Poll

How is HTTP proxy set and used in your gateway?

Transparent proxy + firewall rules for HTTPS
18 (75%)
Explicit (non transparent) proxy
4 (16.7%)
proxy.pac
0 (0%)
WPAD DHCP
1 (4.2%)
WPAD DNS
1 (4.2%)
other
0 (0%)

Total Members Voted: 21

Author Topic: How are you using HTTP proxy?  (Read 7103 times)

christian

  • Guest
How are you using HTTP proxy?
« on: September 07, 2011, 10:13:15 am »
As it looks like there is a lot of confusion about the use of the HTTP proxy in either transparent or non-transparent mode, especially concerning the pros and cons of each approach, I feel it could be interesting to learn how you guys are using this feature.

This may also trigger feature requests for the integration of mechanisms aiming to ease some deployments (notice such a request has already been made).

WPAD and proxy.pac stuff has already been discussed in the past and is discussed in the Portuguese and Spanish sections too.

Does it ring a bell for you, or is it something totally unknown and of no interest at all  ???

jsalamero

  • Zentyal Staff
  • Zen Hero
  • *****
  • Posts: 1419
  • Karma: +45/-1
Re: How are you using HTTP proxy?
« Reply #1 on: September 11, 2011, 11:09:06 pm »
Very interesting poll, thanks christian!

Escorpiom

  • Zen Hero
  • *****
  • Posts: 897
  • Karma: +25/-1
Re: How are you using HTTP proxy?
« Reply #2 on: September 12, 2011, 06:56:10 am »
I should add that my firewall denies any connection except from specified network objects with a MAC/IP address binding. Those allowed are also allowed HTTPS (any-rule).
The proxy has been set up in a similar way: deny all except specified network objects.

The PAC and WPAD stuff is like Chinese to me; I will read up on it later.

Cheers.
Marcus' Rule:
Blanks & capitals = avoid it and you'll avoid problems...

christian

  • Guest
Re: How are you using HTTP proxy?
« Reply #3 on: September 12, 2011, 07:20:45 am »
I can easily understand that you don't know about .pac and WPAD if you don't know what they are.
I believe quite a lot of Zentyal users don't know about it, which is why I wrote a kind of "How To" explaining the concept and a bit of the implementation.
http://trac.zentyal.org/wiki/Documentation/Community/HowTo/SelectRightHTTPproxyDesign

Notice, and I would like to make it very clear, that I'm not pushing anyone in one direction rather than the other  :)

The idea is really to use the proxy design that fits your needs and to understand the side effects of each approach.

vshaulsk

  • Zen Samurai
  • ****
  • Posts: 477
  • Karma: +9/-1
Re: How are you using HTTP proxy?
« Reply #4 on: September 12, 2011, 04:07:18 pm »
Thanks for the documentation, Christian. I am going to give this a try... having automatic proxy configuration on the client side is exactly what I need !!!!

christian

  • Guest
Re: How are you using HTTP proxy?
« Reply #5 on: September 12, 2011, 04:08:12 pm »
Although there are only a few votes, it's very clear that the preference is for transparent proxy  :)
This somewhat explains the questions and debate we had, and also a kind of misunderstanding  ::) I need to open my chakras  :P

I'll keep this poll open for a couple of weeks more but doubt the figures will really change.

christian

  • Guest
Re: How are you using HTTP proxy?
« Reply #6 on: September 12, 2011, 04:30:44 pm »
I am going to give this a try.....

The easiest implementation is to use a DNS A or CNAME record, assuming your clients are configured to use internal DNS.
Once this is done, creating the virtual host and publishing the wpad.dat file is a matter of minutes  ;)

Let us know how it works for you.
Keep in mind also that FW rules for HTTPS are no longer required  8)

vshaulsk

  • Zen Samurai
  • ****
  • Posts: 477
  • Karma: +9/-1
Re: How are you using HTTP proxy?
« Reply #7 on: September 12, 2011, 04:35:53 pm »
Yes... I will be reinstalling my home server once the final release of Zentyal 2.2 comes out later this week. During that install I will set up DNS properly and try using your outlined method for the proxy. Hopefully by next week I will let you know how this worked out for me !!

vshaulsk

  • Zen Samurai
  • ****
  • Posts: 477
  • Karma: +9/-1
Re: How are you using HTTP proxy?
« Reply #8 on: September 13, 2011, 04:58:38 am »
Christian... I have a couple of questions about your instructions.

Do I use specifically wpad.domain.com, or do I change the domain.com to my personal domain?

Also, I am not very familiar with aliases in DHCP, so I am not sure what to do there.

Thank you !!!

stuartiannaylor

  • Guest
Re: How are you using HTTP proxy?
« Reply #9 on: September 13, 2011, 06:23:08 am »
 ::) Me again. Firstly, with MS Exploder I have had some problems with WPAD and PAC files. I have no idea why this should work, but going into the advanced options and setting the Exploder advanced options to reset to default fixed it all.
I remember scratching my head for a while on that one. New installs work, some of my clients worked and a few didn't. The thing is, I was absolutely sure none of the options had been changed from default, so whatever it does I am totally unsure.

My best tip is to use Firefox, but like many I am a constantly harassed sysadmin :). Believe it or not, we run courses for deprived, unemployed people and people with special needs. Strangely, some of the tutors will only use Exploder for tutorials.

I have tried the argument that training the disadvantaged through commercial software possibly isn't the best way to go. To be honest, a lot of the trainers' basic qualification is that they have completed the training course that they are training. These are all UK government-led initiatives, and personally I find the quality and context of the courses dreadful. Anyway, I am a Firefox man.

As to WPAD or PAC files, the contents are the simplest piece of JavaScript you will ever come across, and all you need to do is modify a sample and change the port details. This then gets copied to the root www Apache directory. This has all been much better documented than this drivel. I just wanted to check whether my memory was playing tricks on me, as I have a feeling somehow it worked without a DNS entry. I could swear I just got nervy that all the web literature mentioned either a DNS or DHCP method, and with Zentyal the DNS method is easier.

I have a static IP and a domain registered at 123reg.co.uk, only mentioned as their control panel is simple. I didn't bother enabling the Zentyal DNS but just entered a CNAME of wpad, which is added to the FQDN. After using Zentyal for a while I do use the local DNS now, which points to the local LAN of 192.168.x.x rather than my WAN IP address, which my 123reg.co.uk domain name points to. I just thought I would mention that; does anybody do the same? My website is now pulled from the local intranet or over the WAN depending on which side the client is.

Anyway, lol, sorry people, but just as a general discussion: I did enable the proxy so that I could use group filters. We have public internet access, so filters are very important. Some of you might want to stop social networking or dating or whatever...
I have a public / staff roaming scenario and the group filters are great; there are a few things that need tweaking, but they are seriously tight.

If you don't need group filters / object filters then I can't see any point other than running in the standard transparent mode. No need for WPAD or PAC, no need for any settings, just run and go.

I did set up group filters as I wanted to set up a difference between staff, admins and users. The problem is that my understanding is that the only proxy authentication method is plain text. So on every new browser instance you are prompted for a username / password. This just seemed to cause annoyance, so everybody is back to transparent using a strict filter.

SSO & Kerberos and whispers about post-2.2 have been heard, so am I right in saying my preferred way of group filters without login boxes will become a reality for Windows clients?

Also, does anyone want to touch on HTTPS and proxy / filtering, as that's a bit of a bum as well?

Stuart 
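
A minimal wpad.dat / proxy.pac of the kind Stuart describes above, as an added example that is not from the thread or from Zentyal: intranet names and the LAN go DIRECT, everything else goes to the explicit proxy. The proxy host and port (zentyal.example.lan:3128), the internal domain and the subnet are assumed values; the helper functions re-implement the PAC built-ins that browsers normally provide so the file can be exercised under Node.

```javascript
// Added example (not from the thread or Zentyal): a minimal wpad.dat / proxy.pac.
// Browsers supply isPlainHostName, dnsDomainIs and isInNet as built-ins; they are
// re-implemented here only so the file can be run and checked outside a browser.
// Assumed values: proxy zentyal.example.lan:3128, internal domain example.lan,
// LAN subnet 192.168.1.0/24. Change them to match your own Zentyal host.

function isPlainHostName(host) {          // "intranet" -> true, "www.example.com" -> false
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {      // dnsDomainIs("pc1.example.lan", ".example.lan") -> true
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

function ip4ToInt(addr) {                 // dotted quad -> unsigned 32-bit int, -1 if malformed
  var p = addr.split(".");
  var ok = p.length === 4 && p.every(function (o) { return /^\d{1,3}$/.test(o) && +o <= 255; });
  if (!ok) return -1;
  return ((+p[0] << 24) | (+p[1] << 16) | (+p[2] << 8) | +p[3]) >>> 0;
}

// Unlike the browser built-in this version does not resolve names: only a literal
// IPv4 address can match, which is exactly what the PAC rule below relies on.
function isInNet(ip, net, mask) {
  var i = ip4ToInt(ip), n = ip4ToInt(net), m = ip4ToInt(mask);
  return i >= 0 && n >= 0 && m >= 0 && ((i & m) >>> 0) === ((n & m) >>> 0);
}

// The function every browser calls for each URL once it has fetched the PAC file.
function FindProxyForURL(url, host) {
  // Intranet short names and hosts in our own domain never go through the proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.lan")) return "DIRECT";
  // Literal LAN addresses bypass it too.
  if (isInNet(host, "192.168.1.0", "255.255.255.0")) return "DIRECT";
  // Everything else, HTTP and HTTPS alike, goes to the explicit proxy.
  // Deliberately no "; DIRECT" fallback: if the proxy is down the browser fails
  // rather than silently bypassing the filter.
  return "PROXY zentyal.example.lan:3128";
}
```

Serve it as wpad.dat with the MIME type application/x-ns-proxy-autoconfig from the virtual host that wpad.yourdomain resolves to.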

christian

  • Guest
Re: How are you using HTTP proxy?
« Reply #10 on: September 13, 2011, 07:11:58 am »
Do I use specifically wpad.domain.com or do I change the domain.com to my personal domain?

Thank you for highlighting that my doc is not clear. I will try to fix it.
You have to create wpad.yourdomain and create an alias in DNS, not DHCP, to resolve this virtual host. So if you do it on Zentyal, this is an alias attached to the Zentyal host. If this is a new server, this is not an alias but a host.
What has to be understood here is that "yourdomain" must match the client domain name, because the discovery mechanism is based on the client FQDN.

christian

  • Guest
Re: How are you using HTTP proxy?
« Reply #11 on: September 13, 2011, 07:35:40 am »
Stuart,

Interesting inputs. I fully agree that the main point is to understand the difference between transparent and non-transparent proxy. This really does matter, especially because of the way each handles HTTPS and therefore filtering, workarounds with the FW, and so on and so forth...
Most admins do not set up a non-transparent proxy because it means maintaining settings at browser level; hence my point about proxy.pac  ;)
With few users and a stable design, a non-transparent proxy with manual browser administration makes perfect sense.

One comment here: never store wpad.yourdomain outside, I mean on public DNS, because a client connected to the internet with the FQDN client1.yourdomain will search DNS for wpad.yourdomain, resolve it and try to connect to your private network... meaningless  :P

Then, filtering doesn't mean authentication, and when it comes to enabling authentication, the very first debate is SSO.
Without Kerberos, SSO is very difficult, but understanding the implementation and management of an SSO-based infrastructure is much more difficult than anything we discuss in this forum. Just because Microsoft did, as usual, something that works transparently does not mean that everything is easy, smooth and simple under the hood.

One of the issues to be faced with SSO, as far as single sign-on is the target, is to point all authentication back-ends to SSO, which means, e.g., getting a Kerberos ticket from LDAP, because some applications or services will be LDAP-enabled but not Kerberos-ready. This works... but is not straightforward. Same for the Ubuntu client. PAM_Kerberos exists, but Linux relying on central infrastructure is today built against LDAP (to replace NIS). So authentication is not enough, and what works today is PAM_LDAP + NSS_LDAP; thus replacing PAM_LDAP with PAM_Kerberos is not that obvious (which is why we have to achieve PAM_LDAP pointing to a "Kerberos-enabled LDAP"). Do you see why this is not totally straightforward?

stuartiannaylor

  • Guest
Re: How are you using HTTP proxy?
« Reply #12 on: September 13, 2011, 08:20:26 am »
Yeah, I get what you mean on the external DNS, but strangely, at first I did it that way and, again going by my memory, I am sure it worked.
Please don't, as it was a pants idea, but at first I never used to enable the Zentyal DNS. It's so simple you might as well, and Christian is right.

Tiered filtering for groups does mean authentication? I.e. different filters for different groups.

PS: ever get the problem with Adobe Flash, or is that just an English problem :) hardly the most offensive word, but hey.

Then, seriously, the authentication SSO debacle / Vista-Win7 Kerberos has me stumped.

stuartiannaylor

  • Guest
Re: How are you using HTTP proxy?
« Reply #13 on: September 13, 2011, 08:33:54 am »
Christian, the HTTPS / SSL filtering has me confused as well. My ignorance is that it's a secure socket between the web server and the client. So you can't snoop or filter?

christian

  • Guest
Re: How are you using HTTP proxy?
« Reply #14 on: September 13, 2011, 09:30:34 am »
No: because of SSL, one cannot filter content (meaning decide not to relay the page to the requester because of unauthorized content, a virus or whatever).
However, the proxy can decide, at the time the user requests access to the server, not to relay because the domain or URL is part of a blacklist. The link between client and server is not yet established at this stage.

Then you may notice that more and more proxy providers are implementing mechanisms permitting them to "intercept" the HTTPS flow at proxy level in order to filter content. This is done by implementing "man in the middle" stuff: with this, one will have SSL between client and proxy and SSL between proxy and server, the proxy faking the certificate exposed by the server in front of the client. This is another debate, but good to know, isn't it?
I wonder if this is now feasible with Squid  ???