<p>If you are running Perl 5.005 and did compile it for threads, then the
server will create a new thread for each connection. The thread will
execute the server's <code>Run()</code> method and then terminate. This mode is the
default; you can force it with &quot;--mode=threads&quot;.</p>
</dd>
<dd>
<p>If threads are not available, but you have a working fork(), then the
server will behave similarly by creating a new process for each connection.
This mode will be used automatically in the absence of threads or if
you use the &quot;--mode=fork&quot; option.</p>
</dd>
<dd>
<p>Finally there's a single-connection mode: If the server has accepted a
connection, it will enter the <code>Run()</code> method. No other connections are
accepted until the <code>Run()</code> method returns (if the client disconnects).
This operation mode is useful if you have neither threads nor fork(),
for example on the Macintosh. For debugging purposes you can force this
mode with &quot;--mode=single&quot;.</p>
</dd>
</li>
<dt><strong><a name="item_pidfile"><em>pidfile</em> (<strong>--pidfile=file</strong>)</a></strong>

<dd>
<p>(UNIX only) If this option is present, a PID file will be created at the
given location. Default is to not create a pidfile.</p>
</dd>
</li>
<dt><strong><a name="item_user"><em>user</em> (<strong>--user=uid</strong>)</a></strong>

<dd>
<p>After doing a bind(), change the real and effective UID to the given one.
This is useful if you want your server to bind to a privileged port
(&lt;1024), but don't want the server to execute as root. See also
the --group and the --chroot options.</p>
</dd>
<dd>
<p>UIDs can be passed as group names or numeric values.</p>
</dd>
</li>
<dt><strong><a name="item_version"><em>version</em> (<strong>--version</strong>)</a></strong>

<dd>
<p>Suppresses startup of the server; instead the version string will
be printed and the program exits immediately.</p>
</dd>
</li>
</dl>
<p>
</p>
<hr />
<h1><a name="configuration_file">CONFIGURATION FILE</a></h1>
<p>The configuration file is just that of <em>RPC::PlServer</em> or <em>Net::Daemon</em>
with some additional attributes in the client list.</p>
<p>The config file is a Perl script. At the top of the file you may include
arbitrary Perl source, for example to load drivers at the start (useful
to enhance performance), prepare a chroot environment and so on.</p>
<p>The important thing is that you finally return a hash ref of option
name/value pairs. The possible options are listed above.</p>
<p>All possibilities of Net::Daemon and RPC::PlServer apply, in particular</p>
<dl>
<dt><strong><a name="item_host_and_2for_user_dependent_access_control">Host and/or User dependent access control</a></strong>

<dt><strong><a name="item_host_and_2for_user_dependent_encryption">Host and/or User dependent encryption</a></strong>

<dt><strong><a name="item_changing_uid_and_2for_gid_after_binding_to_the_por">Changing UID and/or GID after binding to the port</a></strong>

<dt><strong>Running in a <code>chroot()</code> environment</strong>

</dl>
<p>Additionally the server offers you query restrictions. Suppose the
following client list:</p>
<pre>
    <span class="string">'clients'</span> <span class="operator">=&gt;</span> <span class="operator">[</span>
        <span class="comment"># admin host: root and wwwrun, arbitrary queries</span>
        <span class="operator">{</span> <span class="string">'mask'</span> <span class="operator">=&gt;</span> <span class="string">'^admin\.company\.com$'</span><span class="operator">,</span>
          <span class="string">'accept'</span> <span class="operator">=&gt;</span> <span class="number">1</span><span class="operator">,</span>
          <span class="string">'users'</span> <span class="operator">=&gt;</span> <span class="operator">[</span> <span class="string">'root'</span><span class="operator">,</span> <span class="string">'wwwrun'</span> <span class="operator">]</span><span class="operator">,</span>
        <span class="operator">}</span><span class="operator">,</span>
        <span class="comment"># any other host: wwwrun only, restricted to the named queries</span>
        <span class="operator">{</span>
          <span class="string">'mask'</span> <span class="operator">=&gt;</span> <span class="string">'.*'</span><span class="operator">,</span>
          <span class="string">'accept'</span> <span class="operator">=&gt;</span> <span class="number">1</span><span class="operator">,</span>
          <span class="string">'users'</span> <span class="operator">=&gt;</span> <span class="operator">[</span> <span class="string">'wwwrun'</span> <span class="operator">]</span><span class="operator">,</span>
          <span class="string">'sql'</span> <span class="operator">=&gt;</span> <span class="operator">{</span>
               <span class="string">'select'</span> <span class="operator">=&gt;</span> <span class="string">'SELECT * FROM foo'</span><span class="operator">,</span>
               <span class="string">'insert'</span> <span class="operator">=&gt;</span> <span class="string">'INSERT INTO foo VALUES (?, ?, ?)'</span>
               <span class="operator">}</span>
        <span class="operator">}</span>
    <span class="operator">]</span>
</pre>
<p>then only the users root and wwwrun may connect from admin.company.com,
executing arbitrary queries, but only wwwrun may connect from other
hosts and is restricted to</p>
<pre>
    <span class="variable">$dbh</span><span class="operator">-&gt;</span><span class="variable">prepare</span><span class="operator">(</span><span class="string">"select"</span><span class="operator">);</span>
</pre>
<p>or</p>
<pre>
    <span class="variable">$dbh</span><span class="operator">-&gt;</span><span class="variable">prepare</span><span class="operator">(</span><span class="string">"insert"</span><span class="operator">);</span>
</pre>
<p>which in fact are &quot;SELECT * FROM foo&quot; or &quot;INSERT INTO foo VALUES (?, ?, ?)&quot;.</p>
<p>
</p>
<hr />
<h1><a name="proxyserver_configuration_file__bigger_example_">Proxyserver Configuration file (bigger example)</a></h1>
<p>This section tells you how to restrict a DBI-Proxy: Not every user from
every workstation shall be able to execute every query.</p>
<p>There is a Perl program &quot;dbiproxy&quot; which runs on a machine that is able
to connect to all the databases we wish to reach. All Perl DBD drivers must
be installed on this machine. You can also reach databases for which drivers
are not available on the machine where you run the program querying the
database, e.g. query an MS Access database from Linux.</p>
<p>Create a configuration file &quot;proxy_oracle.cfg&quot; at the dbproxy-server:</p>
<pre>
    <span class="operator">{</span>
        <span class="comment"># This shall run in a shell or a DOS-window </span>
        <span class="comment"># facility =&gt; 'daemon',</span>
        <span class="string">pidfile</span> <span class="operator">=&gt;</span> <span class="string">'your_dbiproxy.pid'</span><span class="operator">,</span>
        <span class="string">logfile</span> <span class="operator">=&gt;</span> <span class="number">1</span><span class="operator">,</span>
        <span class="string">debug</span> <span class="operator">=&gt;</span> <span class="number">0</span><span class="operator">,</span>
        <span class="string">mode</span> <span class="operator">=&gt;</span> <span class="string">'single'</span><span class="operator">,</span>
        <span class="string">localport</span> <span class="operator">=&gt;</span> <span class="string">'12400'</span><span class="operator">,</span>
</pre>
<pre>
        # Access control, the first match in this list wins!
        # So the order is important
        clients =&gt; [
                # hint to organize:
                # the most specialized rules for single machines/users are 1st
                # then the denying rules
                # then the rules about whole networks</pre>
<pre>
                <span class="comment"># rule: internal_webserver</span>
                <span class="comment"># desc: to get statistical information</span>
                <span class="operator">{</span>
                        <span class="comment"># this IP-address only is meant</span>
                        <span class="string">mask</span> <span class="operator">=&gt;</span> <span class="string">'^10\.95\.81\.243$'</span><span class="operator">,</span>
                        <span class="comment"># accept (not defer) connections like this</span>
                        <span class="string">accept</span> <span class="operator">=&gt;</span> <span class="number">1</span><span class="operator">,</span>
                        <span class="comment"># only users from this list </span>
                        <span class="comment"># are allowed to log on</span>
                        <span class="string">users</span> <span class="operator">=&gt;</span> <span class="operator">[</span> <span class="string">'informationdesk'</span> <span class="operator">]</span><span class="operator">,</span>
                        <span class="comment"># only this statistical query is allowed</span>
                        <span class="comment"># to get results for a web-query</span>
                        <span class="string">sql</span> <span class="operator">=&gt;</span> <span class="operator">{</span>
                                <span class="string">alive</span> <span class="operator">=&gt;</span> <span class="string">'select count(*) from dual'</span><span class="operator">,</span>
                                <span class="string">statistic_area</span> <span class="operator">=&gt;</span> <span class="string">'select count(*) from e01admin.e01e203 where geb_bezei like ?'</span><span class="operator">,</span>
                        <span class="operator">}</span>
                <span class="operator">},</span>
</pre>
<pre>
                <span class="comment"># rule: internal_bad_guy_1</span>
                <span class="operator">{</span>
                        <span class="string">mask</span> <span class="operator">=&gt;</span> <span class="string">'^10\.95\.81\.1$'</span><span class="operator">,</span>
                        <span class="string">accept</span> <span class="operator">=&gt;</span> <span class="number">0</span><span class="operator">,</span>
                <span class="operator">},</span>
</pre>
<pre>
                <span class="comment"># rule: employee_workplace</span>
                <span class="comment"># desc: get detailed information</span>
                <span class="operator">{</span>
                        <span class="comment"># any IP-address is meant here</span>
                        <span class="string">mask</span> <span class="operator">=&gt;</span> <span class="string">'^10\.95\.81\.(\d+)$'</span><span class="operator">,</span>
                        <span class="comment"># accept (not defer) connections like this</span>
                        <span class="string">accept</span> <span class="operator">=&gt;</span> <span class="number">1</span><span class="operator">,</span>
                        <span class="comment"># only users from this list </span>
                        <span class="comment"># are allowed to log on</span>
                        <span class="string">users</span> <span class="operator">=&gt;</span> <span class="operator">[</span> <span class="string">'informationdesk'</span><span class="operator">,</span> <span class="string">'lippmann'</span> <span class="operator">]</span><span class="operator">,</span>
                        <span class="comment"># all these queries are allowed:</span>
                        <span class="string">sql</span> <span class="operator">=&gt;</span> <span class="operator">{</span>
                                <span class="string">search_city</span> <span class="operator">=&gt;</span> <span class="string">'select ort_nr, plz, ort from e01admin.e01e200 where plz like ?'</span><span class="operator">,</span>
                                <span class="string">search_area</span> <span class="operator">=&gt;</span> <span class="string">'select gebiettyp, geb_bezei from e01admin.e01e203 where geb_bezei like ? or geb_bezei like ?'</span><span class="operator">,</span>
                        <span class="operator">}</span>
                <span class="operator">},</span>
</pre>
<pre>
                <span class="comment"># rule: internal_bad_guy_2 </span>
                <span class="comment"># This does NOT work, because rule "employee_workplace" hits</span>
                <span class="comment"># with its ip-address-mask of the whole network</span>
                <span class="operator">{</span>
                        <span class="comment"># don't accept connection from this ip-address</span>
                        <span class="string">mask</span> <span class="operator">=&gt;</span> <span class="string">'^10\.95\.81\.5$'</span><span class="operator">,</span>
                        <span class="string">accept</span> <span class="operator">=&gt;</span> <span class="number">0</span><span class="operator">,</span>
                <span class="operator">}</span>
                        <span class="operator">]</span>
                    <span class="operator">}</span>
</pre>
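<p>The ordering problem flagged in rule &quot;internal_bad_guy_2&quot; can be checked before deployment. The following is an added example, not part of DBI::ProxyServer or the original page: it replays a first-match-wins lookup over the masks and accept flags from the configuration above. The <code>name</code> keys, the helper functions and the probe addresses are assumptions made for this example, and only the peer IP address is matched.</p>

```perl
#!/usr/bin/perl
# Added example (not DBI::ProxyServer code): replay the first-match-wins
# lookup over the rule order shown in the configuration above.
use strict;
use warnings;

# Constructed rule list: 'name' is a label used only by this example;
# masks and accept flags are copied from the configuration above.
my @clients = (
    { name => 'internal_webserver', mask => '^10\.95\.81\.243$',   accept => 1 },
    { name => 'internal_bad_guy_1', mask => '^10\.95\.81\.1$',     accept => 0 },
    { name => 'employee_workplace', mask => '^10\.95\.81\.(\d+)$', accept => 1 },
    { name => 'internal_bad_guy_2', mask => '^10\.95\.81\.5$',     accept => 0 },
);

# Return the first rule whose mask matches the peer address, or undef.
sub first_match {
    my ($rules, $addr) = @_;
    for my $rule (@$rules) {
        return $rule if $addr =~ /$rule->{mask}/;
    }
    return;
}

# List deny rules that lose to an earlier rule for the address they target.
sub shadowed_denies {
    my ($rules, %probe) = @_;    # rule name => address the rule should block
    my @shadowed;
    for my $rule (grep { !$_->{accept} } @$rules) {
        my $addr = $probe{ $rule->{name} } or next;
        my $hit  = first_match($rules, $addr);
        push @shadowed, "$rule->{name} ($addr) is shadowed by $hit->{name}"
            if $hit && $hit->{name} ne $rule->{name};
    }
    return @shadowed;
}

# Constructed probe addresses, one per deny rule.
my %probe = (internal_bad_guy_1 => '10.95.81.1', internal_bad_guy_2 => '10.95.81.5');
print "as written: $_\n" for shadowed_denies(\@clients, %probe);

# Fix, following the ordering hint in the config: deny rules go before
# the rule that covers the whole network.
my @fixed = @clients[0, 1, 3, 2];
my @left  = shadowed_denies(\@fixed, %probe);
print "reordered: ", (@left ? join('; ', @left) : 'no shadowed deny rules'), "\n";
```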
<p>Start the proxyserver like this:</p>
<pre>
        rem well-set Oracle_home needed for Oracle
        set ORACLE_HOME=d:\oracle\ora81
        dbiproxy --configfile proxy_oracle.cfg</pre>
<p>
</p>
<h2><a name="testing_the_connection_from_a_remote_machine">Testing the connection from a remote machine</a></h2>
<p>Call the program &quot;dbish&quot; from your command line. This example uses the machine from rule &quot;internal_webserver&quot;:</p>
<pre>
        <span class="variable">dbish</span> <span class="string">"dbi:Proxy:hostname=oracle.zdf;port=12400;dsn=dbi:Oracle:e01"</span> <span class="variable">informationdesk</span> <span class="variable">xxx</span>
</pre>
<p>There will be a shell-prompt:</p>
<pre>
        informationdesk@dbi...&gt; alive</pre>
