There are basically two ways to include a Proxy server in the configuration of the clients. On the one hand, you can enter it manually in the browser or system, and on the other hand it can be defined transparently. Both options have advantages and disadvantages which should not be listed in here. However the main difference of the two versions concerns to me in here. If the Proxy operates in transparent mode there is usually no need to make adjustments on the clients, the HTTP traffic goes through the Proxy automatically. This also means, that you are not able to configure any exceptions. Unfortunately, there are some sites that don't work properly, if accessed through a proxy. This is exactly why you sometimes need exceptions. So we don't want the Proxy to operate transparently, but we also do not want to touch every client to make the manual entries for the proxy configuration, and the exceptions. Everything should be configured at a central point ( the IPFire appliance ) with automatic distribution to all clients.
The distribution can be be done via DHCP or via DNS.
Browser / Configuration | DHCP | DNS |
---|---|---|
Internet Explorer | Y | ? |
Chrome | Y | ? |
Firefox | N | Y |
There is a proxy configuration script provided by IPFire by default. It can be found under:
http://[IPFireIP]:81/proxy.pac
For a system to use this script, there is the need to distribute it.
To achieve this, there are two possibilities which we arrange in the course of this guidance. The first possibility is the distribution by DHCP options. Therefore we define the following option under the"network" tab in the"DHCP Server" configuration.
wpad code 252=text wpad "http://[IPFireIP]:81/proxy.pac"
In some cases, the supplies of the DHCP server could be ignored. However, most browsers will be able to detect the proxy configuration automatically. In such a case, the Browser/Program will search the URL:
http://wpad.[localdomain]/wpad.dat
-or-
http://wpad/wpad.dat
for the WPAD-File.
There are different ways to provide this file. You can apply another http-vhost on port 80, a firewall-redirect-rule, a haparoxy-frontend/backend or similar, which only has the proxy.pac and wpad.dat in his Webroot.
Therefor we initially create the directory /srv/web/ipfire/wpad
mkdir /srv/web/ipfire/wpad
and subsequently the file /etc/httpd/conf/vhosts.d/wpad.conf
touch /etc/httpd/conf/vhosts.d/wpad.conf
with the following content:
filename = /etc/httpd/conf/vhosts.d/wpad.conf
Listen 80 <VirtualHost *:80> DocumentRoot "/srv/web/ipfire/wpad" ServerName wpad.[localdomain] Alias /wpad.dat /srv/web/ipfire/html/proxy.pac Alias /proxy.pac /srv/web/ipfire/html/proxy.pac </VirtualHost>
To give the directory the desired content, we create two links to the already existing proxy.pac / wpad.dat.
ln -s /srv/web/ipfire/html/proxy.pac /srv/web/ipfire/wpad/proxy.pac ln -s /srv/web/ipfire/html/proxy.pac /srv/web/ipfire/wpad/wpad.dat
Afterwards we restart the Apache2 with:
/etc/init.d/apache restart
The following code-snippets are examples for adding a WPAD-Backend to a multi-domain-frontend on Port 80:
Note! |
---|
This is not a complete config file for haproxy! |
filename = /etc/haproxy/haproxy.cfg
#--------------------------------------------------------------------- # main frontend which proxys to the backends #--------------------------------------------------------------------- frontend http bind :80 reqadd X-Forwarded-Proto:\ http # Logging capture request header host len 40 # wpad acl is_wpad_domain hdr_beg(host) -i wpad.[localdomain] wpad [IPFireIP_on_green] [IPFireIP_on_blue] acl is_wpad_path path_reg ^/wpad.dat$ ^/proxy.pac$ acl is_local_ip src [localsubnet/localsubnetmask] use_backend wpad if is_local_ip is_wpad_domain is_wpad_path # default default_backend no_match #--------------------------------------------------------------------- # Backend: WPAD #--------------------------------------------------------------------- backend wpad option httpchk HEAD /wpad.dat HTTP/1.1\r\nHost:\ 127.0.0.1:81 server ipfire 127.0.0.1:81 check #--------------------------------------------------------------------- # Backend: No Match #--------------------------------------------------------------------- backend no_match http-request deny deny_status 400
FIXME
Now an additional entry under "Edit Hosts" (findable under the tab "network" -> "Edit Hosts") named wpad with the IPFire-IP still has to be created,
to get the script under:
http://wpad.[localdomain]/proxy.pac and http://wpad.[localdomain]/wpad.dat
The exceptions can be entered into the corresponding fields in the WebGUI of IPFire (Network --> Proxy --> WPAD). Please note:
*
).The IPFire team would like to say thanks for this Wiki to WhyTea!
Older Revisions • Friday at 3:24 am • Jon