Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: Zent User on November 17, 2012, 10:42:14 am

Title: [solved] Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: Zent User on November 17, 2012, 10:42:14 am
@ Christian,

I mistakenly removed the old topic, so I'm posting it again here.

  My question follows:

Quote
@Christian,

Sorry to interrupt you. I've read each and every post relating to explicit proxy setup, but I'm still not able to configure it correctly. So I'm posting everything that I've configured so far; if everything goes fine then I'll upload a video relating to this.

Server name: msserver01.lan; its eth1 (internal interface) IP is 192.168.6.1; clients range 192.168.6.2-192.168.6.30.

Currently one client is connected to the server; its name is system01.desktop and its IP is 192.168.6.5 (assigned by DHCP).

I followed the steps from the http://trac.zentyal.org/wiki/Documentation/Community/HowTo/SelectRightHTTPproxyDesign link. I want to go with the WPAD with DNS option instead of DHCP.

Steps

1)
Quote
DNS, with the “well known aliases” method, is easier because, if your clients FQDN is, thanks to DHCP, inherited from domain name, then browser will search for wpad.(whatever).yourdomain[4]. Let's make it clearer
your domain is "mydomain.com"
client, thanks to DHCP is known as "client.private.mydomain.com"
WPAD mechanism will search in DNS for
wpad.private.mydomain.com
wpad.mydomain.com

I already have one entry in the DNS module, with DOMAIN (msserver01.lan). In the host tab I've newly added two entries: one for wpad, having Hostname as "wpad", IP as 192.168.6.1 and alias as "wpad.msserver01.lan", and the other for the client, having Hostname as "system01.desktop" and IP as 192.168.6.5.

2)
Quote
create a wpad.dat file and store it at the root of your wpad.yourdomain[4] web server, that's it.

Generic wpad.pad example:

proxy.pac or wpad.dat example:

function FindProxyForURL(url, host)
{
   if (isInNet(host, "192.168.0.0", "255.255.255.0")) {
      return "DIRECT";
   } else {
      if (shExpMatch(url, "http:*"))
         return "PROXY zentyal.yourdomain.com:3128" ;
      if (shExpMatch(url, "https:*"))
         return "PROXY zentyal.yourdomain.com:3128" ;
      if (shExpMatch(url, "ftp:*"))
         return "PROXY zentyal.yourdomain.com:3128" ;
      return "DIRECT";
   }
}

I've created a file named "wpad.dat" in "/var/www" with this content:

function FindProxyForURL(url, host)
{
   if (isInNet(host, "192.168.6.0", "255.255.255.192")) {
      return "DIRECT";
   } else {
      if (shExpMatch(url, "http:*"))
         return "PROXY msserver01.lan:3128" ;
      if (shExpMatch(url, "https:*"))
         return "PROXY msserver01.lan:3128" ;
      if (shExpMatch(url, "ftp:*"))
         return "PROXY msserver01.lan:3128" ;
      return "DIRECT";
   }
}

And in the webserver module I've added a virtual host with the name "wpad.msserver01.lan" and removed all entries in Firewall->Rules for the internal network. I've tried in Chrome and in Firefox; after some time it shows "Error 7 (net::ERR_TIMED_OUT): The operation timed out."

Christian, where am I making a mistake? Please assist me.

The questions which you have raised:

  My server name : msserver01
  Domain name : msserver01.lan

I have the default entry in DNS, with domain name "msserver01.lan"; in that I've given "wpad" in the "hostname tab" and "192.168.6.1" in the "ip address tab".

Doubt: There was another entry in the hostnames tab, "system10.desktop.lan" with "IP" as "192.168.6.5". Now I've deleted it, yet on my client system when I give "system10.desktop.lan" I'm still able to access the index.html file. How? I've cleared the browser history also.

Christian, I'm very grateful to you. Sorry for putting a lot of strain on you.
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: christian on November 17, 2012, 10:59:44 am
As you've already read my previous reply, please fix your proxy.pac (or wpad.dat) file to use Zentyal FQDN  ::)
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: Zent User on November 17, 2012, 12:06:01 pm
Sorry Christian, I didn't get you. Is there anything wrong in the wpad.dat file?
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: christian on November 17, 2012, 12:20:23 pm
yes, as you read it, because you specify now what your domain is, you should have understood that the expectation in the wpad.dat file is to set the FQDN for the proxy server.
What is perhaps not clear to you is that FQDN is made of host name (here msserver01) and domain name (here msserver01.lan)

yes, your domain name is strange but this is your choice  ;)

then fqdn is msserver01.msserver01.lan  8)
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: Zent User on November 17, 2012, 12:51:46 pm
Thanks Christian,

I've changed "msserver01.lan" to "msserver01.msserver01.lan" and tried, but it failed. Then I gave "http://msserver01.msserver01.lan/wpad.dat" in the network proxy settings of the system, and even then it failed (I've selected "Autoproxy" in the browser). I'm using 3.0, so I hope there are no entries required in the SRV and TXT tabs? Currently I have only one record in the DNS module, with the name msserver01.lan, which exists by default; in that alone I've added the required things.
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: christian on November 17, 2012, 01:47:37 pm
I don't see why using 3.0 prevents adding an SRV entry  ::)
You obviously did read my previous reply (the one erased while removing your post) as you highlighted in this thread what your domain name is and now you focus on SRV record.

Again, do it step by step:
- write correct wpad.dat
- test it using (explicitly in conf) proxy with both IE and Firefox browsers
- once and only once this works, you can focus on the automatic detection

You are not yet at the stage you can try to solve the whole stack in one simple move  ;)
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: Zent User on November 17, 2012, 02:04:21 pm
ok thanks,

Now I'll start from the first step, but I didn't understand how to check the proxy conf using IE and Firefox. Will you explain clearly?
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: christian on November 17, 2012, 04:34:38 pm
 ::)
In firefox, there is an option to specify URL from where proxy.pac is loaded ("automatic proxy configuration URL")
In IE, "use automatic configuration script" has exactly same purpose.

Doing so, you will load your wpad.dat (or proxy.pac) and ensure it works as expected.
Title: How we should came to know,FQDN is working ?
Post by: flicker on November 19, 2012, 05:54:24 am
I'm going to set up explicit proxy. Before that I want to confirm that FQDN is working; how do I need to check that?


[MODERATOR MODE]
I'm merging this post because even if forum member looks different, topic is obviously the same, from same source BTW  ::)
Creating multiple new posts for the same topic, after having, by mistake, deleted one similar thread, is the best way not to get any support from the forum because it makes everything difficult to follow
Try to make it easy and simple for other forum members please  :)
[/MODERATOR MODE]
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: Zent User on November 19, 2012, 06:16:53 am
I've given the automatic proxy configuration URL as http://msserver01.msserver01.lan/wpad.dat in Firefox; after some time the browser shows "Timed Out". When I give that URL in the address bar, the file (wpad.dat) is downloading.

When I'm going for the wpad.dat approach I'm deleting the firewall record having "any-allow", because it is allowing the site to be browsed.
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: christian on November 19, 2012, 08:10:44 am
1 - Control at FW is to prevent users from bypassing the proxy. It has nothing to do with wpad.
2 - This is to say that you must first start with proxy validation: if you set the proxy in your browser, does it work? First step  8)
3 - Second step is to set up the proxy.dat or wpad.dat file and ensure it works when configuring the URL. Second step. If you get a time-out here, this means that wpad.dat has something wrong.
4 - Third step is to use either the DHCP or the DNS discovery method.
Title: Re: How we should came to know,FQDN is working ?
Post by: christian on November 19, 2012, 08:11:53 am
Could you explain what you mean with "FQDN is working"?
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: Zent User on November 19, 2012, 08:34:04 am
Thanks Christian,

A lot of Zentyal users are suffering in setting up explicit proxy, and even forum moderators (like you) are suffering in guiding newbies (like me). Even though you have suggested a built-in Explicit Proxy feature for upcoming versions of Zentyal, and we are happy about that, if possible why can't we have a clear explanation of setting up explicit proxy, like this http://download.webtitan.com/manuals/webtitan_quickstart_WPAD.pdf ? Please don't take my words in a negative way; it will save your time also.
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: christian on November 19, 2012, 08:47:21 am
I don't take your comment the wrong (bad) way but just don't understand what you mean.
Your main issue is not with proxy setting but with basic networking stuff.
You have defined in your wpad.dat domain name instead of server name  :o and you still try to solve everything stacked instead of checking every single (simple) step as I suggest.

I explained the proxy stuff in the HowTo pages. Some other sites available on internet also describe this in an even better and clearer way. However the link you show here just makes things a bit confusing as it shows only partial stuff dedicated to another product.

I think I already explained everything. If you still don't understand but can't explain further what is not clear to you, then I can't help further.

I think you should get in touch with "flicker" who is facing, as you, FQDN related question that may solve your problem with wpad.dat  ;)
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: Zent User on November 19, 2012, 09:56:48 am
@Christian,

I'm able to configure basic network stuff; currently DHCP, DNS, HTTP Proxy (Transparent), Firewall, File Sharing, etc. are working fine for me. I just want to move from Transparent Proxy to Explicit Proxy; here I'm stuck.

Currently I tried with DNS, as in some posts I read that it's easy to implement. If possible, can you explain how I need to proceed with DHCP?
 
  if (isInNet(host, "192.168.6.0", "255.255.255.192"))
   {
      return "DIRECT";
    }

Now I will keep the above code in wpad.dat. I think it will redirect any request from 192.168.6.0/24 to the requested URL? So there will be no issues (once everything works fine I'll write other rules).

Doubt: Should we delete the "allow any rule" in the firewall or not before implementing explicit proxy?

The main intention of the link in my previous post is how they have shown it with screenshots, that's it.

I don't know in which way I can express my thankfulness to you, because I crossed the limits of "Support".
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: christian on November 19, 2012, 11:03:17 am
Unfortunately (at least for you) you will not get any "screen shot based" howto because I do not believe this is the right way to proceed.
With such material, you might be able to reproduce or mimic what you see but you will not learn anything.
If I tell you "put here server FQDN" or if I show you my own screen copy with my own FQDN, until you know what FQDN is, screenshot will just make you more confused, if you see what I mean.

The wpad.dat you show above means: "when targeting one of the 62 hosts on my LAN, do not use proxy".
So far so good, but what do you do for anything else, including internet?

You do need rules (or at least no "allow any to any") at FW level if you want to prevent users from accessing internet (from their browser) without using your proxy.
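An offline check of the wpad.dat logic from the posts above, added here as an example and not part of the original thread: it runs FindProxyForURL against sample URLs, showing that mask 255.255.255.192 covers only 62 hosts and that the DIRECT-only fragment gives no answer for anything else. The `isInNet`/`shExpMatch` stand-ins, the `HOSTS` table, `loadPac`, `usableHosts` and the test URLs are assumptions made for the example.

```javascript
// Added example: offline harness for the wpad.dat logic discussed in this thread.
// HOSTS is a constructed name table standing in for DNS, so the run needs no network.
const HOSTS = {
  "msserver01.msserver01.lan": "192.168.6.1",
  "wpad.msserver01.lan": "192.168.6.1",
  "www.example.com": "203.0.113.10", // constructed "internet" address
};

// Dotted quad -> unsigned 32-bit number, or null when the text is not an IPv4 address.
function ipToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function dnsResolve(host) {
  if (ipToInt(host) !== null) return host;
  return HOSTS[host.toLowerCase()] || null;
}

// Stand-in for the PAC built-in: true when host (resolved if needed) lies in pattern/mask.
function isInNet(host, pattern, mask) {
  const ip = dnsResolve(host);
  const p = ipToInt(pattern);
  const m = ipToInt(mask);
  if (ip === null || p === null || m === null) return false;
  return ((ipToInt(ip) & m) >>> 0) === ((p & m) >>> 0);
}

// Stand-in for the PAC built-in: shell-style match where * and ? are wildcards.
function shExpMatch(str, shexp) {
  const re = shexp
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// Usable host addresses behind a contiguous netmask (network and broadcast excluded).
function usableHosts(mask) {
  return 2 ** 32 - ipToInt(mask) - 2;
}

// The thread's wpad.dat, with the proxy given by FQDN as advised in the replies.
const WPAD_DAT = `
function FindProxyForURL(url, host)
{
   if (isInNet(host, "192.168.6.0", "255.255.255.192")) {
      return "DIRECT";
   } else {
      if (shExpMatch(url, "http:*"))
         return "PROXY msserver01.msserver01.lan:3128";
      if (shExpMatch(url, "https:*"))
         return "PROXY msserver01.msserver01.lan:3128";
      if (shExpMatch(url, "ftp:*"))
         return "PROXY msserver01.msserver01.lan:3128";
      return "DIRECT";
   }
}`;

// The DIRECT-only fragment from the post above, wrapped in the required function.
const FRAGMENT_ONLY = `
function FindProxyForURL(url, host)
{
   if (isInNet(host, "192.168.6.0", "255.255.255.192")) {
      return "DIRECT";
   }
}`;

// Evaluate PAC source with the stand-ins in scope. new Function is not a sandbox:
// use this only on a PAC file you wrote yourself.
function loadPac(source) {
  const factory = new Function(
    "isInNet", "shExpMatch", "dnsResolve",
    source + "\nreturn typeof FindProxyForURL === 'function' ? FindProxyForURL : null;"
  );
  const find = factory(isInNet, shExpMatch, dnsResolve);
  if (!find) throw new Error("PAC source does not define FindProxyForURL");
  return function decide(url) {
    const result = find(url, new URL(url).hostname);
    return typeof result === "string" ? result : "NO DECISION";
  };
}

const decideFull = loadPac(WPAD_DAT);
const decideFragment = loadPac(FRAGMENT_ONLY);

for (const url of [
  "http://192.168.6.5/",      // inside 192.168.6.0/26
  "http://192.168.6.100/",    // inside 192.168.6.0/24 but outside the /26
  "https://www.example.com/", // anything else
]) {
  console.log(url, "| full:", decideFull(url), "| fragment:", decideFragment(url));
}
```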
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: Zent User on November 19, 2012, 11:14:11 am
@Christian,

OK, then. At least will you explain (more elaborately) "configuring explicit proxy using DHCP 252 option"? I hope when I go for the DHCP 252 option the DNS role won't be there.

When explicit proxy is set up, should the FW level "allow to any" rule be in place or not? Here I want to access internet.
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: christian on November 19, 2012, 11:35:17 am
OK, let me try to explain one more time. Sorry for this long post.

1 - the more useful link is definitely this one (http://findproxyforurl.com/). Be sure to understand and apply what it explains.
2 - if you want to be sure that users are using proxy, your FW should NOT contain any "allow any to any" rule (it looks so obvious to me  ::) )
3 - referring to this link (http://findproxyforurl.com/browser-support/), DNS based advertisement has wider coverage than DHCP.
4 - you are currently facing issues that are not due to DNS implementation but to a wrong wpad.dat file, or at least you don't know because you have not been able (or willing) to validate this step.

So I will explain again (last time perhaps) how to proceed, step by step.

1 - configure your Zentyal proxy as explicit proxy. Do not set filtering rules, profiling, authentication or whatever, only simple "non transparent" proxy.
2 - configure your browser to use this proxy and ensure it works (feel free to remove any "allow any to any" rule in your FW  :P)
3 - once (and only once) this works, configure web server and wpad.dat file so that you get access to proxy when proxy is not explicitly configured in your browser but when you are using URL to point to web server exposing your wpad.dat file (this must be something like http://wpad.yourdomain/)
4 - once above works (and only once it works  >:() you can start working at DNS level to expose A and SRV records. If you're not happy with DNS, you can go with DHCP. In any case, as you can see, this is the very last step, only once everything above works.

I hope I'm crystal clear now. If not, just tell me  :)
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: Zent User on November 20, 2012, 03:08:35 pm
@Christian,

In this link http://trac.zentyal.org/wiki/Documentation/Community/HowTo/SelectRightHTTPproxyDesign I've almost done everything, except a few steps; if you guide me I can also proceed with the steps which I've left.

Quote
First step is to set up webserver for wpad.yourdomain.com[4]. This can be done with Zentyal web server module → Virtual host → wpad.yourdomain.com[4] This server is mandatory to handle your wpad.dat file.

First of all, one doubt: you have mentioned "yourdomain.com" (in some parts only); what does it mean exactly? To my knowledge domains will have some extension, so where did ".com" come from in the document?

I've created a Vhost in the web server. Is just creating the Vhost in the web server enough? Do we need to take the help of a .htaccess file to make the web server handle the "wpad.dat" file? I've attached a screenshot of what appears when I give "wpad.msserver01.lan" in the client browser.
 
Quote
wpad            IN       A       192.168.0.10  (your wpad address here... if CNAME is not used)
                    IN      TXT     "service: wpad:!http://wpad.yourdomain:80/proxy.pac"
wpad.tcp       IN      SRV     0 0 80 wpad.yourdomain.

Quote
Please notice the "dot" at the end of SRV record...

Should we keep the "dot" or not in the SRV record? And one more: when the service name is given as "wpad.tcp" it shows an error, "no service with name given in /etc/services/". What do we need to give as the service name exactly?

I think if we give "proxy.pac" in the TXT then we need to save the file as "proxy.pac" only; saving the file as "wpad.dat" won't be meaningful here.

In the example of proxy.pac or wpad.dat, you have mentioned "zentyal.yourdomain.com:3218"; in my case I hope "msserver01.msserver01.lan:3218" is correct?

I've asked you a lot of questions  :), please don't mind.
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: christian on November 20, 2012, 04:35:45 pm
Quote
In this link http://trac.zentyal.org/wiki/Documentation/Community/HowTo/SelectRightHTTPproxyDesign I've almost done everything, except a few steps; if you guide me I can also proceed with the steps which I've left.

Applying only some steps is nonsense. Sorry if my comment sounds harsh but it will not give you any result if you decide to apply only some settings  ::)

Quote
First of all, one doubt: you have mentioned "yourdomain.com" (in some parts only); what does it mean exactly? To my knowledge domains will have some extension, so where did ".com" come from in the document?

Sorry if I'm not clear enough. This document was supposed, when written, to be read by people having some basic knowledge about server and domain name. What I mean to say is that such a doc focuses on HTTP proxy only. If you don't understand what "domain.com" means, please do a bit of your homework too.
".com" is the common extension for TLD (top level domain).
You are perhaps using ".lan" or ".ind" or whatever, this is one example and you have to adapt to your own case.

However, and you're right here, I'm not using consistent naming scheme as I sometimes wrote "yourdomain" or "domain.com" with same meaning  :-[
My fault. I'll fix it later.

BTW, this is why I don't like to provide screen-shot. Some people will look at it without thinking twice and trying to understand what it means but just mimic what it shows  ::) ::)


 
Quote
Quote
wpad            IN       A       192.168.0.10  (your wpad address here... if CNAME is not used)
                    IN      TXT     "service: wpad:!http://wpad.yourdomain:80/proxy.pac"
wpad.tcp       IN      SRV     0 0 80 wpad.yourdomain.

Please notice the "dot" at the end of SRV record...

Should we keep the "dot" or not in the SRV record? And one more: when the service name is given as "wpad.tcp" it shows an error, "no service with name given in /etc/services/". What do we need to give as the service name exactly?

This is another mistake I made, that is to provide too much information for people only willing to copy/paste. Sorry  :-[

Just create wpad service using Zentyal interface, it will be fine.
Then if you look at DNS content, yes it does have "dot" at the end of the line but Zentyal interface should handle it for you in a transparent way.


Quote
I think if we give "proxy.pac" in the TXT then we need to save the file as "proxy.pac" only; saving the file as "wpad.dat" won't be meaningful here.

Correct, if your file is wpad.dat, set it as wpad.dat  ::)
   
Quote
In the example of proxy.pac or wpad.dat, you have mentioned "zentyal.yourdomain.com:3218"; in my case I hope "msserver01.msserver01.lan:3218" is correct?

Yes correct.
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: Zent User on November 21, 2012, 06:43:50 am
Thanks Christian,

I don't want to talk philosophy, but "A destination millions away should also start with a single step". So, after reading the "HowTo" and "other" documents, I started configuring the explicit proxy with what I understand, because only once I start the configuration can I know where I'm lacking.

Anyhow, if you wish, please try to clarify this poor fellow's doubts.

I've created a "wpad" service using the Zentyal interface. Should I leave the configuration of the service as it is, meaning no need to mention any protocol, source & destination port of the "wpad" service?

After creating the "wpad" service I tried for the "SRV" record; then it showed the previous error, "there is no service with name wpad in /etc/services".

Then coming to Vhosts: if I don't go for multiple web applications then a Vhost is not necessary, I think. Currently only one "A record" is there in DNS, i.e. "wpad". When I give "wpad.msserver01.lan/proxy.pac" in the client browser the file is downloading; when the Vhost is enabled it shows an error.

My proxy.pac looks like

 if (shExpMatch(url, "http:*"))
         return "PROXY msserver01.msserver01.lan:3128" ;
      if (shExpMatch(url, "https:*"))
         return "PROXY msserver01.msserver01.lan:3128" ;
      if (shExpMatch(url, "ftp:*"))
         return "PROXY msserver01.msserver01.lan:3128" ;
      return "DIRECT";

I hope I can apply filters using "Access Rules" and "Filter Profiles".

Please clarify the above mentioned points; I feel guilty asking again and again.

Thanks

Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: christian on November 21, 2012, 07:34:16 am
Quote
I've created a "wpad" service using the Zentyal interface. Should I leave the configuration of the service as it is, meaning no need to mention any protocol, source & destination port of the "wpad" service?

If you mean "Zentyal service", I don't think such entry is required. What's the purpose?


Quote
After creating the "wpad" service I tried for the "SRV" record; then it showed the previous error, "there is no service with name wpad in /etc/services".

Indeed, you do need to manually update /etc/services adding below line

Code: [Select]
wpad            3128/tcp        wpad            # http proxy

 
Quote
Then coming to Vhosts: if I don't go for multiple web applications then a Vhost is not necessary, I think. Currently only one "A record" is there in DNS, i.e. "wpad". When I give "wpad.msserver01.lan/proxy.pac" in the client browser the file is downloading; when the Vhost is enabled it shows an error.

I suppose that without vhost, you can download wpad.dat file because unknown URL will point to default configuration.
BTW, did you decide whether you are going to use proxy.pac or wpad.dat file name?
What is the error message with vhost enabled?

Quote
My proxy.pac looks like

 if (shExpMatch(url, "http:*"))
         return "PROXY msserver01.msserver01.lan:3128" ;
      if (shExpMatch(url, "https:*"))
         return "PROXY msserver01.msserver01.lan:3128" ;
      if (shExpMatch(url, "ftp:*"))
         return "PROXY msserver01.msserver01.lan:3128" ;
      return "DIRECT";

looks ok for me in a first approach.

At this stage, did you try to use this proxy.pac file by configuring "http://wpad.msserver01.lan/" as URL in your browser settings?

Quote
I hope I can apply filters using "Access Rules" and "Filter Profiles".

As I explained multiple times (and above again regarding proxy.pac content), you should:
- ensure your proxy is working fine (which means access rules and profiles are OK): this is done configuring proxy FQDN in your browser
- ensure your proxy.pac file is working fine: this is done configuring proxy.pac URL in your browser instead of using FQDN
- ensure autodiscovery is working fine: this is done enabling the auto discovery feature in your browser 
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: Zent User on November 21, 2012, 08:19:49 am
Due to a misunderstanding, I created a "wpad" record in "Zentyal service"; now I've removed that. I've added " wpad   3128/tcp   wpad  # http proxy" to the /etc/services file (in the #Local services section, which is at the bottom of the file). I hope there is now no need for an SRV record in the Zentyal GUI?

Now I think the only problem that exists in my configuration is with the web server.

When I give the following URLs in the client browser:

URL                                  | Without Vhost entry                        | With Vhost
http://wpad.msserver01.lan           | pointing to index.html page of web server  | pointing to Vhost
http://wpad.msserver01.lan/prox.pac  | File is downloading to client system       | showing 404 error

I'm creating the Vhost with the name "wpad.msserver01.lan"; is that enough or should I make any changes? Currently the proxy.pac file is at /var/www/.

I've tried blocking some sites using Access Rules. I selected the "Auto Proxy option" in the client browser and tried a blocked site, but I was able to access the blocked site. I also tried "Auto Proxy URL" by giving the URL as "http://wpad.msserver01.lan/proxy.pac"; even in this case it was the same. When I remove the "allow to any rule" in FW then I'm unable to access internet.

Thanks a lot
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: christian on November 21, 2012, 08:41:45 am
Quote
Due to a misunderstanding, I created a "wpad" record in "Zentyal service"; now I've removed that. I've added " wpad   3128/tcp   wpad  # http proxy" to the /etc/services file (in the #Local services section, which is at the bottom of the file). I hope there is now no need for an SRV record in the Zentyal GUI?

Yes, you misunderstand  :-[ you DO need this entry in /etc/services in order to be able to create, using Zentyal GUI, DNS SRV record. This is because detection (i.e. proxy auto-discovery) is done relying on DNS. If you do not create any DNS SRV record, nothing will happen.

As this was not clear enough, I've updated the HowTo, explaining, in clear text, that in order to create such SRV record, updating /etc/services file is mandatory.


Quote
Now I think the only problem that exists in my configuration is with the web server.

When I give the following URLs in the client browser:

URL                                  | Without Vhost entry                        | With Vhost
http://wpad.msserver01.lan           | pointing to index.html page of web server  | pointing to Vhost
http://wpad.msserver01.lan/prox.pac  | File is downloading to client system       | showing 404 error

I'm creating the Vhost with the name "wpad.msserver01.lan"; is that enough or should I make any changes? Currently the proxy.pac file is at /var/www/.

Error is because vhost does not store pages in /var/www/
(I know this is a strange choice  :-X)

Look at your Apache configuration (/etc/apache2/sites-available)
this is rather something like /srv/www/wpad.yourdomain

Quote
I've tried blocking some sites using Access Rules. I selected the "Auto Proxy option" in the client browser and tried a blocked site, but I was able to access the blocked site. I also tried "Auto Proxy URL" by giving the URL as "http://wpad.msserver01.lan/proxy.pac"; even in this case it was the same. When I remove the "allow to any rule" in FW then I'm unable to access internet.

This is the very first step. We should not discuss in very long and complex posts all above stuff until you are sure that your proxy configuration (without transparent, discovery and proxy.pac stuff) works  ::)
So please drop anything else and focus on this preliminary step: How to configure Zentyal proxy so that it provides some filtering. Everything is described in Zentyal documentation. Once your proxy works, we can move further.

To ensure your proxy works, explicit mode, configure it using msserver01.msserver01.lan in your browser setting.
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: Zent User on November 21, 2012, 10:01:41 am
@Christian,

Just now I've checked by giving "Manual Proxy Configuration" as "msserver01.msserver01.lan" and "Port" as "3128" in Firefox; great, the blocked sites are inaccessible. Thank god it's working (I think  :) ).

After that

Quote
Look at your Apache configuration (/etc/apache2/sites-available)
this is rather something like /srv/www/wpad.yourdomain

Yes, the document root is pointing to "srv/www/wpad.mssserver01.lan", so I've moved "proxy.pac" to "srv/www/wpad.msserver01.lan/" (because this is a root folder). After that I also checked by changing the browser settings to the "Auto detect proxy settings for this network" option and "Auto proxy configuration URL" as "http://wpad.msserver.lan/proxy.pac", but I'm able to access blocked sites, which means the browser is not picking up the "proxy file" or proxy.pac might not be redirecting to "msserver01.msserver01.lan:3128".

      How to resolve this ?

           Thanks
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: christian on November 21, 2012, 10:54:53 am
Quote
Just now I've checked by giving "Manual Proxy Configuration" as "msserver01.msserver01.lan" and "Port" as "3128" in Firefox; great, the blocked sites are inaccessible. Thank god it's working (I think  :) ).

Good  :)

Quote
Yes, the document root is pointing to "srv/www/wpad.mssserver01.lan", so I've moved "proxy.pac" to "srv/www/wpad.msserver01.lan/" (because this is a root folder). After that I also checked by changing the browser settings to the "Auto detect proxy settings for this network" option and "Auto proxy configuration URL" as "http://wpad.msserver.lan/proxy.pac", but I'm able to access blocked sites, which means the browser is not picking up the "proxy file" or proxy.pac might not be redirecting to "msserver01.msserver01.lan:3128".

it can not be
Code: [Select]
changing browser settings to "Auto detect proxy settings for this network" option [b]and[/b] "Auto proxy configuration URL"
This is either one or the other, at least with Firefox.
For the time being, do not look at "auto detect". This is the very last step.

What if you type this URL in your browser ? Are you prompted to download the file?
If not, file is not accessed...
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: Zent User on November 21, 2012, 11:02:09 am
When I give http://wpad.msserver01.lan/proxy.pac in the browser (on the client machine) then the file is listed; once we click on that file, it downloads.
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: christian on November 21, 2012, 11:07:17 am
 ??? what is your browser ?
typing such URL should not bring you to directory content but prompt you for file download directly.

BTW, perform test with both IE and Firefox because behaviour is slightly different.
May I also suggest that you duplicate your proxy.pac file to wpad.dat file. I'm not sure Firefox will search wpad.dat file first... I'll check on my side too.
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: Zent User on November 21, 2012, 11:14:05 am
Sorry Christian, the file is downloading when I give http://wpad.msserver01.lan/proxy.pac in both FF & Chrome. Do I have to duplicate the proxy.pac file?
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: christian on November 21, 2012, 11:37:23 am
your previous answer was "listing then download" then you tell me "download"  ???
Any change in the middle ?

What's about IE ?

can you post again result of:
Quote
dig wpad.msserver01.lan @
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: Zent User on November 21, 2012, 11:45:23 am
No, the file is downloading; I was mistaken, I've made no change in the middle. I've checked in IE also; the result was the same as in Firefox.

dig wpad.msserver01.lan

; <<>> DiG 9.8.1-P1 <<>> wpad.msserver01.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15064
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;wpad.msserver01.lan.      IN   A

;; ANSWER SECTION:
wpad.msserver01.lan.   259200   IN   A   192.168.6.1

;; AUTHORITY SECTION:
msserver01.lan.      900   IN   NS   msserver01.msserver01.lan.

;; ADDITIONAL SECTION:
msserver01.msserver01.lan. 900   IN   AAAA   ::1

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Nov 21 16:13:29 2012
;; MSG SIZE  rcvd: 107
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: christian on November 21, 2012, 12:26:44 pm
BTW did you look at /var/log/apache2/wpad.msserver01.lan-access.log ?
It will tell you if your browser tries to access your file or not.
Keep also in mind while applying changes, that you may have to restart your browser.
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: Zent User on November 21, 2012, 12:59:54 pm
@ Christian,

         I did as you suggested. "Auto Proxy Configuration URL" is working fine: when I give it as "wpad.msserver01.lan/proxy.pac", blocked sites are inaccessible. Thanks, Christian, for your guidance.

        But "Auto Proxy detect" is not working.

From "HowTo"

Quote
wpad            IN      A       192.168.0.10  (your wpad address here... if CNAME is not used)
                    IN      TXT     "service: wpad:!http://wpad.yourdomain:80/proxy.pac"
wpad.tcp       IN      SRV     0 0 80 wpad.yourdomain.

    When I give dig wpad.msserver01.lan, the above things are not shown except the "A record", though I've configured "TXT" as service:wpad:!http://wpad.msserver01.lan:80/proxy.pac and "SRV" as wpad TCP 0 0 80 wpad. If I do this, I'm almost done, Christian.
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: christian on November 21, 2012, 02:18:15 pm
you do not use "dig" with the right syntax.
Default entry type is "A"  ;)

If you want to "see" your TXT record along with your A record, type this:
Quote
dig wpad.msserver01.lan ANY

if you want to "see" your SRV record, try this:
Quote
dig _wpad._tcp.msserver01.lan -t SRV

BTW, did you:
1 - try with IE
2 - Look at /var/log/apache/...
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: Zent User on November 21, 2012, 02:45:44 pm
Quote
dig wpad.msserver01.lan ANY

; <<>> DiG 9.8.1-P1 <<>> wpad.msserver01.lan ANY
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12898
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;wpad.msserver01.lan.      IN   ANY

;; ANSWER SECTION:
wpad.msserver01.lan.   259200   IN   A   192.168.6.1
wpad.msserver01.lan.   259200   IN   TXT   "service:" "wpad:!http://wpad.msserver01.lan:80/wpad.dat"

;; AUTHORITY SECTION:
msserver01.lan.      900   IN   NS   msserver01.msserver01.lan.

;; ADDITIONAL SECTION:
msserver01.msserver01.lan. 900   IN   AAAA   ::1

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Nov 21 19:08:05 2012
;; MSG SIZE  rcvd: 170

Quote
dig wpad.msserver01.lan -t SRV

; <<>> DiG 9.8.1-P1 <<>> wpad.msserver01.lan -t SRV
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57971
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;wpad.msserver01.lan.      IN   SRV

;; AUTHORITY SECTION:
msserver01.lan.      0   IN   SOA   zentyal-server.msserver01.lan. hostmaster.msserver01.lan. 16 900 600 86400 0

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Nov 21 19:09:31 2012

         I hope everything is configured perfectly; please check the SRV record once. I've checked "/var/log/apache2/wpad.msserver01.lan-access.log": it shows only the logs from when we tried with "Auto Proxy Configuration URL"; it is not showing any logs after I changed to "Auto Proxy detect".

 Note: I've tried with "wpad.dat", so I replaced "proxy.pac" with "wpad.dat" everywhere.

         Thanks.
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: christian on November 21, 2012, 04:03:46 pm
Again and again, did you try with IE (Internet Explorer) ?
And did you remember to restart your browser in order to test?

Then now that we have reached the "auto-discovery step", it deserves some explanations (based on this (http://www.wrec.org/Drafts/draft-cooper-webi-wpad-00.txt) RFC draft)
First you have to understand that you are not obliged to implement EVERYTHING as browser is supposed to try first mechanism first, then the second, then third...
Available mechanisms are (in this sequence)


1 - In terms of auto-discovery, first mechanism to be used is DHCP but you can't implement it using Zentyal GUI. Furthermore, IE (Microsoft) doesn't support it  >:(

2 - Second mechanism is SLP: I don't know any implementation for WPAD  ::)

3 - Then the DNS "well known alias", meaning DNS A record describing "wpad.yourdomain" : this is definitely supposed to be the easy  :D but I don't know how to implement it easily with Zentyal  :-[ Why  ? :o  because you can't set, using Zentyal GUI, any A record in Zentyal DNS for IP address matching Zentyal server itself (BTW, how did you achieve it, using GUI?) One way to do it still using GUI only is to set secondary IP on same interface and point your A record here. Hopefully, your vhost will listen on this interface too  ;D

4 - DNS SRV record: quite easy using Zentyal GUI. The only potentially unclear point is that RFC draft is showing "wpad.tcp" while SRV record is supposed to be "_wpad._tcp" instead (referring to RFC2782). Need to update /etc/services first in order to set it up using Zentyal GUI

5 - DNS TXT record: this one is another easy (perhaps the easiest) implementation  ;)


What I notice in what you show is:
- that you succeeded creating A record for wpad while at this same IP address you have msserver01  ???
- there is a typo in your TXT record (I suppose due to error I made in my howto (fixed now)). Your TXT record should look like this:
Code:
wpad   IN   TXT   "service:wpad:http://wpad.msserver01.lan:80/wpad.dat"
which using dig shows:
Code:
wpad.msserver01.lan.   259200   IN   TXT   "service:" "wpad:http://wpad.msserver01.lan:80/wpad.dat"
I don't think there is any "!" before "http" but I need to check further why I made such mistake.
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: peter_b on November 21, 2012, 09:03:08 pm
Christian,

I admire your patience. Reading all the posts I wondered if it is really that hard to do. So I set it up as in your tutorial.
I used the DNS method adding an alias wpad. I also added a virtual host wpad.mydomain.lan
Copied your example of wpad.dat to /srv/www/wpad.mydomain.lan
Set up some filtering rules just to test.
Made a change in IE9 and Firefox and guess what.
All works just fine.
It took me about 10 minutes to do.
Great job!

Regards Peter
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: christian on November 22, 2012, 01:36:34 am
Peter,

From pure technical standpoint, this is really not as difficult as it may look at first.
I would even say that if you have the very minimum technical background to understand what does what, this is pretty straightforward.
But for some user with different background, it may require more explanation. What is really difficult, from my side, is to guess what is not understood from the other side and I'm not very efficient with this  :)
On top of this, "Zent user" is also experimenting with DNS plus some other Zentyal aspects, reason why, I suppose, his platform is not as stable as needed to focus on this simple WPAD implementation.

Anyway, for most admins, this is pretty easy and definitely the way to go when you really want to control stuff around HTTP proxy  8)
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: Zent User on November 22, 2012, 05:44:57 am
@ Christian,

       I tried from my end but was unable to implement "Auto detect proxy". I tried in IE also; it's not working. I'm thinking that I might have done something wrong in the DNS configuration.

       In the DNS module, I have only one domain (msserver01.lan). In the "Hostnames" tab I have one record: 'Hostname' (wpad), IP (192.168.6.1, which is the eth1 IP (internal interface)), Alias (wpad.msserver01.lan, www.wpad).

       In the "Nameservers" tab: 'Hostname' (wpad). In the 'TXT records' tab I have two records: one is for Kerberos and the other is Hostname (wpad), TXT data (service:wpad:!http://wpad.msserver01.lan:80/wpad.dat). I have a doubt about the TXT data record: is it correct? I've written it as I've shown you.

      In the 'Services' tab: Service name (wpad), protocol (TCP), Priority (0), Weight (0), Target Port (80), Target (wpad), along with some Kerberos records.

     The above information looks so foolish, but I don't find another way. I have doubts about the configuration in the above text which looks "bold". Please confirm that my configuration is correct for "Auto Detect Proxy".

     Thanks
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: Zent User on November 22, 2012, 08:08:07 am
@ Christian,

    Just now I checked by deleting the SRV and TXT records and gave the dig command once again; the output of dig does not show any difference before/after deleting the SRV & TXT records. I think there is something wrong in these two records only. In the "HowTo" page you have also modified the SRV entry from "wpad" to "_wpad._tcp"; should we also modify the entry in "/etc/services"? Please look once at the dig outputs which I posted in the previous post.
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: christian on November 22, 2012, 08:12:01 am
You're probably right thinking something could be wrong with DNS.
Let's try to make it simple: if you have only one A record (wpad), remove the WPAD SRV record and also the WPAD TXT record.
Aliases you added to wpad hostname are useless (for what concerns WPAD at least) remove it for testing purpose.

Feel free also to tell me how you can access msserver01.msserver01.lan if there is no DNS record matching it. Answer to this might help to understand what's currently wrong.

Once SRV and TXT records are removed, give a try again and let us know.
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: christian on November 22, 2012, 08:16:35 am
Regarding DIG output and the HowTo:
I've modified it to introduce the "_" (underscore) because RFC2782 describes DNS SRV records with such underscore but it has been written after the RFC draft about WPAD. So I aligned with the newest.
No need however to change /etc/services files. Service is still "wpad" without underscore and no need to create this service with underscore either, Zentyal interface will handle it for you transparently.

Again, try to make it simple: we will look at SRV and TXT records later. For the time being, remove it so that we can work on the "well known alias" method only.
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: Zent User on November 22, 2012, 08:29:47 am
Quote
Let's try to make it simple: if you have only one A record (wpad), remove the WPAD SRV record and also the WPAD TXT record.
Aliases you added to wpad hostname are useless (for what concerns WPAD at least) remove it for testing purpose.

            I've removed SRV, TXT and aliases.

Quote
Feel free also to tell me how you can access msserver01.msserver01.lan if there is no DNS record matching it. Answer to this might help to understand what's currently wrong.

       Yes, there is only one hostname in my DNS, i.e. "wpad", but when I give "nslookup msserver01.msserver01.lan" it points to my server IP only (192.168.6.1). The only thing I remember is that I gave the hostname as msserver01 while installing Zentyal, that's it; other records regarding "msserver01" do not exist.
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: christian on November 22, 2012, 08:49:10 am
1 - Please show us DNS content for msserver01.msserver01.lan using dig command.
2 - once SRV and TXT records removed, is there any difference in the way auto-detection works ? Remember you will have to either only restart your browser or, because of changes at DNS level, clear client DNS cache or reboot (this is easier) your client before testing.
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: Zent User on November 22, 2012, 09:22:06 am
dig msserver01.msserver01.lan

; <<>> DiG 9.8.1-P1 <<>> msserver01.msserver01.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45552
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;msserver01.msserver01.lan.   IN   A

;; ANSWER SECTION:
msserver01.msserver01.lan. 259200 IN   A   192.168.6.1

;; AUTHORITY SECTION:
msserver01.lan.      900   IN   NS   msserver01.msserver01.lan.

;; ADDITIONAL SECTION:
msserver01.msserver01.lan. 900   IN   AAAA   ::1

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Nov 22 13:47:47 2012
;; MSG SIZE  rcvd: 102

      There is no difference before/after removing the SRV and TXT records in how "Auto Detection" works, but "Auto Proxy configuration URL" is working fine.
      Every time, I'm rebooting the systems (both client & server  :) ) if I make any changes in DNS.
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: christian on November 22, 2012, 09:37:37 am
So, let me summarize:

- you have set up vhost: http://wpad.msserver01.lan
- you have wpad.dat file in /srv/www/wpad.msserver01.lan/
- this works if you set up this URL in your browser (both IE & Firefox)
- wpad.dat behaves as expected and HTTP proxy filtering works (FW prevents direct HTTP internet access without using proxy)
- we want to implement auto-discovery using the "well known alias" method.
 => so far this doesn't work  :( although DNS does contain A record for wpad.msserver01.lan  :o

The only reason I can see is that client FQDN is not member of msserver01.lan (network) domain.
Can you please check this ?
(the well known alias method relies on client's FQDN and strips the leftmost section to perform DNS requests until valid A record is found)
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: Zent User on November 22, 2012, 09:50:45 am
      Can I do one thing: change the "A record" 'wpad' to 'msserver01', which will have aliases "wpad", "wpad.msserver01.lan". When I try from system02 as "system01.msserver010.lan" then can able to access,its not means client FQDN is a member of msserver01.lan or is there any other way to know this ?

Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: christian on November 22, 2012, 10:00:32 am
1 - "well known alias" is supposed to rely on "A" record, not "CNAME". Please do not change this for the time being.
2 - I don't understand this sentence:
Quote
When I try from system02 as "system01.msserver010.lan" then can able to access,its not means client FQDN is a member of msserver01.lan or is there any other way to know this ?
- what are system02 and system01 ?
- what you need to check is whether client's FQDN is something.msserver01.lan or not and if search domain is msserver01.lan (this is supposed to be provided by DHCP server)
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: Zent User on November 22, 2012, 10:01:25 am
Few things I might be missing,

    1) My client system name is 'user102-desktop', but when I assigned the IP using Fixed DHCP (MAC) I gave Hostname (system01-desktop), IP (192.168.6.1). When I run 'hostname' in the client terminal it shows 'user102-desktop', and "dnsdomainname" shows no output; here it has to show "msserver01.lan". I think the mistake is here.

         Thanks
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: christian on November 22, 2012, 10:12:02 am
bingo!

so your DHCP configuration is wrong  :(
As stated at the very beginning of this long thread (or perhaps in the one you deleted), you are trying to implement too complex a setup in regard to your technical skill (for the time being. No doubt you will improve  ;))

You should rather go for basic DHCP configuration, ensure everything fine then move to the next step, adding - under control - more features.

Anyway, we are not going to investigate this right now.

To make it short:
- what is your client OS (I previously made assumption that it is Windows but I might be wrong)?
- in order to check wpad auto-discovery, could you please "rename" your client as whateveryouwant.msserver01.lan and test auto-discovery?

Then we (or perhaps someone else  ;D) will deal with DHCP conf.

BTW what's this habit to not use domain name when describing devices name?  ::)  ;)
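
The "well known alias" lookup described above, as an added example that is not part of the original thread and not any browser's actual implementation: it derives the wpad.* names from a client FQDN and shows why a client without a DNS domain never queries wpad.msserver01.lan. The `min_labels` cut-off and the `ZONE` dictionary (built from the values quoted in the thread, no DNS query is made) are assumptions of this sketch.

```python
"""WPAD "well known alias" candidates derived from a client's FQDN."""


def wpad_candidates(fqdn, min_labels=2):
    """Return the wpad.* host names a client would try, most specific first.

    The leftmost label (the host name) is dropped, then "wpad" is prepended
    to each remaining parent domain. min_labels is an assumption of this
    example: the search stops before domains shorter than that many labels,
    so the lookup never devolves to a bare TLD such as "wpad.lan".
    """
    labels = [part for part in fqdn.strip().rstrip(".").lower().split(".") if part]
    domain = labels[1:]              # strip the host part
    names = []
    while len(domain) >= min_labels:
        names.append("wpad." + ".".join(domain))
        domain = domain[1:]          # strip the leftmost label again
    return names


def diagnose(fqdn, a_records, wpad_file="wpad.dat"):
    """Return (url_or_None, reason) for auto-detection from this client.

    a_records maps names to IPv4 addresses and stands in for the zone
    content shown by dig (constructed data, nothing is resolved here).
    """
    candidates = wpad_candidates(fqdn)
    if not candidates:
        return None, "%r has no usable DNS domain, nothing to look up" % fqdn
    for name in candidates:
        if name in a_records:
            return ("http://%s/%s" % (name, wpad_file),
                    "A record %s -> %s" % (name, a_records[name]))
    return None, "no A record for any of: " + ", ".join(candidates)


# Constructed from the records quoted in the thread.
ZONE = {
    "wpad.msserver01.lan": "192.168.6.1",
    "msserver01.msserver01.lan": "192.168.6.1",
}

if __name__ == "__main__":
    for client in ("user102-desktop",               # empty dnsdomainname
                   "system01.msserver01.lan",       # after the rename
                   "client.private.mydomain.com"):  # the HowTo's example
        print(client, "->", diagnose(client, ZONE))
```

Setting `min_labels=1` shows the devolution the cut-off prevents: the second candidate for system01.msserver01.lan becomes wpad.lan, a name outside the administrator's own zone.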
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: Zent User on November 22, 2012, 10:29:17 am
In Client Machine: I've changed my client hostname to "system01.msserver01.lan", rebooted the system, and checked by giving "hostname -f"; it showed "system01.msserver01.lan".

In Server system : Added SRV and TXT records,

         Tried "Auto discovery" but it failed in Firefox (the browser is already set to Auto Discovery in settings). My client OS is Ubuntu 12.04.

    One thing I can say confidently is that whatever is explained for DHCP configuration in Zentyal 3.0, I've set up like that only.

       Thanks
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: christian on November 22, 2012, 10:52:32 am
Quote
In Server system : Added SRV and TXT records,

 :o :o why ?  ::)

For the time being, we try to check "well known alias" method ONLY.
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: Zent User on November 22, 2012, 11:04:23 am
Oh I forgot, I've removed SRV and TXT records and added a few aliases as "wpad.msserver01.lan", "msserver01.lan" and rebooted both systems, tried but failed.
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: christian on November 22, 2012, 11:12:34 am
Quote
Oh I forgot, I've removed SRV and TXT records and added a few aliases as "wpad.msserver01.lan", "msserver01.lan" and rebooted both systems, tried but failed.

OK, I give up  :( each and every time I ask you to do something, you do it plus something else in another direction without any explanation which at the end makes everything fuzzy.

Why did you add aliases? I've asked you to remove it some posts ago?

You can't do it by yourself. I try to help you as best as possible without having good visibility on your system but if you don't understand how it works, please do not take any initiative on your own unless you explain why.

 ::) ::)
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: Zent User on November 22, 2012, 11:19:54 am
Sorry Christian,

     
Quote
For the time being, we try to check "well known alias" method ONLY.

                    Considering this I've added aliases; I'll remove them. Please guide me.
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: Zent User on November 22, 2012, 11:48:19 am
@ Christian,

          I'm now in the middle, please guide me; it won't be repeated again.

    After removing the aliases also I've checked; it's not working. Currently only the "A record" (wpad) is there; other than that, nothing is there in the DNS entries, and some default entries of Kerberos.

        Please don't mind, guide me.
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: Zent User on November 22, 2012, 12:57:47 pm
@ Christian,

     One great news: I found some "wpad" troubleshooting documents on the internet, and it worked for me. When I copied the "wpad.dat" file into "/var/www", it works. Why is the vhost not handling the "wpad.dat" file when the browser is configured to "auto detect proxy"?

      Anyhow it worked for me; I'll try other corrections and other aspects.

      Thanks a lot for your support in this long journey.
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: christian on November 22, 2012, 01:24:31 pm
it may work because http://wpad.msserver01.lan is pointing to your default apache server instead of vhost.
Well, if you were using win98 and/or old IE version, some additional trick needs to be implemented (with IP address as vhost alias) but I'm not aware of any such trick to be used with firefox and Ubuntu client.
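
The access-log check suggested earlier in the thread, as an added example that is not part of the original posts: it scans Apache logs for fetches of the PAC file and reports which server answered them, which is how "vhost or default server" can be settled. It assumes the Apache "combined" log format and a default-server log named access.log; all log lines are constructed for illustration.

```python
"""Find fetches of the PAC file in Apache access logs (combined format)."""
import re
from collections import Counter

# host ident user [time] "METHOD path proto" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "[^"]*" "(?P<agent>[^"]*)")?'
)
PAC_NAMES = ("/wpad.dat", "/proxy.pac")


def pac_requests(lines):
    """Return one dict per request whose last path segment is a PAC file."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                       # not an access-log line
        path = m.group("path").split("?", 1)[0].lower()
        name = "/" + path.rsplit("/", 1)[-1]
        if name in PAC_NAMES:
            hits.append({"client": m.group("client"), "path": name,
                         "status": int(m.group("status")),
                         "agent": m.group("agent") or ""})
    return hits


def summarize(logs):
    """{log name: lines} -> {log name: Counter of (path, status)}."""
    return {name: Counter((h["path"], h["status"]) for h in pac_requests(lines))
            for name, lines in logs.items()}


def servers_answering(logs, path="/wpad.dat"):
    """Names of the logs holding at least one 2xx answer for path."""
    return sorted(name for name, counts in summarize(logs).items()
                  if any(p == path and 200 <= s < 300 for p, s in counts))


# Constructed sample lines; the vhost log name is the one used in the thread,
# "access.log" for the default server is an assumption.
UA = "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:16.0) Gecko/20100101 Firefox/16.0"
LOGS = {
    "wpad.msserver01.lan-access.log": [
        '192.168.6.5 - - [21/Nov/2012:12:40:02 +0000] "GET /proxy.pac HTTP/1.1" 200 312 "-" "%s"' % UA,
        '192.168.6.5 - - [21/Nov/2012:12:41:10 +0000] "GET /favicon.ico HTTP/1.1" 404 501 "-" "%s"' % UA,
    ],
    "access.log": [
        '192.168.6.5 - - [22/Nov/2012:12:30:44 +0000] "GET /wpad.dat HTTP/1.1" 404 498 "-" "%s"' % UA,
        '192.168.6.5 - - [22/Nov/2012:12:55:03 +0000] "GET /wpad.dat HTTP/1.1" 200 312 "-" "%s"' % UA,
    ],
}

if __name__ == "__main__":
    for log_name, counts in summarize(LOGS).items():
        print(log_name, dict(counts))
    print("wpad.dat served by:", servers_answering(LOGS))
```

On a real server, pass the lines of each log file instead of `LOGS`; a log with no PAC entries at all means the browser never asked that server.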
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: Zent User on November 22, 2012, 01:34:41 pm
Even if I remove the aliases, SRV and TXT records, it's working fine. Can I proceed with this, or is there any trouble if I proceed? Currently in my network there are Ubuntu 10.04 and 12.04 along with Windows XP (IE 6 by default).

       Thanks for your reply
Title: Re: Getting trouble in configuring explicit proxy in zentyal 3.0
Post by: christian on November 22, 2012, 04:04:53 pm
Good news!
Then if it works for you, please stamp this (long) thread as [SOLVED] modifying first post title.