Enhancement #3266

WPAD improvements

Added by Giacomo Sanchietti almost 6 years ago. Updated over 5 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-squid
Target version: v6.7
Resolution:
NEEDINFO: No

Description

WPAD implementation should be updated with the following improvements:

  • WPAD must be accessible from all networks using the IP address of the gateway to avoid problems with name resolution
  • as an exception to previous point, if the server is joined to an AD, all clients must use the host name, since Kerberos authentication doesn't work with the IP
  • if Squid is configured in transparent mode, the WPAD should return DIRECT access to avoid problems with dumb clients. Be aware that the proxy can be in transparent mode for green network and manual for the blue one (or vice versa)

Thanks to Adam for the idea: http://community.nethserver.org/t/wpad-dhcp-dns-etc/1627

PAC functions are documented here:
http://findproxyforurl.com/pac-functions/

pactest.py - Test cases (1.75 KB) Davide Principi, 12/01/2015 09:44 AM


Related issues

Related to NethServer 6 - Bug #3330: Error when proxy is set to "authenticated" CLOSED

Associated revisions

Revision 88f579d8
Added by Giovanni Bezicheri over 5 years ago

WPAD fixes. Refs #3266

Revision e1d7cee1
Added by Giovanni Bezicheri over 5 years ago

WPAD fixes. Refs #3266

Revision 55bf32cf
Added by Giacomo Sanchietti over 5 years ago

New WPAD implementation. Refs #3266

Also support source and destination bypasses.

Revision cf6b6667
Added by Giacomo Sanchietti over 5 years ago

WPAD: fix bad JS syntax. Refs #3266

Revision 4065c4e7
Added by Giacomo Sanchietti over 5 years ago

WPAD: signal squid-save event on bypass edit. Refs #3266

Revision 1fe6446b
Added by Giacomo Sanchietti over 5 years ago

Revert "WPAD: signal squid-save event on bypass edit. Refs #3266"

This reverts commit 4065c4e7820c2a6ea429ab350ba571429d8901ff.

Revision 557da40f
Added by Giacomo Sanchietti over 5 years ago

createlinks: expand wpad when necessary. Refs #3266

Revision 03ab7279
Added by Giacomo Sanchietti over 5 years ago

WPAD: resolve hosts when needed. Refs #3266

Revision 4f0f9106
Added by Giacomo Sanchietti over 5 years ago

WPAD: limit WPAD access to trusted networks. Refs #3266

Revision e78c5f75
Added by Giacomo Sanchietti over 5 years ago

WPAD: fix httpd allow directive. Refs #3266

History

#1 Updated by Davide Marini almost 6 years ago

I suggest an improvement for this scenario:

  • Nethserver member of AD domain
  • DC located in the green
  • Proxy web authenticated in the green zone
  • Proxy web manual/transparent in the blue zone

GREEN network : clients are using DC as DNS, the DC can resolve the hostname written in the wpad.dat, everything will work fine

BLUE network: clients in this zone can't resolve the hostname (this zone usually is completely separated from the green one)
In this case it could be better to write the IP address and not the hostname in the wpad.dat file for the blue clients

to simplify the concept in pseudocode... for EVERY zone:

if (authenticated && AD_joined) {
    $HOSTNAME
} else {
    $IP_ADDRESS
}

#2 Updated by Giacomo Sanchietti almost 6 years ago

  • Status changed from NEW to TRIAGED
  • Target version set to v6.7
  • % Done changed from 0 to 20

#3 Updated by Giacomo Sanchietti almost 6 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#4 Updated by Giacomo Sanchietti almost 6 years ago

  • Assignee deleted (Giacomo Sanchietti)

#5 Updated by Giacomo Sanchietti over 5 years ago

  • Assignee set to Giacomo Sanchietti

#6 Updated by Giacomo Sanchietti over 5 years ago

Current implementation is wrong since it uses the host variable to check client ip source address, but it should use the myIpAddress() function.

#7 Updated by Giacomo Sanchietti over 5 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

New implementation also supports source and destination bypass.

#8 Updated by Giacomo Sanchietti over 5 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70
In nethserver-testing:
  • nethserver-squid-1.3.10-1.7.g55bf32c.ns6.noarch.rpm
  • nethserver-squid-1.3.10-1.11.g557da40.ns6.noarch.rpm

NOTE: you can use this tool to test the WPAD implementation: https://github.com/pacparser/pacparser

Test case 0
  • Disable the proxy
  • Check the WPAD returns "DIRECT"
Test case 1
  • Configure the proxy in manual mode
  • Check the wpad returns the proxy ip address for each green and blue network
  • Repeat the same configuring the proxy in authenticated mode
  • Enable the AD join (fake config: config set smb service status enabled ServerRole ADS)
  • Repeat previous tests and check the proxy is returned with host name "proxy.<domain>:3128"
Test case 2
  • Set the proxy mode to transparent or transparent_ssl on green networks
  • Check the WPAD return "DIRECT" for green
  • Repeat the test for blue networks
Test case 3
  • Configure 3 destination bypasses using host, host group and cidr
  • Verify the listed sites will be reached without proxy
Test case 4
  • Configure 4 source bypasses using host, host group, ip range and cidr
  • Verify the listed hosts will not use the proxy
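The following is an added example, not NethServer's generated wpad.dat nor code from this ticket: a stand-alone PAC file that implements the rules in the description (proxy address taken from the gateway of the client's own network, host name instead of IP when the server is joined to AD, DIRECT for transparent zones, source and destination bypasses) together with the shims needed to run it under Node, so the test matrix from comment #8 can be driven without a browser. The networks mirror the green/blue layout used in the verification below; the proxy name "proxy.example.lan", the name "files.example.lan" and every bypass entry are constructed test data.

```javascript
// Added example for issue #3266 (not NethServer's template): PAC logic for the
// rules in the description plus Node shims, so comment #8's test cases can be run.
// All networks, names and bypass entries are constructed test data.

// ---- Shims for the PAC built-ins (browsers provide the real ones). ----------
var CLIENT_IP = "0.0.0.0";                                   // set by lookup()
var FAKE_DNS = { "files.example.lan": "192.168.122.100" };   // constructed resolver
function myIpAddress() { return CLIENT_IP; }
function dnsResolve(host) { return FAKE_DNS[host] || null; }
function isInNet(ip, net, mask) {
  return ((ip2int(ip) & ip2int(mask)) >>> 0) === ((ip2int(net) & ip2int(mask)) >>> 0);
}
function shExpMatch(str, glob) {                             // '*' and '?' wildcards
  var re = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// ---- PAC body. Kept to ES5: the WinHTTP/JScript PAC engine has no ES6. ------
var CONFIG = {
  enabled: true,                 // Test case 0: false means the proxy is disabled
  adJoined: false,               // Test case 1: true emulates "ServerRole ADS"
  proxyName: "proxy.example.lan",   // assumed name
  port: 3128,
  networks: [
    { name: "green", cidr: "192.168.122.0/24", gateway: "192.168.122.114", mode: "authenticated" },
    { name: "blue",  cidr: "192.168.150.0/24", gateway: "192.168.150.1",   mode: "manual" }
  ],
  srcBypass: [                   // Test case 4: host, host group, ip range, cidr
    { host: "192.168.122.10" },
    { hosts: ["192.168.122.3", "192.168.150.33"] },
    { range: ["192.168.122.90", "192.168.122.95"] },
    { cidr: "192.168.150.248/29" }
  ],
  dstBypass: [                   // Test case 3: host, host group, cidr
    { host: "*.centos.org" },
    { hosts: ["wiki.example.lan"] },
    { cidr: "192.168.122.0/24" } // local servers are reached without the proxy
  ]
};
function ip2int(ip) {            // dotted quad -> unsigned 32-bit integer
  var o = ip.split("."), n = 0;
  for (var i = 0; i < 4; i++) n = (n << 8) + Number(o[i]);
  return n >>> 0;
}
function isPlainIp(s) { return /^\d{1,3}(\.\d{1,3}){3}$/.test(s); }
function inCidr(ip, cidr) {      // "a.b.c.d/n" -> isInNet() with a dotted mask
  var p = cidr.split("/"), bits = Number(p[1]);
  var mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  var dotted = [24, 16, 8, 0].map(function (s) { return (mask >>> s) & 255; }).join(".");
  return isInNet(ip, p[0], dotted);
}
function ipMatches(ip, rule) {
  if (rule.host)  return ip === rule.host;
  if (rule.hosts) return rule.hosts.indexOf(ip) !== -1;
  if (rule.range) return ip2int(ip) >= ip2int(rule.range[0]) && ip2int(ip) <= ip2int(rule.range[1]);
  if (rule.cidr)  return inCidr(ip, rule.cidr);
  return false;
}
function destMatches(host, rule) {
  if (rule.host)  return shExpMatch(host, rule.host);
  if (rule.hosts) return rule.hosts.indexOf(host) !== -1;
  if (rule.cidr) {
    // Resolve only when a CIDR rule actually needs an address ("resolve hosts
    // when needed"): dnsResolve() blocks inside every proxy lookup the client makes.
    var ip = isPlainIp(host) ? host : dnsResolve(host);
    return ip ? inCidr(ip, rule.cidr) : false;
  }
  return false;
}
function FindProxyForURL(url, host) {
  if (!CONFIG.enabled) return "DIRECT";
  var client = myIpAddress();    // the client's own address, not `host` (comment #6)
  var net = null;
  for (var i = 0; i < CONFIG.networks.length; i++)
    if (inCidr(client, CONFIG.networks[i].cidr)) { net = CONFIG.networks[i]; break; }
  if (net === null) return "DIRECT";                          // not a trusted network
  if (net.mode === "transparent" || net.mode === "transparent_ssl") return "DIRECT";
  for (i = 0; i < CONFIG.srcBypass.length; i++) if (ipMatches(client, CONFIG.srcBypass[i])) return "DIRECT";
  for (i = 0; i < CONFIG.dstBypass.length; i++) if (destMatches(host, CONFIG.dstBypass[i])) return "DIRECT";
  // Kerberos needs the proxy's name; without AD the gateway IP avoids name-resolution trouble.
  return "PROXY " + (CONFIG.adJoined ? CONFIG.proxyName : net.gateway) + ":" + CONFIG.port;
}

// ---- Harness: the (client, url) pairs comment #8 asks testers to check. -----
function lookup(clientIp, url, overrides) {
  var saved = Object.assign({}, CONFIG);
  Object.assign(CONFIG, overrides || {});
  CLIENT_IP = clientIp;
  try { return FindProxyForURL(url, new URL(url).hostname); }
  finally { Object.assign(CONFIG, saved); }
}
function runMatrix() {
  var blueTransparent = CONFIG.networks.map(function (n) {
    return n.name === "blue" ? Object.assign({}, n, { mode: "transparent" }) : n;
  });
  return {
    case0_disabled:    lookup("192.168.122.12",  "http://www.nethserver.org/", { enabled: false }),
    case1_green:       lookup("192.168.122.12",  "http://www.nethserver.org/"),
    case1_blue:        lookup("192.168.150.7",   "http://www.nethserver.org/"),
    case1_ad_blue:     lookup("192.168.150.7",   "http://www.nethserver.org/", { adJoined: true }),
    case2_blue_transp: lookup("192.168.150.7",   "http://www.nethserver.org/", { networks: blueTransparent }),
    case3_dst_glob:    lookup("192.168.122.12",  "http://www.centos.org/"),
    case3_dst_resolve: lookup("192.168.150.7",   "http://files.example.lan/"),
    case3_dst_iplit:   lookup("192.168.150.7",   "http://192.168.122.100/"),
    case4_src_range:   lookup("192.168.122.91",  "http://www.nethserver.org/"),
    case4_src_cidr:    lookup("192.168.150.249", "http://www.nethserver.org/")
  };
}
console.log(runMatrix());
```

Run it with node; the printed object is the expected "PROXY gateway:3128" / "DIRECT" answer for each case, with the proxy name replacing the gateway once adJoined is set. Two points worth keeping in mind when reading the results against the real wpad.dat: myIpAddress() returns whatever the client considers its primary address, so on a multi-homed client the zone lookup can land in the wrong network and the safe fallback for an address in no known network is DIRECT; and because the file hands out the gateway addresses and the full bypass lists to whoever can fetch it, limiting who may download wpad.dat to trusted networks (revision 4f0f9106) is part of the design rather than an afterthought.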

#9 Updated by Davide Principi over 5 years ago

  • Assignee set to Davide Principi

#10 Updated by Davide Principi over 5 years ago

  • File pactest.py added
  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 70 to 90

System and Package Version installed
NethServer 6.7, upgraded to nethserver-squid-1.3.10-1.11.g557da40.ns6.noarch
Installed paclibrary

Test Original Problem
Enhancement

Install Updated Package

yum --enablerepo=nethserver-testing update nethserver-squid-1.3.10-1.11.g557da40.ns6.noarch

Test Results after update

  • green is 192.168.122.0/24
  • blue is 192.168.150.0/24

Test case 1

Test case 2

  • authenticated green,blue OK
    green1.1 192.168.122.12 http://192.168.122.100 PROXY 192.168.122.114:3128
    green1.2 192.168.122.11 http://www.centos.org PROXY 192.168.122.114:3128
    green1.3 (bypass) 192.168.122.1 http://www.centos.org DIRECT
    green2.1 192.168.123.13 http://www.nethserver.org PROXY 192.168.123.0:3128
    blue1 192.168.150.7 http://www.centos.org PROXY 192.168.150.1:3128
    • NOTE I had to install nethserver-samba (however, nethserver-directory was probably enough) to get authenticated mode working. The following error appeared in /var/log/messages
      Dec  1 12:19:44 vm2 esmith::event[16051]: 2015/12/01 12:19:44| Processing Configuration File: /etc/squid/squid.conf (depth 0)
      Dec  1 12:19:44 vm2 esmith::event[16051]: 2015/12/01 12:19:44| Processing: acl no_cache dstdomain "/etc/squid/acls/no_cache.acl" 
      Dec  1 12:19:44 vm2 esmith::event[16051]: 2015/12/01 12:19:44| Warning: empty ACL: acl no_cache dstdomain "/etc/squid/acls/no_cache.acl" 
      Dec  1 12:19:44 vm2 esmith::event[16051]: 2015/12/01 12:19:44| Processing: no_cache deny no_cache
      ...
      Dec  1 12:19:44 vm2 esmith::event[16051]: 2015/12/01 12:19:44| Processing: acl authenticated proxy_auth REQUIRED
      Dec  1 12:19:44 vm2 esmith::event[16051]: 2015/12/01 12:19:44| Can't use proxy auth because no authentication schemes are fully configured.
      Dec  1 12:19:44 vm2 esmith::event[16051]: FATAL: ERROR: Invalid ACL: acl authenticated proxy_auth REQUIRED
      
    • In my config I added one host under "Hosts without proxy"
    • After I installed nethserver-samba the problem was fixed
  • with smb in ADS mode, OK
    green1.1 192.168.122.12 http://192.168.122.100 PROXY proxy.dpnet.nethesis.it:3128
    green1.2 192.168.122.11 http://www.centos.org PROXY proxy.dpnet.nethesis.it:3128
    green1.3 (bypass) 192.168.122.1 http://www.centos.org DIRECT
    green2.1 192.168.123.13 http://www.nethserver.org PROXY proxy.dpnet.nethesis.it:3128
    blue1 192.168.150.7 http://www.centos.org PROXY proxy.dpnet.nethesis.it:3128

Test case 2

Test case 3

Destination bypasses

src bypass iprange from green 192.168.122.91 http://www.nethserver.org DIRECT
src bypass iprange from blue 192.168.150.91 http://www.nethserver.org DIRECT
src bypass host from green 192.168.122.10 http://www.nethserver.org DIRECT
src bypass host from blue 192.168.150.20 http://www.nethserver.org DIRECT
src bypass host-group from green 192.168.122.3 http://www.nethserver.org DIRECT
src bypass host-group from blue 192.168.150.33 http://www.nethserver.org DIRECT
src bypass cidr from green 192.168.122.249 http://www.nethserver.org DIRECT
src bypass cidr from blue 192.168.150.249 http://www.nethserver.org DIRECT

Test case 4

src bypass iprange from green 192.168.122.91 http://www.nethserver.org DIRECT
src bypass iprange from blue 192.168.150.91 http://www.nethserver.org DIRECT
src bypass host from green 192.168.122.10 http://www.nethserver.org DIRECT
src bypass host from blue 192.168.150.20 http://www.nethserver.org DIRECT
src bypass host-group from green 192.168.122.3 http://www.nethserver.org DIRECT
src bypass host-group from blue 192.168.150.33 http://www.nethserver.org DIRECT
src bypass cidr from green 192.168.122.249 http://www.nethserver.org DIRECT
src bypass cidr from blue 192.168.150.249 http://www.nethserver.org DIRECT

Disabled all rules

src bypass iprange from green 192.168.122.91 http://www.nethserver.org PROXY 192.168.122.114:3128
src bypass iprange from blue 192.168.150.91 http://www.nethserver.org PROXY 192.168.150.1:3128
src bypass host from green 192.168.122.10 http://www.nethserver.org PROXY 192.168.122.114:3128
src bypass host from blue 192.168.150.20 http://www.nethserver.org PROXY 192.168.150.1:3128
src bypass host-group from green 192.168.122.3 http://www.nethserver.org PROXY 192.168.122.114:3128
src bypass host-group from blue 192.168.150.33 http://www.nethserver.org PROXY 192.168.150.1:3128
src bypass cidr from green 192.168.122.249 http://www.nethserver.org PROXY 192.168.122.114:3128
src bypass cidr from blue 192.168.150.249 http://www.nethserver.org PROXY 192.168.150.1:3128

Verified Or Reopen
VERIFIED

Note
see pactest.py

see also http://dev.nethserver.org/issues/3330

#11 Updated by Davide Principi over 5 years ago

  • Related to Bug #3330: Error when proxy is set to "authenticated" added

#12 Updated by Giacomo Sanchietti over 5 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100
Released in nethserver-updates:
  • nethserver-squid-1.3.11-1.ns6.noarch.rpm
