Topic: [solved] Getting trouble in configuring explicit proxy in zentyal 3.0

christian

« Reply #15 on: November 19, 2012, 11:03:17 am »
Unfortunately (at least for you) you will not get any "screen shot based" howto because I do not believe this is the right way to proceed.
With such material, you might be able to reproduce or mimic what you see but you will not learn anything.
If I tell you "put here server FQDN" or if I show you my own screen copy with my own FQDN, until you know what an FQDN is, a screenshot will just make you more confused, if you see what I mean.

The wpad.dat you show above means: "when targeting one of the 62 hosts on my LAN, do not use proxy".
So far so good, but what do you do for anything else, including the internet?

You do need rules (or at least no "allow any to any") at FW level if you want to prevent users from accessing the internet (from their browser) without using your proxy.

Zent User

« Reply #16 on: November 19, 2012, 11:14:11 am »
@Christian,

OK, then. At least will you explain (more elaborately) "configuring explicit proxy using DHCP 252 option"? I hope when I go for the DHCP 252 option the DNS role won't be there.

When explicit proxy is set up, should the FW-level "allow to any" rule be in place or not? Here I want to access the internet.
Regards
Zent User

christian

« Reply #17 on: November 19, 2012, 11:35:17 am »
OK, let me try to explain one more time. Sorry for this long post.

1 - the more useful link is definitely this one. Be sure to understand and apply what it explains.
2 - if you want to be sure that users are using proxy, your FW should NOT contain any "allow any to any" rule (it looks so obvious to me  ::) )
3 - referring to this link, DNS based advertisement has wider coverage than DHCP.
4 - you are currently facing issues that are not due to DNS implementation but to a wrong wpad.dat file, or at least you don't know because you have not been able (or willing) to validate this step.

So I will explain again (last time perhaps) how to proceed, step by step.

1 - configure your Zentyal proxy as explicit proxy. Do not set filtering rules, profiling, authentication or whatever, only simple "non transparent" proxy.
2 - configure your browser to use this proxy and ensure it works (feel free to remove any "allow any to any" rule in your FW :P)
3 - once (and only once) this works, configure web server and wpad.dat file so that you get access to proxy when proxy is not explicitly configured in your browser but when you are using URL to point to web server exposing your wpad.dat file (this must be something like http://wpad.yourdomain/)
4 - once above works (and only once it works >:() you can start working at DNS level to expose A and SRV records. If you're not happy with DNS, you can go with DHCP. In any case, as you can see, this is the very last step, only when everything above works.

I hope I'm crystal clear now. If not, just tell me  :)

Zent User

« Reply #18 on: November 20, 2012, 03:08:35 pm »
@Christian,

In this link http://trac.zentyal.org/wiki/Documentation/Community/HowTo/SelectRightHTTPproxyDesign I've almost done, except a few; if you guide me I can also proceed with those steps which I've left.

Quote
First step is to set up webserver for wpad.yourdomain.com[4]. This can be done with Zentyal web server module → Virtual host → wpad.yourdomain.com[4] This server is mandatory to handle your wpad.dat file.

First of all, one doubt: you have mentioned "yourdomain.com" (in some parts only); what does it mean exactly? Up to my knowledge domains will have some extension, then from where did ".com" come into the document?

I've created a Vhost in the web server; is just creating a Vhost in the web server enough? Shall we need to take the help of a .htaccess file to handle the "wpad.dat" file mandatory by web server? I've attached a screenshot which is of when I've given "wpad.msserver01.lan" in the client browser.
 
Quote
wpad        IN  A    192.168.0.10  (your wpad address here... if CNAME is not used)
            IN  TXT  "service: wpad:!http://wpad.yourdomain:80/proxy.pac"
wpad.tcp    IN  SRV  0 0 80 wpad.yourdomain.

Quote
Please notice the "dot" at the end of SRV record...

Should we keep the "dot" or not in the SRV record? And one more: when the service name is given as "wpad.tcp" it is showing an error as "no service with name given in /etc/services/". What do we need to give as the service name exactly?

I hope if we have given "proxy.pac" in the TXT then we need to save the file as "proxy.pac" only; here saving the file as "wpad.dat" won't be meaningful, I think.

In the example of proxy.pac or wpad.dat, you have mentioned "zentyal.yourdomain.com:3218"; in my case I hope "msserver01.msserver01.lan:3218", is it correct?

I've asked you a lot of questions :), please don't mind.
Regards
Zent User

christian

« Reply #19 on: November 20, 2012, 04:35:45 pm »
Quote
In this link http://trac.zentyal.org/wiki/Documentation/Community/HowTo/SelectRightHTTPproxyDesign I've almost done, except a few; if you guide me I can also proceed with those steps which I've left.

Applying only some steps is nonsense. Sorry if my comment sounds harsh but it will not give you any result if you decide to apply only some settings ::)

Quote
First of all, one doubt: you have mentioned "yourdomain.com" (in some parts only); what does it mean exactly? Up to my knowledge domains will have some extension, then from where did ".com" come into the document?

Sorry if I'm not clear enough. This document was supposed, when written, to be read by people having some basic knowledge about server and domain name. What I mean to say is that such a doc focuses on HTTP proxy only. If you don't understand what "domain.com" means, please do a bit of your homework too.
".com" is the common extension for TLD (top level domain).
You are perhaps using ".lan" or ".ind" or whatever, this is one example and you have to adapt to your own case.

However, and you're right here, I'm not using a consistent naming scheme as I sometimes wrote "yourdomain" or "domain.com" with the same meaning :-[
My fault. I'll fix it later.

BTW, this is why I don't like to provide screenshots. Some people will look at it without thinking twice and trying to understand what it means but just mimic what it shows ::) ::)


 
Quote
Quote
wpad        IN  A    192.168.0.10  (your wpad address here... if CNAME is not used)
            IN  TXT  "service: wpad:!http://wpad.yourdomain:80/proxy.pac"
wpad.tcp    IN  SRV  0 0 80 wpad.yourdomain.

Please notice the "dot" at the end of SRV record...

Should we keep the "dot" or not in the SRV record? And one more: when the service name is given as "wpad.tcp" it is showing an error as "no service with name given in /etc/services/". What do we need to give as the service name exactly?

This is another mistake I made, that is to provide too much information for people only willing to copy/paste. Sorry :-[

Just create wpad service using Zentyal interface, it will be fine.
Then if you look at DNS content, yes it does have "dot" at the end of the line but Zentyal interface should handle it for you in a transparent way.


Quote
I hope if we have given "proxy.pac" in the TXT then we need to save the file as "proxy.pac" only; here saving the file as "wpad.dat" won't be meaningful, I think.

Correct, if your file is wpad.dat, set it as wpad.dat  ::)
   
Quote
In the example of proxy.pac or wpad.dat, you have mentioned "zentyal.yourdomain.com:3218"; in my case I hope "msserver01.msserver01.lan:3218", is it correct?

Yes correct.

Zent User

« Reply #20 on: November 21, 2012, 06:43:50 am »
Thanks Christian,

I don't want to tell philosophy but, "Millions away destination should also start with a single step". So, after reading the "HowTo" and "other" documents I started configuring the explicit proxy with what I understand, because only once I start the configuration can I know where I'm lacking.

Anyhow, if you wish, please try to clarify this poor fellow's doubts.

I've created a "wpad" service using the Zentyal interface; should I leave the configuration of the service as it is, meaning no need to mention any protocol, source & destination port of the "wpad" service?

After creating the "wpad" service I tried for the "SRV" record, then it is showing the previous error "there is no service with name wpad in /etc/services".

Then coming to Vhosts: if I don't go for multiple web applications then a Vhost is not necessary, I think. Currently only one "A record" is there in DNS, i.e. "wpad". When I give "wpad.msserver01.lan/proxy.pac" in the client browser the file is being downloaded; when the Vhost is enabled it is showing an error.

My proxy.pac looks like

      if (shExpMatch(url, "http:*"))
         return "PROXY msserver01.msserver01.lan:3128";
      if (shExpMatch(url, "https:*"))
         return "PROXY msserver01.msserver01.lan:3128";
      if (shExpMatch(url, "ftp:*"))
         return "PROXY msserver01.msserver01.lan:3128";
      return "DIRECT";

I hope I can apply filters using "Access Rules" and "Filter Profiles".

Please clarify the above-mentioned points; I'm feeling guilty asking again and again.

Thanks

Regards
Zent User

christian

« Reply #21 on: November 21, 2012, 07:34:16 am »
Quote
I've created a "wpad" service using the Zentyal interface; should I leave the configuration of the service as it is, meaning no need to mention any protocol, source & destination port of the "wpad" service?

If you mean "Zentyal service", I don't think such entry is required. What's the purpose?


Quote
After creating the "wpad" service I tried for the "SRV" record, then it is showing the previous error "there is no service with name wpad in /etc/services".

Indeed, you do need to manually update /etc/services, adding the line below:

Code:
wpad            3128/tcp        wpad            # http proxy

 
Quote
Then coming to Vhosts: if I don't go for multiple web applications then a Vhost is not necessary, I think. Currently only one "A record" is there in DNS, i.e. "wpad". When I give "wpad.msserver01.lan/proxy.pac" in the client browser the file is being downloaded; when the Vhost is enabled it is showing an error.

I suppose that without vhost, you can download wpad.dat file because unknown URL will point to default configuration.
BTW, did you decide whether you are going to use proxy.pac or wpad.dat file name?
What is the error message with vhost enabled?

Quote
My proxy.pac looks like

      if (shExpMatch(url, "http:*"))
         return "PROXY msserver01.msserver01.lan:3128";
      if (shExpMatch(url, "https:*"))
         return "PROXY msserver01.msserver01.lan:3128";
      if (shExpMatch(url, "ftp:*"))
         return "PROXY msserver01.msserver01.lan:3128";
      return "DIRECT";

looks ok for me in a first approach.

At this stage, did you try to use this proxy.pac file by configuring "http://wpad.msserver01.lan/" as URL in your browser settings?

Quote
I hope I can apply filters using "Access Rules" and "Filter Profiles".

As I explained multiple times (and above again regarding proxy.pac content), you should:
- ensure your proxy is working fine (which means access rules and profiles are OK): this is done configuring proxy FQDN in your browser
- ensure your proxy.pac file is working fine: this is done configuring proxy.pac URL in your browser instead of using FQDN
- ensure autodiscovery is working fine: this is done enabling the auto discovery feature in your browser 
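
The second check in the list above, whether the proxy.pac file returns the expected proxy, can also be run outside the browser. The script below is an added example, not part of the original post or of Zentyal: the FindProxyForURL wrapper around the posted rules, the shExpMatch shim and the sample URLs are assumptions made for illustration.

```javascript
// Added example (not from the thread): evaluate a PAC file offline.

// Shim for the PAC helper shExpMatch(): shell-style match where * is any
// run of characters and ? is a single character.
function shExpMatch(str, pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const regex = escaped.replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + regex + "$").test(str);
}

// The rules posted in the thread, wrapped in the FindProxyForURL(url, host)
// entry point a browser calls. The wrapper is an assumption: the thread
// shows only the body.
const PAC_SOURCE = `
function FindProxyForURL(url, host) {
  if (shExpMatch(url, "http:*"))
    return "PROXY msserver01.msserver01.lan:3128";
  if (shExpMatch(url, "https:*"))
    return "PROXY msserver01.msserver01.lan:3128";
  if (shExpMatch(url, "ftp:*"))
    return "PROXY msserver01.msserver01.lan:3128";
  return "DIRECT";
}`;

// Compile PAC text into a callable, passing in the shim it relies on.
// new Function runs the text as code, so load only a PAC file you control.
function loadPac(source) {
  const factory = new Function("shExpMatch", source + "\nreturn FindProxyForURL;");
  return factory(shExpMatch);
}

// Return the PAC decision for one URL, passing url and host as a browser does.
function decide(findProxy, url) {
  return findProxy(url, new URL(url).hostname);
}

// List the URLs the PAC file sends DIRECT: these skip the proxy's access
// rules, so only the firewall can stop them.
function directUrls(findProxy, urls) {
  return urls.filter((u) => decide(findProxy, u).trim().toUpperCase() === "DIRECT");
}

// Constructed sample URLs (hypothetical hosts); the last one uses a scheme
// the posted rules do not list.
const SAMPLE_URLS = [
  "http://www.example.com/",
  "https://www.example.com/login",
  "ftp://ftp.example.com/pub/",
  "http://intranet.msserver01.lan/",
  "ws://chat.example.com/socket",
];

const findProxy = loadPac(PAC_SOURCE);
for (const u of SAMPLE_URLS) console.log(u.padEnd(34), "->", decide(findProxy, u));
console.log("sent DIRECT:", directUrls(findProxy, SAMPLE_URLS));
```

Anything the script reports as DIRECT never reaches the proxy, which is why the firewall must not carry an "allow any to any" rule if the access rules are meant to be enforced.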

Zent User

« Reply #22 on: November 21, 2012, 08:19:49 am »
Due to a misunderstanding, I created the record "wpad" in "Zentyal service"; now I've removed that. I've added " wpad   3128/tcp   wpad  # http proxy" in the /etc/services file (at the #Local services section, which is at the bottom of the file). I hope there is now no need for an SRV record in the Zentyal GUI?

Now I think only a problem with the web server exists in my configuration.

When I give the following URLs in the client browser:

URL                                   | Without Vhost entry                          | With Vhost
http://wpad.msserver01.lan            | pointing to index.html page of web server    | pointing to Vhost
http://wpad.msserver01.lan/prox.pac   | file is downloading to client system         | showing 404 error

I'm creating the Vhost with the name "wpad.msserver01.lan"; is that enough or should I make any changes? Currently the proxy.pac file is at /var/www/.

I've tried blocking some sites using Access Rules. I selected the "Auto Proxy option" in the client browser and tried a blocked site, but I was able to access the blocked site. I also tried with "Auto Proxy URL" by giving the URL as "http://wpad.msserver01.lan/proxy.pac"; even in this case it is the same. When I remove the "allow to any rule" in the FW then I'm unable to access the internet.

          Thanks a lot
Regards
Zent User

christian

« Reply #23 on: November 21, 2012, 08:41:45 am »
Quote
Due to a misunderstanding, I created the record "wpad" in "Zentyal service"; now I've removed that. I've added " wpad   3128/tcp   wpad  # http proxy" in the /etc/services file (at the #Local services section, which is at the bottom of the file). I hope there is now no need for an SRV record in the Zentyal GUI?

Yes, you misunderstand :-[ you DO need this entry in /etc/services in order to be able to create, using the Zentyal GUI, a DNS SRV record. This is because detection (i.e. proxy auto-discovery) is done relying on DNS. If you do not create any DNS SRV record, nothing will happen.

As this was not clear enough, I've updated the HowTo, explaining, in clear text, that in order to create such an SRV record, updating the /etc/services file is mandatory.


Quote
Now I think only a problem with the web server exists in my configuration.

When I give the following URLs in the client browser:

URL                                   | Without Vhost entry                          | With Vhost
http://wpad.msserver01.lan            | pointing to index.html page of web server    | pointing to Vhost
http://wpad.msserver01.lan/prox.pac   | file is downloading to client system         | showing 404 error

I'm creating the Vhost with the name "wpad.msserver01.lan"; is that enough or should I make any changes? Currently the proxy.pac file is at /var/www/.

Error is because vhost does not store pages in /var/www/
(I know this is a strange choice :-X)

Look at your Apache configuration (/etc/apache2/sites-available)
this is rather something like /srv/www/wpad.yourdomain

Quote
I've tried blocking some sites using Access Rules. I selected the "Auto Proxy option" in the client browser and tried a blocked site, but I was able to access the blocked site. I also tried with "Auto Proxy URL" by giving the URL as "http://wpad.msserver01.lan/proxy.pac"; even in this case it is the same. When I remove the "allow to any rule" in the FW then I'm unable to access the internet.

This is the very first step. We should not discuss in very long and complex posts all above stuff until you are sure that your proxy configuration (without transparent, discovery and proxy.pac stuff) works ::)
So please drop anything else and focus on this preliminary step: how to configure Zentyal proxy so that it provides some filtering. Everything is described in Zentyal documentation. Once your proxy works, we can move further.

To ensure your proxy works, explicit mode, configure it using msserver01.msserver01.lan in your browser settings.

Zent User

« Reply #24 on: November 21, 2012, 10:01:41 am »
@Christian,

Just now I've checked by giving "Manual Proxy Configuration" as "msserver01.msserver01.lan" and "Port" as "3128" in Firefox; great, the blocked sites are inaccessible. Thank God it's working (I think :) ).

After that

Quote
Look at your Apache configuration (/etc/apache2/sites-available)
this is rather something like /srv/www/wpad.yourdomain

Ya, the document root is pointing to "srv/www/wpad.mssserver01.lan", so I've moved "proxy.pac" to "srv/www/wpad.msserver01.lan/" (because this is the root folder). After that I've also checked by changing the browser settings to the "Auto detect proxy settings for this network" option and "Auto proxy configuration URL" as "http://wpad.msserver.lan/proxy.pac", but I'm able to access blocked sites, which means the browser is not picking up the "proxy file" or proxy.pac might not be redirecting to "msserver01.msserver01.lan:3128".

How to resolve this?

           Thanks
Regards
Zent User

christian

« Reply #25 on: November 21, 2012, 10:54:53 am »
Quote
Just now I've checked by giving "Manual Proxy Configuration" as "msserver01.msserver01.lan" and "Port" as "3128" in Firefox; great, the blocked sites are inaccessible. Thank God it's working (I think :) ).

Good  :)

Quote

Ya, the document root is pointing to "srv/www/wpad.mssserver01.lan", so I've moved "proxy.pac" to "srv/www/wpad.msserver01.lan/" (because this is the root folder). After that I've also checked by changing the browser settings to the "Auto detect proxy settings for this network" option and "Auto proxy configuration URL" as "http://wpad.msserver.lan/proxy.pac", but I'm able to access blocked sites, which means the browser is not picking up the "proxy file" or proxy.pac might not be redirecting to "msserver01.msserver01.lan:3128".

It cannot be
Code:
changing browser settings to "Auto detect proxy settings for this network" option [b]and[/b] "Auto proxy configuration URL"
This is either one or the other, at least with Firefox.
For the time being, do not look at "auto detect". This is the very last step.

What if you type this URL in your browser? Are you prompted to download the file?
If not, file is not accessed...

Zent User

« Reply #26 on: November 21, 2012, 11:02:09 am »
When I give http://wpad.msserver01.lan/proxy.pac in the browser (on the client machine) then the file is listed; once we click on that file then it is downloading.
Regards
Zent User

christian

« Reply #27 on: November 21, 2012, 11:07:17 am »
??? What is your browser?
Typing such a URL should not bring you to directory content but prompt you for file download directly.

BTW, perform the test with both IE and Firefox because behaviour is slightly different.
May I also suggest that you duplicate your proxy.pac file to a wpad.dat file. I'm not sure Firefox will search for the wpad.dat file first... I'll check on my side too.

Zent User

« Reply #28 on: November 21, 2012, 11:14:05 am »
Sorry Christian, the file is downloading when I give http://wpad.msserver01.lan/proxy.pac in both FF & Chrome. Do I have to duplicate the proxy.pac file?
Regards
Zent User

christian

« Reply #29 on: November 21, 2012, 11:37:23 am »
Your previous answer was "listing then download", then you tell me "download" ???
Any change in the middle?

What about IE?

Can you post again the result of:
Quote
dig wpad.msserver01.lan @