Enhancement #3266
WPAD improvements
Field | Value
---|---
Status | CLOSED
Priority | Normal
Assignee | -
Category | nethserver-squid
Target version | v6.7
Start date |
Due date |
% Done | 100%
Resolution |
NEEDINFO | No
Description
WPAD implementation should be updated with the following improvements:
- WPAD must be accessible from all networks using the IP address of the gateway to avoid problems with name resolution
- as an exception to previous point, if the server is joined to an AD, all clients must use the host name, since Kerberos authentication doesn't work with the IP
- if Squid is configured in transparent mode, the WPAD should return DIRECT access to avoid problems with dumb clients. Be aware that the proxy can be in transparent mode for the green network and manual for the blue one (or vice versa)
Thanks to Adam for the idea: http://community.nethserver.org/t/wpad-dhcp-dns-etc/1627
PAC functions are documented here:
http://findproxyforurl.com/pac-functions/
Related issues
Associated revisions
WPAD fixes. Refs #3266
WPAD fixes. Refs #3266
New WPAD implementation. Refs #3266
Also support source and destination bypasses.
WPAD: fix bad JS syntax. Refs #3266
WPAD: signal squid-save event on bypass edit. Refs #3266
Revert "WPAD: signal squid-save event on bypass edit. Refs #3266"
This reverts commit 4065c4e7820c2a6ea429ab350ba571429d8901ff.
createlinks: expand wpad when necessary. Refs #3266
WPAD: resolve hosts when needed. Refs #3266
WPAD: limit WPAD access to trusted networks. Refs #3266
WPAD: fix httpd allow directive. Refs #3266
History
#1 Updated by Davide Marini almost 6 years ago
I suggest an improvement for this scenario:
- Nethserver member of AD domain
- DC located in the green
- Proxy web authenticated in the green zone
- Proxy web manual/transparent in the blue zone
GREEN network : clients are using DC as DNS, the DC can resolve the hostname written in the wpad.dat, everything will work fine
BLUE network: clients in this zone can't resolve the hostname (this zone usually is completely separated from the green one)
In this case it could be better to write in the wpad.dat file the IP address and not the hostname for the blue clients.
To simplify the concept in pseudocode... for EVERY zone:
if (authenticated && AD_joined) { $HOSTNAME } else { $IP_ADDRESS }
#2 Updated by Giacomo Sanchietti almost 6 years ago
- Status changed from NEW to TRIAGED
- Target version set to v6.7
- % Done changed from 0 to 20
#3 Updated by Giacomo Sanchietti almost 6 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#4 Updated by Giacomo Sanchietti almost 6 years ago
- Assignee deleted (Giacomo Sanchietti)
#5 Updated by Giacomo Sanchietti over 5 years ago
- Assignee set to Giacomo Sanchietti
#6 Updated by Giacomo Sanchietti over 5 years ago
Current implementation is wrong since it uses the host variable to check the client IP source address, but it should use the myIpAddress() function.
#7 Updated by Giacomo Sanchietti over 5 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
New implementation also supports source and destination bypass.
#8 Updated by Giacomo Sanchietti over 5 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
- nethserver-squid-1.3.10-1.7.g55bf32c.ns6.noarch.rpm
- nethserver-squid-1.3.10-1.11.g557da40.ns6.noarch.rpm
NOTE: you can use this tool to test the WPAD implementation: https://github.com/pacparser/pacparser
Test case 0
- Disable the proxy
- Check the WPAD returns "DIRECT"
- Configure the proxy in manual mode
- Check the wpad returns the proxy ip address for each green and blue network
- Repeat the same configuring the proxy in authenticated mode
- Enable the AD join (fake config: config set smb service status enabled ServerRole ADS)
- Repeat previous tests and check the proxy is returned with host name "proxy.<domain>:3128"
- Set the proxy mode to transparent or transparent_ssl on green networks
- Check the WPAD return "DIRECT" for green
- Repeat the test for blue networks
- Configure 3 destination bypasses using host, host group and cidr
- Verify the listed sites will be reached without proxy
- Configure 4 source bypasses using host, host group, ip range and cidr
- Verify the listed hosts will not use the proxy
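As an added example (not NethServer's own wpad.dat template), here is a PAC file that implements the rules from the description and the source/destination bypasses from the test plan above: the client is placed in a network by myIpAddress(), transparent networks answer DIRECT, the others return the gateway IP or, when joined to AD, the proxy host name. The networks, bypass lists, the adJoined flag and the proxy.example.org name are constructed for the example, and the PAC helpers a browser provides are stubbed so the file runs under Node.js.

```javascript
// Constructed example: the helpers a browser's PAC engine normally provides
// (myIpAddress, isInNet, shExpMatch) are stubbed so this runs in plain Node.js.
let myIp = "0.0.0.0";
function myIpAddress() { return myIp; }
function ip2int(ip) {
  return ip.split(".").reduce((acc, oct) => ((acc << 8) + Number(oct)) >>> 0, 0);
}
function isInNet(ip, net, mask) {
  return (ip2int(ip) & ip2int(mask)) === (ip2int(net) & ip2int(mask));
}
function shExpMatch(str, pat) {
  const re = pat.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// Constructed per-network settings (not NethServer's real configuration):
// green is manual, blue is transparent, the mixed scenario from the issue.
const NETWORKS = [
  { net: "192.168.122.0", mask: "255.255.255.0", gw: "192.168.122.1", mode: "manual" },
  { net: "192.168.150.0", mask: "255.255.255.0", gw: "192.168.150.1", mode: "transparent" },
];
let adJoined = false;                       // assumed flag: true when joined to AD
const PROXY_FQDN = "proxy.example.org";     // placeholder host name for the AD case
const PROXY_PORT = 3128;
const DST_BYPASS = ["www.centos.org", "*.intranet.example"];               // constructed
const SRC_BYPASS = [{ net: "192.168.122.240", mask: "255.255.255.240" }];  // constructed

function FindProxyForURL(url, host) {
  const me = myIpAddress();               // client address, not the URL host
  for (const b of SRC_BYPASS)             // listed client hosts never use the proxy
    if (isInNet(me, b.net, b.mask)) return "DIRECT";
  for (const p of DST_BYPASS)             // listed sites are reached without the proxy
    if (shExpMatch(host, p)) return "DIRECT";
  for (const n of NETWORKS) {
    if (!isInNet(me, n.net, n.mask)) continue;
    if (n.mode.indexOf("transparent") === 0) return "DIRECT";  // interception handles it
    // Kerberos needs the name; otherwise the gateway IP avoids DNS problems.
    const target = adJoined ? PROXY_FQDN : n.gw;
    return "PROXY " + target + ":" + PROXY_PORT;
  }
  return "DIRECT";                        // unknown network: assumption, do not break access
}

// Test driver in the spirit of pacparser's setmyip()/find_proxy().
function findProxyAs(clientIp, url) {
  myIp = clientIp;
  return FindProxyForURL(url, new URL(url).hostname);
}
```

Feeding each (client IP, URL) pair from the test matrix above through findProxyAs gives the same DIRECT/PROXY decisions pactest.py checks against the real wpad.dat.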
#9 Updated by Davide Principi over 5 years ago
- Assignee set to Davide Principi
#10 Updated by Davide Principi over 5 years ago
- File pactest.py added
- Status changed from ON_QA to VERIFIED
- Assignee deleted (Davide Principi)
- % Done changed from 70 to 90
System and Package Version installed
NethServer 6.7, upgraded to nethserver-squid-1.3.10-1.11.g557da40.ns6.noarch
Installed paclibrary
Test Original Problem
Enhancement
Install Updated Package
yum --enablerepo=nethserver-testing update nethserver-squid-1.3.10-1.11.g557da40.ns6.noarch
Test Results after update
- green is 192.168.122.0/24
- blue is 192.168.150.0/24
Test case 1
- proxy disabled, OK
Client | Source IP | URL | Result
---|---|---|---
green1.1 | 192.168.122.12 | http://192.168.122.100 | DIRECT
green1.2 | 192.168.122.11 | http://www.centos.org | DIRECT
green1.3 (bypass) | 192.168.122.1 | http://www.centos.org | DIRECT
green2.1 | 192.168.123.13 | http://www.nethserver.org | DIRECT
blue1 | 192.168.150.7 | http://www.centos.org | DIRECT
Test case 2
- manual green,blue OK
Client | Source IP | URL | Result
---|---|---|---
green1.1 | 192.168.122.12 | http://192.168.122.100 | PROXY 192.168.122.114:3128
green1.2 | 192.168.122.11 | http://www.centos.org | PROXY 192.168.122.114:3128
green1.3 (bypass) | 192.168.122.1 | http://www.centos.org | DIRECT
green2.1 | 192.168.123.13 | http://www.nethserver.org | PROXY 192.168.123.0:3128
blue1 | 192.168.150.7 | http://www.centos.org | PROXY 192.168.150.1:3128
- authenticated green,blue OK
Client | Source IP | URL | Result
---|---|---|---
green1.1 | 192.168.122.12 | http://192.168.122.100 | PROXY 192.168.122.114:3128
green1.2 | 192.168.122.11 | http://www.centos.org | PROXY 192.168.122.114:3128
green1.3 (bypass) | 192.168.122.1 | http://www.centos.org | DIRECT
green2.1 | 192.168.123.13 | http://www.nethserver.org | PROXY 192.168.123.0:3128
blue1 | 192.168.150.7 | http://www.centos.org | PROXY 192.168.150.1:3128

- NOTE I had to install nethserver-samba (however, nethserver-directory was probably enough) to get authenticated mode working. The following error appeared in /var/log/messages:

Dec 1 12:19:44 vm2 esmith::event[16051]: 2015/12/01 12:19:44| Processing Configuration File: /etc/squid/squid.conf (depth 0)
Dec 1 12:19:44 vm2 esmith::event[16051]: 2015/12/01 12:19:44| Processing: acl no_cache dstdomain "/etc/squid/acls/no_cache.acl"
Dec 1 12:19:44 vm2 esmith::event[16051]: 2015/12/01 12:19:44| Warning: empty ACL: acl no_cache dstdomain "/etc/squid/acls/no_cache.acl"
Dec 1 12:19:44 vm2 esmith::event[16051]: 2015/12/01 12:19:44| Processing: no_cache deny no_cache
...
Dec 1 12:19:44 vm2 esmith::event[16051]: 2015/12/01 12:19:44| Processing: acl authenticated proxy_auth REQUIRED
Dec 1 12:19:44 vm2 esmith::event[16051]: 2015/12/01 12:19:44| Can't use proxy auth because no authentication schemes are fully configured.
Dec 1 12:19:44 vm2 esmith::event[16051]: FATAL: ERROR: Invalid ACL: acl authenticated proxy_auth REQUIRED

- In my config I added one host under "Hosts without proxy"
- After I installed nethserver-samba the problem was fixed
- with smb in ADS mode, OK

Client | Source IP | URL | Result
---|---|---|---
green1.1 | 192.168.122.12 | http://192.168.122.100 | PROXY proxy.dpnet.nethesis.it:3128
green1.2 | 192.168.122.11 | http://www.centos.org | PROXY proxy.dpnet.nethesis.it:3128
green1.3 (bypass) | 192.168.122.1 | http://www.centos.org | DIRECT
green2.1 | 192.168.123.13 | http://www.nethserver.org | PROXY proxy.dpnet.nethesis.it:3128
blue1 | 192.168.150.7 | http://www.centos.org | PROXY proxy.dpnet.nethesis.it:3128
Test case 2
- green transparent OK
Client | Source IP | URL | Result
---|---|---|---
green1.1 | 192.168.122.12 | http://192.168.122.100 | DIRECT
green1.2 | 192.168.122.11 | http://www.centos.org | DIRECT
green1.3 (bypass) | 192.168.122.1 | http://www.centos.org | DIRECT
green2.1 | 192.168.123.13 | http://www.nethserver.org | DIRECT
blue1 | 192.168.150.7 | http://www.centos.org | PROXY proxy.dpnet.nethesis.it:3128
- blue transparent(_ssl), green transparent(_ssl) OK
Client | Source IP | URL | Result
---|---|---|---
green1.1 | 192.168.122.12 | http://192.168.122.100 | DIRECT
green1.2 | 192.168.122.11 | http://www.centos.org | DIRECT
green1.3 (bypass) | 192.168.122.1 | http://www.centos.org | DIRECT
green2.1 | 192.168.123.13 | http://www.nethserver.org | DIRECT
blue1 | 192.168.150.7 | http://www.centos.org | DIRECT
- blue transparent, green manual OK
Client | Source IP | URL | Result
---|---|---|---
green1.1 | 192.168.122.12 | http://192.168.122.100 | PROXY proxy.dpnet.nethesis.it:3128
green1.2 | 192.168.122.11 | http://www.centos.org | PROXY proxy.dpnet.nethesis.it:3128
green1.3 (bypass) | 192.168.122.1 | http://www.centos.org | DIRECT
green2.1 | 192.168.123.13 | http://www.nethserver.org | PROXY proxy.dpnet.nethesis.it:3128
blue1 | 192.168.150.7 | http://www.centos.org | DIRECT
Test case 3
Destination bypasses
Rule | Source IP | URL | Result
---|---|---|---
src bypass iprange from green | 192.168.122.91 | http://www.nethserver.org | DIRECT
src bypass iprange from blue | 192.168.150.91 | http://www.nethserver.org | DIRECT |
src bypass host from green | 192.168.122.10 | http://www.nethserver.org | DIRECT |
src bypass host from blue | 192.168.150.20 | http://www.nethserver.org | DIRECT |
src bypass host-group from green | 192.168.122.3 | http://www.nethserver.org | DIRECT |
src bypass host-group from blue | 192.168.150.33 | http://www.nethserver.org | DIRECT |
src bypass cidr from green | 192.168.122.249 | http://www.nethserver.org | DIRECT |
src bypass cidr from blue | 192.168.150.249 | http://www.nethserver.org | DIRECT |
Test case 4
Rule | Source IP | URL | Result
---|---|---|---
src bypass iprange from green | 192.168.122.91 | http://www.nethserver.org | DIRECT
src bypass iprange from blue | 192.168.150.91 | http://www.nethserver.org | DIRECT |
src bypass host from green | 192.168.122.10 | http://www.nethserver.org | DIRECT |
src bypass host from blue | 192.168.150.20 | http://www.nethserver.org | DIRECT |
src bypass host-group from green | 192.168.122.3 | http://www.nethserver.org | DIRECT |
src bypass host-group from blue | 192.168.150.33 | http://www.nethserver.org | DIRECT |
src bypass cidr from green | 192.168.122.249 | http://www.nethserver.org | DIRECT |
src bypass cidr from blue | 192.168.150.249 | http://www.nethserver.org | DIRECT |
Disabled all rules
Rule | Source IP | URL | Result
---|---|---|---
src bypass iprange from green | 192.168.122.91 | http://www.nethserver.org | PROXY 192.168.122.114:3128
src bypass iprange from blue | 192.168.150.91 | http://www.nethserver.org | PROXY 192.168.150.1:3128 |
src bypass host from green | 192.168.122.10 | http://www.nethserver.org | PROXY 192.168.122.114:3128 |
src bypass host from blue | 192.168.150.20 | http://www.nethserver.org | PROXY 192.168.150.1:3128 |
src bypass host-group from green | 192.168.122.3 | http://www.nethserver.org | PROXY 192.168.122.114:3128 |
src bypass host-group from blue | 192.168.150.33 | http://www.nethserver.org | PROXY 192.168.150.1:3128 |
src bypass cidr from green | 192.168.122.249 | http://www.nethserver.org | PROXY 192.168.122.114:3128 |
src bypass cidr from blue | 192.168.150.249 | http://www.nethserver.org | PROXY 192.168.150.1:3128 |
Verified Or Reopen: VERIFIED
Note: see pactest.py
#11 Updated by Davide Principi over 5 years ago
- Related to Bug #3330: Error when proxy is set to "authenticated" added
#12 Updated by Giacomo Sanchietti over 5 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
- nethserver-squid-1.3.11-1.ns6.noarch.rpm