pere.pagekite.me Git - homepage.git/blob - blog/data/2012-02-13-skolelinux-wpad.txt
Title: Automatic proxy configuration with Debian Edu / Skolelinux
Tags: english, debian edu
Date: 2012-02-13 23:40

<p>New in the Squeeze version of
<a href="http://www.skolelinux.org/">Debian Edu / Skolelinux</a> is the
ability for clients to automatically configure their proxy settings
based on their environment. We want all systems on the client to use
the WPAD-based proxy definition fetched from <tt>http://wpad/wpad.dat</tt>, to
allow sites to control the proxy setting from a central place and make
sure clients do not have hard-coded proxy settings. The schools can
change the global proxy setting by editing
<tt>tjener:/etc/debian-edu/www/wpad.dat</tt> and the change propagates
to all Debian Edu clients in the network.</p>

<p>The problem is that some systems do not understand the WPAD system.
In other words, how does one get from a WPAD file like this (this is a
simple one; such files can run arbitrary code):</p>

<blockquote><pre>
function FindProxyForURL(url, host)
{
   if (!isResolvable(host) ||
       isPlainHostName(host) ||
       dnsDomainIs(host, ".intern"))
      return "DIRECT";
   else
      return "PROXY webcache:3128; DIRECT";
}
</pre></blockquote>

<p>to a proxy setting in the process environment looking like this:</p>

<blockquote><pre>
http_proxy=http://webcache:3128/
ftp_proxy=http://webcache:3128/
</pre></blockquote>

<p>To do this conversion I developed a Perl script that will execute
the JavaScript fragment in the WPAD file and return the proxy that
would be used for
<tt><a href="http://www.debian.org/">http://www.debian.org/</a></tt>,
and insert this extracted proxy URL in <tt>/etc/environment</tt> and
<tt>/etc/apt/apt.conf</tt>. The Perl script wpad-extract works just
fine in Squeeze, but in Wheezy the library it needs to run the
JavaScript code is <a href="http://bugs.debian.org/631045">no longer
able to build</a> because the C library it depended on is now a C++
library. I hope someone finds a solution to that problem before Wheezy
is frozen. An alternative would be for us to rewrite wpad-extract to
use some other JavaScript library currently working in Wheezy, but no
alternative is known at the moment.</p>
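
<p>The conversion described above, sketched as an added example (this is
not the wpad-extract script, which is Perl and not shown in this post): it
evaluates the sample WPAD file for <tt>http://www.debian.org/</tt> and emits
the environment lines only after validating the result. The helper stubs,
the fixed set standing in for DNS lookups, and all function names are
assumptions.</p>

```javascript
// Added example; not the wpad-extract script. All names here are assumptions.
// The WPAD file from the post, as http://wpad/wpad.dat would serve it.
const SAMPLE_PAC = `
function FindProxyForURL(url, host)
{
  if (!isResolvable(host) ||
      isPlainHostName(host) ||
      dnsDomainIs(host, ".intern"))
    return "DIRECT";
  else
    return "PROXY webcache:3128; DIRECT";
}`;

// Minimal PAC helpers. isResolvable is stubbed with a fixed set (constructed);
// a real implementation would ask the system resolver.
function pacHelpers(resolvable) {
  return {
    isResolvable: (h) => resolvable.has(h),
    isPlainHostName: (h) => !h.includes('.'),
    dnsDomainIs: (h, d) => h.endsWith(d),
  };
}

// Evaluate the PAC text. new Function is NOT a sandbox: the PAC file is code
// from whoever answers for "wpad", so run this step without privileges.
function findProxy(pacSource, url, helpers) {
  const names = Object.keys(helpers);
  const load = new Function(...names, pacSource + '\nreturn FindProxyForURL;');
  const fn = load(...names.map((n) => helpers[n]));
  return String(fn(url, new URL(url).hostname));
}

// Use the first entry of the PAC result. Accept only "PROXY host:port" with a
// strict character set, so nothing else can end up in /etc/environment.
function toEnvLines(pacResult) {
  const first = pacResult.split(';')[0].trim();
  if (first === 'DIRECT') return [];
  const m = /^PROXY ([A-Za-z0-9.-]{1,253}):(\d{1,5})$/.exec(first);
  if (!m || Number(m[2]) < 1 || Number(m[2]) > 65535) {
    throw new Error('refusing PAC result: ' + JSON.stringify(first));
  }
  const proxy = `http://${m[1]}:${m[2]}/`;
  return [`http_proxy=${proxy}`, `ftp_proxy=${proxy}`];
}

function extract(pacSource, url, resolvable) {
  return toEnvLines(findProxy(pacSource, url, pacHelpers(resolvable)));
}
```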

<p>This automatic proxy system allows the roaming workstation (aka
laptop) setup in Debian Edu/Squeeze to use the proxy when the laptop
is connected to the backbone network in a Debian Edu setup, and to
automatically use any proxy present and announced using the WPAD
feature when it is connected to other networks. And if no proxy is
announced, direct connections will be used instead.</p>

<p>Silently using a proxy announced on the network might be a privacy
or security problem. But those controlling DHCP and DNS on a network
could just as easily set up a transparent proxy, and force all HTTP
and FTP connections to use a proxy anyway, so I consider that
distinction to be academic. If you are afraid of using the wrong
proxy, you should avoid connecting to the network in question in the
first place. In Debian Edu, the proxy setup is updated using dhcp and
ifupdown hooks, to make sure the configuration is updated every time
the network setup changes.</p>

<p>The WPAD system is documented in an
<a href="http://tools.ietf.org/html/draft-ietf-wrec-wpad-01">IETF
draft</a> and a
<a href="http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol">Wikipedia
page</a> for those who want to learn more.</p>