--- /dev/null
+Title: Automatic proxy configuration with Debian Edu / Skolelinux
+Tags: english, debian edu
+Date: 2012-02-13 23:30
+
+<p>New in the Squeeze version of
+<a href="http://www.skolelinux.org/">Debian Edu / Skolelinux</a> is the
+ability for clients to automatically configure their proxy settings
+based on their environment. We want all systems on the client to use
+the WPAD based proxy definition fetched from http://wpad/wpad.dat, to
+allow sites to control the proxy setting from a central place and make
+sure clients do not have hardcoded proxy settings.</p>
+
+<p>The problem is that some systems do not understand the WPAD system.
+In other words, how do one get from a WPAD file like this (this is a
+simple one, they can run arbitrary code):</p>
+
+<blockquote><pre
+function FindProxyForURL(url, host)
+{
+ if (!isResolvable(host) ||
+ isPlainHostName(host) ||
+ dnsDomainIs(host, ".intern"))
+ return "DIRECT";
+ else
+ return "PROXY webcache:3128; DIRECT";
+}
+</pre></blockquote>
+
+<p>to a proxy setting in the process environment looking like this:</p>
+
+<blockquote><pre>
+http_proxy=http://webcache:3128/
+ftp_proxy=http://webcache:3128/
+</pre><blockquote>
+
+<p>To do this conversion I developed a perl script that will execute
+the javascript fragment in the WPAD file and return the proxy that
+would be used for http://www.debian.org/, and insert this extracted
+proxy URL in /etc/environment and /etc/apt/apt.conf. The perl script
+wpad-extract work just fine in Squeeze, but in Wheezy the library it
+need to run the javascript code is
+<a href="http://bugs.debian.org/631045">no longer able to build</a>
+because the C library it depended on is now a C++ library. I hope
+someone find a solution to that problem before Wheezy is frozen. An
+alternative would be for us to rewrite wpad-extract to use some other
+javascript library currently working in Wheezy, but no known
+alternative is known at the moment.</p>
+
+<p>This automatic proxy system allow the roaming workstation (aka
+laptop) setup in Debian Edu/Squeeze to use the proxy when the laptop
+is connected to the backbone network in a Debian Edu setup, and to
+automatically use any proxy present and announced using the WPAD
+feature when it is connected to other networks. And if no proxy is
+announced, direct connections will be used instead.</p>
+
+<p>Silenty using a proxy announced on the network might be a privacy
+or security problem. But those controlling DHCP and DNS on a network
+could just as easily set up a transparent proxy, and force all HTTP
+and FTP connections to use a proxy anyway, so I consider that
+distinction to be academic. If you are afraid of using the wrong
+proxy, you should avoid connecting to the network in question in the
+first place. In Debian Edu, the proxy setup is updated using dhcp and
+ifupdown hooks, to make sure the configuration is updated every time
+the newtork setup changes.</p>
+
+The WPAD system is documented in a
+<a href="http://tools.ietf.org/html/draft-ietf-wrec-wpad-01">IETF
+draft</a> and a
+<a href="http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol">Wikipedia
+page</a> for those that want to learn more.
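Review bot: the markup around both code samples is malformed. The opening `<blockquote><pre` before `function FindProxyForURL(url, host)` is missing its closing `>`, so the first line of the sample is parsed as part of the tag. The environment sample ends with `</pre><blockquote>` where `</pre></blockquote>` is needed, which leaves a blockquote open for the rest of the post. The closing paragraph ("The WPAD system is documented in ...") is the only one not wrapped in `<p>` and `</p>`, and "Silenty" and "newtork" are misspelled. On content: the post notes that WPAD files "can run arbitrary code" and that wpad-extract executes the fetched JavaScript and writes the result into /etc/environment and /etc/apt/apt.conf from dhcp and ifupdown hooks, but it does not say whether the script is evaluated in a restricted interpreter or whether the returned proxy string is validated before being written to those files. A sentence covering that would strengthen the privacy and security paragraph.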