, medialink-proxy enable, hyperlink-proxy, ipv6-address, or protocol-type command is configured in an HTTP proxy service view, you cannot reference the HTTP proxy server view.

Prerequisites

Configure reference to an HTTP proxy server view when the HTTP proxy service is disabled. You can enable the HTTP proxy service again after completing the configurations.

Procedure

1.     Enter system view.

system-view

2.     Create an HTTP proxy service and enter its view.

http-proxy service service-name

In standalone mode:

http-proxy service service-name slot slot-number

In IRF mode:

http-proxy service service-name chassis chassis-number slot slot-number

3.     Specify a referenced HTTP proxy server view as the default HTTP proxy server view.

include server server-name default

By default, no HTTP proxy server view is referenced in an HTTP proxy service.

4.     (Optional.) Specify a referenced HTTP proxy server view as the non-default HTTP proxy server view.

include server server-name

By default, no HTTP proxy server view is referenced in an HTTP proxy service.

Enabling wildcard domain name encryption feature for an HTTP proxy service

About this task

With the wildcard domain name encryption feature enabled, in external link proxy, the device uses the specified algorithm to encrypt the external link containing the wildcard domain name. When the client accesses the external link later, the HTTP or HTTPS requests sent by the client carry the encrypted external link. The device will decrypt the link and then proxy the resource, so as to prevent illegal users from forging the wildcard domain name to access the external link and occupying proxy resources.

Restrictions and guidelines

To use this feature in HTTP proxy service view, you must first execute the include server command to reference an HTTP proxy server view. To cancel the reference to an HTTP proxy server view, first disable the wildcard domain name encryption feature in the current HTTP proxy service view.

Prerequisites

Before enabling wildcard domain name encryption for an HTTP proxy service, first disable the HTTP proxy service and reference the HTTP proxy server view.

Procedure

1.     Enter system view.

system-view

2.     Create an HTTP proxy service and enter its view.

In standalone mode:

http-proxy service service-name slot slot-number

In IRF mode:

http-proxy service service-name chassis chassis-number slot slot-number

3.     Enable wildcard domain name encryption feature for an HTTP proxy service.

extlink-encryption algorithm { algx | algy | algz }

By default, the wildcard domain name encryption feature for an HTTP proxy service is disabled.

Configuring the HTTP proxy operation recording

You can reuse the configurations in an HTTP proxy service view to configure the feature in an HTTP proxy server view. For more information, see "Configuring the HTTP proxy operation recording" in an HTTP proxy service view.

Enabling an HTTP proxy service

1.     Enter system view.

system-view

2.     Enter the view of an HTTP proxy service.

In standalone mode:

http-proxy service service-name slot slot-number

In IRF mode:

http-proxy service service-name chassis chassis-number slot slot-number

3.     Enable the HTTP proxy service.

service enable

By default, an HTTP proxy service is disabled.

Display and maintenance commands for HTTP proxy in an HTTP proxy server view

Execute display commands in any view.

 

Task                                                              Command

Display configuration information in an HTTP proxy service view.  display http-proxy { server-group [ group-name ] | service [ service-name ] }

Display configuration information in an HTTP proxy server view.   display http-proxy server server-name

HTTP proxy configuration examples in an HTTP proxy server view

Example: Configuring the device to proxy HTTP requests

Network configuration

As shown in Figure 9, configure the device to proxy HTTP requests from an IPv6 host to the specified IPv4 Web servers.

·     Create three HTTP proxy server views, servera, serverb, and serverc. Use the configurations in servera, serverb, and serverc to proxy HTTP requests from the IPv6 host to server A, server B, and server C, respectively.

·     Make the client access all external link resources on server A and server B through proxy, but only access the external link with domain name test.example.org on server C.

·     Enable wildcard domain name encryption feature for the HTTP proxy service.

·     Enable the HTTP proxy operation recording.

·     Server A uses domain name testa.example.cn and port number 8001 to provide the service. Server B uses domain name testb.example.cn and port number 8002 to provide the service. Server C uses domain name testc.example.cn and port number 8003 to provide the service.

Figure 9 Network diagram

Prerequisites

Assign IP addresses and subnet mask to interfaces. (Details not shown.)

Make sure domain names testa.example.cn, testb.example.cn, and testc.example.cn can be resolved into an IPv4 address reachable for the device through the DNS server, or IPv6 address 2001::1/64, 2001::2/64, 2001::3/64, respectively.

Make sure wildcard domain name example.cn can be resolved into IPv6 address 2001::1/64, 2001::2/64, 2001::3/64.

Procedure

1.     Enable DNS proxy.

<Device> system-view

[Device] dns proxy enable

2.     Configure an HTTP proxy service:

# Create HTTP proxy service proxyservice and enter its view.

[Device] http-proxy service proxyservice

# Specify DNS server at 8.8.8.8 for HTTP proxy service proxyservice.

[Device-http-proxy-service-proxyservice] dns-server 8.8.8.8

# Specify wildcard domain name example.cn for HTTP proxy service proxyservice.

[Device-http-proxy-service-proxyservice] wildcard-domain-name example.cn

# Specify algorithm x to encrypt the external link domain name containing the wildcard domain name for HTTP proxy service proxyservice.

[Device-http-proxy-service-proxyservice] extlink-encryption algorithm algx

# Enable the HTTP proxy operation recording.

[Device-http-proxy-service-proxyservice] access-record enable file-path flash:/httpproxy/20211111.log

[Device-http-proxy-service-proxyservice] quit

3.     Configure HTTP proxy servers:

○     Configure servera:

# Create HTTP proxy server view servera and enter its view.

[Device] http-proxy server servera

# Specify allowlist domain name testa.example.cn for an HTTP proxy service in the server view.

[Device-http-proxy-server-servera] domain-name testa.example.cn

# Specify HTTP and port number 8001 as the protocol type and listening port number of the HTTP proxy service.

[Device-http-proxy-server-servera] protocol-type http port 8001

# Specify 2001::1 as the IPv6 address of the HTTP proxy service.

[Device-http-proxy-server-servera] ipv6-address 2001::1

# Enable external link reference for the HTTP proxy service.

[Device-http-proxy-server-servera] extlink-href enable

[Device-http-proxy-server-servera] quit

○     Configure serverb:

# Create HTTP proxy server view serverb and enter its view.

[Device] http-proxy server serverb

# Specify allowlist domain name testb.example.cn for an HTTP proxy service in the server view.

[Device-http-proxy-server-serverb] domain-name testb.example.cn

# Specify HTTP and port number 8002 as the protocol type and listening port number of the HTTP proxy service.

[Device-http-proxy-server-serverb] protocol-type http port 8002

# Specify 2001::2 as the IPv6 address of the HTTP proxy service.

[Device-http-proxy-server-serverb] ipv6-address 2001::2

# Enable external link reference for the HTTP proxy service.

[Device-http-proxy-server-serverb] extlink-href enable

[Device-http-proxy-server-serverb] quit

○     Configure serverc:

# Create HTTP proxy server view serverc and enter its view.

[Device] http-proxy server serverc

# Specify allowlist domain name testc.example.cn for an HTTP proxy service in the server view.

[Device-http-proxy-server-serverc] domain-name testc.example.cn

# Specify HTTP and port number 8003 as the protocol type and listening port number of the HTTP proxy service.

[Device-http-proxy-server-serverc] protocol-type http port 8003

# Specify 2001::3 as the IPv6 address of the HTTP proxy service.

[Device-http-proxy-server-serverc] ipv6-address 2001::3

# Configure external link test.example.org to be proxied for the HTTP proxy service.

[Device-http-proxy-server-serverc] include-external-domain http://test.example.org

[Device-http-proxy-server-serverc] quit

4.     Reference the HTTP proxy views:

# Reference HTTP proxy server view servera, and specify it as the default HTTP proxy server view.

[Device] http-proxy service proxyservice

[Device-http-proxy-service-proxyservice] include server servera default

# Reference HTTP proxy server view serverb, and specify it as a non-default HTTP proxy server view.

[Device-http-proxy-service-proxyservice] include server serverb

# Reference HTTP proxy server view serverc, and specify it as a non-default HTTP proxy server view.

[Device-http-proxy-service-proxyservice] include server serverc

5.     Enable the HTTP proxy service.

[Device-http-proxy-service-proxyservice] service enable

[Device-http-proxy-service-proxyservice] quit

[Device] quit

Verifying the configuration

# Display the configuration information in the HTTP proxy server views. Take servera as an example. The configurations of serverb and serverc are similar to that of servera. (Details not shown.)

[Sysname] display http-proxy server servera

  Server name: servera

  IPv6 address:                    2001::1

  Allowlist domain names:          testa.example.cn

  Protocol types:                  HTTP at port 8001

  Failed extlink error codes:      N/A

  Excluded external domain name:   N/A

  Restore request header name:     N/A

  Replace response header name:    N/A

  Include external domain name:    N/A

  Include redirect domain name:    N/A

  Referer protection domain name:  N/A

    Allowlist:                     N/A

  Delete cookie flag:              N/A

  Restore request querystring:     Disabled

  Extlink href:                    Enabled

  Failed extlink inform:           Disabled

  Cache data:                      Disabled

    Cache file path:               N/A

# Display the configuration information in the HTTP proxy service view.

<Sysname> display http-proxy service proxyservice

HTTP proxy name: proxyservice

  IPv6 address:                    N/A

  Allowlist domain names:          N/A

  Protocol types:                  N/A

  SSL certificate directory:       N/A

  Domain name:                     N/A

    SSL certificate file:          N/A

    SSL key files:                 N/A

  Hyperlink proxy strings:         N/A

  Failed extlink error codes:      N/A

  DNS servers:                     8.8.8.8

  Denylist domain names:           N/A

  Monitored keyword:               N/A

    Replaced by                    N/A

  Excluded external domain name:   N/A

  Include Server:                  servera

                                   serverb

                                   serverc

  IP pools:                        N/A

  Wildcard domain name:            example.cn

  Extlink href:                    Disabled

  URL protection:                  Disabled

  Referer protection:              Disabled

  Medialink proxy:                 Disabled

  Failed extlink inform:           Disabled

  Cache data:                      Disabled

    Cache file path:               N/A

  HTTP proxy operation recording:  Enabled

    Operation record file path:    flash:/httpproxy/20211111.log

    Max zone size                  4096MB

    Single file size               10MB

  Extlink encryption algorithm:    algx

  HTTP proxy status:               Enabled

The output shows that the HTTP proxy service is configured with correct parameters and has been enabled.

# Display the content of the HTTP proxy operation recording file generated by the HTTP proxy service.

<Device> more flash:/httpproxy/20211111.log

[11/Nov/2021:16:11:35 +0800]  Client=2001::4  URL=http://testa.example.cn/desert.jpg  Server=192.168.1.101:8001

[11/Nov/2021:16:11:35 +0800]  Client=2001::4  URL=http://testa.example.cn/config.js  Server=192.168.1.101:8001

[11/Nov/2021:16:11:36 +0800]  Client=2001::4  URL=http://testb.example.cn/config.js  Server=192.168.1.102:8002

[11/Nov/2021:16:11:36 +0800]  Client=2001::4  URL=http://testb.example.cn/desert.jpg  Server=192.168.1.102:8002

[11/Nov/2021:16:11:36 +0800]  Client=2001::4  URL=http://testc.example.cn/config.js  Server=192.168.1.102:8002

[11/Nov/2021:16:11:36 +0800]  Client=2001::4  URL=http://testc.example.cn/desert.jpg  Server=192.168.1.102:8002

The output shows that the IPv6 host can access server A proxied by the HTTP proxy service and the proxy information is correctly recorded in the file, indicating that the HTTP proxy service has taken effect.
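The operation record can also be checked mechanically rather than by eye. The following Python script is an added example, not part of this guide or of H3C software: it parses the record layout shown above and compares the port in each Server field with the port the network configuration assigns to the requested domain. Treating the Server field's port as that service port is an assumption.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Record layout as shown in the guide's sample output.
RECORD = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+Client=(?P<client>\S+)\s+"
    r"URL=(?P<url>\S+)\s+Server=(?P<server>\S+)\s*$"
)

# Domain -> service port, as stated in the network configuration of this example.
EXPECTED_PORT = {
    "testa.example.cn": 8001,
    "testb.example.cn": 8002,
    "testc.example.cn": 8003,
}

# The six records from the guide's sample output, copied unchanged.
RECORDS = """\
[11/Nov/2021:16:11:35 +0800]  Client=2001::4  URL=http://testa.example.cn/desert.jpg  Server=192.168.1.101:8001
[11/Nov/2021:16:11:35 +0800]  Client=2001::4  URL=http://testa.example.cn/config.js  Server=192.168.1.101:8001
[11/Nov/2021:16:11:36 +0800]  Client=2001::4  URL=http://testb.example.cn/config.js  Server=192.168.1.102:8002
[11/Nov/2021:16:11:36 +0800]  Client=2001::4  URL=http://testb.example.cn/desert.jpg  Server=192.168.1.102:8002
[11/Nov/2021:16:11:36 +0800]  Client=2001::4  URL=http://testc.example.cn/config.js  Server=192.168.1.102:8002
[11/Nov/2021:16:11:36 +0800]  Client=2001::4  URL=http://testc.example.cn/desert.jpg  Server=192.168.1.102:8002
"""


def parse_record(line):
    """Parse one record into a dict, or return None if it does not fit the layout."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    try:
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        backend_ip, _, backend_port = m["server"].rpartition(":")
        port = int(backend_port)
        host = urlsplit(m["url"]).hostname
    except ValueError:
        return None
    if not host or not backend_ip:
        return None
    return {
        "time": when,
        "client": m["client"],
        "url": m["url"],
        "host": host.lower(),
        "backend_ip": backend_ip,
        "backend_port": port,
    }


def audit(text, expected=EXPECTED_PORT):
    """Return (line_no, kind, detail) for every record that needs a second look."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None:
            # Truncated or hand-edited record: report it instead of skipping it.
            findings.append((n, "malformed", line.strip()))
        elif rec["host"] not in expected:
            # Not an allowlist domain, for example a proxied external link.
            findings.append((n, "unmapped-host", rec["host"]))
        elif rec["backend_port"] != expected[rec["host"]]:
            detail = "{} -> {}:{} (expected port {})".format(
                rec["host"], rec["backend_ip"], rec["backend_port"],
                expected[rec["host"]],
            )
            findings.append((n, "port-mismatch", detail))
    return findings


if __name__ == "__main__":
    for line_no, kind, detail in audit(RECORDS):
        print(f"record {line_no}: {kind}: {detail}")
```

Run on the six records above, it reports the two testc.example.cn entries, whose Server field is 192.168.1.102:8002.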

Example: Configuring the device to proxy HTTPS requests

Network configuration

As shown in Figure 10, configure the device to proxy HTTPS requests from an IPv6 host to the specified IPv4 Web servers.

·     Create three HTTP proxy server views, servera, serverb, and serverc. Use the configurations in servera, serverb, and serverc to proxy HTTPS requests from the IPv6 host to server A, server B, and server C, respectively.

·     Make the client access all external link resources on server A and server B through proxy, but only access the external link with domain name test.example.org on server C.

·     Enable wildcard domain name encryption feature for the HTTP proxy service.

·     Enable the HTTP proxy operation recording.

·     Server A uses domain name testa.example.cn and port number 8001 to provide the service. Server B uses domain name testb.example.cn and port number 8002 to provide the service. Server C uses domain name testc.example.cn and port number 8003 to provide the service.

Figure 10 Network diagram

Prerequisites

Assign IP addresses and subnet mask to interfaces. (Details not shown.)

Make sure domain names testa.example.cn, testb.example.cn, and testc.example.cn can be resolved into an IPv4 address reachable for the device through the DNS server, or IPv6 address 2001::1/64, 2001::2/64, 2001::3/64, respectively.

Make sure wildcard domain name example.cn can be resolved into IPv6 address 2001::1/64, 2001::2/64, 2001::3/64.

Procedure

1.     Upload an SSL certificate file and SSL certificate key file of server A, server B, and server C to specified paths on the device through FTP or TFTP. For more information about FTP and TFTP configuration, see Fundamentals Configuration Guide.

<Device> tftp 2001::1 get httpproxya.key flash:/certa.key

Press CTRL+C to abort.

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100     8  100     8    0     0    330      0 --:--:-- --:--:-- --:--:--   571

Writing file...Done.

<Device> tftp 2001::1 get httpproxya.pem flash:/certa.pem

Press CTRL+C to abort.

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100     8  100     8    0     0    330      0 --:--:-- --:--:-- --:--:--   571

Writing file...Done.

<Device> tftp 2001::1 get httpproxyb.key flash:/certb.key

Press CTRL+C to abort.

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100     8  100     8    0     0    330      0 --:--:-- --:--:-- --:--:--   571

Writing file...Done.

<Device> tftp 2001::1 get httpproxyb.pem flash:/certb.pem

Press CTRL+C to abort.

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100     8  100     8    0     0    330      0 --:--:-- --:--:-- --:--:--   571

Writing file...Done.

<Device> tftp 2001::1 get httpproxyc.key flash:/certc.key

Press CTRL+C to abort.

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100     8  100     8    0     0    330      0 --:--:-- --:--:-- --:--:--   571

Writing file...Done.

<Device> tftp 2001::1 get httpproxyc.pem flash:/certc.pem

Press CTRL+C to abort.

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100     8  100     8    0     0    330      0 --:--:-- --:--:-- --:--:--   571

Writing file...Done.

2.     Enable DNS proxy.

<Device> system-view

[Device] dns proxy enable

3.     Configure an HTTP proxy service:

# Create HTTP proxy service proxyservice and enter its view.

[Device] http-proxy service proxyservice

# Specify DNS server at 8.8.8.8 for HTTP proxy service proxyservice.

[Device-http-proxy-service-proxyservice] dns-server 8.8.8.8

# Specify directory flash:/ to store the SSL certificate files and SSL certificate key files.

[Device-http-proxy-service-proxyservice] ssl certificate directory flash:/

# Specify SSL certificate file certa.pem and SSL certificate key file certa.key for HTTP proxy service proxyservice to allow it to proxy the HTTPS requests for domain name testa.example.cn.

[Device-http-proxy-service-proxyservice] ssl certificate domain-name testa.example.cn file certa.pem key-file certa.key

# Specify SSL certificate file certb.pem and SSL certificate key file certb.key for HTTP proxy service proxyservice to allow it to proxy the HTTPS requests for domain name testb.example.cn.

[Device-http-proxy-service-proxyservice] ssl certificate domain-name testb.example.cn file certb.pem key-file certb.key

# Specify SSL certificate file certc.pem and SSL certificate key file certc.key for HTTP proxy service proxyservice to allow it to proxy the HTTPS requests for domain name testc.example.cn.

[Device-http-proxy-service-proxyservice] ssl certificate domain-name testc.example.cn file certc.pem key-file certc.key

# Specify wildcard domain name example.cn for HTTP proxy service proxyservice.

[Device-http-proxy-service-proxyservice] wildcard-domain-name example.cn

# Specify algorithm x to encrypt the external link domain name containing the wildcard domain name for HTTP proxy service proxyservice.

[Device-http-proxy-service-proxyservice] extlink-encryption algorithm algx

# Enable the HTTP proxy operation recording.

[Device-http-proxy-service-proxyservice] access-record enable file-path flash:/httpproxy/20211111.log

[Device-http-proxy-service-proxyservice] quit

4.     Configure HTTP proxy servers:

○     Configure servera:

# Create HTTP proxy server view servera and enter its view.

[Device] http-proxy server servera

# Specify allowlist domain name testa.example.cn for an HTTP proxy service in the server view.

[Device-http-proxy-server-servera] domain-name testa.example.cn

# Specify HTTPS and port number 8001 as the protocol type and listening port number of the HTTP proxy service.

[Device-http-proxy-server-servera] protocol-type https port 8001

# Specify 2001::1 as the IPv6 address of the HTTP proxy service.

[Device-http-proxy-server-servera] ipv6-address 2001::1

# Enable external link reference for the HTTP proxy service.

[Device-http-proxy-server-servera] extlink-href enable

[Device-http-proxy-server-servera] quit

○     Configure serverb:

# Create HTTP proxy server view serverb and enter its view.

[Device] http-proxy server serverb

# Specify allowlist domain name testb.example.cn for an HTTP proxy service in the server view.

[Device-http-proxy-server-serverb] domain-name testb.example.cn

# Specify HTTPS and port number 8002 as the protocol type and listening port number of the HTTP proxy service.

[Device-http-proxy-server-serverb] protocol-type https port 8002

# Specify 2001::2 as the IPv6 address of the HTTP proxy service.

[Device-http-proxy-server-serverb] ipv6-address 2001::2

# Enable external link reference for the HTTP proxy service.

[Device-http-proxy-server-serverb] extlink-href enable

[Device-http-proxy-server-serverb] quit

○     Configure serverc:

# Create HTTP proxy server view serverc and enter its view.

[Device] http-proxy server serverc

# Specify allowlist domain name testc.example.cn for an HTTP proxy service in the server view.

[Device-http-proxy-server-serverc] domain-name testc.example.cn

# Specify HTTPS and port number 8003 as the protocol type and listening port number of the HTTP proxy service.

[Device-http-proxy-server-serverc] protocol-type https port 8003

# Specify 2001::3 as the IPv6 address of the HTTP proxy service.

[Device-http-proxy-server-serverc] ipv6-address 2001::3

# Configure external link test.example.org to be proxied for the HTTP proxy service.

[Device-http-proxy-server-serverc] include-external-domain http://test.example.org

[Device-http-proxy-server-serverc] quit

5.     Reference the HTTP proxy views:

# Reference HTTP proxy server view servera, and specify it as the default HTTP proxy server view.

[Device] http-proxy service proxyservice

[Device-http-proxy-service-proxyservice] include server servera default

# Reference HTTP proxy server view serverb, and specify it as a non-default HTTP proxy server view.

[Device-http-proxy-service-proxyservice] include server serverb

# Reference HTTP proxy server view serverc, and specify it as a non-default HTTP proxy server view.

[Device-http-proxy-service-proxyservice] include server serverc

6.     Enable the HTTP proxy service.

[Device-http-proxy-service-proxyservice] service enable

[Device-http-proxy-service-proxyservice] quit

[Device] quit

Verifying the configuration

# Display the configuration information in the HTTP proxy server views. Take servera as an example. The configurations of serverb and serverc are similar to that of servera. (Details not shown.)

[Sysname] display http-proxy server servera

  Server name: servera

  IPv6 address:                    2001::1

  Allowlist domain names:          testa.example.cn

  Protocol types:                  HTTPS at port 8001

  Failed extlink error codes:      N/A

  Excluded external domain name:   N/A

  Restore request header name:     N/A

  Replace response header name:    N/A

  Include external domain name:    N/A

  Include redirect domain name:    N/A

  Referer protection domain name:  N/A

    Allowlist:                     N/A

  Delete cookie flag:              N/A

  Restore request querystring:     Disabled

  Extlink href:                    Enabled

  Failed extlink inform:           Disabled

  Cache data:                      Disabled

    Cache file path:               N/A

# Display the configuration information in the HTTP proxy service view.

<Sysname> display http-proxy service proxyservice

HTTP proxy name: proxyservice

  IPv6 address:                    N/A

  Allowlist domain names:          N/A

  Protocol types:                  N/A

  SSL certificate directory:       N/A

  SSL certificate directory:       flash:/

  Domain name:                     testa.example.cn

    SSL certificate file:          certa.pem

    SSL key files:                 certa.key

  Domain name:                     testb.example.cn

    SSL certificate file:          certb.pem

    SSL key files:                 certb.key

  Domain name:                     testc.example.cn

    SSL certificate file:          certc.pem

    SSL key files:                 certc.key

  Hyperlink proxy strings:         N/A

  Failed extlink error codes:      N/A

  DNS servers:                     8.8.8.8

  Denylist domain names:           N/A

  Monitored keyword:               N/A

    Replaced by                    N/A

  Excluded external domain name:   N/A

  Include Server:                  servera

                                   serverb

                                   serverc

  IP pools:                        N/A

  Wildcard domain name:            example.cn

  Extlink href:                    Disabled

  URL protection:                  Disabled

  Referer protection:              Disabled

  Medialink proxy:                 Disabled

  Failed extlink inform:           Disabled

  Cache data:                      Disabled

    Cache file path:               N/A

  HTTP proxy operation recording:  Enabled

    Operation record file path:    flash:/httpproxy/20211111.log

    Max zone size                  4096MB

    Single file size               10MB

  Extlink encryption algorithm:    algx

  HTTP proxy status:               Enabled

The output shows that the HTTP proxy service is configured with correct parameters and has been enabled.

# Display the content of the HTTP proxy operation recording file generated by the HTTP proxy service.

<Device> more flash:/httpproxy/20211111.log

[11/Nov/2021:16:11:35 +0800]  Client=2001::4  URL=https://testa.example.cn/desert.jpg  Server=192.168.1.101:8001

[11/Nov/2021:16:11:35 +0800]  Client=2001::4  URL=https://testa.example.cn/config.js  Server=192.168.1.101:8001

[11/Nov/2021:16:11:36 +0800]  Client=2001::4  URL=https://testb.example.cn/config.js  Server=192.168.1.102:8002

[11/Nov/2021:16:11:36 +0800]  Client=2001::4  URL=https://testb.example.cn/desert.jpg  Server=192.168.1.102:8002

[11/Nov/2021:16:11:36 +0800]  Client=2001::4  URL=https://testc.example.cn/config.js  Server=192.168.1.102:8002

[11/Nov/2021:16:11:36 +0800]  Client=2001::4  URL=https://testc.example.cn/desert.jpg  Server=192.168.1.102:8002

The output shows that the IPv6 host can access server A proxied by the HTTP proxy service and the proxy information is correctly recorded in the file, indicating that the HTTP proxy service has taken effect.

HTTP proxy configuration examples in an HTTP proxy server view (in standalone mode)

Example: Configuring the device to proxy HTTP requests

Network configuration

As shown in Figure 11, configure the device to proxy HTTP requests from an IPv6 host to the specified IPv4 Web servers.

·     Create three HTTP proxy server views, servera, serverb, and serverc. Use the configurations in servera, serverb, and serverc to proxy HTTP requests from the IPv6 host to server A, server B, and server C, respectively.

·     Make the client access all external link resources on server A and server B through proxy, but only access the external link with domain name test.example.org on server C.

·     Enable wildcard domain name encryption feature for the HTTP proxy service.

·     Enable the HTTP proxy operation recording.

·     Server A uses domain name testa.example.cn and port number 8001 to provide the service. Server B uses domain name testb.example.cn and port number 8002 to provide the service. Server C uses domain name testc.example.cn and port number 8003 to provide the service.

Figure 11 Network diagram

Prerequisites

Assign IP addresses and subnet mask to interfaces. (Details not shown.)

Make sure domain names testa.example.cn, testb.example.cn, and testc.example.cn can be resolved into an IPv4 address reachable for the device through the DNS server, or IPv6 address 2001::1/64, 2001::2/64, 2001::3/64, respectively.

Make sure wildcard domain name example.cn can be resolved into IPv6 address 2001::1/64, 2001::2/64, 2001::3/64.

Procedure

1.     Enable DNS proxy.

<Device> system-view

[Device] dns proxy enable

2.     Configure an HTTP proxy service:

# Create HTTP proxy service proxyservice and enter its view.

[Device] http-proxy service proxyservice slot 1

# Specify DNS server at 8.8.8.8 for HTTP proxy service proxyservice.

[Device-http-proxy-service-proxyservice-slot1] dns-server 8.8.8.8

# Specify wildcard domain name example.cn for HTTP proxy service proxyservice.

[Device-http-proxy-service-proxyservice-slot1] wildcard-domain-name example.cn

# Specify algorithm x to encrypt the external link domain name containing the wildcard domain name for HTTP proxy service proxyservice.

[Device-http-proxy-service-proxyservice-slot1] extlink-encryption algorithm algx

# Enable the HTTP proxy operation recording.

[Device-http-proxy-service-proxyservice-slot1] access-record enable file-path slot1#flash:/httpproxy/20211111.log

[Device-http-proxy-service-proxyservice-slot1] quit

3.     Configure HTTP proxy servers:

○     Configure servera:

# Create HTTP proxy server view servera and enter its view.

[Device] http-proxy server servera

# Specify allowlist domain name testa.example.cn for an HTTP proxy service in the server view.

[Device-http-proxy-server-servera] domain-name testa.example.cn

# Specify HTTP and port number 8001 as the protocol type and listening port number of the HTTP proxy service.

[Device-http-proxy-server-servera] protocol-type http port 8001

# Specify 2001::1 as the IPv6 address of the HTTP proxy service.

[Device-http-proxy-server-servera] ipv6-address 2001::1

# Enable external link reference for the HTTP proxy service.

[Device-http-proxy-server-servera] extlink-href enable

[Device-http-proxy-server-servera] quit

○     Configure serverb:

# Create HTTP proxy server view serverb and enter its view.

[Device] http-proxy server serverb

# Specify allowlist domain name testb.example.cn for an HTTP proxy service in the server view.

[Device-http-proxy-server-serverb] domain-name testb.example.cn

# Specify HTTP and port number 8002 as the protocol type and listening port number of the HTTP proxy service.

[Device-http-proxy-server-serverb] protocol-type http port 8002

# Specify 2001::2 as the IPv6 address of the HTTP proxy service.

[Device-http-proxy-server-serverb] ipv6-address 2001::2

# Enable external link reference for the HTTP proxy service.

[Device-http-proxy-server-serverb] extlink-href enable

[Device-http-proxy-server-serverb] quit

○     Configure serverc:

# Create HTTP proxy server view serverc and enter its view.

[Device] http-proxy server serverc

# Specify allowlist domain name testc.example.cn for an HTTP proxy service in the server view.

[Device-http-proxy-server-serverc] domain-name testc.example.cn

# Specify HTTP and port number 8003 as the protocol type and listening port number of the HTTP proxy service.

[Device-http-proxy-server-serverc] protocol-type http port 8003

# Specify 2001::3 as the IPv6 address of the HTTP proxy service.

[Device-http-proxy-server-serverc] ipv6-address 2001::3

# Configure external link test.example.org to be proxied for the HTTP proxy service.

[Device-http-proxy-server-serverc] include-external-domain http://test.example.org

[Device-http-proxy-server-serverc] quit

4.     Reference the HTTP proxy views:

# Reference HTTP proxy server view servera, and specify it as the default HTTP proxy server view.

[Device] http-proxy service proxyservice slot 1

[Device-http-proxy-service-proxyservice-slot1] include server servera default

# Reference HTTP proxy server view serverb, and specify it as a non-default HTTP proxy server view.

[Device-http-proxy-service-proxyservice-slot1] include server serverb

# Reference HTTP proxy server view serverc, and specify it as a non-default HTTP proxy server view.

[Device-http-proxy-service-proxyservice-slot1] include server serverc

5.     Enable the HTTP proxy service.

[Device-http-proxy-service-proxyservice-slot1] service enable

[Device-http-proxy-service-proxyservice-slot1] quit

[Device] quit

Verifying the configuration

# Display the configuration information in the HTTP proxy server views. Take servera as an example. The configurations of serverb and serverc are similar to that of servera. (Details not shown.)

[Sysname] display http-proxy server servera

  Server name: servera

  IPv6 address:                    2001::1

  Allowlist domain names:          testa.example.cn

  Protocol types:                  HTTP at port 8001

  Failed extlink error codes:      N/A

  Excluded external domain name:   N/A

  Restore request header name:     N/A

  Replace response header name:    N/A

  Include external domain name:    N/A

  Include redirect domain name:    N/A

  Referer protection domain name:  N/A

    Allowlist:                     N/A

  Delete cookie flag:              N/A

  Restore request querystring:     Disabled

  Extlink href:                    Enabled

  Failed extlink inform:           Disabled

  Cache data:                      Disabled

    Cache file path:               N/A

# Display the configuration information in the HTTP proxy service view.

<Sysname> display http-proxy service proxyservice

HTTP proxy name: proxyservice

  IPv6 address:                    N/A

  Allowlist domain names:          N/A

  Protocol types:                  N/A

  SSL certificate directory:       N/A

  Domain name:                     N/A

    SSL certificate file:          N/A

    SSL key files:                 N/A

  Hyperlink proxy strings:         N/A

  Failed extlink error codes:      N/A

  DNS servers:                     8.8.8.8

  Denylist domain names:           N/A

  Monitored keyword:               N/A

    Replaced by                    N/A

  Excluded external domain name:   N/A

  Include Server:                  servera

                                   serverb

                                   serverc

  IP pools:                        N/A

  Wildcard domain name:            example.cn

  Extlink href:                    Disabled

  URL protection:                  Disabled

  Referer protection:              Disabled

  Medialink proxy:                 Disabled

  Failed extlink inform:           Disabled

  Cache data:                      Disabled

    Cache file path:               N/A

  HTTP proxy operation recording:  Enabled

    Operation record file path:    slot1#flash:/httpproxy/20211111.log

    Max zone size                  4096MB

    Single file size               10MB

  Extlink encryption algorithm:    algx

  HTTP proxy status:               Enabled

The output shows that the HTTP proxy service is configured with correct parameters and has been enabled.

# Display the content of the HTTP proxy operation recording file generated by the HTTP proxy service.

<Device> more slot1#flash:/httpproxy/20211111.log

[11/Nov/2021:16:11:35 +0800]  Client=2001::4  URL=http://testa.example.cn/desert.jpg  Server=192.168.1.101:8001

[11/Nov/2021:16:11:35 +0800]  Client=2001::4  URL=http://testa.example.cn/config.js  Server=192.168.1.101:8001

[11/Nov/2021:16:11:36 +0800]  Client=2001::4  URL=http://testb.example.cn/config.js  Server=192.168.1.102:8002

[11/Nov/2021:16:11:36 +0800]  Client=2001::4  URL=http://testb.example.cn/desert.jpg  Server=192.168.1.102:8002

[11/Nov/2021:16:11:36 +0800]  Client=2001::4  URL=http://testc.example.cn/config.js  Server=192.168.1.102:8002

[11/Nov/2021:16:11:36 +0800]  Client=2001::4  URL=http://testc.example.cn/desert.jpg  Server=192.168.1.102:8002

The output shows that the IPv6 host can access server A proxied by the HTTP proxy service and the proxy information is correctly recorded in the file, indicating that the HTTP proxy service has taken effect.

Example: Configuring the device to proxy HTTPS requests

Network configuration

As shown in Figure 12, configure the device to proxy HTTPS requests from an IPv6 host to the specified IPv4 Web servers.

·     Create three HTTP proxy server views, servera, serverb, and serverc. Use the configurations in servera, serverb, and serverc to proxy HTTPS requests from the IPv6 host to server A, server B, and server C, respectively.

·     Allow the client to access all external link resources on server A and server B through the proxy, but only the external link with domain name test.example.org on server C.

·     Enable the wildcard domain name encryption feature for the HTTP proxy service.

·     Enable the HTTP proxy operation recording.

·     Server A uses domain name testa.example.cn and port number 8001 to provide the service. Server B uses domain name testb.example.cn and port number 8002 to provide the service. Server C uses domain name testc.example.cn and port number 8003 to provide the service.

Figure 12 Network diagram

Prerequisites

Assign IP addresses and subnet masks to interfaces. (Details not shown.)

Make sure domain names testa.example.cn, testb.example.cn, and testc.example.cn can be resolved through the DNS server into an IPv4 address reachable by the device, or into IPv6 addresses 2001::1/64, 2001::2/64, and 2001::3/64, respectively.

Make sure wildcard domain name example.cn can be resolved into IPv6 addresses 2001::1/64, 2001::2/64, and 2001::3/64.

Procedure

1.     Upload the SSL certificate file and SSL certificate key file of server A, server B, and server C to specified paths on the device through FTP or TFTP. For more information about FTP and TFTP configuration, see Fundamentals Configuration Guide.

<Device> tftp 2001::1 get httpproxya.key slot1#flash:/certa.key

Press CTRL+C to abort.

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100     8  100     8    0     0    330      0 --:--:-- --:--:-- --:--:--   571

Writing file...Done.

<Device> tftp 2001::1 get httpproxya.pem slot1#flash:/certa.pem

Press CTRL+C to abort.

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100     8  100     8    0     0    330      0 --:--:-- --:--:-- --:--:--   571

Writing file...Done.

<Device> tftp 2001::1 get httpproxyb.key slot1#flash:/certb.key

Press CTRL+C to abort.

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100     8  100     8    0     0    330      0 --:--:-- --:--:-- --:--:--   571

Writing file...Done.

<Device> tftp 2001::1 get httpproxyb.pem slot1#flash:/certb.pem

Press CTRL+C to abort.

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100     8  100     8    0     0    330      0 --:--:-- --:--:-- --:--:--   571

Writing file...Done.

<Device> tftp 2001::1 get httpproxyc.key slot1#flash:/certc.key

Press CTRL+C to abort.

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100     8  100     8    0     0    330      0 --:--:-- --:--:-- --:--:--   571

Writing file...Done.

<Device> tftp 2001::1 get httpproxyc.pem slot1#flash:/certc.pem

Press CTRL+C to abort.

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100     8  100     8    0     0    330      0 --:--:-- --:--:-- --:--:--   571

Writing file...Done.

2.     Enable DNS proxy.

<Device> system-view

[Device] dns proxy enable

3.     Configure an HTTP proxy service:

# Create HTTP proxy service proxyservice and enter its view.

[Device] http-proxy service proxyservice slot 1

# Specify DNS server at 8.8.8.8 for HTTP proxy service proxyservice.

[Device-http-proxy-service-proxyservice-slot1] dns-server 8.8.8.8

# Specify directory flash:/ to store the SSL certificate files and SSL certificate key files.

[Device-http-proxy-service-proxyservice-slot1] ssl certificate directory slot1#flash:/

# Specify SSL certificate file certa.pem and SSL certificate key file certa.key for HTTP proxy service proxyservice to allow it to proxy the HTTPS requests for domain name testa.example.cn.

[Device-http-proxy-service-proxyservice-slot1] ssl certificate domain-name testa.example.cn file certa.pem key-file certa.key

# Specify SSL certificate file certb.pem and SSL certificate key file certb.key for HTTP proxy service proxyservice to allow it to proxy the HTTPS requests for domain name testb.example.cn.

[Device-http-proxy-service-proxyservice-slot1] ssl certificate domain-name testb.example.cn file certb.pem key-file certb.key

# Specify SSL certificate file certc.pem and SSL certificate key file certc.key for HTTP proxy service proxyservice to allow it to proxy the HTTPS requests for domain name testc.example.cn.

[Device-http-proxy-service-proxyservice-slot1] ssl certificate domain-name testc.example.cn file certc.pem key-file certc.key

# Specify wildcard domain name example.cn for HTTP proxy service proxyservice.

[Device-http-proxy-service-proxyservice-slot1] wildcard-domain-name example.cn

# Specify algorithm x to encrypt the external link domain name containing the wildcard domain name for HTTP proxy service proxyservice.

[Device-http-proxy-service-proxyservice-slot1] extlink-encryption algorithm algx

# Enable the HTTP proxy operation recording.

[Device-http-proxy-service-proxyservice-slot1] access-record enable file-path slot1#flash:/httpproxy/20211111.log

[Device-http-proxy-service-proxyservice-slot1] quit

4.     Configure HTTP proxy servers:

○     Configure servera:

# Create HTTP proxy server view servera and enter its view.

[Device] http-proxy server servera

# Specify allowlist domain name testa.example.cn for an HTTP proxy service in the server view.

[Device-http-proxy-server-servera] domain-name testa.example.cn

# Specify HTTPS and port number 8001 as the protocol type and listening port number of the HTTP proxy service.

[Device-http-proxy-server-servera] protocol-type https port 8001

# Specify 2001::1 as the IPv6 address of the HTTP proxy service.

[Device-http-proxy-server-servera] ipv6-address 2001::1

# Enable external link reference for the HTTP proxy service.

[Device-http-proxy-server-servera] extlink-href enable

[Device-http-proxy-server-servera] quit

○     Configure serverb:

# Create HTTP proxy server view serverb and enter its view.

[Device] http-proxy server serverb

# Specify allowlist domain name testb.example.cn for an HTTP proxy service in the server view.

[Device-http-proxy-server-serverb] domain-name testb.example.cn

# Specify HTTPS and port number 8002 as the protocol type and listening port number of the HTTP proxy service.

[Device-http-proxy-server-serverb] protocol-type https port 8002

# Specify 2001::2 as the IPv6 address of the HTTP proxy service.

[Device-http-proxy-server-serverb] ipv6-address 2001::2

# Enable external link reference for the HTTP proxy service.

[Device-http-proxy-server-serverb] extlink-href enable

[Device-http-proxy-server-serverb] quit

○     Configure serverc:

# Create HTTP proxy server view serverc and enter its view.

[Device] http-proxy server serverc

# Specify allowlist domain name testc.example.cn for an HTTP proxy service in the server view.

[Device-http-proxy-server-serverc] domain-name testc.example.cn

# Specify HTTPS and port number 8003 as the protocol type and listening port number of the HTTP proxy service.

[Device-http-proxy-server-serverc] protocol-type https port 8003

# Specify 2001::3 as the IPv6 address of the HTTP proxy service.

[Device-http-proxy-server-serverc] ipv6-address 2001::3

# Configure external link test.example.org to be proxied for the HTTP proxy service.

[Device-http-proxy-server-serverc] include-external-domain http://test.example.org

[Device-http-proxy-server-serverc] quit

5.     Reference the HTTP proxy views:

# Reference HTTP proxy server view servera, and specify it as the default HTTP proxy server view.

[Device] http-proxy service proxyservice slot 1

[Device-http-proxy-service-proxyservice-slot1] include server servera default

# Reference HTTP proxy server view serverb, and specify it as a non-default HTTP proxy server view.

[Device-http-proxy-service-proxyservice-slot1] include server serverb

# Reference HTTP proxy server view serverc, and specify it as a non-default HTTP proxy server view.

[Device-http-proxy-service-proxyservice-slot1] include server serverc

6.     Enable the HTTP proxy service.

[Device-http-proxy-service-proxyservice-slot1] service enable

[Device-http-proxy-service-proxyservice-slot1] quit

[Device] quit

Verifying the configuration

# Display the configuration information in the HTTP proxy server views. Take servera as an example. The configurations of serverb and serverc are similar to that of servera. (Details not shown.)

[Sysname] display http-proxy server servera

  Server name: servera

  IPv6 address:                    2001::1

  Allowlist domain names:          testa.example.cn

  Protocol types:                  HTTPS at port 8001

  Failed extlink error codes:      N/A

  Excluded external domain name:   N/A

  Restore request header name:     N/A

  Replace response header name:    N/A

  Include external domain name:    N/A

  Include redirect domain name:    N/A

  Referer protection domain name:  N/A

    Allowlist:                     N/A

  Delete cookie flag:              N/A

  Restore request querystring:     Disabled

  Extlink href:                    Enabled

  Failed extlink inform:           Disabled

  Cache data:                      Disabled

    Cache file path:               N/A

# Display the configuration information in the HTTP proxy service view.

<Sysname> display http-proxy service proxyservice

HTTP proxy name: proxyservice

  IPv6 address:                    N/A

  Allowlist domain names:          N/A

  Protocol types:                  N/A

  SSL certificate directory:       N/A

  SSL certificate directory:       slot1#flash:/

  Domain name:                     testa.example.cn

    SSL certificate file:          certa.pem

    SSL key files:                 certa.key

  Domain name:                     testb.example.cn

    SSL certificate file:          certb.pem

    SSL key files:                 certb.key

  Domain name:                     testc.example.cn

    SSL certificate file:          certc.pem

    SSL key files:                 certc.key

  Hyperlink proxy strings:         N/A

  Failed extlink error codes:      N/A

  DNS servers:                     8.8.8.8

  Denylist domain names:           N/A

  Monitored keyword:               N/A

    Replaced by                    N/A

  Excluded external domain name:   N/A

  Include Server:                  servera

                                   serverb

                                   serverc

  IP pools:                        N/A

  Wildcard domain name:            example.cn

  Extlink href:                    Disabled

  URL protection:                  Disabled

  Referer protection:              Disabled

  Medialink proxy:                 Disabled

  Failed extlink inform:           Disabled

  Cache data:                      Disabled

    Cache file path:               N/A

  HTTP proxy operation recording:  Enabled

    Operation record file path:    slot1#flash:/httpproxy/20211111.log

    Max zone size                  4096MB

    Single file size               10MB

  Extlink encryption algorithm:    algx

  HTTP proxy status:               Enabled

The output shows that the HTTP proxy service is configured with correct parameters and has been enabled.

# Display the content of the HTTP proxy operation recording file generated by the HTTP proxy service.

<Device> more slot1#flash:/httpproxy/20211111.log

[11/Nov/2021:16:11:35 +0800]  Client=2001::4  URL=https://testa.example.cn/desert.jpg  Server=192.168.1.101:8001

[11/Nov/2021:16:11:35 +0800]  Client=2001::4  URL=https://testa.example.cn/config.js  Server=192.168.1.101:8001

[11/Nov/2021:16:11:36 +0800]  Client=2001::4  URL=https://testb.example.cn/config.js  Server=192.168.1.102:8002

[11/Nov/2021:16:11:36 +0800]  Client=2001::4  URL=https://testb.example.cn/desert.jpg  Server=192.168.1.102:8002

[11/Nov/2021:16:11:36 +0800]  Client=2001::4  URL=https://testc.example.cn/config.js  Server=192.168.1.102:8002

[11/Nov/2021:16:11:36 +0800]  Client=2001::4  URL=https://testc.example.cn/desert.jpg  Server=192.168.1.102:8002

The output shows that the IPv6 host can access server A proxied by the HTTP proxy service and the proxy information is correctly recorded in the file, indicating that the HTTP proxy service has taken effect.
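The operation recording file can also be checked offline against the intended design. The following is an added example, not H3C code: it parses records in the format shown above and reports any request that was not proxied over HTTPS, that targets a domain outside the allowlist, or that reached a backend port other than the one stated in the network configuration. The function name audit, the EXPECTED_PORT table, and the sample records are assumptions made for illustration, and the script assumes that only the three allowlist domains are expected to appear in the file.

```python
import re
from urllib.parse import urlsplit

# Assumption: expected backend port per allowlist domain (servers A, B, C).
EXPECTED_PORT = {
    "testa.example.cn": 8001,
    "testb.example.cn": 8002,
    "testc.example.cn": 8003,
}

# One record: [timestamp]  Client=<addr>  URL=<url>  Server=<addr>:<port>
RECORD = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+Client=(?P<client>\S+)\s+"
    r"URL=(?P<url>\S+)\s+Server=(?P<server>\S+):(?P<port>\d+)\s*$"
)

def audit(lines, require_https=True):
    """Return (line_no, reason, raw_line) for every record that deviates."""
    findings = []
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        m = RECORD.match(line)
        if m is None:
            findings.append((no, "unparseable record", line))
            continue
        url = urlsplit(m["url"])
        host = (url.hostname or "").lower()
        if require_https and url.scheme != "https":
            findings.append((no, "request not proxied over HTTPS", line))
        if host not in EXPECTED_PORT:
            findings.append((no, "domain not in allowlist", line))
        elif int(m["port"]) != EXPECTED_PORT[host]:
            findings.append((no, "unexpected backend port", line))
    return findings

# Constructed sample records in the format shown above (not device output).
SAMPLE = """\
[11/Nov/2021:16:11:35 +0800]  Client=2001::4  URL=https://testa.example.cn/desert.jpg  Server=192.168.1.101:8001
[11/Nov/2021:16:11:36 +0800]  Client=2001::4  URL=https://testc.example.cn/config.js  Server=192.168.1.102:8002
[11/Nov/2021:16:11:37 +0800]  Client=2001::4  URL=http://testb.example.cn/config.js  Server=192.168.1.102:8002
[11/Nov/2021:16:11:38 +0800]  Client=2001::4  URL=https://other.example.net/a.js  Server=192.168.1.103:8003
""".splitlines()

if __name__ == "__main__":
    for no, reason, line in audit(SAMPLE):
        print(f"line {no}: {reason}: {line}")
```

If the external link proxy feature rewrites external domains under the wildcard domain name, add those names to EXPECTED_PORT or treat the allowlist finding as informational.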


Troubleshooting HTTP proxy

HTTP proxy enabling failure

Symptom

HTTP proxy failed to be enabled.

Analysis

The TCP port number and IPv6 address specified for HTTP proxy might be used by other services.

Solution

To resolve the issue:

1.     Execute the display tcp command to display TCP port numbers in use.

2.     Enter HTTP proxy service view, execute the protocol-type command (http proxy service view) to specify a new port as the TCP listening port, and then enable the HTTP proxy service again.
