Monday, September 19, 2011

Lazy Web Proxy Auto-Discovrey protocol configuration

To setup the WPAD in our network we can choose between these options:

  1. DHCP
  2. DNS
  3. AD group policy enforcing PAC (Proxy Auto Configuration) file
The .PAC file contains the configuration for the proxy. We will need to prepare a http server to serve this file.

  • DHCP under using linux's isc dhcpd

This configuration is set trough the option wpad-url. Since version 3 we need to specify what code and content it has:

option wpad-url    code 252 = text;
option wpad-url    "http://sin-proxy-001.local.domain/proxy.pac ";

We add these lines to the dhcpd.conf and reload the service.

  • DNS serving wpad
We need to create two records, one type A named wpad pointing to the IP address  of the server with the .PAC file and another one with TXT content specifying the URL to locate the .PAC file. On windows would look something like this:


 On linux, we need to add some lines in our zone with this content:
$ORIGIN local.domain.
wpad            IN      A       10.9.98.2
                IN      TXT     "service: wpad:!http://sin-proxy-001.local.domain:80/proxy.pac"
wpad.tcp        IN      SRV     0 0 80 sin-proxy-001.local.domain.
After that, reload DNS service.

  • AD Group Policy wpad enforcing
We open the Group Policy Management Console and create a new policy. Then we proceed to edit and we go to Computer Configuration - > user configuration - > windows settings -> Internet Explorer Maintenance -> connection and we set our preferences:


To avoid caching problems, is better to disable that feature for the .pac file:


If our users are too naughty and they disable the proxy, we can always remove this privilege from them activating the option Make proxy settings per-machine:


We have finished the WPAD policy.

  • The .PAC file
As a basic example, this will provide proxy for everything and if it fails we will provide direct access. If the host try to access our intranet connection will be direct, and if is on our local office network proxy will be enforced:


function FindProxyForURL(url, host) {
      else if (shExpMatch(host, "*.myintranet.com"))
      {
         return "DIRECT";
      }
      else if (isInNet(host, "10.9.98.0",  "255.255.255.0"))
      {
         return "PROXY sin-proxy-001.local.domain:3128";
      }
      else
      return "PROXY sin-proxy-001.local.domain:3128; DIRECT";
}
  •  Web server configuration on Apache & Linux
This would be the configuration file on the sites-available folder (you'd need to enable it later). Is important to specify the .pac extension type:


MyServer:/etc/apache2/sites-available# cat sin-proxy-001
<VirtualHost *:80>
        ServerAdmin admin@local.domain.com
        ServerName sin-proxy-001.local.domain
        DocumentRoot /var/www/proxy/
        AddType application/x-ns-proxy-autoconfig .pac
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/wpad-error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/wpad-access.log combined

</VirtualHost>
Posted by

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)