WEB Proxy function of Second Life Viewer
The WEB proxy function of the Second Life Viewer (v1.19) is rather limited, and it is only usable in some cases.
Although the specified WEB proxy is used when logging in, the Viewer talks directly to the SIM server for CAPs communication.
Moreover, on Windows it appears to use the proxy server from the Proxy Settings of IE (the system setting?) when fetching media data for land (MediaURL in ParcelProperties). How this behaves on MacOS and Linux is not known.
However, the WEB Proxy setting of the Viewer does appear to be used when an external WEB page is displayed, on the login screen and In World; in these cases it seems to work.
Solution for sl_relay
Some extra work is needed to make sl_relay function correctly when a WEB Proxy is used with the Viewer.
This is because, for security reasons, each Relay Process of sl_relay only accepts connections from a single Viewer IP address and port number.
When you set up the Viewer to use a WEB Proxy, the connection at login (which comes from the WEB Proxy) and the later CAPs connection (which comes directly from the Viewer) have different IP addresses. This change in IP address causes the Relay Process to refuse the connection from the Viewer, and as a result communication is interrupted.
To avoid this you need to specify the -xp option when starting sl_relay. The FQDN or IP address and the port number of the WEB Proxy server are given as the argument to the -xp option (in the form FQDN:port or IP:port).
You can also specify the WEB Proxy server address with the ExternalWebProxy setting in the configuration file. When the WEB Proxy server is specified both on the command line and in the configuration file, the configuration file (ExternalWebProxy) takes priority.
When sl_relay is started with the -xp option specifying a WEB Proxy server, the Relay Process changes the connected IP address and port number it expects to those of the WEB Proxy server. As a result, when the direct connection starts after login processing, the IP address and port number are already known and communication continues normally.
Security
If some other process connects to the Relay Process before the legitimate Viewer does, communication is established with that process instead, and the legitimate Viewer can then neither connect nor communicate.
For such an interception to succeed, that process has to obtain the login information before it connects to the Relay Process. This risk arises when HTTPS is not used between the Viewer and sl_relay.
We recommend using HTTPS between the Viewer and the Relay Server whenever not all users at a site can be trusted.
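The following is an added illustration, not sl_relay's own code, of the single-peer pinning described in the two sections above: a Relay Process pins a session to the first (IP address, port number) that connects, which is what breaks a proxied login followed by direct CAPs traffic, what the -xp / ExternalWebProxy address repairs, and what makes an early connection from another process take the session away from the legitimate Viewer. All addresses and the class and function names are constructed for the example.

```python
"""Model of the Relay Process peer check described in the sl_relay text.

Added illustration, not sl_relay's own code. Each Relay Process pins a session
to the first (IP address, port number) that connects; the -xp / ExternalWebProxy
address lets a session that began through the WEB Proxy continue from the
Viewer's own address. All addresses are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Peer = Tuple[str, int]  # (IP address, port number) of the connecting side

# Constructed sample addresses
SITE_PROXY: Peer = ("192.0.2.10", 3128)    # the site's WEB Proxy (squid etc.)
VIEWER: Peer = ("192.0.2.55", 54321)       # the legitimate Viewer's own address
OTHER_HOST: Peer = ("192.0.2.99", 40000)   # some other machine at the site


@dataclass
class RelayProcess:
    # Address given with -xp (or ExternalWebProxy); None = no external proxy.
    external_proxy: Optional[Peer] = None
    pinned: Optional[Peer] = field(default=None, init=False)
    log: List[str] = field(default_factory=list, init=False)

    def accept(self, peer: Peer, phase: str) -> bool:
        """Return True if a connection from `peer` is accepted in this session."""
        if self.pinned is None:
            # First connection of the session: pin the session to it.
            self.pinned = peer
            self.log.append(f"{phase}: session pinned to {peer[0]}:{peer[1]}")
            return True
        if peer == self.pinned:
            return True
        if self.external_proxy is not None and self.pinned == self.external_proxy:
            # The login came through the configured WEB Proxy, so the later
            # direct CAPs connection from the Viewer is expected; move the pin.
            self.log.append(f"{phase}: proxied session continues from {peer[0]}:{peer[1]}")
            self.pinned = peer
            return True
        self.log.append(f"{phase}: refused {peer[0]}:{peer[1]}, "
                        f"session is pinned to {self.pinned[0]}:{self.pinned[1]}")
        return False


def run_session(external_proxy: Optional[Peer]) -> Tuple[bool, bool, bool]:
    """Login via the WEB Proxy, then direct CAPs traffic from the Viewer,
    then an unrelated host trying to join the same session."""
    relay = RelayProcess(external_proxy=external_proxy)
    login_ok = relay.accept(SITE_PROXY, "login")
    caps_ok = relay.accept(VIEWER, "caps")
    other_ok = relay.accept(OTHER_HOST, "other host")
    for entry in relay.log:
        print(entry)
    return login_ok, caps_ok, other_ok


def run_early_connection(external_proxy: Optional[Peer]) -> Tuple[bool, bool]:
    """The Security-section case: another process connects before the Viewer's
    login does, so the session is pinned to it and the real login is refused."""
    relay = RelayProcess(external_proxy=external_proxy)
    first_ok = relay.accept(OTHER_HOST, "early connection")
    login_ok = relay.accept(SITE_PROXY, "login")
    for entry in relay.log:
        print(entry)
    return first_ok, login_ok


if __name__ == "__main__":
    print("-- without -xp --")
    print(run_session(None))              # (True, False, False): CAPs refused
    print("-- with -xp 192.0.2.10:3128 --")
    print(run_session(SITE_PROXY))        # (True, True, False)
    print("-- another process connects first --")
    print(run_early_connection(SITE_PROXY))  # (True, False)
```

Without -xp the direct CAPs connection is refused because the session is still pinned to the proxy's address; with -xp it is accepted, while a third host is still turned away. The last run shows why the text recommends HTTPS between the Viewer and sl_relay: pinning protects the session only once the right party holds it.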
Internal WEB Proxy function
If no WEB Proxy such as squid is available (or you cannot provide one yourself), or the proxy in use at your site requires authentication, the Viewer cannot use an external WEB Proxy. The Viewer (at least as of version v1.19.x) does not work with a WEB Proxy that requires authentication.
sl_relay has an internal WEB Proxy that can be enabled with the -ip option. Note, however, that there are some things to consider when using the internal WEB Proxy function.
In particular, the internal WEB Proxy of sl_relay could potentially be used to bypass the authenticating proxy in use at the install site for general web traffic.
To prevent this, the -xp option can be used. When started with the -xp option, the internal WEB Proxy runs in a limited mode and connections are only allowed to the sites listed in the Proxy_Allow_File configuration file.
Weigh the use of the internal WEB Proxy against the security policy of the site, and make use of the additional restrictions available to keep the site compliant.
The default Proxy_Allow_File is /usr/local/etc/sl_proxy/proxy_dist.allow. The format is the same as Hosts_Allow_File.
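As an added example (not sl_relay's own code) of what the limited mode above has to enforce, the following checks the destination host of each proxy request against an allow list before forwarding. The allow-file format used here (one host per line, a leading dot meaning the domain and its subdomains, # comments) is an assumption made for the example; the real format is that of Hosts_Allow_File, which this page does not describe. The sample file contents, request lines and function names are constructed.

```python
"""Limited-mode destination check for an internal WEB Proxy.

Added illustration, not sl_relay's own code. In limited mode the internal proxy
only forwards requests whose destination host appears in the Proxy_Allow_File;
without that check the proxy would let any request through, bypassing the
site's authenticating proxy. The allow-file format below is an assumption.
"""
from typing import Set
from urllib.parse import urlsplit

# Constructed sample contents of /usr/local/etc/sl_proxy/proxy_dist.allow
PROXY_ALLOW_TEXT = """\
# sites the Viewer may reach through the internal WEB Proxy
secondlife.com
.secondlife.com
"""


def parse_allow_file(text: str) -> Set[str]:
    """Return the set of allowed host entries, lower-cased, comments stripped."""
    entries = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            entries.add(line)
    return entries


def host_allowed(host: str, allow: Set[str]) -> bool:
    """Exact match, or suffix match for entries written with a leading dot
    (so ".secondlife.com" admits www.secondlife.com but not evilsecondlife.com)."""
    host = host.lower().rstrip(".")
    if host in allow:
        return True
    return any(e.startswith(".") and host.endswith(e) for e in allow)


def target_host(request_line: str) -> str:
    """Destination host of an HTTP proxy request line (CONNECT or absolute-URI)."""
    parts = request_line.split()
    if len(parts) != 3:
        return ""                            # malformed request line
    method, target, _version = parts
    if method.upper() == "CONNECT":
        return target.rsplit(":", 1)[0]      # host:port form
    return urlsplit(target).hostname or ""   # absolute URI form


def proxy_permits(request_line: str, allow: Set[str], limited_mode: bool = True) -> bool:
    """Decide whether the internal proxy may forward this request.
    Outside limited mode every request is forwarded, which is exactly the
    behaviour that lets a user bypass the site's authenticating proxy."""
    if not limited_mode:
        return True
    host = target_host(request_line)
    return bool(host) and host_allowed(host, allow)


if __name__ == "__main__":
    allow = parse_allow_file(PROXY_ALLOW_TEXT)
    for line in ("GET http://secondlife.com/app/login/ HTTP/1.1",
                 "CONNECT www.secondlife.com:443 HTTP/1.1",
                 "GET http://www.example.org/ HTTP/1.1"):
        print(f"{str(proxy_permits(line, allow)):5} {line}")
```

The check covers both plain HTTP requests (absolute URI in the request line) and CONNECT tunnels, since an HTTPS site reached through a proxy arrives as CONNECT host:port; an allow list that only looked at GET lines would leave the tunnel path open.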
Actual settings
When should you set the WEB Proxy function of the Viewer?
- When the PC used is behind a firewall and external (Internet) WEB pages cannot be viewed directly.
- When you want to display an external (Internet) WEB page on the login screen. (This is usually the Linden Lab page [http://secondlife.com/app/login/].)
- When you want to display a WEB page In World.
In any of these cases you need to set the WEB Proxy function of the Viewer. In addition, if:
- your site uses an authenticating proxy, or does not have a suitable WEB Proxy at all,
then you can use the internal WEB Proxy function of sl_relay (in limited mode if necessary).
If you are using Windows, the internal WEB Proxy may be useful for IE as well as for the Viewer. Video and audio data specified by the MediaURL (see About Land - Media) can also go through the proxy. Note, however, that only the pages listed can be viewed when the proxy is run in limited mode.
Think carefully about the security implications of the settings you use with the WEB Proxy, and use settings that preserve the intended security posture of the site.
Other techniques
It is also possible to relay media (MediaURL) data through sl_relay by using the -mm option. With this option sl_relay automatically rewrites the MediaURL received from the SIM to point at sl_relay as the information is passed back to the Viewer; the Viewer then requests the media from sl_relay, which fetches the required data. However, the Viewer may confuse the rewritten MediaURL with the SIM URLs and send the request back to the SIM.