RE: [squid-users] Wiki help for WPAD/PAC stuff (was Re: [squid-users] proxy.pac config)
Tue 2007-05-15 at 16:56 -0700, Jeff Smith wrote:
> However, if the browser is not configured to use a PAC
> file but a PAC file is delivered it brings up a
> Security Alert because the browser never requested it.
> I know the old Netscape browsers did this but am not
> sure about IE.

What they do varies. Some just show an error page, some ask you where to save the file. Some display it on the screen.

To do the automatic configuration thing this way you need to write a program to automatically reconfigure the client. It's not possible via javascript or similar (at least not when fetched over the network, not sure when loaded from file:///).

Regards
Henrik
Re: [squid-users] Wiki help for WPAD/PAC stuff (was Re: [squid-users] proxy.pac config)
I'll take a look at the updated Wiki later today.

On 5/15/07, SSCR Internet Admin <[EMAIL PROTECTED]> wrote:
> > However, if the browser is not configured to use a PAC
> > file but a PAC file is delivered it brings up a
> > Security Alert because the browser never requested it.
> > I know the old Netscape browsers did this but am not
> > sure about IE.
>
> Well, I'm sure local users will accept it happily by clicking OK, if not they don't have access.. :)

The Netscape alert doesn't give the option to accept the PAC, it just gives a warning that an unsolicited PAC was received.

If there was a trivial way to reconfigure browsers to use a PAC just by returning the right ActiveX or Java, then we'd see all sorts of malicious sites using that technique to force random Internet users to use the attacker's proxy.

So how do you force your users to use the PAC?

What you can do is make sure your DHCP server and DNS are set up to be fully compatible with WPAD, and then if any clients do make an attempt to go DIRECT, return a web page containing:

1) Text instructing how to correctly enable WPAD and/or how to configure PAC in the most popular browsers.
2) A link to a .REG file which forces the registry settings for IE to use PAC on Microsoft Windows clients.
3) Instructions for manual configuration, for UNIX and for ancient MacOS clients.

Even with all of this, expect to get plenty of support calls from confused users.

I manage an environment with tens of thousands of internal customers, and all default route HTTP/HTTPS/SMTP/etc traffic is denied, the only exception being for a couple of really braindead clients that are downright proxy-hostile; maybe a half dozen workstations total have an exception to the policy.

Kevin

(P.S. Think carefully before conditioning users to accept REG files from strangers).
RE: [squid-users] Wiki help for WPAD/PAC stuff (was Re: [squid-users] proxy.pac config)
> However, if the browser is not configured to use a PAC
> file but a PAC file is delivered it brings up a
> Security Alert because the browser never requested it.
> I know the old Netscape browsers did this but am not
> sure about IE.

Well, I'm sure local users will accept it happily by clicking OK, if not they don't have access.. :)

-----Original Message-----
From: Jeff Smith [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 16, 2007 7:56 AM
To: squid-users@squid-cache.org
Subject: RE: [squid-users] Wiki help for WPAD/PAC stuff (was Re: [squid-users] proxy.pac config)

It has been a few years since I played with PAC files in browsers. I think redirecting a request from the browser to automatically configure the browser will only work if the browser is first configured to use a PAC file. When the browser starts up and it is configured to use a PAC file, its first request goes to the URL the PAC file is located at and the file is downloaded. Subsequent requests use the information contained in the PAC file to go DIRECT or to a PROXY etc.

However, if the browser is not configured to use a PAC file but a PAC file is delivered it brings up a Security Alert because the browser never requested it. I know the old Netscape browsers did this but am not sure about IE.

Jeff Smith

--- SSCR Internet Admin <[EMAIL PROTECTED]> wrote:
> That is great Adrian. I'll keep visiting your wiki, and let's see what I could help out. Anyway about your Q about redirecting port 80 to a site, iptables will redirect all browsers connecting to port 80 to a local site where a script can be fired automatically to configure the browser to use the PAC. (of course it should check if it's a valid ip). I don't know if Php or javascript can do this.
RE: [squid-users] Wiki help for WPAD/PAC stuff (was Re: [squid-users] proxy.pac config)
It has been a few years since I played with PAC files in browsers. I think redirecting a request from the browser to automatically configure the browser will only work if the browser is first configured to use a PAC file. When the browser starts up and it is configured to use a PAC file, its first request goes to the URL the PAC file is located at and the file is downloaded. Subsequent requests use the information contained in the PAC file to go DIRECT or to a PROXY etc.

However, if the browser is not configured to use a PAC file but a PAC file is delivered it brings up a Security Alert because the browser never requested it. I know the old Netscape browsers did this but am not sure about IE.

Jeff Smith

--- SSCR Internet Admin <[EMAIL PROTECTED]> wrote:
> That is great Adrian. I'll keep visiting your wiki, and let's see what I could help out. Anyway about your Q about redirecting port 80 to a site, iptables will redirect all browsers connecting to port 80 to a local site where a script can be fired automatically to configure the browser to use the PAC. (of course it should check if it's a valid ip). I don't know if Php or javascript can do this.
RE: [squid-users] Wiki help for WPAD/PAC stuff (was Re: [squid-users] proxy.pac config)
That is great Adrian. I'll keep visiting your wiki, and let's see what I could help out. Anyway about your Q about redirecting port 80 to a site, iptables will redirect all browsers connecting to port 80 to a local site where a script can be fired automatically to configure the browser to use the PAC. (of course it should check if it's a valid ip). I don't know if Php or javascript can do this.

Regards

-----Original Message-----
From: Adrian Chadd [mailto:[EMAIL PROTECTED]
Sent: Saturday, May 12, 2007 4:47 PM
To: squid-users@squid-cache.org
Subject: [squid-users] Wiki help for WPAD/PAC stuff (was Re: [squid-users] proxy.pac config)

I've started building the WPAD and ProxyPac sections in the Wiki and I'd really, really appreciate any help I can get in fleshing out the content. I've implemented both of them enough in a small-sized network to know they mostly work but I've not got the operational experience some of you have.

I'd really appreciate some help here. I might even organise the helpers to get sent some CafePress Squid shirts when it's done.

Adrian
RE: [squid-users] proxy.pac config
Hi Adrian,

Maybe a VB script or ActiveX that will configure browsers...

Regards...

-----Original Message-----
From: Adrian Chadd [mailto:[EMAIL PROTECTED]
Sent: Saturday, May 12, 2007 4:49 PM
To: SSCR Internet Admin
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] proxy.pac config

On Sat, May 12, 2007, SSCR Internet Admin wrote:
> Last night when in bed thinking over this, I've come up with an idea. When a user
> tries to browse directly (port 80), iptables should redirect that traffic to
> a specific part on your site where it magically configures the browsers to
> use PAC. So no user intervention or manual config will occur, I guess
> firefox can be configured automatically..
>
> Just my two cents idea, who knows someone has already done this (not me, I
> only understand programming algo but not into coding).

Hm, how do you magically configure a browser to use a proxy.pac file from one port 80 access?

It's easy to set up a port 80 redirect to a web page which shows the user how to set up their proxy server settings.

Adrian
Re: [squid-users] proxy.pac config
On Sat, May 12, 2007, SSCR Internet Admin wrote:
> Last night when in bed thinking over this, I've come up with an idea. When a user
> tries to browse directly (port 80), iptables should redirect that traffic to
> a specific part on your site where it magically configures the browsers to
> use PAC. So no user intervention or manual config will occur, I guess
> firefox can be configured automatically..
>
> Just my two cents idea, who knows someone has already done this (not me, I
> only understand programming algo but not into coding).

Hm, how do you magically configure a browser to use a proxy.pac file from one port 80 access?

It's easy to set up a port 80 redirect to a web page which shows the user how to set up their proxy server settings.

Adrian
[squid-users] Wiki help for WPAD/PAC stuff (was Re: [squid-users] proxy.pac config)
I've started building the WPAD and ProxyPac sections in the Wiki and I'd really, really appreciate any help I can get in fleshing out the content. I've implemented both of them enough in a small-sized network to know they mostly work but I've not got the operational experience some of you have.

I'd really appreciate some help here. I might even organise the helpers to get sent some CafePress Squid shirts when it's done.

Adrian
RE: [squid-users] proxy.pac config
That's really informative and I'll try this one out. At least 75% of my network uses IE, so I have to manually edit 25% which uses firefox and safari (Mac users who are Spanish, better review my Spanish 101 hehe).

Last night when in bed thinking over this, I've come up with an idea. When a user tries to browse directly (port 80), iptables should redirect that traffic to a specific part on your site where it magically configures the browsers to use PAC. So no user intervention or manual config will occur, I guess firefox can be configured automatically..

Just my two cents idea, who knows someone has already done this (not me, I only understand programming algo but not into coding).

-----Original Message-----
From: K K [mailto:[EMAIL PROTECTED]
Sent: Saturday, May 12, 2007 2:04 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] proxy.pac config

On 5/11/07, Adrian Chadd <[EMAIL PROTECTED]> wrote:
> You can turn that cache behaviour off. I'll hunt around for the instructions
> to tell IE not to cache proxy.pac lookups and add it to the documentation.

That'd be handy.

> > (P.S. Have you heard about the magical PAC refresh option in Microsoft's
> > IEAK?)
>
> Nope! Please tell.

Inside Internet Explorer Administration Kit, you can build a custom installer for IE6 or IE7 and tune just about everything remotely related to IE. Great for a corporate deployment, or for the OP's question about forcing PAC settings to all desktops.

One of the options you can control is "Connections Customization". When you check this in the first menu, after going through a dozen or so dialogs, deep in "Stage 4" you will reach "Connection Settings". This gives you the option to "Import the current connection settings from this machine", and a button for "Modify Settings". If you use this button, it will open the connections menu, just like under IE, but there are extra options visible which never normally appear, including an "Advanced" button next to the PAC url.

This reveals new options for PAC, including refresh time; changes here are effective immediately on your local machine. Once you exit IEAK, the "Advanced" button vanishes from the control panel, but the settings remain in effect -- if you set a proxy URL and refresh time in the Brigadoon "Advanced" tab then choosing a new URL in the normal connection setting window is ineffective.

There's probably a registry hack you could find to accomplish the same results, and then just push down a .REG file to all the clients.

Kevin
Re: [squid-users] proxy.pac config
On 5/11/07, Adrian Chadd <[EMAIL PROTECTED]> wrote:
> You can turn that cache behaviour off. I'll hunt around for the instructions
> to tell IE not to cache proxy.pac lookups and add it to the documentation.

That'd be handy.

> > (P.S. Have you heard about the magical PAC refresh option in Microsoft's
> > IEAK?)
>
> Nope! Please tell.

Inside Internet Explorer Administration Kit, you can build a custom installer for IE6 or IE7 and tune just about everything remotely related to IE. Great for a corporate deployment, or for the OP's question about forcing PAC settings to all desktops.

One of the options you can control is "Connections Customization". When you check this in the first menu, after going through a dozen or so dialogs, deep in "Stage 4" you will reach "Connection Settings". This gives you the option to "Import the current connection settings from this machine", and a button for "Modify Settings". If you use this button, it will open the connections menu, just like under IE, but there are extra options visible which never normally appear, including an "Advanced" button next to the PAC url.

This reveals new options for PAC, including refresh time; changes here are effective immediately on your local machine. Once you exit IEAK, the "Advanced" button vanishes from the control panel, but the settings remain in effect -- if you set a proxy URL and refresh time in the Brigadoon "Advanced" tab then choosing a new URL in the normal connection setting window is ineffective.

There's probably a registry hack you could find to accomplish the same results, and then just push down a .REG file to all the clients.

Kevin
Re: [squid-users] proxy.pac config
On Fri, May 11, 2007, Pitti, Raul wrote:
> pls. look at this .reg file
> http://www.globaltecsa.com/squid/IE-auto-proxy-cache.reg
> hope this helps!

What's it do? Does this turn off the proxy result cache?

Adrian
Re: [squid-users] proxy.pac config
Adrian Chadd wrote:
> On Thu, May 10, 2007, K K wrote:
> > On 5/10/07, Adrian Chadd <[EMAIL PROTECTED]> wrote:
> > > There's plenty of examples of proxy.pac file based load balancing and
> > > failover.
> >
> > It's important to keep in mind that some PAC behavior, including
> > failover, is different for different browsers and browser versions --
> > this particularly applies to IE, which for example, caches everything
> > about PAC, included failed proxies, and won't forget until the
> > iexplore.exe process ends and is restarted.
>
> You can turn that cache behaviour off. I'll hunt around for the instructions
> to tell IE not to cache proxy.pac lookups and add it to the documentation.

pls. look at this .reg file
http://www.globaltecsa.com/squid/IE-auto-proxy-cache.reg
hope this helps!

RP

> > (P.S. Have you heard about the magical PAC refresh option in Microsoft's
> > IEAK?)
>
> Nope! Please tell.
>
> Adrian

--
Raúl Pittí Palma, Eng.
Global Engineering and Technology S.A.
mobile (507)-6616-0194
office (507)-390-4338
Republic of Panama
www.globaltecsa.com
Re: [squid-users] proxy.pac config
On Thu, May 10, 2007, K K wrote:
> On 5/10/07, Adrian Chadd <[EMAIL PROTECTED]> wrote:
> > There's plenty of examples of proxy.pac file based load balancing and
> > failover.
>
> It's important to keep in mind that some PAC behavior, including
> failover, is different for different browsers and browser versions --
> this particularly applies to IE, which for example, caches everything
> about PAC, included failed proxies, and won't forget until the
> iexplore.exe process ends and is restarted.

You can turn that cache behaviour off. I'll hunt around for the instructions to tell IE not to cache proxy.pac lookups and add it to the documentation.

> (P.S. Have you heard about the magical PAC refresh option in Microsoft's
> IEAK?)

Nope! Please tell.

Adrian
Re: [squid-users] proxy.pac config
On 5/10/07, Adrian Chadd <[EMAIL PROTECTED]> wrote:
> There's plenty of examples of proxy.pac file based load balancing and
> failover.

It's important to keep in mind that some PAC behavior, including failover, is different for different browsers and browser versions -- this particularly applies to IE, which for example, caches everything about PAC, including failed proxies, and won't forget until the iexplore.exe process ends and is restarted. This means that once IE has detected a failed proxy, it will automatically failover, but will not "fail back", will never try a failed proxy again until you exit and restart.

> Watch this list, I have a feeling I'm going to be writing a couple of
> Squid Wiki articles on successfully deploying WPAD and proxy.pac files
> to finally demystify the mess..

Tell me about it. I've been told that I should write a WPAD/APC/PAC book, but O'Reilly said that one chapter in the rock thrush book was more than enough for their needs.

Kevin

(P.S. Have you heard about the magical PAC refresh option in Microsoft's IEAK?)
Re: [squid-users] proxy.pac config
well, you can be sure I'll provide a fully working example as soon as I get my config working. :-D (just to prevent others from wasting as much time as I did.)

RP

Adrian Chadd wrote:
> On Fri, May 11, 2007, SSCR Internet Admin wrote:
> > Thanks Adrian it works! I could see that it shifts to the other server when
> > I manually shut down squid.
> >
> > Now, this could be harder (for a noob like me). What if I have 500
> > workstations, so I have to config each browser to use my new pac file, is
> > there a way that this pac will eventually force all browsers to use pac.
> > Like blindly install pac on their browser when they go directly to port 80.
>
> You can do it via WPAD DHCP or WPAD DNS (that's what WPAD is for) but it
> requires users' browsers to have the "proxy autodetection" feature ticked.
>
> Watch this list, I have a feeling I'm going to be writing a couple of
> Squid Wiki articles on successfully deploying WPAD and proxy.pac files
> to finally demystify the mess..
>
> Adrian

--
Raúl Pittí Palma, Eng.
Global Engineering and Technology S.A.
mobile (507)-6616-0194
office (507)-390-4338
Republic of Panama
www.globaltecsa.com
Re: [squid-users] proxy.pac config
On Fri, May 11, 2007, SSCR Internet Admin wrote:
> Thanks Adrian it works! I could see that it shifts to the other server when
> I manually shut down squid.
>
> Now, this could be harder (for a noob like me). What if I have 500
> workstations, so I have to config each browser to use my new pac file, is
> there a way that this pac will eventually force all browsers to use pac.
> Like blindly install pac on their browser when they go directly to port 80.

You can do it via WPAD DHCP or WPAD DNS (that's what WPAD is for) but it requires users' browsers to have the "proxy autodetection" feature ticked.

Watch this list, I have a feeling I'm going to be writing a couple of Squid Wiki articles on successfully deploying WPAD and proxy.pac files to finally demystify the mess..

Adrian
RE: [squid-users] proxy.pac config
Thanks Adrian it works! I could see that it shifts to the other server when I manually shut down squid.

Now, this could be harder (for a noob like me). What if I have 500 workstations, so I have to config each browser to use my new pac file, is there a way that this pac will eventually force all browsers to use pac. Like blindly install pac on their browser when they go directly to port 80.

Thanks

-----Original Message-----
From: Adrian Chadd [mailto:[EMAIL PROTECTED]
Sent: Friday, May 11, 2007 9:37 AM
To: SSCR Internet Admin
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] proxy.pac config

On Fri, May 11, 2007, SSCR Internet Admin wrote:
> Hi,
>
> I wanted to ask if this is possible. I've just installed a second squid
> server and was wondering if I could create somewhat of a loadbalancing without
> using a TCP-loadbalancer or HA by using a proxy.pac that is capable of
> detecting a busy/failed server and connecting to the next available proxy
> server.
>
>             Squid 1
> Internet<--+->Workstation(with proxy.pac)
>             Squid 2

There's plenty of examples of proxy.pac file based load balancing and failover.

Failover is easy, just give a number of entries in a list, ie:

    return "proxy1:3128; proxy2:3128"

And to failover to direct, try:

    return "proxy1:3128; proxy2:3128; DIRECT"

let me know if this doesn't work.

Adrian
Re: [squid-users] proxy.pac config
On Fri, May 11, 2007, SSCR Internet Admin wrote:
> Hi,
>
> I wanted to ask if this is possible. Ive just installed a second squid
> server and was wondering if I could create somewhat a loadbalancing without
> using TCP-loadbalancer or HA by using a proxy.pac that is capable of
> detecting a busy/failed server and connect to the next available proxy
> server.
>
>             Squid 1
> Internet<--+->Workstation(with proxy.pac)
>             Squid 2

There's plenty of examples of proxy.pac file based load balancing and failover.

Failover is easy, just give a number of entries in a list, ie:

    return "proxy1:3128; proxy2:3128"

And to failover to direct, try:

    return "proxy1:3128; proxy2:3128; DIRECT"

let me know if this doesn't work.

Adrian
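A complete proxy.pac along the lines Adrian describes, added here as an example and not taken from the thread or the Squid wiki: it returns a failover list across the original poster's two Squid servers and also spreads load by letting each hostname prefer one of the two. The proxy names, port 3128, the internal domain "example.internal" and the stand-in helper functions are assumptions; real browsers supply isPlainHostName and dnsDomainIs themselves, and the return strings use the standard `PROXY host:port` form.

```javascript
// Example proxy.pac (constructed for this thread, not the project's own file).
// Two Squid servers; each host prefers one of them and fails over to the other.
var PROXIES = ["proxy1:3128", "proxy2:3128"];

// Stand-in for the browser-provided PAC helper: true when the host has no dots.
// (Assumption: same behaviour as the real helper for the inputs used here.)
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Stand-in for the browser-provided PAC helper: true when host ends with domain.
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

// Deterministic per-host value (sum of character codes) so that a given
// host always prefers the same proxy; with two proxies this is just parity.
function hashHost(host) {
  var h = 0;
  for (var i = 0; i < host.length; i++) {
    h += host.charCodeAt(i);
  }
  return h;
}

// Build the ordered failover list: the preferred proxy first, then the rest,
// each tagged with the PROXY keyword the PAC format expects.
// DIRECT is deliberately not appended: if every proxy is down the request
// fails instead of bypassing the proxy policy, which matches a firewall that
// denies default-route HTTP traffic (Kevin's setup later in the thread).
function proxyOrder(host) {
  var first = hashHost(host) % PROXIES.length;
  var parts = [];
  for (var i = 0; i < PROXIES.length; i++) {
    parts.push("PROXY " + PROXIES[(first + i) % PROXIES.length]);
  }
  return parts.join("; ");
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  // Unqualified and internal hosts never go through the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.internal")) {
    return "DIRECT";
  }
  // Everything else: preferred proxy, failing over to the other one.
  return proxyOrder(host.toLowerCase());
}
```

Note that the browser only moves down the list when a proxy is unreachable, and, as Kevin points out for IE, may remember a failed proxy until the browser is restarted.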
[squid-users] proxy.pac config
Hi,

I wanted to ask if this is possible. I've just installed a second squid server and was wondering if I could create somewhat of a loadbalancing without using a TCP-loadbalancer or HA by using a proxy.pac that is capable of detecting a busy/failed server and connecting to the next available proxy server.

            Squid 1
Internet<--+->Workstation(with proxy.pac)
            Squid 2

If you have any idea or experience, can you share it with me?

TIA
Nats