<link>http://people.skolelinux.org/pere/blog/</link>
<atom:link href="http://people.skolelinux.org/pere/blog/index.rss" rel="self" type="application/rss+xml" />
+ <item>
+ <title>Automatic proxy configuration with Debian Edu / Skolelinux</title>
+ <link>http://people.skolelinux.org/pere/blog/Automatic_proxy_configuration_with_Debian_Edu___Skolelinux.html</link>
+ <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Automatic_proxy_configuration_with_Debian_Edu___Skolelinux.html</guid>
+ <pubDate>Mon, 13 Feb 2012 23:40:00 +0100</pubDate>
+ <description><p>New in the Squeeze version of
+<a href="http://www.skolelinux.org/">Debian Edu / Skolelinux</a> is the
+ability for clients to automatically configure their proxy settings
+based on their environment. We want all systems on the client to use
+the WPAD based proxy definition fetched from <tt>http://wpad/wpad.dat</tt>, to
+allow sites to control the proxy setting from a central place and make
+sure clients do not have hard coded proxy settings. The schools can
+change the global proxy setting by editing
+<tt>tjener:/etc/debian-edu/www/wpad.dat</tt> and the change propagate
+to all Debian Edu clients in the network.</p>
+
+<p>The problem is that some systems do not understand the WPAD system.
+In other words, how do one get from a WPAD file like this (this is a
+simple one, they can run arbitrary code):</p>
+
+<blockquote><pre>
+function FindProxyForURL(url, host)
+{
+ if (!isResolvable(host) ||
+ isPlainHostName(host) ||
+ dnsDomainIs(host, ".intern"))
+ return "DIRECT";
+ else
+ return "PROXY webcache:3128; DIRECT";
+}
+</pre></blockquote>
+
+<p>to a proxy setting in the process environment looking like this:</p>
+
+<blockquote><pre>
+http_proxy=http://webcache:3128/
+ftp_proxy=http://webcache:3128/
+</pre></blockquote>
+
+<p>To do this conversion I developed a perl script that will execute
+the javascript fragment in the WPAD file and return the proxy that
+would be used for
+<tt><a href="http://www.debian.org/">http://www.debian.org/</a></tt>,
+and insert this extracted proxy URL in <tt>/etc/environment</tt> and
+<tt>/etc/apt/apt.conf</tt>. The perl script wpad-extract work just
+fine in Squeeze, but in Wheezy the library it need to run the
+javascript code is <a href="http://bugs.debian.org/631045">no longer
+able to build</a> because the C library it depended on is now a C++
+library. I hope someone find a solution to that problem before Wheezy
+is frozen. An alternative would be for us to rewrite wpad-extract to
+use some other javascript library currently working in Wheezy, but no
+known alternative is known at the moment.</p>
+
+<p>This automatic proxy system allow the roaming workstation (aka
+laptop) setup in Debian Edu/Squeeze to use the proxy when the laptop
+is connected to the backbone network in a Debian Edu setup, and to
+automatically use any proxy present and announced using the WPAD
+feature when it is connected to other networks. And if no proxy is
+announced, direct connections will be used instead.</p>
+
+<p>Silently using a proxy announced on the network might be a privacy
+or security problem. But those controlling DHCP and DNS on a network
+could just as easily set up a transparent proxy, and force all HTTP
+and FTP connections to use a proxy anyway, so I consider that
+distinction to be academic. If you are afraid of using the wrong
+proxy, you should avoid connecting to the network in question in the
+first place. In Debian Edu, the proxy setup is updated using dhcp and
+ifupdown hooks, to make sure the configuration is updated every time
+the network setup changes.</p>
+
+The WPAD system is documented in a
+<a href="http://tools.ietf.org/html/draft-ietf-wrec-wpad-01">IETF
+draft</a> and a
+<a href="http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol">Wikipedia
+page</a> for those that want to learn more.
+</description>
+ </item>
+
<item>
<title>Skolelinux-intervju: Axel Bojer</title>
<link>http://people.skolelinux.org/pere/blog/Skolelinux_intervju__Axel_Bojer.html</link>
</description>
</item>
- <item>
- <title>Fixing an hanging debian installer for Debian Edu</title>
- <link>http://people.skolelinux.org/pere/blog/Fixing_an_hanging_debian_installer_for_Debian_Edu.html</link>
- <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Fixing_an_hanging_debian_installer_for_Debian_Edu.html</guid>
- <pubDate>Tue, 3 Jan 2012 11:25:00 +0100</pubDate>
- <description><p>During christmas, I have been working getting the next version of
-<a href="http://www.skolelinux.org/">Debian Edu / Skolelinux</a> ready
-for release. The initial problem I looked at was particularly
-interesting.</p>
-
-<P>The installer would hang at the end when it was doing it
-post-installation configuration, and whatevery I did to try to find
-the cause and fix it always worked while I tested it, but never when I
-integrated it into the installer and ran the installation from
-scratch. I would try to restart processes, close file descriptors,
-remove or create files, and the installer would always unblock and
-wrap up its tasks.</p>
-
-<p>Eventually the cause was found. The kernel was simply running out
-of entropy, causing the Kerberos setup to hang waiting for more.
-Pressing keys was adding entropy to the kernel, and thus all my tries
-to fix the problem worked not because what I was typing to fix it, but
-because I was typing.</P>
-
-<p>The fix I implemented was to add a background process looking at
-the level of entropy in the kernel (by checking
-/proc/sys/kernel/random/entropy_avail), and if it was too small, the
-installer will flush the kernel file buffers and do 'find /' to
-generate some disk IO. Disk IO generate entropy in the kernel, and is
-one of the few things that can be initated from within the system to
-generate entropy.</p>
-
-<p>The fix is in
-<a href="http://wiki.debian.org/DebianEdu/Documentation/Squeeze/Installation">beta1
-of the Debian Edu/Squeeze</a> version, and we
-<a href="http://wiki.debian.org/DebianEdu">welcome more testers and
-developers</a>. We plan to release beta2 this weekend.</p>
-</description>
- </item>
-
</channel>
</rss>
projects / homepage.git / blobdiff