New in the Squeeze version of Debian Edu / Skolelinux is the
ability for clients to automatically configure their proxy settings
based on their environment. We want all systems on the client to use
the WPAD based proxy definition fetched from http://wpad/wpad.dat, to
allow sites to control the proxy setting from a central place and make
sure clients do not have hard coded proxy settings. The schools can
change the global proxy setting by editing
tjener:/etc/debian-edu/www/wpad.dat and the change propagates
to all Debian Edu clients in the network.

The problem is that some systems do not understand the WPAD system.
In other words, how does one get from a WPAD file like this (this is a
simple one, they can run arbitrary code):

function FindProxyForURL(url, host)
{
  if (!isResolvable(host) ||
      isPlainHostName(host) ||
      dnsDomainIs(host, ".intern"))
    return "DIRECT";
  else
    return "PROXY webcache:3128; DIRECT";
}

to a proxy setting in the process environment looking like this:

http_proxy=http://webcache:3128/
ftp_proxy=http://webcache:3128/

To do this conversion I developed a Perl script that will execute
the JavaScript fragment in the WPAD file and return the proxy that
would be used for http://www.debian.org/, and insert this extracted
proxy URL in /etc/environment and /etc/apt/apt.conf. The Perl script
wpad-extract works just fine in Squeeze, but in Wheezy the library it
needs to run the JavaScript code is no longer able to build because
the C library it depended on is now a C++ library. I hope someone
finds a solution to that problem before Wheezy is frozen. An
alternative would be for us to rewrite wpad-extract to use some other
JavaScript library currently working in Wheezy, but no alternative is
known at the moment.

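The conversion described above, as an added example for Node.js; it is not the wpad-extract Perl script. The function names and the set of resolvable hosts standing in for DNS are assumptions, and the PAC answer is validated before it becomes an environment line because wpad.dat is code supplied by the network.

```javascript
const vm = require('vm');

// Constructed sample: the wpad.dat quoted in the post.
const SAMPLE_PAC = `
function FindProxyForURL(url, host)
{
  if (!isResolvable(host) ||
      isPlainHostName(host) ||
      dnsDomainIs(host, ".intern"))
    return "DIRECT";
  else
    return "PROXY webcache:3128; DIRECT";
}`;

// Only the three PAC helpers the sample uses. `resolvable` is an assumed
// stand-in for a DNS lookup so the example runs offline.
function pacHelpers(resolvable) {
  return {
    isResolvable: (host) => resolvable.has(host),
    isPlainHostName: (host) => !host.includes('.'),
    dnsDomainIs: (host, domain) => host.endsWith(domain),
  };
}

// Run the PAC code and return its raw answer for one URL. The vm module is
// not a security boundary: run this as an unprivileged user, never as root.
function findProxy(pacSource, url, resolvable) {
  const context = vm.createContext(pacHelpers(resolvable));
  vm.runInContext(pacSource, context, { timeout: 1000 });
  const call = `FindProxyForURL(${JSON.stringify(url)}, ${JSON.stringify(new URL(url).hostname)})`;
  const answer = vm.runInContext(call, context, { timeout: 1000 });
  return typeof answer === 'string' ? answer : '';
}

// The first entry decides. Anything that is not exactly "PROXY host:port"
// yields no setting, so wpad.dat cannot add lines to /etc/environment.
function proxyEnvLines(pacAnswer) {
  const first = pacAnswer.split(';')[0].trim();
  const m = /^PROXY ([A-Za-z0-9.-]+):(\d{1,5})$/.exec(first);
  if (!m || Number(m[2]) < 1 || Number(m[2]) > 65535) return [];
  const proxyUrl = `http://${m[1]}:${m[2]}/`;
  return [`http_proxy=${proxyUrl}`, `ftp_proxy=${proxyUrl}`];
}

// Hypothetical entry point: same probe URL as the post.
function wpadExtract(pacSource, resolvable) {
  return proxyEnvLines(findProxy(pacSource, 'http://www.debian.org/', resolvable));
}
console.log(wpadExtract(SAMPLE_PAC, new Set(['www.debian.org'])).join('\n'));
```
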
This automatic proxy system allows the roaming workstation (aka
laptop) setup in Debian Edu/Squeeze to use the proxy when the laptop
is connected to the backbone network in a Debian Edu setup, and to
automatically use any proxy present and announced using the WPAD
feature when it is connected to other networks. And if no proxy is
announced, direct connections will be used instead.

Silently using a proxy announced on the network might be a privacy
or security problem. But those controlling DHCP and DNS on a network
could just as easily set up a transparent proxy, and force all HTTP
and FTP connections to use a proxy anyway, so I consider that
distinction to be academic. If you are afraid of using the wrong
proxy, you should avoid connecting to the network in question in the
first place. In Debian Edu, the proxy setup is updated using DHCP and
ifupdown hooks, to make sure the configuration is updated every time
the network setup changes.

The WPAD system is documented in an IETF draft and a Wikipedia
page for those that want to learn more.