From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] squid / WPAD: Add exception-files for generation of proxy.pac
Date: Thu, 18 Apr 2019 11:33:33 +0100

Hi,

> On 18 Apr 2019, at 02:41, Alexander Koch wrote:
>
> Hi,
>
> On 17.04.2019 at 16:08, Michael Tremer wrote:
>> Hi,
>>
>>> On 15 Apr 2019, at 21:12, Alexander Koch wrote:
>>>
>>> Hello Michael,
>>>
>>> my motivation for the patch is to provide a possibility to make exceptions survive an update of squid, as I'm repatching proxy.cgi by myself after each upgrade. I suppose there are more people out there with the same issue. I agree that it would be very nice to have it on the GUI as well, but unfortunately I don't have any experience with CGI yet and I don't have the time to learn it right now. I think patching the integration of the exception files into proxy.cgi is a good first step. It can be used as the base for extending the GUI. Maybe somebody else with CGI experience can help out? It's "just" two textareas and some file I/O basically…
>>
>> You can literally just copy and paste that. Give it a try!
>
> Have a look at it please, I just sent in an additional patch ... the translations for all languages except en and de need to be revised, how is this usually done? I copied the English versions into the language files I'm not able to translate by myself to avoid empty texts in the frontend.

I already replied to this on the patch. Just leave them empty if you don’t have a translation. English is a must. Do not use Google Translate or something. That never goes well.

>>> As far as I know, the WPAD-Feature does not have any GUI support in general (e.g. checkboxes for enabled, enabled on a per subnet basis, etc.) until now. Additionally the WPAD-Feature requires the user to set up the extra apache-vhost or haproxy-frontend for port 80 (for http://wpad./wpad.dat) via CLI by himself anyway (another ToDo for a future patch ;-).
>>
>> It is available on http://:81/wpad.dat. No need for an extra host.
>
> This only provides WPAD via DHCP (if option 252 is configured by the user). Firefox for example does not support this (see http://findproxyforurl.com/browser-support/) and it alternatively uses WPAD via DNS. This requires one of the following URLs to work: http://wpad./wpad.dat or http://wpad/wpad.dat

Yeah that is indeed a problem.

> Port 80 does not seem to be in use on a new IPFire-Host by default. I could provide a patch for an additional apache-vhost. I'm not sure whether this is a good idea though. If users are running a haproxy on port 80/443 for example, this could break their running setup ... shipping some working example lines for haproxy.cfg to provide a frontend/backend-pair for wpad on port 80 is also a possibility. Or a Checkbox in the GUI to enable the vhost. Or just leave it as it is and provide the infos on the Wiki.

How do we solve conflicts then when people either run a web server on IPFire or use a port-forwarding? A checkbox is quite complicated. We could use an iptables redirect rule or something but that all creates new problems.

I really would like to support WPAD across platforms, but WPAD over DNS is a nightmare. There is no clean way to “make it just work”.

-Michael

>
> What do you think?
>
> Best regards, Alex
>
>>
>>> Having this said, I think it is reasonable for the users to maintain their exceptions via CLI in the first instance until a GUI is available. Usually these things are not changed very often. It is still better than having to fix them after each upgrade of proxy.cgi. If nobody else grabs this, I might possibly come back to it by myself at a later date.
>>>
>>> Should I write a bug report for the WPAD-GUI feature request?
>>
>> If you want to track it, why not.
>>
>> -Michael
>>
>>>
>>> Best regards,
>>> Alex
>>>
>>>
>>> On 15.04.2019 at 11:43, Michael Tremer wrote:
>>>> Hello Alex,
>>>>
>>>> Thanks for submitting the patch.
>>>>
>>>> I guess the code looks fine, but where is the UI?
>>>>
>>>> Why should this not be configurable on the web interface?
>>>>
>>>> -Michael
>>>>
>>>>> On 14 Apr 2019, at 11:08, Alexander Koch wrote:
>>>>>
>>>>> This patch extends the script /srv/web/ipfire/cgi-bin/proxy.cgi by additional code for reading exceptions for URLs and IPs/Subnets from two new files:
>>>>>
>>>>> - /var/ipfire/proxy/advanced/acls/dst_noproxy_url.acl
>>>>> - /var/ipfire/proxy/advanced/acls/dst_noproxy_ip.acl
>>>>>
>>>>> as described in: https://wiki.ipfire.org/configuration/network/proxy/extend/add_distri
>>>>>
>>>>> These can be used to define additional URLs, IPs and Subnets that should be retrieved "DIRECT" and not via the proxy. The files have to be created by the user, as the WPAD-Feature is not enabled by default anyway. If the files are not present or their size is 0, nothing is done. I'll revise the wiki-page, after the patch is merged and the core update is released.
>>>>>
>>>>> Signed-off-by: Alexander Koch
>>>>> ---
>>>>> html/cgi-bin/proxy.cgi | 39 +++++++++++++++++++++++++++++++++++++++
>>>>> 1 file changed, 39 insertions(+)
>>>>>
>>>>> diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
>>>>> index 6daa7fb..369a5cb 100644
>>>>> --- a/html/cgi-bin/proxy.cgi
>>>>> +++ b/html/cgi-bin/proxy.cgi
>>>>> @@ -124,6 +124,9 @@ my $acl_ports_safe =3D "$acldir/ports_safe.acl"; >>>>> my $acl_ports_ssl =3D "$acldir/ports_ssl.acl"; >>>>> my $acl_include =3D "$acldir/include.acl"; >>>>>=20 >>>>> +my $acl_dst_noproxy_url =3D "$acldir/dst_noproxy_url.acl"; >>>>> +my $acl_dst_noproxy_ip =3D "$acldir/dst_noproxy_ip.acl"; >>>>> + >>>>> my $updaccelversion =3D 'n/a'; >>>>> my $urlfilterversion =3D 'n/a'; >>>>>=20 >>>>> @@ -2763,6 +2766,42 @@ END >>>>> print FILE " (isInNet(host, \"$netsettings{'ORANGE_NETADDRESS'}\"= , \"$netsettings{'ORANGE_NETMASK'}\")) ||\n"; >>>>> } >>>>>=20 >>>>> + # Additional exceptions for URLs >>>>> + # The file has to be created by the user and should contain one entry= per line >>>>> + # Line-Format: >>>>> + # e.g. *ipfire.org* >>>>> + if (-s "$acl_dst_noproxy_url") { >>>>> + undef @templist; >>>>> + >>>>> + open(NOPROXY,"$acl_dst_noproxy_url"); >>>>> + @templist =3D ; >>>>> + close(NOPROXY); >>>>> + chomp (@templist); >>>>> + >>>>> + foreach (@templist) >>>>> + { >>>>> + print FILE " (shExpMatch(url, \"$_\")) ||\n"; >>>>> + } >>>>> + } >>>>> + >>>>> + # Additional exceptions for Subnets >>>>> + # The file has to be created by the user and should contain one entry= per line >>>>> + # Line-Format: "", "" >>>>> + # e.g. "192.168.0.0", "255.255.255.0" >>>>> + if (-s "$acl_dst_noproxy_ip") { >>>>> + undef @templist; >>>>> + >>>>> + open(NOPROXY,"$acl_dst_noproxy_ip"); >>>>> + @templist =3D ; >>>>> + close(NOPROXY); >>>>> + chomp (@templist); >>>>> + >>>>> + foreach (@templist) >>>>> + { >>>>> + print FILE " (isInNet(host, $_)) ||\n"; >>>>> + } >>>>> + } >>>>> + >>>>> print FILE <>>>> (isInNet(host, "169.254.0.0", "255.255.0.0")) >>>>> ) >>>>> --=20 >>>>> 2.7.4 >>>>>=20 >>>>=20 >>=20 --===============3745008254797016142==--
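Review bot: In the second hunk (@@ -2763,6 +2766,42 @@) every line of the two user-created files is interpolated verbatim into the generated proxy.pac, so a single stray double quote, backslash, blank line or comment line in dst_noproxy_url.acl or dst_noproxy_ip.acl produces invalid JavaScript and silently breaks proxy auto-configuration for every client: `print FILE " (shExpMatch(url, \"$_\")) ||\n";` emits `shExpMatch(url, "")` for an empty line, and `print FILE " (isInNet(host, $_)) ||\n";` relies on the user having typed both quoted fields exactly as the comment shows. Suggest skipping empty and `#` lines (for instance `next if /^\s*(#|$)/;`), rejecting entries that contain `"` or a backslash, and for the IP file validating the two fields as a dotted-quad address and netmask before printing, so that a bad entry is logged and dropped instead of poisoning the whole file. The bareword `open(NOPROXY,"$acl_dst_noproxy_url");` has no error check; a lexical three-argument open with `or` handling is the usual form, and the quotes in `-s "$acl_dst_noproxy_url"` are unnecessary. The read lines `@templist =3D ;` and the `print FILE <` heredoc have evidently lost their angle-bracketed operators in transit, so the text as posted cannot be the text that was applied; please resend with the mail client set to plain text.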