9. Configuring a Proxy server

To configure a Proxy server, you should go through several steps:

Installing the Proxy service onto your system

Proxy has been supported since calculate-server 2.0.13. We use Squid, a widely used Proxy server.

Before installing, make sure you have installed the LDAP service. If this is not the case, please enter:

cl-setup ldap

To install Proxy, execute:

cl-setup proxy

The service will then be installed with default settings: the proxy host name is set to the name of the host machine and the connection port is set to 8080.

To install Proxy with trusted networks, enter:

cl-setup -a proxy

When installing, the following basic groups will be created:
  • http - port 80 available
  • ftp - port 21 available
  • https - port 443 available
  • gopher - port 70 available
  • wais - port 210 available
  • unregistered - ports from 1025 to 65535 available
  • http-mgmt - port 280 available
  • gss-http - port 488 available
  • filemaker - port 591 available
  • multiling - port 777 available
  • swat - port 901 available

The default interval for refreshing cached permissions is 5 minutes.

Managing accounts

Add an account

To add a Proxy user account, use the cl-useradd command:

# add the user "john" with a full name in comments
cl-useradd -p -c "John Black" john proxy

Change the password

If you need to change the password, use cl-passwd, for instance:

cl-passwd john proxy

Delete or lock an account

If you want to delete an account, you can do this with cl-userdel:

cl-userdel john proxy

To lock the account without deleting it, use cl-usermod -L, for example:

cl-usermod -L john proxy

You will be able to unlock the account with cl-usermod -U:

cl-usermod -U john proxy

Groups

A group is a set of accounts used for setting access rules.
Any group has a parameter defining the range of network ports.
The user is allowed access to a resource only if at least one group this user belongs to is granted such access.

Managing groups

Create a group

To create a group for Proxy, use the cl-groupadd command. Here is an example: let us create a group named "adsl":

cl-groupadd -p 80,83,2000-3000 adsl proxy

Members added to this group will have access to network ports 80 and 83, as well as to the ports from 2000 to 3000, which can run certain services. Naming the group "adsl" is a matter of convention.

Delete a group

To remove a group from Proxy, use cl-groupdel:

cl-groupdel adsl proxy

Renaming groups

You can rename a group with cl-groupmod. Below we show how to change the group name from "adsl" to "adsl2":

cl-groupmod -n adsl2 adsl proxy

Change group membership

To change the membership of groups, you should use the cl-groupmod and cl-usermod commands. Examples:

Add "john" to the "http" group (granting them access to internet sites):

cl-usermod -G http john proxy

Remove the "john" user from "http":

cl-groupmod -d john http proxy

Add the users "john" and "guest" to the "http" group:

cl-groupmod -a john,guest http proxy

To give users access to FTP, you will have to give them access to port 21 and to the Proxy server port (which defaults to 8080):

# Allow the "guest" user to access FTP
cl-usermod -G ftp,unregistered guest proxy
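
The following added example (not part of calculate-server or Squid) models the access rule from the "Groups" section: a port list in the cl-groupadd -p format is parsed into ranges, and a user reaches a port only if at least one of their groups covers it. The function names, the memberships table and the 1000-port threshold are assumptions made for illustration; the group names and port lists are taken from this page.

```python
# Added illustration: models the group/port rule described on this page.
# Function names are hypothetical; group port lists are copied from the page.

def parse_ports(spec):
    """Turn a port list such as "80,83,2000-3000" into (low, high) ranges."""
    ranges = []
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        low, high = int(low), int(high or low)
        if not (0 < low <= high <= 65535):
            raise ValueError(f"invalid port range: {part!r}")
        ranges.append((low, high))
    return ranges

GROUPS = {name: parse_ports(spec) for name, spec in {
    "http": "80", "ftp": "21", "https": "443",
    "unregistered": "1025-65535", "adsl": "80,83,2000-3000",
}.items()}

def allowed(user_groups, port):
    """A user may reach a port if at least one of their groups covers it."""
    return any(low <= port <= high
               for group in user_groups for low, high in GROUPS[group])

def port_count(group):
    """Number of ports a group opens."""
    return sum(high - low + 1 for low, high in GROUPS[group])

def broad_groups(user_groups, threshold=1000):
    """Groups of a user that open more than `threshold` ports (review these)."""
    return sorted(g for g in user_groups if port_count(g) > threshold)

# Constructed memberships, following the cl-usermod examples on this page.
MEMBERS = {"john": ["http"], "guest": ["ftp", "unregistered"]}

if __name__ == "__main__":
    for user, groups in MEMBERS.items():
        reach = [p for p in (21, 80, 443, 8080) if allowed(groups, p)]
        print(user, "reaches", reach, "| broad groups:", broad_groups(groups))
```

Running it shows that membership in "unregistered" opens every port from 1025 to 65535, so that group deserves review whenever it is granted only to make one service work.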
