Differences in Revisions: add_distri

Newer Revision
Monday at 10:06 pm
deleted old page. replaced by: https://wiki.ipfire.org/configuration/network/proxy/extend/wpad
# Automatic distribution of the proxy settings
 
| Stop! |
|---|
| This page has been replaced by [/configuration/network/proxy/extend/wpad](/configuration/network/proxy/extend/wpad) with IPFire 2.23 - Core Update 132. |
 
 
**[Back to proxy main Page](/configuration/network/proxy)**
 
## Introduction
 
There are basically two ways to make clients use a proxy server. You can enter the proxy manually in the browser or system, or the proxy can be operated transparently. Both options have advantages and disadvantages, which will not be listed here; only the main difference between the two matters for this guide. If the proxy operates in transparent mode, there is usually no need to adjust the clients: the HTTP traffic goes through the proxy automatically. This also means that you cannot configure any exceptions. Unfortunately, some sites do not work properly when accessed through a proxy, which is exactly why exceptions are sometimes needed. So we do not want the proxy to operate transparently, but we also do not want to touch every client to enter the proxy configuration and the exceptions manually. Everything should be configured at a central point (the IPFire appliance) and distributed to all clients automatically.
 
## Browser Support
 
| Browser / Configuration | DHCP | DNS |
| --- | --- | --- |
| Internet Explorer | Y | ? |
| Chrome | Y | ? |
| Firefox | N | Y |
 
## Distribution via DHCP-option
 
IPFire provides a proxy configuration script by default. It can be found under
`http://IPFireIP:81/proxy.pac`

For a system to use this script, it has to be distributed to the clients. There are two ways to do this, and this guide sets up both.

![](/configuration/network/proxy_config_automatic_distribution_dhcp_options_en.jpg)

The first way is distribution by DHCP options. For this we define the following option under the *"network"* tab in the *"DHCP Server"* configuration.
 
`wpad code 252=text`
`wpad "http://IPFireIP:81/proxy.pac"`
 
## Let the browser automatically detect the Proxy configuration
 
In some cases, the options supplied by the DHCP server may be ignored. However, most browsers are able to detect the proxy configuration automatically. For this you have to set up another HTTP vhost on port 80 that has only proxy.pac and wpad.dat in its web root.
 
To do so, we first create the directory */srv/web/ipfire/wpad*
 
`mkdir /srv/web/ipfire/wpad`
 
and then the file */etc/httpd/conf/vhosts.d/wpad.conf*
 
`touch /etc/httpd/conf/vhosts.d/wpad.conf`
 
with the following content:
 
```apache
Listen 80
<VirtualHost *:80>
    DocumentRoot "/srv/web/ipfire/wpad"
    ServerName wpad.[localdomain]
    Alias /wpad.dat /srv/web/ipfire/html/proxy.pac
    Alias /proxy.pac /srv/web/ipfire/html/proxy.pac
</VirtualHost>
```
 
 
To give the directory the desired content, we create two links to the already existing proxy.pac / wpad.dat.
 
`ln -s /srv/web/ipfire/html/proxy.pac /srv/web/ipfire/wpad/proxy.pac`
 
`ln -s /srv/web/ipfire/html/proxy.pac /srv/web/ipfire/wpad/wpad.dat`
 
Afterwards we restart Apache with:
 
`/etc/init.d/apache restart`
 
Now an additional entry named **wpad** with the IPFire IP still has to be created under "Edit Hosts" (found under the tab *"network"* -> *"Edit Hosts"*), so that the script is also available under http://wpad.[localdomain]/proxy.pac and http://wpad.[localdomain]/wpad.dat.

![](/configuration/network/proxy_config_automatic_distribution_addhost_eng.jpg)
 
Thus, both ways to distribute a proxy configuration automatically are established.
 
## Configuring exceptions
 
To configure centralized exceptions, we can create a file named *"src_no_proxy.acl"*.
 
`touch /var/ipfire/proxy/advanced/acls/src_no_proxy.acl`
 
Into this file we write, in plain text and **only one per line**, the URLs or domains that should be accessed directly.
 
 
```
*.ipfire.org
http://wiki.ipfire.org/configuration/network/proxy
```
 
<WRAP center round important 80%>The last line cannot be empty!</WRAP>
 
<WRAP center round alert 80%>Please note that every URL/domain entered here no longer runs through the proxy, and thus the [URL-Filter](/configuration/network/url-filter) and [ClamAV](/addons/clamav) do NOT check those pages.</WRAP>
 
Then the following lines are added to the file */srv/web/ipfire/cgi-bin/proxy.cgi*.
 
<WRAP center round alert 80%>**Make a backup copy of this file** before you start editing, because an error introduced while editing makes the complete "network" tab of the IPFire WUI impossible to open!</WRAP>
 
To create a variable that can be used later, we add this line at the beginning, where all the other variables are defined:
 
`my $acl_src_noproxy = "$acldir/src_no_proxy.acl";`
 
 
```perl
#!/usr/bin/perl
###############################################################################
# #
# IPFire.org - A linux based firewall #
# Copyright (C) 2007-2011 IPFire Team <info@ipfire.org> #
# #
# This program is free software: you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation, either version 3 of the License, or #
# (at your option) any later version. #
# #
# This program is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
# #
###############################################################################
#
# (c) 2004-2009 marco.s - http://www.advproxy.net
#
# This code is distributed under the terms of the GPL
#
# $Id: advproxy.cgi,v 3.0.2 2009/02/04 00:00:00 marco.s Exp $
#
 
use strict;
 
# enable only the following on debugging purpose
#use warnings;
#use CGI::Carp 'fatalsToBrowser';
 
require '/var/ipfire/general-functions.pl';
require "${General::swroot}/lang.pl";
require "${General::swroot}/header.pl";
 
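# Added line: path of the exception list.
# Under "use strict", $acldir must already be defined above this line.
my $acl_src_noproxy = "$acldir/src_no_proxy.acl";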
my @squidversion = `/usr/sbin/squid -v`;
my $http_port='81';
my $https_port='444';
 
```
 
Further down in the file (around line 2915) we find the section "sub writepacfile". There we add the following lines after the first END;
 
 
```perl
if ($proxysettings{'ENABLE'} eq 'on')
{
	print FILE "if (\n";

	# Read the exception list, one entry per line
	undef @templist;
	if (-e $acl_src_noproxy) {
		open(NOPROXY, '<', $acl_src_noproxy);
		@templist = <NOPROXY>;
		close(NOPROXY);
		chomp(@templist);
	}

	# One shExpMatch() rule per entry
	foreach (@templist)
	{
		print FILE "     (shExpMatch(url, \"*$_*\")) ||\n";
	}

	# Fixed last rule, so that the list never ends with "||"
	print FILE <<END
     (shExpMatch(url, "*ipfire.org*"))
   )
     return "DIRECT";

 else

END
;
}
```
 
Once the lines have been added and the file saved, we have to restart the proxy via the web interface (under the tab "network" -> "Webproxy", click "Save and Restart").

Each restart triggered this way creates a new **proxy.pac**.
So whenever we change the file **/var/ipfire/proxy/advanced/acls/src_no_proxy.acl**, we need to trigger a restart of the proxy server.
 
The resulting proxy.pac looks roughly like this:
 
 
```javascript
function FindProxyForURL(url, host)
{
if (
(isPlainHostName(host)) ||
(dnsDomainIs(host, ".lan.ipfire")) ||
(isInNet(host, "10.0.0.0", "255.0.0.0")) ||
(isInNet(host, "172.16.0.0", "255.240.0.0")) ||
(isInNet(host, "192.168.0.0", "255.255.0.0")) ||
(isInNet(host, "169.254.0.0", "255.255.0.0"))
)
return "DIRECT";
 
else
 
if (
(shExpMatch(url, "*testdomain1.de*")) ||
(shExpMatch(url, "*testdomain2.de*")) ||
(shExpMatch(url, "*ipfire.org*"))
)
return "DIRECT";
 
else
 
if (
(isInNet(myIpAddress(), "192.168.6.0", "255.255.255.0")) ||
(isInNet(myIpAddress(), "10.66.78.0", "24"))
 
 
)
return "PROXY 192.168.6.1:800";
 
else
 
if (
(isInNet(myIpAddress(), "192.168.61.0", "255.255.255.0"))
)
return "PROXY 192.168.61.1:800";
}
```
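
The exception block that `writepacfile` generates can be reproduced outside a browser to audit `src_no_proxy.acl` before the proxy is restarted. The following is an added example, not part of the original page or of IPFire: `shExpMatch` is a stand-in for the browser's PAC helper, `aclLines`, `goesDirect` and `auditAcl` are hypothetical names, and the sample ACL is constructed. It shows why an empty line matters (it becomes the pattern `**`, so every URL skips the proxy, the URL filter and ClamAV) and that each entry is matched against the whole URL, not only the host.

```javascript
// Added example, not IPFire code. Stand-in for the PAC helper shExpMatch(),
// which the browser normally provides: "*" matches any run, "?" one character.
function shExpMatch(str, pattern) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// Split the ACL the way the Perl code reads it: one entry per line, only "\n" removed.
function aclLines(aclText) {
  const lines = aclText.split("\n");
  if (lines[lines.length - 1] === "") lines.pop(); // newline ending the last entry
  return lines;
}

// True when the generated exception block would return "DIRECT" for this URL.
function goesDirect(url, aclText) {
  const patterns = aclLines(aclText).map((entry) => "*" + entry + "*");
  patterns.push("*ipfire.org*"); // rule hard-coded in the heredoc
  return patterns.some((p) => shExpMatch(url, p));
}

// Checks to run on src_no_proxy.acl before "Save and Restart".
function auditAcl(aclText) {
  const findings = [];
  aclLines(aclText).forEach((entry, i) => {
    const where = "line " + (i + 1) + ": ";
    if (entry === "") {
      findings.push(where + 'empty, becomes "**" and sends every URL DIRECT');
    } else if (/["\\\r]/.test(entry)) {
      findings.push(where + "quote, backslash or CR breaks the string literal in proxy.pac");
    } else if (!entry.includes(".")) {
      findings.push(where + "no dot, matches as a bare substring of any URL");
    }
  });
  return findings;
}

// Constructed sample input: line 3 is empty, line 4 ends in a Windows CR.
const sampleAcl = "*.ipfire.org\ntestdomain1.de\n\ntestdomain2.de\r\n";
console.log(auditAcl(sampleAcl).join("\n"));
console.log(goesDirect("http://example.test/", sampleAcl));
```
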
 
<WRAP center round important 80%>!!! Please pay attention to the permissions of the files !!!</WRAP>
 
`/var/ipfire/proxy/advanced/acls/src_no_proxy.acl`
`(nobody:nobody 644)`
 
`/srv/web/ipfire/cgi-bin/proxy.cgi`
`(root:root 755)`
 
That is all; exceptions can now also be made in the automatic proxy configuration.
 
The IPFire team would like to say thanks for this Wiki to [WhyTea](http://forum.ipfire.org/index.php?action=profile;u=3565)
 
 