From: Petter Reinholdtsen <pere@hungry.com>
Date: Mon, 13 Feb 2012 22:26:47 +0000 (+0000)
Subject: New post.
X-Git-Url: https://pere.pagekite.me/gitweb/homepage.git/commitdiff_plain/a40560dff22ca7d922d46e98f1fca073aa47ce81

New post.
---

diff --git a/blog/data/2012-02-13-skolelinux-wpad.txt b/blog/data/2012-02-13-skolelinux-wpad.txt
new file mode 100644
index 0000000000..5670cab52a
--- /dev/null
+++ b/blog/data/2012-02-13-skolelinux-wpad.txt
@@ -0,0 +1,70 @@
+Title: Automatic proxy configuration with Debian Edu / Skolelinux
+Tags: english, debian edu
+Date: 2012-02-13 23:30
+
+<p>New in the Squeeze version of
+<a href="http://www.skolelinux.org/">Debian Edu / Skolelinux</a> is the
+ability for clients to automatically configure their proxy settings
+based on their environment.  We want all systems on the client to use
+the WPAD based proxy definition fetched from http://wpad/wpad.dat, to
+allow sites to control the proxy setting from a central place and make
+sure clients do not have hardcoded proxy settings.</p>
+
+<p>The problem is that some systems do not understand the WPAD system.
+In other words, how do one get from a WPAD file like this (this is a
+simple one, they can run arbitrary code):</p>
+
+<blockquote><pre
+function FindProxyForURL(url, host)
+{
+   if (!isResolvable(host) ||
+       isPlainHostName(host) ||
+       dnsDomainIs(host, ".intern"))
+      return "DIRECT";
+   else
+      return "PROXY webcache:3128; DIRECT";
+}
+</pre></blockquote>
+
+<p>to a proxy setting in the process environment looking like this:</p>
+
+<blockquote><pre>
+http_proxy=http://webcache:3128/
+ftp_proxy=http://webcache:3128/
+</pre><blockquote>
+
+<p>To do this conversion I developed a perl script that will execute
+the javascript fragment in the WPAD file and return the proxy that
+would be used for http://www.debian.org/, and insert this extracted
+proxy URL in /etc/environment and /etc/apt/apt.conf.  The perl script
+wpad-extract work just fine in Squeeze, but in Wheezy the library it
+need to run the javascript code is
+<a href="http://bugs.debian.org/631045">no longer able to build</a>
+because the C library it depended on is now a C++ library.  I hope
+someone find a solution to that problem before Wheezy is frozen.  An
+alternative would be for us to rewrite wpad-extract to use some other
+javascript library currently working in Wheezy, but no known
+alternative is known at the moment.</p>
+
+<p>This automatic proxy system allow the roaming workstation (aka
+laptop) setup in Debian Edu/Squeeze to use the proxy when the laptop
+is connected to the backbone network in a Debian Edu setup, and to
+automatically use any proxy present and announced using the WPAD
+feature when it is connected to other networks.  And if no proxy is
+announced, direct connections will be used instead.</p>
+
+<p>Silenty using a proxy announced on the network might be a privacy
+or security problem.  But those controlling DHCP and DNS on a network
+could just as easily set up a transparent proxy, and force all HTTP
+and FTP connections to use a proxy anyway, so I consider that
+distinction to be academic.  If you are afraid of using the wrong
+proxy, you should avoid connecting to the network in question in the
+first place.  In Debian Edu, the proxy setup is updated using dhcp and
+ifupdown hooks, to make sure the configuration is updated every time
+the newtork setup changes.</p>
+
+The WPAD system is documented in a
+<a href="http://tools.ietf.org/html/draft-ietf-wrec-wpad-01">IETF
+draft</a> and a
+<a href="http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol">Wikipedia
+page</a> for those that want to learn more.