Very Poor performance of HTTP Proxy Service in Zentyal 2.2

[Zent User]

I don't know why zentyal developers added not working features in HTTP Proxy.Following are the failures cases currently I'm facing

1. Failed to block ads: I've followed the steps in this link http://doc.zentyal.org/2.2/en/proxy.html#blocking-ads-from-the-web,even though failed to block the ads in web pages.

2. Failed to Limit on downloads:Worst performance of Delay Pools,there is effect even we configure this service in Limiting the downloads.

       Is these features are not properly developed in 2.2 ? or anything going wrong from my side,I hope it was not wrong from my side because these two features are not that much difficult to configure also.

[Escorpiom]

I cannot comment on the bandwidth limiting because I don't use that.
However, the add blocking works perfectly.
But you have to understand that the add blocker works with a file with a bunch of rules.
As you install Zentyal, this file is rather old and needs to be updated so the add blocker can "zap" more adds.

You can do that in two ways:
1. Zentyal subscription, the rules will be updated automatically
2. Manually, you have to maintain the file yourself.

I find that reasonable, Zentyal as a community edition does not include fully updated definition files.
   
Cheers.

[christian]

I don't know why zentyal developers added not working features in HTTP Proxy.

  strange statement isn't it 
What do you mean exactly here ?

[Zent User]

See how foolishly,Firewall is designed,

  1. HTTPs request we can control by using Firewall only( this statement is given you in lot of posts,mentioned in direct or indirect way)
  2. In Firewall we can give only IP addresses by grouping in the form of object.
  3. For a web site,IP's are not constant,it way be change any in second,If I want to block 15 https website,then is it correct way/approach we are doing currently.Why can't we have "Generic" settings like how able to control HTTP sites.

  "As a Forum Moderator instead of twitting on each and every post,it would be better if we(you) give valuable answers to the Zentyal users which we(you) know,that make lot of sense".

[christian]

See how foolishly,Firewall is designed,

  1. HTTPs request we can control by using Firewall only( this statement is given you in lot of posts,mentioned in direct or indirect way)

This statement is only in case you decide to use transparent proxy otherwise explicit proxy permits to control HTTPS at proxy level. Is tihs crystal clear to you ?

  2. In Firewall we can give only IP addresses by grouping in the form of object.
  3. For a web site,IP's are not constant,it way be change any in second,If I want to block 15 https website,then is it correct way/approach we are doing currently.Why can't we have "Generic" settings like how able to control HTTP sites.

because this is not the way firewall works. This is as simple as this. You try to control HTTPS flow with tool that is not design to do this. Right tool is proxy but this assumes, again and again, that you are NOT using transparent proxy.

  "As a Forum Moderator instead of twitting on each and every post,it would be better if we(you) give valuable answers to the Zentyal users which we(you) know,that make lot of sense".

1 - I'm replying on each and every post because YOU did create all these different post to address same topic. Shall I, as forum moderator, merge all?
2 - I can't provide any valuable answer to your question because there is none until you understand that mistake is on your side, trying to emulate via firewall what proxy is supposed to provide when used in explicit mode
3 - And please understand this one very clearly:
I do not reply as "forum moderator knowing the right magic answer but not wiling to share it" 
I reply as forum member trying to share what I know and I don't know everything 
When I have to act as forum moderator, I make is very clear using [MODERATOR] stamp so that you see the difference.

[Zent User]

@Christian,

      Ya,I might be asked similar questions again and again because, to get appropriate answer for my question(doubt) and that too Forum user as well Moderators give answers to new posts only due to this newbie users like are posting same question again and again in different ways.My main intention is to not consume Forum users time,to get suitable solution for problem and make our(Zentyal) forum valuable,how other forums like SE(StackExchange) sites.

      Than coming to our topic,how can I get explicit proxy ? Is I need to install other Proxy server manually ?

[christian]

No, you just need to deselect the "transparent proxy" choice in proxy general setting and be sure that you either:
- define proxy in each and every browser
- or try to (manually unfortunately because this is not handled by Zentyal) implement WPAD so that proxy can be automatically discovered by browsers. Some hint here.

Be also sure that you do not permit HTTP and HTTPS directly though FW otherwise users will not be obliged to use your proxy and will bypass your controls.

[Zent User]

 I've went through the link which you have provided,before proceeding to convert transparent to explicit proxy,I've unchecked the checkbox in HTTP Proxy->General settings and from link I've created wpad.dat file ( I want to choose WPAD protocol instead changing on each and every browser).After that how I need to proceed ? Chistian if you don't mind can you explain clearly in easiest approach,helpful if it is GUI.

 I've tried how you mentioned http://forum.zentyal.org/index.php/topic,8131.msg42635.html#msg42635 in this link,but it showing error like "no service /etc/services".

Doubt: If I implement explicit Proxy with WPAD is I need to append "WPAD" in each and every url ?

[christian]

I think I already described all what I can do (I'm not very good at this) in the link I provided.
Not that this is perfect but unless you ask further question, I don't know what I could add 

WPAD, client side, is implemented at browser level that is, most of the time configured to "discover" proxy. You should not need to change anything.

This said, what I would like to add is that you should rather progress step by step and not target the holy-grail first.
Start implementing rules at proxy level, configure one browser with proxy (manually) and ensure everything is working as expected. It would be total waste of time if you spend time and energy implementing WPAD to realize later that proxy feature doesn't fit your expectations.
Then next step will be to focus on WPAD 

[Escorpiom]

Wasn't this topic about ad blocking and limiting download?
I must be lost 

Cheers.

[christian]

I can understand you're lost. I was supposed to lock all related topics so that everyone can focus on only one single topic but I had to leave and forgot.

Zent User created multiple similar topics all related to issue he faced while trying to control access to HTTP/HTTPS.
I think this is now clear to him that unless he goes fro explicit proxy, it will be quite painful with some side effects but I still don't now what current status is.