DeleGate – A Multi-platform, Multi-purpose Proxy Server

Introduction

A proxy server works as an intermediary for requests from clients seeking resources from other servers. There are various types of proxy servers. In this article we will briefly discuss some of the capabilities of DeleGate.

DeleGate is a multi-platform, multi-purpose, general purpose proxy server which runs on Unix, Windows, Mac OS X and OS/2. It allows various protocols to pass through it and can apply caching and conversion to the pass-through data, as well as access control and routing. Some of the protocols supported by DeleGate are HTTP, FTP, NNTP, SMTP, POP, IMAP, LDAP, Telnet, SOCKS and DNS. DeleGate can also translate protocols between client and server, for example converting between IPv4 and IPv6. Multiple servers can be combined to look like a single server using the aliasing and filtering capabilities of DeleGate. For various automated purposes, DeleGate can also be used as an origin server for HTTP, FTP and NNTP.

Configuring DeleGate

In order to install DeleGate on Linux, either the binary can be compiled from source or ready-to-use binaries can be used for 32-bit and 64-bit Linux systems. I could not find a package for DeleGate in the Debian, Ubuntu, Fedora or CentOS repositories, so the binary was the only option. Since I had only 64-bit environments at hand, I could only use the 64-bit version of the software. The 64-bit binary worked fine on Fedora 13 and CentOS 5.5, however I could not get it to work on Debian Lenny and Ubuntu. I did not try for too long, but to me it looked like there were some compatibility issues with the binaries. I will leave it to the readers to explore further or compile their own binaries from the source.

# mkdir -p /opt/delegate/{bin,etc} && cd /opt/delegate/bin
# wget http://www.delegate.org/anonftp/DeleGate/bin/linux/9.9.7/linux64-dg.gz
# gunzip linux64-dg.gz && chmod +x linux64-dg
# touch ../etc/dg.conf

The above commands have just created a directory layout for DeleGate (note that gunzip drops the .gz suffix, so the binary is chmod'ed as linux64-dg). Next we need to create a dedicated user to run DeleGate as, because running it as root is a very bad idea.

# useradd -M -c "Delegate Proxy User" -d /opt/delegate delegate
# chown -R delegate:delegate /opt/delegate

Let us use /opt/delegate/etc/dg.conf as the configuration file for DeleGate. I will discuss one sample configuration: DeleGate as an HTTP proxy. After you have created the desired configuration, you can start DeleGate as:

# su - delegate
$ bin/linux64-dg DGROOT="/opt/delegate" +=etc/dg.conf

After changing the configuration, do not forget to reload it by sending a HUP signal to the DeleGate process.

DeleGate Configuration Options Used

The following table describes the configuration options we use in this article.

-P
    Specifies on which port DeleGate will receive requests from clients. A host/IP address can be specified, as in -Plocalhost:8080 or -P192.168.1.1:8080. By default the port is a TCP port, unless a UDP based application protocol is specified in the SERVER=protocol parameter; you can still specify -P8080/UDP explicitly. You can also specify multiple host:port pairs on which DeleGate will listen, as a comma separated list.

-T
    Used to trace system calls. If this option is used, the signals occurring in the DeleGate process are watched by the parent DeleGate using ptrace(2). -Tx ensures that any DeleGate process which is about to execute the execve(2) system call is trapped and killed. This is a very useful security measure.

DGROOT
    At startup time DeleGate searches for an available DGROOT which is both readable and writable by the user. Typically it is ${HOME}/delegate, or "/" if CHROOT is used. This parameter needs to be specified on the command line.

SERVER
    Specifies the protocol to be used for communication with the clients.

REMITTABLE
    Only the listed protocols (relative to the SERVER protocol) will be permitted to be relayed by the DeleGate proxy. A typical list of protocols which are expected to be relayed through an HTTP proxy is http, https, gopher, ftp, wais.

CACHE
    Specifies whether the proxy uses a cache. A value of "no" disables the cache and a value of "do" enables it, creating CACHEDIR if it does not exist.

TIMEOUT
    Specifies the timeout period for an action, in seconds by default. A timeout value of "0" means "never time out". The value can also be given in days, hours or minutes, e.g. 1d, 1h, 1m. The action can be, for example, "shutout", which specifies that a suspicious client host is shut out until the relevant file (under ADMDIR/shutout/) is removed or expires after TIMEOUT. This is a good defense against attacks on the proxy.

MAXIMA
    Specifies maximum resource usage: number of processes, connections, etc. "randstack" randomizes the range of the stack base for security, "randenv" randomizes the range of the environment variables base and "randfd" randomizes the range of the client socket file descriptor.

ADMIN
    Specifies the admin contact who will receive emails from DeleGate on various events.

AUTHORIZER
    Specifies the server used for authentication and authorization. If specified, access by a client is not permitted unless it has authenticated successfully with the auth-server. We are using an inline list of username:password pairs for authentication. Various other authentication schemes are available, such as PAM.

DeleGate as HTTP Proxy

In this sample configuration we have configured DeleGate as an HTTP proxy with authentication and no caching. If you also want caching, change "CACHE=no" to "CACHE=do".

# su - delegate
$ vi /opt/delegate/etc/dg.conf
-P8080
-Tx
DGROOT="/opt/delegate"
SERVER=http
REMITTABLE="http,https/443,gopher,ftp,wais"
CACHE=no
TIMEOUT="shutout:30m"
MAXIMA="randstack:32"
MAXIMA="randenv:1024"
MAXIMA="randfd:32"
ADMIN=tech.support@unixclinic.net
AUTHORIZER="-list{user1:password1,user2:password2}"
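As an added example (not code from the article or from the DeleGate project), here is a small Python linter that parses a dg.conf written in the form shown above and flags the settings this article treats as security-relevant: a -P listener given without a host part, a missing -Tx, a missing or inline-plaintext AUTHORIZER, no "shutout" TIMEOUT, and missing MAXIMA randomisation. The check list and finding texts are my own; the embedded sample is the article's configuration, abbreviated to the lines the checks look at.

```python
import re

# Constructed sample: the article's dg.conf embedded as a string (lines the checks ignore omitted).
SAMPLE_CONF = """\
-P8080
-Tx
TIMEOUT="shutout:30m"
MAXIMA="randstack:32"
MAXIMA="randenv:1024"
MAXIMA="randfd:32"
AUTHORIZER="-list{user1:password1,user2:password2}"
"""

def parse_dgconf(text: str) -> dict:
    """Parameter name -> list of values; -P8080/-Tx keyed "-P"/"-T", repeats (MAXIMA) accumulate."""
    params: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sw = re.match(r"^(-[A-Za-z])(.*)$", line)
        if sw:
            key, val = sw.group(1), sw.group(2).strip()
        elif "=" in line:
            key, val = line.split("=", 1)
            val = val.strip().strip('"')
        else:
            continue  # not a parameter form we understand
        params.setdefault(key, []).append(val)
    return params

def audit(params: dict) -> list:
    """Return findings on weak or missing settings; empty when every check passes."""
    findings = []
    for spec in ",".join(params.get("-P", [])).split(","):  # comma list, optional /UDP suffix
        if spec and ":" not in spec.split("/", 1)[0]:
            findings.append(f"listener {spec} has no host part, so it listens on every interface")
    if not any("x" in v for v in params.get("-T", [])):
        findings.append("-Tx missing: execve() by DeleGate children is not trapped")
    auth = params.get("AUTHORIZER", [])
    if not auth:
        findings.append("no AUTHORIZER: anyone who can reach the port can relay through it")
    elif any(a.startswith("-list{") for a in auth):
        findings.append("AUTHORIZER -list holds plaintext passwords; keep dg.conf readable only by delegate")
    if not any(v.startswith("shutout:") for v in params.get("TIMEOUT", [])):
        findings.append("no TIMEOUT shutout: suspicious client hosts are never shut out")
    for knob in ("randstack", "randenv", "randfd"):
        if not any(v.startswith(knob + ":") for v in params.get("MAXIMA", [])):
            findings.append(f"MAXIMA {knob} not set")
    return findings
```

Run against the article's configuration it reports two findings: the host-less -P8080 listener and the inline plaintext password list; binding -P to 127.0.0.1:8080 clears the first.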

Moving On

In this article I have explored only the tip of the iceberg and have merely introduced the readers to this marvelous piece of engineering. We have not covered many of the DeleGate features such as the SOCKS proxy, transparent SOCKS proxy, proxy chaining, etc. Further exploration is left to the readers, and I am pretty sure that interested readers will explore and benefit from the capabilities provided by DeleGate.

Interested readers may also want to explore another proxy server, Dante. I have provided the link in the references section below.

Time permitting, I may write in future about implementing other features of DeleGate. Dante is also on my to-do list, so watch out.

References

DeleGate Home Page
Dante – A Free SOCKS Proxy Implementation
